
"You don't find what you don't look for,"
I take it that King has no children's room and has never decided to go vacuum it when they were in their teens . . .
A funny thing happened to security researchers at attack surface management company runZero when they were digging into the xz backdoor earlier this year: They found a whole bunch of vulnerabilities stemming from poorly secured or implemented SSH services. The discovery, which runZero director of security research Rob King …
A few years back, a consultant ran vulnerability scans on our office network. The report was full of stuff like "Apache 2.2, upgrade to 2.4" on this, and "obsolete version of PHP" on that. But this turned out to be a projector, and that turned out to be the audio-visual controls for a meeting room. I did not have to manage remediation, but I doubt that the manufacturers offered handy patch kits.
I am grateful to know that most of the appliances in our house are too old to have network interfaces.
And it's only going to get worse as more and more "stuff" goes down the line of "won't work without internet connection to mothership". See icon for what I think of that idea.
In the meantime, people need to learn how to secure their networks from the inside - we're long past the point where securing the perimeter is even remotely enough. It has to be "every device for itself" these days. Plus, put all that IoT stuff on segregated networks to limit their exposure to threats, and the threats to everything else. Though sadly, that's not going to happen for the 99.something% of users who aren't ElReg's typical user, and those with routers that don't support basics like VPN - I was surprised to find FRITZ!Box doesn't, and nor does it route IPv6 via a VPN.
It's not the fact the device communicates, although that's bad enough, it's the use of Web protocols for the purpose. Their chronic inefficiency not only wastes a lot of computing resources, memory and bandwidth but also provides a generous attack surface for malware writers. The solution is invariably 'more of the same' -- piecemeal plugging of holes and additional layers of complexity -- when in reality 'less of the same' would do just fine. Unfortunately this contradicts the fundamentals of marketing which has pushed for more and more 'monetizable' features -- huge amounts of programmer time and effort has been spent in the last couple of decades making things that used to work not work (HP's the obvious poster child here -- they used to make quite decent printers but now they sell user nightmares).
[It's] not the fact the device communicates, although that's bad enough, [it's] the use of Web protocols for the purpose.
Oh, there are plenty of vulnerability-ridden uses of other application-layer protocols. Why, I just read an article about some. Or see the steady parade of issues with SCADA systems, say. Or look at, oh, LDAP serialization on the wire.¹ And having worked with many ad hoc protocols over the years, I can confidently say that when developers decide to use something that's not standard, it's generally a shit-show.
"Web protocols" are not inherently worse than others in that respect. Nothing about "Web protocols" mandates using or interpreting Javascript, for example; nor do they mandate reflecting or storing tainted data.
Their chronic inefficiency not only wastes a lot of computing resources, memory and bandwidth
The "inefficiency" of HTTP itself is not even a rounding error in the vast resources wasted on the content sent via HTTP.
but also provides a generous attack surface for malware writers.
The protocols themselves don't have that much of an attack surface. (They do have some; HTTP response splitting, for example, which is one reason why HTTP/2 — which has its own problems — moved away from a human-readable protocol with in-band delimiting. [Which has its own problems.])
Most of the attack surface is in 1) implementation and 2) use (which is orders of magnitude larger).
¹ If there's a trustworthy ASN.1 BER implementation, I've not seen it.
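The comment above names HTTP response splitting as the one attack surface that lives in the HTTP/1.x protocol itself rather than in its implementations or uses: the head is delimited in-band by CR/LF, so any header value that carries CR/LF can end one response and start another. The script below is an added example (not code from the article or from any commenter) that shows a serializer trusting its header values, a receiver-side count of how many responses the resulting bytes look like, and the single validation step that closes the gap. The tainted `Location` value and the function names are constructed for the illustration.

```python
"""Added example: in-band CR/LF delimiting in HTTP/1.x as an attack surface
(response splitting), and the one check that closes it.

Everything here is constructed for illustration; it is not code from the
article or from any commenter.  The 'naive' serializer stands in for any
HTTP/1.x server that copies a request-controlled value (a redirect target,
a cookie value) into a header without validation.
"""
import re

CRLF = "\r\n"
# A status line at the start of a line is what a downstream parser (a cache,
# a proxy, a browser) treats as the beginning of a new response.
STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3} ", re.M)


def serialize_naive(status: str, headers: dict, body: str) -> str:
    """HTTP/1.1 head as text; trusts header values completely (the defect)."""
    head = f"HTTP/1.1 {status}{CRLF}"
    head += "".join(f"{name}: {value}{CRLF}" for name, value in headers.items())
    return head + CRLF + body


def validate_header_value(value: str) -> str:
    """Reject any value that could terminate a header line or the whole head.

    This is the same rule modern HTTP libraries apply before writing a header
    (Python's http.client raises ValueError on CR/LF in a header value).
    """
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value would break the framing")
    return value


def serialize_hardened(status: str, headers: dict, body: str) -> str:
    """Same serializer, but every header value is validated first."""
    safe = {name: validate_header_value(str(value)) for name, value in headers.items()}
    return serialize_naive(status, safe, body)


def count_responses(raw: str) -> int:
    """How many HTTP/1.x responses a receiver would believe it has been sent."""
    return len(STATUS_LINE.findall(raw))


# Constructed sample: a request-supplied 'redirect target' that carries CR/LF.
# Reflected unvalidated into Location:, everything after the first blank line
# is read by the receiver as a second, request-shaped response.
TAINTED_LOCATION = ("/home" + CRLF + "Content-Length: 0" + CRLF + CRLF
                    + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 8" + CRLF + CRLF
                    + "injected")


def demo() -> tuple:
    """Returns (responses seen from the naive serializer, hardened rejected?)."""
    naive = serialize_naive("302 Found", {"Location": TAINTED_LOCATION}, "")
    try:
        serialize_hardened("302 Found", {"Location": TAINTED_LOCATION}, "")
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return count_responses(naive), hardened_rejected


if __name__ == "__main__":
    seen, rejected = demo()
    print(f"naive serializer: receiver sees {seen} responses; "
          f"hardened serializer rejected the value: {rejected}")
```

The naive path yields bytes that parse as two responses; the hardened path refuses the value before it reaches the wire. That refusal is a fix in the implementation, which matches the commenter's point that the framing is the protocol-level exposure while the bulk of the risk sits in implementation and use. HTTP/2's binary frames carry explicit lengths, so a CR/LF inside a field value cannot terminate a frame, which is the design change the comment alludes to.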
> I was surprised to find FRITZ!Box doesn't [support VPN]
My 7350 does support a VPN, and it's pretty straightforward to set up on the router and on phones / laptops. I have used it many times when out and about on what I think may be a weakly-secured wifi network.
The only problem is that I think sometimes the VPN port is blocked by public routers. I need to look into using a different port.