Consumer electronics continue to be a weak security link as the residential environment becomes more and more connected. For instance, Cisco has released a patch to address a vulnerability in multiple wireless residential gateway products, which could put sensitive data and information at risk.
The issue is in the web server the devices use: an unauthenticated, remote attacker could crash the web server with a buffer overflow and execute arbitrary code with elevated privileges. According to Cisco’s advisory, the vulnerability is due to incorrect input validation for HTTP requests; an attacker could exploit it by sending a crafted HTTP request to the affected device. The vulnerability exists whether the device is configured in router mode or gateway mode.
The list of affected products includes:
- Cisco DPC3212 VoIP Cable Modem
- Cisco DPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
- Cisco EPC3212 VoIP Cable Modem
- Cisco EPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
- Cisco Model DPC3010 DOCSIS 3.0 8×4 Cable Modem
- Cisco Model DPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
- Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
- Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
- Cisco Model EPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
So far, Cisco is unaware of any public exploits. The company has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
The development is a concrete example behind the heightened awareness of potential data breaches stemming from the rise of the connected home and the internet of things (IoT).
A recent Fortinet survey suggests that vendors need to be thinking about security now: a majority (61%) of all US respondents believe that the connected home is “extremely likely” to become a reality in the next five years, in line with the global average. China led the world in this category, with more than 84% affirming support.
“The battle for the internet of things has just begun,” said John Maddison, vice president of marketing at Fortinet. “The ultimate winners of the IoT connected home will come down to those vendors who can provide a balance of security and privacy vis-à-vis price and functionality.”