Cybersecurity

Discontinued for 17 years, Boa web server still used for IoT devices—exposing massive security vulnerabilities

Attacks on Indian energy infrastructure can be tied to the open-source web servers, Microsoft researchers say.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

An embedded application vulnerability may have allowed hackers to snake their way into Indian energy systems, most recently against Tata Power Company in October. That attack, according to the company, impacted IT systems but did not affect critical operational systems.

The attack came via Boa web servers—open-source tech that had maintenance discontinued in 2005 but is still used in embedded systems around the world. Boa vulnerabilities can allow adversaries to access systems and remotely execute code.

Adversaries allegedly tied to China are suspected of continually intruding upon Indian energy infrastructure since September 2021, according to a report last April from Recorded Future, though it’s unclear what damage, if any, they’ve done. Hackers targeted seven State Load Dispatch Centers (SLDCs), similar to the February 2021 attacks by the China-based RedEcho group that compromised 10 Indian power sector organizations but did not reportedly succeed in causing any damage.

Coiled and ready to strike. A November report from Microsoft Security Threat Intelligence laid out the concerns over Boa vulnerabilities. The team identified over 1 million compromised, internet-exposed Boa servers in just one week, the bulk of which were in India. Vietnam, Brazil, South Africa, and the US also had a large number of the servers.

“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” according to the report. “Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”

The Boa vulnerabilities have not stemmed its use in SDKs around the world, despite the danger.

“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network,” the Microsoft researchers wrote. “Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated.”
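The two quoted passages describe an inventory problem: organizations do not know which of their devices embed Boa, and a firmware update does not tell them whether the bundled SDK component changed. As an added illustration (not IT Brew’s or Microsoft’s code), the script below performs the cheapest defender-side check for that: it reads the `Server` header out of HTTP responses captured from devices you own, and searches a firmware image for the same banner when the web service is not reachable. All hosts, responses, version strings and the firmware fragment are constructed sample values.

```python
"""Asset-inventory check for the discontinued Boa web server.

Added example, not code from the article or from Microsoft. Assumes only that Boa
identifies itself as "Boa" or "Boa/<version>" in the HTTP Server header; all sample
data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "Boa" must be a whole word so that e.g. "Boardroom/1.0" is not flagged.
BOA_BANNER = re.compile(r"\bBoa\b(?:/([0-9][^\s;,()]*))?", re.IGNORECASE)


@dataclass
class Finding:
    asset: str                  # hostname/IP, or firmware image name
    evidence: Optional[str]     # Server header value or matched banner
    version: Optional[str]      # Boa version if it was advertised
    runs_boa: bool


def parse_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP/1.x response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # first line is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def assess_response(asset: str, raw_response: str) -> Finding:
    """Classify one captured HTTP response from a device in our inventory."""
    server = parse_server_header(raw_response)
    if server is None:
        return Finding(asset, None, None, False)
    m = BOA_BANNER.match(server)
    if m is None:
        return Finding(asset, server, None, False)
    return Finding(asset, server, m.group(1), True)


def scan_firmware_blob(asset: str, blob: bytes) -> Finding:
    """Look for the Boa banner inside a firmware image, for component review
    before deployment or when the HTTP service itself cannot be queried."""
    m = re.search(rb"Boa/([0-9][\x21-\x7e]*)", blob)   # version ends at first non-printable
    if m is None:
        return Finding(asset, None, None, False)
    return Finding(asset, m.group(0).decode("ascii"), m.group(1).decode("ascii"), True)


# Constructed captures from hypothetical lab devices (addresses and versions are made up).
SAMPLE_RESPONSES = {
    "10.0.0.11": ("HTTP/1.0 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
                  "Content-Type: text/html\r\n\r\n<html></html>"),
    "10.0.0.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "10.0.0.13": "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "10.0.0.14": ("HTTP/1.0 401 Unauthorized\r\nserver: boa\r\n"
                  "WWW-Authenticate: Basic realm=\"cam\"\r\n\r\n"),
}
# Constructed firmware fragment: a banner string embedded among other data.
SAMPLE_FIRMWARE = b"\x7fELF\x01\x01\x01\x00Boa/0.94.13\x00/etc/boa/boa.conf\x00"


def run_inventory() -> list[Finding]:
    """Assess every sample response, then the sample firmware image."""
    findings = [assess_response(a, r) for a, r in SAMPLE_RESPONSES.items()]
    findings.append(scan_firmware_blob("camera_fw_v2.bin", SAMPLE_FIRMWARE))
    return findings


if __name__ == "__main__":
    for f in run_inventory():
        status = "DISCONTINUED Boa" if f.runs_boa else "ok"
        print(f"{f.asset:18} {status:18} {f.evidence or '-'}")
```

A hit here is strong evidence, but a miss is not a clean bill of health: a reverse proxy or a rebuilt banner can hide the header, which is why the byte-level scan of the firmware image is worth running alongside the live check. Either result should feed the device’s component list so that the next firmware update can be compared against it rather than assumed to have replaced the web server.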

Microsoft declined to comment for this story.

Antivenom. While Boa is notable for having been discontinued 17 years ago, it’s not the only example of out-of-date, unpatched vulnerabilities that can lead to malware and device insecurity. CVEs are found throughout industrial software and hardware and teams should take a proactive approach to managing the security flaws before they’re used by adversaries, the Microsoft researchers warned.

“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations,” the researchers wrote. “This case displays the importance of proactive cyber security practices and the need to identify vulnerable components that may be leveraged by attackers.”—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.