The enterprise equation for the past few years has been the rise of mobile and the decline of desktop devices. Reaching a company's data by connecting to its network from home or from work, through a variety of devices, has become the norm. This has led to a host of companies touting the benefits of BYOD (Bring Your Own Device), along with the policies, procedures and processes needed to adapt to a changing environment. The idea behind BYOD is that people want their data where they are, not where they work. However, this can expose a company to huge risk: with BYOD, not only may the device itself be vulnerable, but so may the network through which it reaches the internet, typically a consumer router that the company never selected, configured or patched.
An example of this surfaced as recently as last month, when a backdoor in several home and small-business routers was disclosed in a GitHub post by the French hacker Eloi Vanderbeken. Eloi uploaded a PowerPoint presentation to GitHub describing the backdoor, which he found not only in five different Linksys DSL modem/routers but also in a number of Netgear, Cisco and SerComm home and business boxes. He noticed his router answering on TCP port 32,764 (TCP allows for 65,535 ports) and later found that other routers answered on it as well. Usually a router does not respond to an unsolicited incoming request on a random port: it either ignores it, processes it itself, or passes it along to one of the computers on the network, and most likely it is ignored. In this case, however, the service listening on port 32,764 accepted commands with no authentication at all, and Eloi was able to use it to reset the router to its factory defaults and then log in as administrator.
What this means is that anyone who can reach that port can read the router's stored configuration and issue commands to the router without ever authenticating. So while devices are sending and receiving traffic through the router, another device on the same network can pull data out of it through port 32,764. The caveat is that, on the devices Eloi examined, the port was reachable from the inside of the network, so the attacker has to be connected to the same router to use it; some models were later reported to expose the port on the internet-facing side as well, which makes the exposure far worse. Whether a particular router is affected is easy to check: no legitimate service uses that port, so a listener on 32,764 is a finding in itself.
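The check described above, as an added example that is not part of the original post and not Eloi Vanderbeken's own proof-of-concept: a small Python script that probes a gateway (or sweeps a list of hosts) for a listener on TCP 32,764 without sending any of the backdoor's own commands, and a detection routine that picks connection attempts to that port out of iptables-style firewall log lines. The log lines, the 192.168.1.1 gateway address, the `MMcS`/`ScMM` header magic check and the local stand-in "router" are constructed for the demo; the real service waits for a request rather than announcing itself, so a vulnerable router will normally be reported as `open`, which is already the finding.

```python
import re
import socket
import threading

BACKDOOR_PORT = 32764
HEADER_LEN = 12  # 4-byte magic + 4-byte message type + 4-byte payload length
MAGICS = (b"MMcS", b"ScMM")  # the header magic in both byte orders


def probe_backdoor(host, port=BACKDOOR_PORT, timeout=2.0):
    """Return 'closed', 'open' or 'open-backdoor' for host:port.

    Nothing is sent: any listener on 32764 is already a finding, and the
    backdoor's message types (reset, config dump, command execution) are
    never issued.  The real service waits for a request, so a vulnerable
    router normally shows as 'open'; 'open-backdoor' only appears if the
    listener volunteers a header carrying the ScMM/MMcS magic.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(HEADER_LEN)
            except socket.timeout:
                banner = b""
    except OSError:  # refused, unreachable, or filtered (connect timed out)
        return "closed"
    return "open-backdoor" if banner[:4] in MAGICS else "open"


def sweep(hosts, port=BACKDOOR_PORT, timeout=1.0):
    """Probe every host and return {host: verdict} for the ones that listen."""
    findings = {}
    for host in hosts:
        verdict = probe_backdoor(host, port, timeout)
        if verdict != "closed":
            findings[host] = verdict
    return findings


# Detection side: iptables-style LOG lines (constructed sample, not real traffic).
SAMPLE_LOG = """\
Jan 13 09:12:01 gw kernel: IN=br0 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=51234 DPT=32764 SYN
Jan 13 09:12:02 gw kernel: IN=br0 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=51235 DPT=443 SYN
Jan 13 09:12:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=4444 DPT=32764 SYN
Jan 13 09:12:07 gw kernel: IN=br0 OUT= SRC=192.168.1.40 DST=192.168.1.1 PROTO=UDP SPT=5353 DPT=5353
"""
_KV = re.compile(r"(\w+)=(\S*)")


def find_backdoor_probes(log_text, port=BACKDOOR_PORT):
    """Return (interface, src, dst) for each TCP connection attempt to `port`.
    An attempt arriving on the WAN interface (eth0 here) means the port is
    being probed from the internet, not just from a guest on the LAN."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(_KV.findall(line))
        if fields.get("PROTO") == "TCP" and fields.get("DPT") == str(port):
            hits.append((fields.get("IN", ""), fields["SRC"], fields["DST"]))
    return hits


def start_fake_service(banner=b"MMcS" + bytes(8)):
    """Local stand-in for a vulnerable router (an assumption for the demo, not a
    real device): sends a 12-byte header and closes.  Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_service()
    print("fake router:", probe_backdoor("127.0.0.1", port))
    print("gateway 192.168.1.1:", probe_backdoor("192.168.1.1"))  # your real gateway
    for iface, src, dst in find_backdoor_probes(SAMPLE_LOG):
        print(f"32764 probe on {iface}: {src} -> {dst}")
```

Run it from a laptop on the network in question with the gateway address substituted; a verdict other than `closed` on 32,764 means the router should be pulled from service or re-flashed, and the log routine can be pointed at a real `iptables -j LOG` feed once a rule logging `--dport 32764` is in place.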
However, all it takes is one machine inside the firewall, and then the whole network is at risk. Authentication (single- or multi-factor) on the company's own services solves part of the problem, but it still leaves open the possibility that invited guests can reach company data through the network equipment itself. For example, imagine a company holds a meeting and lets its guests onto its network. Any of those guests could take advantage of a vulnerability like port 32,764 on the router, reset it or pull its configuration, and from there compromise the entire network.
What should concern companies is that vulnerabilities like this in consumer products can easily cause problems within the enterprise because of the rise of telecommuting and BYOD. Employees want their data wherever they happen to be, and at the same time companies expect their employees to be constantly connected from anywhere. With consumer product vulnerabilities in the picture, processes and policy may change so that companies start to trust no one. I believe that larger companies are going to start making a "Trust No One" policy the norm, as long as they can make the case that it is part of running a successful business. There is no longer a point at which you can assume any connected device is safe.
A few years ago we were talking about bringing smartphones and tablets into the enterprise; nowadays the chatter is whether companies should adopt the cloud or keep growing their own private servers. Incidents like port 32,764 remind us, however, that enterprise security extends to consumer-grade products. Enterprise companies will soon see the need for more rigorous authentication and for networks designed on the assumption that no connected device, and no home router behind it, can be trusted, so that information and data are not leaked.