Wednesday, February 26, 2025

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins


Researchers discovered multiple vulnerabilities in Ruijie Networks’ cloud-connected devices. By exploiting these vulnerabilities, attackers can remotely compromise access points, gain unauthorized access to internal networks, and execute arbitrary code on affected devices. 

The “Open Sesame” attack demonstrates a practical scenario where an attacker can leverage physical proximity to a Ruijie Reyee OS access point to steal identifiers, compromise the device through the cloud, and ultimately gain remote control over it. 

An airport with an access point made by Ruijie, used for Wi-Fi network access.

Ruijie Networks is a global provider of networking solutions, including switches, access points, and cloud services. The researchers focused on Ruijie’s Reyee cloud platform as a potential attack vector for remotely compromising devices.


By exploiting vulnerabilities in the cloud platform, attackers could gain unauthorized access to devices such as access points even when those devices sit behind firewalls and NAT, which highlights the importance of securing cloud-based management platforms to protect connected devices from remote attacks.

Network architecture of the attack.

Ruijie’s cloud-based management portal allows remote device management and configuration, where devices connect to the cloud via serial number pairing and are claimed by registered users. 

Firmware updates are downloaded from Ruijie’s website but are encrypted; by exploiting a device vulnerability, the researchers obtained the decryption binary, rg-upgrade-crypto.

They ran that binary under QEMU emulation to decrypt the firmware, which exposed its internal structure, including the Linux kernel and the root filesystem.

The Ruijie firmware download page.

Ruijie devices communicate with the cloud over MQTT, and each device’s MQTT credentials are generated from its serial number.

By reverse-engineering the firmware, the researchers found that the credential generation process lets anyone who holds a leaked serial number authenticate to the MQTT broker. This vulnerability, CVE-2024-45722, compromises device security and enables unauthorized access to the cloud.

A script connecting to Ruijie’s MQTT broker.

Ruijie’s MQTT broker exposed a second critical weakness, which allowed unauthorized access to sensitive device information.

By exploiting wildcard subscriptions, attackers could intercept messages sent to and from devices, including device serial numbers and cloud-issued commands. This enabled attackers to impersonate the cloud, execute arbitrary code on any connected device, and potentially compromise entire networks.

A sample from a list of tens of thousands of Ruijie device serial numbers.
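The two broker-side failures described above, credentials that can be recomputed from a public serial number and subscriptions that are not confined to the subscribing device, are both things a cloud operator can check for on the broker. The following is an added example written for this article, not Ruijie’s code or the researchers’ script: it contrasts a serial-only derived password with a credential bound to a secret only the cloud holds, and implements a per-device topic ACL that refuses wildcard filters and cross-device topics. The topic layout (`dev/<serial>/cmd`, `dev/<serial>/evt`), the serial values, and the cloud key are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Topic layout assumed for this example only (not taken from Ruijie's protocol):
#   dev/<serial>/cmd   cloud -> device commands (device subscribes)
#   dev/<serial>/evt   device -> cloud telemetry (device publishes)
TOPIC_PREFIX = "dev"
SUBSCRIBE_LEAVES = {"cmd"}
PUBLISH_LEAVES = {"evt"}


def weak_password(serial: str) -> str:
    """Anti-pattern: a password derived from nothing but the public serial.

    Anyone who learns the serial (a beacon, a leaked list) can recompute it,
    so the serial effectively *is* the password. Constructed illustration,
    not the vendor's actual derivation.
    """
    return hashlib.sha256(serial.encode()).hexdigest()[:16]


def provision_credential(serial: str, cloud_key: bytes) -> str:
    """Hardened: bind the credential to a key that never leaves the cloud.

    The device stores the resulting value at provisioning time; the broker
    recomputes it on login. Knowing the serial alone is no longer enough,
    and a compromised device does not reveal cloud_key (HMAC is one-way).
    """
    return hmac.new(cloud_key, serial.encode(), hashlib.sha256).hexdigest()


def authenticate(serial: str, presented: str, cloud_key: bytes) -> bool:
    """Broker-side login check using a constant-time comparison."""
    expected = provision_credential(serial, cloud_key)
    return hmac.compare_digest(expected, presented)


def _own_topic(client_serial: str, topic: str, allowed_leaves: set) -> bool:
    parts = topic.split("/")
    return (
        len(parts) == 3
        and parts[0] == TOPIC_PREFIX
        and parts[1] == client_serial
        and parts[2] in allowed_leaves
    )


def authorize_subscribe(client_serial: str, topic_filter: str) -> bool:
    """Per-device subscribe ACL.

    MQTT wildcards ('#' and '+') are refused outright, so no client can
    listen to every device's command channel; the remaining filter must
    name exactly this client's own command topic.
    """
    if "#" in topic_filter or "+" in topic_filter:
        return False
    return _own_topic(client_serial, topic_filter, SUBSCRIBE_LEAVES)


def authorize_publish(client_serial: str, topic: str) -> bool:
    """Per-device publish ACL: a device may only emit on its own telemetry topic,
    never on a command topic, so it cannot impersonate the cloud to a peer."""
    return _own_topic(client_serial, topic, PUBLISH_LEAVES)


if __name__ == "__main__":
    key = b"constructed-cloud-key"          # constructed sample, not a real key
    sn = "REYEE-SN-0001"                    # constructed sample serial
    print("serial-only password accepted:", authenticate(sn, weak_password(sn), key))
    print("provisioned credential accepted:", authenticate(sn, provision_credential(sn, key), key))
    print("wildcard subscribe allowed:", authorize_subscribe(sn, "dev/+/cmd"))
    print("own cmd subscribe allowed:", authorize_subscribe(sn, f"dev/{sn}/cmd"))
```

On a real broker the same two checks live in its authentication backend and its ACL file or plugin; the example keeps them as plain functions so the decision logic is visible and testable.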

Team82 discovered a vulnerability in Ruijie access points that allows attackers to remotely execute code on the device. By sniffing Wi-Fi beacons, attackers can obtain the device’s serial number.

Leveraging vulnerabilities in Ruijie’s MQTT communication, attackers can impersonate the cloud and send malicious commands to the target device, gaining remote access to the internal network. 


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
