Hackers penetrate energy systems via outdated Boa web server of IoT components

Sicherheit (Pexels, allgemeine Nutzung)[German]Many vendors use outdated software components in their IoT components. Microsoft has now presented a case in which a web server that was discontinued in 2005 was misused to penetrate the systems of Indian power grid via vulnerabilities. The background is that this obsolete software is still used in IoT components.


The Boa web server

Boa was a free, lightweight web server which was suitable for use in embedded systems, among other things. Originally written by Paul Phillips, it was maintained by Larry Doolittle and Jon Nelson until the project was discontinued in 2005. The server operated on a single thread, unlike most other web servers, such as the Apache web server. Its minimalist approach made it suitable for use on low-powered hardware. In addition to the delivery of static content, Boa was also capable of delivering dynamic content. For this purpose, third-party software could be connected via CGI, which processed user input and generated dynamic output.

Attacks on Indian power grid

The website The Recorded Future reported on ongoing attacks on India's power grid as early as April 2022 in the article  Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. The campaign was allegedly carried out by Chinese state-sponsored hackers (RedEcho) and targeted the Indian power sector.

The activities were identified through a combination of large-scale automated analysis of network traffic and expert analysis. The analysis underlying the above report indicates that common IoT devices are being used as a vector for attacks to gain a foothold in operational networks and distribute malicious payloads.

Microsoft addresses the issue

In investigating the attack activity outlined above, Microsoft researchers identified a vulnerable component on all IP addresses published as Indicator of Compromise (IOCs) and found evidence of a supply chain risk that could affect millions of enterprises and devices.

That's because Microsoft found that a Boa web server is used to access settings and management consoles and login screens in IoT devices. There are vulnerabilities in this software, as development of the Boa web server was discontinued in 2005. Nevertheless, this software continues to be implemented by various vendors in a variety of IoT devices and common software development kits (SDKs).


Unless the Boa web server is managed by developers of this software, its known vulnerabilities could allow attackers to gain undetected access to networks by collecting information from files stored on the web server. In addition, affected individuals may not be aware that their devices run services that use the discontinued Boa web server, and that firmware updates and downstream patches do not fix the known vulnerabilities.

Boa Web Server

Above chart shows that the Boa web server is still in use worldwide, with a strong focus on India. However, IoT devices with this product are probably also in use in Europe. Microsoft published the details of the attacks and other findings in the blog post Vulnerable SDK components lead to supply chain risks in IoT and OT environments on November 22, 2022. In view of such conditions, it seems like a mockery when, on the one hand, the replacement of software that has fallen out of support (e.g., Office, Windows) is always advertised, while, on the other hand, software that has not been further developed for 17 years is used in IoT components. (via)

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *