It’s 2018, but it feels like 2008. I often reflect on how relatively simplistic the attack surface of nearly everything was just 10 years ago, and how much we’ve evolved since then. I remember writing exploits for trivial buffer overflows without having to deal with exception handling, address randomization, stack and heap execution protections, and many other significant enhancements to operating systems, browsers and software in general. As the years passed, we started to see software vendors making tangible progress in the areas of secure coding and vulnerability mitigations. The most popular exploits tended to be in the browser space, and as such we saw an increasingly rapid response from browser vendors over the years as they struggled to gain or maintain market share in an aggressively contested market. With the evolution of sandboxing and containerization, popular browsers such as Internet Explorer and Chrome began to raise the bar on what it took to execute malicious code. Mitigations such as MemGC in the Microsoft Edge browser were implemented to reduce the number of trivially exploitable use-after-free vulnerabilities. Operating systems have been hardened with new features such as VBS in Windows 10 (no, not Visual Basic Scripting) to provide virtualization-based security for the protection of critical systems and data. It would be great if I could just end this discussion here, and we could all go home feeling great about the future of information security. Unfortunately, not everyone is aboard this train. Specifically, device manufacturers continue to neglect the necessity of secure code in order to get faster, larger and more feature-rich products to market quickly.
Western Digital is by no means any worse an offender in this area than others, but after reading the latest vulnerability disclosures in its ubiquitous network storage device known as WDMyCloud, I felt it was necessary to provide some basic insight to the industry about the implications and effects of insecure software development. The principal problem is not that these devices contain vulnerabilities; even software vendors such as Apple, which pours millions of dollars and dedicated security teams into securing its operating system, have been bitten (pun intended) by asinine security flaws. The High Sierra empty password root authentication bypass is a good example of this.
No, the problem lies in the complete lack of interest in developing secure code. Even someone with zero software development experience could probably look at the following script and see the issue. Spoiler alert, it’s a classic backdoor:
It leads me to ask the simple question – how are hardcoded backdoors still a thing? Even if you can get past the myriad of early-millennium-style vulnerabilities reported in this disclosure, why won’t device manufacturers make the relatively small investment to review the code of the products they are selling worldwide? Automated tools exist for this, and even a junior-level security practitioner could likely uncover some of these flaws. Every year brings another collection of similar disclosures, yet the bar stays the same: simple format string abuse, rudimentary authentication bypasses, command injections and buffer overflows, just to name a few.
I think part of the problem is the sheer noise. You’d be hard-pressed to find a software or device manufacturer out there who hasn’t been exposed to some negative press based on vulnerabilities reported in its products. After enough exposure, consumers subconsciously begin to tune this noise out and it becomes the de facto standard for the products they buy; a “tax” if you will, where they carry much of the risk. In this case, it’s the potential theft of personal data and privacy.
This raises the question – what can be done to improve this process and move the industry as a whole towards better security practices? We’d like to challenge vendors to invest in secure development, code review, and patching and mitigation strategies. The ultimate solutions to this are bigger than code review and coding skill alone, because these are usually design-time problems. In the IoT space, the socio-economic aspects are one key factor. It’s also time that consumers demand more from vendors. Ultimately, the consumer carries the most significant tool of all: the decision about which products they buy and their mandate for security accountability. Within McAfee’s Advanced Threat Research team, we firmly believe in the process of responsible disclosure and the openness of the research community in finding and reporting similar issues. Whenever possible, we will continue to work directly with vendors who answer this call in order to find and effectively eliminate vulnerabilities through the disclosure process. Let’s make hardcoded backdoors and other trivial security flaws truly a thing of the past.
The post Trivial Software Flaws Continue to Plague Networked Devices appeared first on McAfee Blogs.