The abandonment of old open source software is not without consequences. Microsoft reveals in a blog post having detected several attacks targeting a component of Boa, a server software abandoned in 2005. This is still widely used in several ranges of routers and security cameras, but also by certain popular SDKs allowing to operate systems on a chip .
The flaws allow access to very sensitive data (such as passwords), but also to execute unauthorized code. The Redmond firm realized the extent of the problem while investigating attacks targeting Indian power grids. These attacks specifically targeted IoT devices running Boa and therefore being subject to critical unpatched vulnerabilities.
Microsoft notes that since no one is developing Boa anymore, its known flaws can allow hackers to quietly harvest a lot of data. Boa is often used to access configuration and management consoles as well as device login screens.
According to Microsoft, the risks associated with Boa might relate to “ millions of organizations and devices “. He adds that users may not be aware that Boa components are used by the products and therefore have vulnerabilities that cannot be fixed by software updates.
Solving the problem is complicated: Boa remains widely used and “hides” in connected equipment. The company recommends that manufacturers and network operators patch vulnerable devices when possible and work to identify devices that can be easily hijacked.