IoT cloud cracked by 'Open Sesame' over-the-air attack

Researchers at Black Hat Europe demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device.

2 Min Read
Source: Hilke Maunder via Alamy Stock Photo

Internet of Things (IoT) vendor Ruijie Networks has shored up its Reyee cloud management platform against 10 newly discovered vulnerabilities that could have given adversaries control of thousands of connected devices in a single cyberattack.

The Fuzhou, China-based infrastructure maker's Ruijie Networks devices, are commonly used to provide free Wi-Fi in public settings like airports, schools, shopping malls, and governments across more than 90 countries.

A pair of researchers from Claroty Team82 have developed an attack they named "Open Sesame" that they used to successfully take control of Rujie Networks devices through its cloud-based Web management portal for remote monitoring and configuration.

"The Ruijie Reyee cloud platform lets admins remotely manage their access points and routers," researchers Noam Moshe and Tomer Goldschmidt explained in a statement. "By exploiting these vulnerabilities, attackers could access these devices and the internal networks to which they connect. Our research found tens of thousands of potentially affected devices worldwide."

Moshe and Goldschmidt presented their findings in a presentation titled "The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices" at Black Hat Europe 2024 this week.

Of the 10 CVEs outlined by a new Claroty Team82 report, all of which have been patched by Ruijee, three received CVSS scores of 9 or higher: CVE-2024-47547, a weak password recovery bug with a CVSS score of 9.4; CVE-2024-48874, a server-side request forgery vulnerability with a CVSS score of 9.8; and CVE-2024-52324, flagged as a "use of inherently dangerous function," also with a 9.8 CVSS score.

"The most serious vulnerability we discovered was the vulnerability allowing devices to impersonate the Ruijie cloud platform, sending commands to other devices," the Clarity researchers said.

The collection of bugs allowed remote code execution (RCE) on devices connected to the Ruijie cloud platform, they explained.

To read the complete article, visit Dark Reading.

Subscribe to receive Urgent Communications Newsletters
Catch up on the latest tech, media, and telecoms news from across the critical communications community