Device designers and manufacturers must be held accountable for publicly known security vulnerabilities that adversely impact devices currently in use by the general public and newly designed and manufactured devices.
Malicious actors can search databases of publicly known Common Vulnerabilities and Exposures (CVE) to determine, based on CVE identifiers (CVE IDs), an ideal method of exploiting a known weakness from an off-the-shelf consumer device. The following CVE IDs – CVE-2017-7398, CVE-2015-5999, CVE-2013-7043, CVE-2013-3095, and CVE-2013-3086 – all address a specific attack, Cross-Site Request Forgery (CSRF), affecting off-the-shelf routers from well-known manufactures including: D-Link, Cisco, and Belkin. CSRF is an attack against an authenticated web application that utilizes cookies while compelling the user to unknowingly visit a malicious website to exploit the established trust relationship between the web application and the user’s browser. While simultaneously logged in to the router’s administrative page, a user accidentally accessing a malicious webpage, usually after being baited by the nefarious entity, will unknowingly provide administrative access to the attacker. Once administrative credentials are captured, the attacker may transmit requests to change the administrative password, reboot the device to default settings, or remove Wi-Fi password settings and effectively commandeer the device for malicious purposes.
Some corporate entities have several devices correlated with CVE IDs exposing similar security vulnerabilities and spanning across multiple years; 2013, 2015, and 2017. This suggests that these corporate entities either have no knowledge of the CVE database and their device’s susceptibility to CSRF attacks, or they have possibly exhibited willful blindness toward publicly known vulnerabilities by choosing to not address the security flaws in newly designed and manufactured routers, thereby potentially jeopardizing the general public’s security and privacy.
Federal legislation provides an avenue to help address device manufactures failing to update consumer devices or design security features into newly manufactured devices in accordance with weaknesses disclosed in CVEs. One solution is legislation requiring manufactures of consumer devices to provide security updates for devices currently in use while either recalling or decommissioning devices that won’t update, redesign future devices to prevent similar breaches addressed in publicly available CVEs, and provide functionality on future devices for pushing over-the-air software updates out to circumvent future CVEs that arise.