Tenable has highlighted the security challenges of manufacturers reusing vulnerable software code, particularly for consumer devices. It follows Tenable Research’s discovery of a 12-year-old vulnerability (CVE-2021-20090) that has potentially left millions of home routers exposed across 11 countries and dozens of manufacturers.
As the gateway to the internet, consumers use home routers to access a wealth of online content. This includes sharing personal information with online businesses and services, interacting with friends on social media, and even streaming TV channels and box sets. If exploited, this vulnerability could potentially allow attackers to compromise not only the router but any device connected to it.
Given the current trend of remote, home-based workforces, this not only impacts consumers but has the potential to expose organisations to further risk.
“Consumers shouldn’t have to worry whether the device provided to them by their ISP is secure or vulnerable to attack,” explained Evan Grant, staff research engineer at Tenable. “We’re reliant on providers to sell quality equipment that’s secure by design. Hopefully, the vendors affected by this vulnerability will take steps to mitigate the impact of these vulnerabilities on their products and customers.”
To date, 20 routers and modems across 17 different vendors have been identified, including Internet Service Providers (ISPs) used in Argentina, Australia, Canada, Germany, Japan, Mexico, the Netherlands, New Zealand, Russia, Spain, and the US.
Tenable Research published a whitepaper detailing the complex vulnerability disclosure process, plus the security implications of reusing vulnerable software code. Technical details of the vulnerability can be found in this blog post.