Discontinued web server leads to supply chain risks in IoT devices

Although the Boa web server has been discontinued since 2005, it remains pervasive in the world of IoT devices. Device vendors and SDK publishers still implement it across embedded devices, from routers to cameras. To this day, over 1 million Boa web servers are exposed to the Internet on devices, where they are used to access settings, management consoles, and sign-in screens.

The global success of the discontinued server clashes with the threats it poses, as Boa servers are affected by several vulnerabilities, from arbitrary file access in routers to information disclosure from corporate and manufacturing assets connected to IoT devices.

A new investigation by Microsoft demonstrates how Boa’s vulnerabilities are distributed downstream to organizations and their assets in an insecure IoT device supply chain. Among preventive measures, Microsoft recommends patching vulnerable devices and reducing the attack surface of IoT devices. If those recommendations sound familiar, it’s because they are also the tenets of Ubuntu Core, the operating system optimised for security and IoT devices.

Read the original report highlighting the cyber threats to critical infrastructure, and Microsoft’s blog post disclosing that the vulnerable component in the attacks was the Boa web server.

