Claroty’s research outfit, Team82, has invested resources in 2024 in the security of cloud connectivity and improving device authentication to cloud platforms and services. Its latest research project focused on Ruijie Networks’ popular line of wireless access points and devices. Team82’s research uncovered 10 vulnerabilities; chains of those vulnerabilities exposed every device connected to the Ruijie cloud to attack, including remote code execution.
In this episode of the Nexus Podcast, researchers Noam Moshe and Tomer Goldschmidt, fresh off a presentation at Black Hat Europe on the subject, provide their perspective on the issues plaguing IoT clouds and why attackers and defenders should be locking down device authentication and other avenues exposing clouds to attack.
Device authentication, Moshe said, is less understood and explored than user authentication, which has well-entrenched paradigms such as strong passwords and multi-factor authentication. In its Ruijie research, for example, Team82 was able to exploit device authentication weaknesses to impersonate the Ruijie cloud, gain access to devices, and execute code on them.
“For device credentials, device authentication, this is not as relevant and not as explored. And because of that, we see a lot of times where this exact scenario of impersonating a device or using device credentials may be badly generated, and badly stored device credentials, as the starting point of our attack is very, very common,” Moshe said.
“And I think this is the core issue here and in many different research [projects] we've done in the past, where while user authentication is very good, very tight, but the device point of view is less explored,” Moshe added. “And I think that this is only made more serious when we're talking about IoT or devices that by default the vendor thinks is under their control.”
Ruijie, like other vendors, would not view its own devices as rogue and would inherently trust them. An attacker who is able to impersonate these devices is in a powerful, trusted position and can carry out attacks with the privileges the cloud grants to a trusted device.
“It resonates with me the idea where devices and the cloud infrastructure as a whole have this kind of trust relationship that maybe—I wouldn't say lacks suspicion—in some cases there is some kind of trust between the device and the cloud that the other entity is who it's supposed to be,” Goldschmidt said.
In the case of Ruijie, only a serial number was required—information that was readily leaked by the device—to assume the identity of the device.
“Then you can also do some intricate stuff with regards to cloud communication with other devices,” Goldschmidt said. “So the whole relationship between device and cloud infrastructure is actually very prone and very risky turf, I would say.”
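To make the weakness concrete, here is an added illustration (not Ruijie's protocol or Team82's code) contrasting serial-number-only device authentication with a mutual challenge-response scheme built on a per-device secret. The registry, serial, and secret values are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed registry: the cloud stores each device's serial and a per-device
# secret provisioned at manufacture. All values are hypothetical.
REGISTRY = {"SN-0001": b"per-device-secret-0001"}


def weak_cloud_accepts(serial):
    """Serial-only 'authentication': whoever learns the serial is the device."""
    return serial in REGISTRY


def _tag(secret, role, serial, nonce):
    # The role label stops a device proof from being replayed as a cloud proof.
    return hmac.new(secret, role + b"|" + serial.encode() + b"|" + nonce,
                    hashlib.sha256).digest()


def cloud_verify_device(serial, cloud_nonce, device_tag):
    secret = REGISTRY.get(serial)
    return secret is not None and hmac.compare_digest(
        device_tag, _tag(secret, b"device", serial, cloud_nonce))


def cloud_respond(serial, device_nonce):
    return _tag(REGISTRY[serial], b"cloud", serial, device_nonce)


def handshake(serial, device_secret, rogue_cloud=False):
    """Mutual challenge-response. rogue_cloud=True models an impersonating
    cloud that knows the public serial but not the provisioned secret."""
    cloud_nonce, device_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    device_tag = _tag(device_secret, b"device", serial, cloud_nonce)
    if rogue_cloud:
        device_ok = True                       # a rogue cloud accepts anyone
        cloud_tag = secrets.token_bytes(32)    # no secret, so it can only guess
    else:
        device_ok = cloud_verify_device(serial, cloud_nonce, device_tag)
        cloud_tag = cloud_respond(serial, device_nonce) if device_ok else b""
    # Device side: the cloud must prove it holds this device's secret too.
    cloud_ok = hmac.compare_digest(
        cloud_tag, _tag(device_secret, b"cloud", serial, device_nonce))
    return {"device_authenticated": device_ok, "cloud_authenticated": cloud_ok}
```

With only a leaked serial, the weak check passes while the mutual handshake fails in both directions; a rogue cloud is likewise rejected by the device because it cannot produce the cloud-side tag.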
Ruijie has addressed all 10 vulnerabilities in its cloud infrastructure, and no action is required by users to remediate.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.