It's unknown how many attacks originate in public, rather than over the Internet. But having easily exploited, widely used devices susceptible without patches available certainly opens up an opportunity.
SEC Consult also found that some devices--though not ones they tested--expose access to the USB device over the Internet at a specific port. If that turns out to be the case on a broad scale, we'll immediately see attempts to use that vector, which turns it into a global problem rather than a local one. This has happened repeatedly with exposed services, like web-enabled cameras and screen-sharing software.
The researchers found that nearly 100 models affected out of major vendors whose firmware disk images they tested could be vulnerable. Many others could also be susceptible. At least millions of routers are at risk. Despite following responsible disclosure practices, only TP-Link has released updates. The other makers have fallen down.
Open says me
The NetUSB case is all too common. Networked hardware, including set-top boxes, Wi-Fi routers and broadband modems provided by telephone, cable, and other television-service companies, is rarely updated to fix security flaws. If a company or its software module provider create updates, most hardware doesn't notify you of fixes.
I've been writing stories for years about these risks, both to educate readers and potentially provide fodder for product managers or others inside companies trying to get the funding or support to have an ongoing path for security upgrades and user notifications. Most mainstream hardware churns so quickly through product options and technical specs that any model you buy is simply dropped from a support path not long after it's made.
Better brands support products longer, but not as long as they can be useful. Apple's record on this front is mixed, as I and many others have written. It gets away with dropping support for older but not very old versions of OS X and iOS with security upgrades because it generally offers upgrades to years-old gear and provides fixes for exploits back at least one version.
Because so many Apple product users upgrade to newer OS versions quickly, the exploit target for older users rapidly becomes so small, there's little incentive for criminals (or even vandals) to go after these old problems.
Networked devices change the equation, and Apple has a much better track record at patching Wi-Fi routers dating way, way back. Apple's chain of firmware updates (including a few stinkers later fixed) for its 802.11n routers allow every Extreme and Time Capsule model it made between 2007 and 2013 to be upgraded. The introduction of 802.11ac in mid-2013 started a new chain, but I still expect firmware updates if security flaws are discovered in the older devices. (The last 802.11n update for them was in 2013 after the 802.11ac base stations had shipped.)
Sign up for CIO Asia eNewsletters.