Please see NetComm firmware (version 126.96.36.199) on the NetComm site and the release notes from the same.
Carve Systems consultants performed, and continue to perform, research on a number of IoT devices. The Carve Systems team coordiantes its disclosure with vendors when at all possible. This advisory is for the NetComm Wireless NWL-11 device. The consultants performed research against the device running the 03.001 version of the firmware. The consultants discovered numerous security findings and disclosed these findings to the vendor.
- 3/14/16 – Initial contact email sent to vendor.
- 3/14/16 – Received email from vendor contact with gpg key for further communication. Vulnerabilities communicated to NetComm.
- 3/22/16 – Followup email to NetComm asking if all issues are clear and general status. Contact responds with internal tracking numbers and will follow up with timeline for fix.
- 5/18/16 – NetComm sends updated firmware image for testing.
- 5/26/16 – Carve re-tests and closes 3 issues on new firmware version.
- 6/9/16 – Coordinated public disclosure.