Open to remote takeover: Kiwi finds ‘critical vulnerability’ with US giant’s wi-fi gear

Image / NZ Herald

A young Kiwi “penetration tester” has revealed he discovered a ‘critical vulnerability’ in wi-fi access points made by a US giant and popular with schools, hospitals and Government agencies.

The security flaw in Aerohive brand wi-fi gear provided a backdoor for hackers to potentially break into an organisation’s network, steal data and maintain access long-term.

The vulnerability was discovered by Lachlan Davidson, a security consultant with Auckland-based Aura Information Security (which has been a division of Kordia since it was bought by the SOE six years ago).

Aerohive was bought by Nasdaq-listed Extreme Networks (market cap: US$3.5 billion) in 2019.

Aerohive’s devices are used both in New Zealand and globally for a wide range of wireless networking solutions in enterprise and high-performance environments – such as schools, universities, hospitals, offices, and government organisations, according to Aura.

“Network devices are often attractive to threat actors, as they act as entrances into your network. Once a hacker gains access, they could dwell there for some time – exploring your network, intercepting traffic and performing attacks against the rest of your infrastructure,” says Davidson.

Davidson alerted Extreme Networks to the vulnerability and did not publish his research on the issue until the US firm had been able to assess it and issue a fix.

And the US firm did thank the Kiwi in a July 14 security advisory (which also included links to the patch to fix the problem).

“Extreme Networks acknowledges and thanks Lachlan Davidson from Aura Information Security for reporting this vulnerability to Extreme under coordinated vulnerability disclosure protocols,” a security advisory on its website said.

The rationale for keeping it under his hat was obvious: the Kiwi “white hat” hacker did not want to alert cybercriminals that they could take remote control of Aerohive gear and use it as a back door to raid data.

But according to a timeline published by Davidson, it took 120 days from when Aura first contacted Extreme Networks (on March 13) until the US firm had fixed the issue and was ready to disclose it to customers.

Davidson said he originally planned to publish his findings on June 19, but Extreme Networks twice asked for an extension. He says the US firm advised on June 8 that it was unable to replicate the issue and asked for a meeting with Aura, but on June 13 it advised the meeting was no longer necessary.

Even with the delays, Davidson said Extreme Networks had advised that older, end-of-service Aerohive gear would not be patched until later this year.

The Herald has asked the US firm for comment.

Wunderkind

Davidson - in his “early 20s” - said his curiosity was piqued after seeing Aerohive devices in many enterprise settings, as well as March 2021 research by fellow Aura consultant Jordan Smith into the functionality of the access points.

“Organisations frequently decommission these Aerohive devices out of old offices and sell them online, so you can get hold of one for fairly cheap,” Smith wrote at the time. He was able to generate passwords to open a “magic backdoor” to Aerohive gear he tested.

A promo for a July YTech NZ “for youth, by youth” event, co-sponsored by the Ministry billed Davidson as a self-taught wunderkind: “As a web penetration testing specialist for Aura Information Security, Lachlan is crazy about all things security. He loves nothing more than compromising a server or dumping a database. Having joined the industry with a web development background, but no formal qualifications, Lachlan rose from zero to hero at one of New Zealand’s leading security firms.

“Lachlan was recruited in June 2020 as Aura recognised his talent in cyber security,” an Aura spokeswoman said.

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.