Researchers at Microsoft have identified vulnerabilities in the software development kits (SDKs) of semiconductors that could leave electricity grids unprotected from attack.
A report from Recorded Future in April detailed suspected electrical grid intrusion activity from Chinese state-sponsored hackers.
This implicated common IoT devices as the vector used to gain a foothold into networks to deploy malicious payloads into critical infrastructure. While investigating the attack activity, Microsoft researchers identified a vulnerable component on all the published IP addresses and found evidence of a supply chain risk that may affect millions of organizations and devices.
The component is a web server called Boa, which is often used to access settings, management consoles and sign-in screens in devices, and which is included in the SDK of chips from RealTek. Despite being discontinued in 2005, the web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs).
The vulnerabilities in the web server could allow attackers to silently gain access to networks by collecting information from files, with operators unaware their grid networks were compromised. A key worry is that firmware updates and downstream patches to other equipment do not address its known vulnerabilities.
The attack detailed in the Recorded Future report was one of several intrusion attempts on critical infrastructure in India over the last two years. Half of the IP addresses published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool.
Over 10% of these were related to critical industries, such as the electricity grid, with many of the IP addresses associated with IoT devices, such as routers, that have unpatched critical vulnerabilities.
Some of the IP addresses were further leveraged to download a variant of the Mirai malware family shortly following the report’s release. Microsoft also found evidence that across different devices on the IP addresses, there were attempts to connect with default credentials through brute force methods and attempts to run shell commands.
Boa web servers remain pervasive in the development of IoT devices. One reason for this could be Boa's inclusion in popular SDKs, which contain essential functions that operate the system on chip (SoC) implemented in microchips. Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to supply chain vulnerabilities.
Popular SDKs like those released by RealTek are used in SoC devices in gateway devices such as routers, access points, and repeaters. Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek’s SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks.
While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities.
Boa servers are affected by several known vulnerabilities, including arbitrary file access (the CVE-2017-9833 vulnerability) and information disclosure (CVE-2021-33558). These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the “passwd” file from the device or accessing sensitive URIs in the web server to extract a user’s credentials.
Surprisingly, these vulnerabilities require no authentication to exploit, making them attractive targets.
The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network. Updating the firmware of IoT devices does not always patch SDKs or specific SoC components, and there is limited visibility into components and whether they can be updated.
The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials.
In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.
Microsoft recommends patching vulnerable devices whenever possible to reduce exposure risks and using device discovery and classification to identify devices with vulnerable components.
It also recommends reducing the attack surface by eliminating unnecessary internet connections to IoT devices in the network and using network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion.
IoT and critical device networks should also be isolated with firewalls.
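As an added illustration of the discovery and classification recommendation (not Microsoft's tooling and not part of the original article), the sketch below flags devices in your own asset inventory whose HTTP `Server` header identifies Boa, and ranks internet-facing ones first. The inventory field names, priority labels and sample responses are assumptions constructed for the example.

```python
import re

# Boa announces itself in the HTTP Server header, e.g. "Boa/0.94.13".
BOA_RE = re.compile(r"^boa(?:/(?P<version>\S+))?\s*$", re.IGNORECASE)

# Constructed sample data: response heads captured from devices you own, plus
# a hypothetical "internet_facing" flag taken from your asset database.
SAMPLE_INVENTORY = [
    {"host": "192.0.2.11", "internet_facing": False,
     "raw": "HTTP/1.0 200 OK\nserver: boa/0.94.13\nContent-Type: text/html\n\n"},
    {"host": "192.0.2.12", "internet_facing": True,
     "raw": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    {"host": "192.0.2.10", "internet_facing": True,
     "raw": "HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.94.14rc21\r\n\r\n<html>"},
    {"host": "192.0.2.13", "internet_facing": False,
     "raw": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},  # no Server header
]

def parse_headers(raw):
    """Return {lower-cased name: value} for the header block of a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(entry):
    """Return a finding dict if the device serves pages with Boa, else None."""
    match = BOA_RE.match(parse_headers(entry["raw"]).get("server", ""))
    if not match:
        return None
    return {
        "host": entry["host"],
        "version": match.group("version") or "unknown",
        # Internet-facing Boa devices are the first to isolate or firewall.
        "priority": "isolate-now" if entry["internet_facing"] else "segment-and-track",
    }

def find_boa_devices(inventory):
    """Classify every entry and list internet-facing findings first."""
    findings = [f for f in map(classify, inventory) if f]
    return sorted(findings, key=lambda f: f["priority"] != "isolate-now")

if __name__ == "__main__":
    for finding in find_boa_devices(SAMPLE_INVENTORY):
        print(finding)
```

A vendor can suppress or rewrite the `Server` header, so a device missing from this list is not proof that Boa is absent; firmware component inventories remain the stronger source.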