Reporting vulnerabilities on Internet of Things (IoT) devices has become very common among ethical hacking experts. One of the latest reports has to do with Ruckus IoT Software Suite, a hardware and software infrastructure employed by multiple IoT device manufacturers.
One of the most prominent members of this suite is IoT Controller, a virtual controller that handles connectivity, device management, and security of non-WiFi devices.
Most of the controller's functionality requires some form of authentication, but some functions ignore this requirement, allowing unauthorized users to issue commands, which could result in a security breach. According to ethical hacking specialists, the unprotected features can be abused by unauthenticated remote threat actors to gain access to the target system with high privileges and carry out malicious activities, including:
manipulation of pre-authentication settings
access to and manipulation of backups
updating to other firmware versions
factory reset of the server
The vulnerability was tracked as CVE-2020-8005.
The service located at /service/init manages the configuration. When it receives an HTTP PATCH request, the supplied JSON-formatted configuration is interpreted and saved. This allows important settings, such as the DNS servers, to be altered.
For the changes to take effect the device must restart its services, which should happen automatically as part of the controller's routine.
The backup manipulation service, located at /service/v1/db, allows three operations: uploading, downloading, and deleting backup files.
When an HTTP POST request is sent to /service/v1/db/restore, the server restores the backup file named in the request body. This name can be known beforehand or brute-forced, since backup file names follow a specific pattern. The device then restarts to restore the arbitrarily chosen backup.
Sending an HTTP GET request to /service/v1/db/backup with the file name as a parameter returns the requested backup file, ethical hacking specialists note. Again, this name can be known in advance or guessed through a brute force attack.
Sending an HTTP DELETE request to /service/v1/db/backup allows the deletion of backup files; the backup file name is provided through the same parameter.
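As an added example (not code from the article or from Ruckus), the following Python script flags, in constructed reverse-proxy log lines, unauthenticated requests to the endpoints the article lists and repeated requests for distinct backup names from a single client, the pattern the brute-force remark above implies. The JSON log layout, the "auth" field, the query parameter name and all sample values are assumptions made for this example.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Method/path pairs the article describes as reachable without authentication.
SENSITIVE = {
    ("PATCH", "/service/init"),
    ("POST", "/service/v1/db/restore"),
    ("GET", "/service/v1/db/backup"),
    ("DELETE", "/service/v1/db/backup"),
}
ENUM_THRESHOLD = 3  # distinct backup names one client may request before flagging

# Constructed sample log: one JSON object per line, as a reverse proxy in front of
# the controller might emit. "auth" records whether the request carried a session
# credential; the field names and values are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2020-03-02T10:00:01Z","src":"10.0.0.5","method":"GET","path":"/service/v1/db/backup?name=bk-001","auth":true}
{"ts":"2020-03-02T10:00:02Z","src":"198.51.100.7","method":"PATCH","path":"/service/init","auth":false}
{"ts":"2020-03-02T10:00:03Z","src":"198.51.100.7","method":"GET","path":"/service/v1/db/backup?name=bk-001","auth":false}
{"ts":"2020-03-02T10:00:04Z","src":"198.51.100.7","method":"GET","path":"/service/v1/db/backup?name=bk-002","auth":false}
{"ts":"2020-03-02T10:00:05Z","src":"198.51.100.7","method":"GET","path":"/service/v1/db/backup?name=bk-003","auth":false}
{"ts":"2020-03-02T10:00:06Z","src":"10.0.0.5","method":"GET","path":"/service/v1/status","auth":false}
"""

def is_sensitive(method, path):
    """True when method and path (query string ignored) match a listed endpoint."""
    return (method.upper(), urlsplit(path).path.rstrip("/")) in SENSITIVE

def analyse(log_text):
    """Return (unauthenticated hits, sources enumerating backup names)."""
    unauth, names_by_src = [], defaultdict(set)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = json.loads(line)
        parts = urlsplit(ev["path"])
        if not is_sensitive(ev["method"], ev["path"]):
            continue
        if not ev.get("auth", False):
            unauth.append((ev["ts"], ev["src"], ev["method"].upper(), parts.path))
        if ev["method"].upper() == "GET" and parts.path.rstrip("/") == "/service/v1/db/backup":
            names_by_src[ev["src"]].add(parts.query)  # one entry per distinct backup name
    enum = sorted(src for src, names in names_by_src.items() if len(names) >= ENUM_THRESHOLD)
    return unauth, enum

if __name__ == "__main__":
    hits, enumerators = analyse(SAMPLE_LOG)
    for hit in hits:
        print("unauthenticated sensitive request:", *hit)
    for src in enumerators:
        print("possible backup-name enumeration from", src)
```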
The International Institute of Cyber Security (IICS) constantly tracks the latest security threats for wireless networks and IoT devices, as attacks against this technology show