NetUSB flaw puts millions of IoT devices at risk
Security researchers point finger at USB-over-IP tool supplied by KCodes
Research from security organisation SEC Consult Vulnerability Lab has warned that a flaw in the NetUSB Internet of Things technology could have put millions of routers at risk.
SEC has released an advisory on the problem, warning that a small Taiwanese software company called KCodes has potentially put the IoT market at risk through its provision of USB-over-IP tools that have a vulnerability dating back to the 1990s.
SEC has released a fix for the flaw and the advisory provides a list of affected hardware, which includes several products from TP-LINK and Netgear. NetUSB is sold under different names by different vendors, but remains vulnerable whatever it is called.
SEC Consult said in a blog post about the NetUSB flaw that it could be used by an attacker to take remote control of a system or involve it in a denial-of-service attack.
"To establish a server connection, a simple mutual authentication check needs to be passed. As part of the connection initiation, the client sends his computer name," explained the post.
"This is where it gets interesting. The client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket.
"Easy as pie, the ’90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow."
SEC said that it contacted KCodes with information about the risk earlier this year, but to no avail.
"We tried to get in contact with KCodes back in February and provided a detailed vulnerability analysis including proof-of-concept exploit code. They sent a few nonsensical responses and then ignored us," the firm explained.
"Afterwards, we informed TP-LINK and Netgear directly about the vulnerability. The other vendors were informed by CERT/CC and other CERTs."
SEC Consult said that only TP-LINK has released a fix for the vulnerability.
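The bug class described in the quoted blog post, a client-declared name length used without checking it against a 64-byte buffer, is shown below next to the bounds check that prevents it. This is an added example, not KCodes' code or SEC Consult's proof of concept; the 4-byte little-endian length prefix, the function names and the in-memory `stream` standing in for the socket are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_BUF 64   /* buffer size taken from the advisory quote */

/* Assumed stand-in for the socket: a cursor over bytes sent by the client. */
struct stream { const uint8_t *p; size_t left; };

static int read_exact(struct stream *s, void *dst, size_t n) {
    if (n > s->left) return -1;        /* peer sent fewer bytes than requested */
    memcpy(dst, s->p, n);
    s->p += n; s->left -= n;
    return 0;
}

static int read_u32le(struct stream *s, uint32_t *v) {
    uint8_t b[4];
    if (read_exact(s, b, sizeof b)) return -1;
    *v = b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* The flawed pattern: the client-declared length is used unchecked. */
int recv_name_unchecked(struct stream *s, char *name /* NAME_BUF bytes */) {
    uint32_t len;
    if (read_u32le(s, &len)) return -1;
    return read_exact(s, name, len);   /* len > NAME_BUF writes past the buffer */
}

/* Hardened: reject an out-of-range length before any byte is copied. */
int recv_name_checked(struct stream *s, char *name /* NAME_BUF + 1 bytes */) {
    uint32_t len;
    if (read_u32le(s, &len)) return -1;
    if (len == 0 || len > NAME_BUF) return -2;   /* refuse rather than truncate */
    if (read_exact(s, name, len)) return -1;
    name[len] = '\0';
    return (int)len;
}

/* Constructed input: a message declaring `declared` bytes, carrying `sent`. */
int try_name(uint32_t declared, size_t sent, char *out /* NAME_BUF + 1 bytes */) {
    uint8_t msg[4 + 256];
    if (sent > 256) sent = 256;
    for (int i = 0; i < 4; i++) msg[i] = (uint8_t)(declared >> (8 * i));
    memset(msg + 4, 'A', sent);
    struct stream s = { msg, 4 + sent };
    return recv_name_checked(&s, out);
}
```

The checked version returns the name length on success, -2 when the declared length is zero or exceeds the buffer, and -1 when the client sends fewer bytes than it declared.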