Ruijie Networks, an Internet of Things (IoT) vendor based in Fuzhou, China, recently took action to address 10 vulnerabilities in its Reyee cloud management platform. These vulnerabilities posed a significant risk, potentially allowing malicious actors to take control of thousands of connected devices in a single cyberattack. Ruijie Networks’ devices are widely used to provide free Wi-Fi in public spaces such as airports, schools, shopping malls, and government buildings in over 90 countries.
The vulnerabilities were uncovered by researchers from Claroty Team82, who developed an attack dubbed “Open Sesame” that exploited weaknesses in Ruijie Networks’ cloud-based Web management portal. This portal is used for remote monitoring and configuration of access points and routers. By leveraging these vulnerabilities, attackers could gain unauthorized access to these devices and the internal networks they are connected to. The researchers estimated that tens of thousands of devices worldwide could be affected by these security flaws.
At the Black Hat Europe 2024 conference, Noam Moshe and Tomer Goldschmidt from Claroty Team82 presented their findings in a session titled “The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices.” The vulnerabilities identified in the report have since been patched by Ruijie Networks to mitigate the risks they posed. Among the vulnerabilities disclosed, three received high CVSS scores of 9 or higher, indicating their severity and potential impact.
One of the most critical vulnerabilities allowed devices to impersonate the Ruijie cloud platform, enabling them to send malicious commands to other devices. This exploitation could lead to remote code execution (RCE) on devices connected to the Ruijie cloud platform, granting attackers full control through legitimate cloud functionality. The research team emphasized that attackers could exploit weak authentication mechanisms to obtain valid device credentials and escalate their privileges.
While the prospect of commandeering over 50,000 IoT devices simultaneously may seem tempting, the Claroty researchers suggested that most threat actors would opt for a more discreet approach. Rather than attracting attention by mass-exploiting devices, attackers could target specific devices in specific locations to fly under the radar. To demonstrate the potential impact of these vulnerabilities, the researchers devised the Open Sesame attack scenario, showcasing how an attacker could compromise a Ruijie device using only its serial number.
To execute the Open Sesame attack, an attacker would need to be in proximity to a Wi-Fi network equipped with Ruijie access points. By intercepting the raw beacons transmitted by the network, the attacker could extract the device’s serial number and exploit vulnerabilities in Ruijie’s MQTT communication to send malicious commands to the target device. This chain of events could result in the attacker gaining unauthorized access to the device’s internal network, highlighting the security risks associated with cloud-connected IoT devices.
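The two weaknesses the article describes, a device able to act as the cloud toward other devices and device credentials that weak authentication lets an attacker obtain, correspond to two missing controls: broker-side MQTT topic authorization and per-device authentication of cloud commands. The following is an added illustration of both in Python (example code, not Ruijie's or Claroty's); the topic layout, the per-device key provisioning, and the two-device scenario are assumptions made for this example, not details from the report.

```python
"""Added example (not the vendor's code): a minimal model of (1) broker-side
topic authorization so a device cannot publish commands to peers, and (2)
per-device command authentication so a peer cannot impersonate the cloud.
Topic layout and key provisioning are assumptions made for this example."""
import hashlib
import hmac
import json
import re
import secrets
from dataclasses import dataclass, field

# Assumed topic layout (hypothetical, not the vendor's real scheme):
#   devices/<serial>/cmd        cloud -> device commands
#   devices/<serial>/telemetry  device -> cloud reports
TOPIC_RE = re.compile(r"^devices/([A-Z0-9]+)/(cmd|telemetry)$")


@dataclass(frozen=True)
class Principal:
    kind: str           # "cloud" or "device"
    serial: str = ""    # set for device principals only


def authorize(principal: Principal, action: str, topic: str) -> bool:
    """Broker ACL: only the cloud may publish to any cmd topic; a device may
    only subscribe to its own cmd topic and publish to its own telemetry."""
    m = TOPIC_RE.match(topic)
    if m is None or action not in ("publish", "subscribe"):
        return False
    serial, kind = m.groups()
    if principal.kind == "cloud":
        return (action, kind) in {("publish", "cmd"), ("subscribe", "telemetry")}
    if principal.kind == "device" and principal.serial == serial:
        return (action, kind) in {("subscribe", "cmd"), ("publish", "telemetry")}
    return False


def provision_key() -> bytes:
    """Per-device command key, generated at provisioning and stored by the cloud
    keyed on the serial. It is random, not derived from the serial, so a serial
    observed in a Wi-Fi beacon reveals nothing about the key."""
    return secrets.token_bytes(32)


def sign_command(key: bytes, serial: str, seq: int, command: dict) -> str:
    """HMAC over the canonical (serial, seq, command) tuple."""
    body = json.dumps({"serial": serial, "seq": seq, "cmd": command},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


@dataclass
class Device:
    serial: str
    key: bytes
    last_seq: int = -1
    executed: list = field(default_factory=list)

    def handle_command(self, msg: dict) -> bool:
        """Execute only commands addressed to this device, newer than the last
        accepted one (replay protection) and carrying a valid MAC."""
        if msg.get("serial") != self.serial or msg.get("seq", -1) <= self.last_seq:
            return False
        expected = sign_command(self.key, msg["serial"], msg["seq"], msg["cmd"])
        if not hmac.compare_digest(expected, msg.get("sig", "")):
            return False
        self.last_seq = msg["seq"]
        self.executed.append(msg["cmd"])
        return True


def demo() -> dict:
    """Constructed scenario: two devices and one cloud; peer A tries to
    command B at the broker layer and, failing that, with a forged MAC."""
    cloud = Principal("cloud")
    a, b = Principal("device", "SN0001"), Principal("device", "SN0002")
    key_a, key_b = provision_key(), provision_key()
    dev_b = Device(b.serial, key_b)
    cmd = {"op": "set_ssid", "ssid": "guest"}
    results = {
        "cloud_may_command_b": authorize(cloud, "publish", "devices/SN0002/cmd"),
        "a_may_command_b": authorize(a, "publish", "devices/SN0002/cmd"),
        "a_may_read_own_cmds": authorize(a, "subscribe", "devices/SN0001/cmd"),
    }
    # Device layer: even if the broker ACL were bypassed, B verifies the MAC.
    genuine = {"serial": "SN0002", "seq": 1, "cmd": cmd,
               "sig": sign_command(key_b, "SN0002", 1, cmd)}
    forged = {"serial": "SN0002", "seq": 2, "cmd": cmd,
              "sig": sign_command(key_a, "SN0002", 2, cmd)}  # A only holds its own key
    results["genuine_accepted"] = dev_b.handle_command(genuine)
    results["replay_rejected"] = not dev_b.handle_command(genuine)
    results["forged_rejected"] = not dev_b.handle_command(forged)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the two layers is defence in depth: the broker ACL stops a compromised device from ever reaching a peer's command topic, and the per-device key means that even a message that does arrive cannot pass verification unless it came from the party holding that device's key. Both controls fail if the key is derived from the serial, since the serial is exactly what a nearby observer can read from beacons.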
Overall, the research conducted by Team82 underscores the vulnerabilities present in IoT devices that rely on cloud infrastructure for management and connectivity. By exposing these weaknesses, the report serves as a reminder of the importance of securing IoT networks and addressing potential threats posed by insecure cloud connections. Moving forward, efforts to strengthen the security of IoT devices and cloud platforms will be crucial in safeguarding against cyber threats in an increasingly interconnected world.
