As part of Fitsec's service offering, our labs conduct device audits and research to find new vulnerabilities that might affect our customers. Fitsec's labs come across a wide variety of devices, ranging from consumer products to enterprise devices. In the past, these have included devices such as utility grid monitoring equipment (electricity & water), routers, smartphones and even engine control units (ECUs).
During December 2022 we had an internal training session where the objective was to find vulnerabilities in common IoT devices.
For this purpose we purchased a few units of Zyxel NBG-418N V2 home routers, as they were on the low-end in terms of price and features, which makes them popular for consumers and small businesses alike.
To begin with, we dumped the firmware from the internal Macronix EEPROM chip. We reverse engineered the bootloader in order to gain access to the actual code that was being run on the device.
After dumping the firmware, a UART connection was also established to capture logs.
We were able to discover 5 unique vulnerabilities in the target device:
- XSS (Cross-site scripting) in the web management interface
- Persistent XSS in the web management interface
- Kernel stack overflows in the CLI (Command Line Interface) app
- Kernel format string vulnerabilities
- Denial of service condition (kernel crash and reboot)
The first issue was already known to Zyxel, but the other 4 were new vulnerabilities.
Based on our findings and reporting, Zyxel has released a firmware update and a security advisory. In case you have a vulnerable device in use, we recommend updating the device to the latest firmware.