Critical vulnerabilities in Ruckus IoT affect millions of devices

Reporting vulnerabilities in Internet of Things (IoT) devices has become very common among ethical hacking experts. One of the latest reports concerns Ruckus IoT Software Suite, a hardware and software infrastructure employed by multiple IoT device manufacturers.

One of the most prominent members of this set is IoT Controller, a virtual controller that handles connectivity, device management, and security of non-WiFi devices.

Most of the controller's functionality requires some form of authentication, but some functions do not enforce this requirement, allowing unauthorized users to issue commands, which could result in a security breach. According to ethical hacking specialists, these unprotected features can be abused by unauthenticated remote threat actors to gain high-privileged access to the target system and carry out malicious activities such as:

  • Remote manipulation of pre-authentication settings
  • Full access to and manipulation of backups
  • Downloading and installing other firmware versions
  • Control of system services
  • Remote factory reset of the server

The vulnerability was tracked as CVE-2020-8005.

Changing remote settings

The service located at /service/init manages the configuration. When it receives an HTTP PATCH request, the supplied JSON-formatted configuration is interpreted and saved. This allows an unauthenticated request to alter important settings, such as the DNS servers.

For the changes to take effect the device must restart its services, which happens automatically as part of the normal workflow.

Manipulation of arbitrary backups

The backup manipulation service, located in /service/v1/db, allows three operations: upload, download, and delete backup files.

  • Upload backups:

When an HTTP POST request is sent to /service/v1/db/restore, the server restores the backup file whose name is given in the request body. This name may be known beforehand or guessed, since backup file names follow a specific pattern. The device then restarts to restore the arbitrarily chosen backup.

  • Downloading backups:

Sending an HTTP GET request to /service/v1/db/backup with the file name as a parameter returns the requested backup file, ethical hacking specialists note. Again, the name may be known in advance or guessed by brute force.

  • Delete backups:

Sending an HTTP DELETE request to /service/v1/db/backup deletes backup files; the backup file name is passed as a parameter.
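Because the configuration endpoint (/service/init) and the three backup endpoints (/service/v1/db/restore and /service/v1/db/backup) described above accept requests without authentication, the controller's own access control produces no signal for a defender to alert on. A practical mitigation until the fix is applied is to place the management interface behind a reverse proxy that requires authentication and logs whether it was present, then flag any request to these endpoints that reached the controller without it. The following script is an added example, written for this article and not part of Ruckus's software or the original report; it assumes a constructed proxy log format of the form `<client_ip> <method> <path> <status> auth=<yes|no>` and uses only the endpoint paths and HTTP methods named in the text.

```python
import re
from collections import Counter

# Management endpoints and the HTTP methods the article says they accept
# without authentication. Query strings are stripped before matching.
SENSITIVE_ENDPOINTS = {
    "/service/init":          {"PATCH"},
    "/service/v1/db/restore": {"POST"},
    "/service/v1/db/backup":  {"GET", "DELETE"},
}

# Constructed log format (an assumption for this example): a reverse proxy in
# front of the controller writes one line per request, recording whether the
# request carried valid proxy-level authentication. Adapt the regex to the
# format your proxy actually emits.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

# Constructed sample log: a mix of benign traffic, authenticated admin use,
# one proxy-rejected attempt (401) and three unauthenticated requests that
# reached the unprotected endpoints.
SAMPLE_LOG = [
    "10.0.0.5 GET /ui/ 200 auth=no",
    "10.0.0.5 PATCH /service/init 200 auth=yes",
    "203.0.113.7 PATCH /service/init 200 auth=no",
    "203.0.113.7 GET /service/v1/db/backup?file=backup_2020.tar.gz 200 auth=no",
    "203.0.113.7 DELETE /service/v1/db/backup?file=backup_2020.tar.gz 200 auth=no",
    "198.51.100.9 POST /service/v1/db/restore 401 auth=no",
    "this line is not in the expected format",
]


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["auth"] = rec["auth"] == "yes"
    return rec


def is_sensitive(method, path):
    """True if method+path is one of the unauthenticated management calls."""
    base = path.split("?", 1)[0]
    return method in SENSITIVE_ENDPOINTS.get(base, set())


def find_alerts(lines):
    """Return one alert per unauthenticated request that reached a sensitive
    endpoint and was not rejected (status below 400)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (is_sensitive(rec["method"], rec["path"])
                and not rec["auth"]
                and rec["status"] < 400):
            alerts.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "path": rec["path"].split("?", 1)[0],
                "reason": "unauthenticated request reached management endpoint",
            })
    return alerts


def alerts_by_source(alerts):
    """Count alerts per client address to spot a single host probing several endpoints."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a['ip']} {a['method']} {a['path']}: {a['reason']}")
    print("per-source counts:", alerts_by_source(found))
```

The status check matters: a request the proxy rejected (the 401 line) never reached the controller and should not be counted as a successful reach, while anything below 400 means the unprotected handler ran. On the sample input this yields three alerts, all from the same address, which is the pattern to look for: one host touching the configuration endpoint and then the backup download and delete calls in sequence.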

The International Institute of Cyber Security (IICS) constantly tracks the latest security threats for wireless networks and IoT devices, as attacks against this technology show accelerated growth.