2018 the year of the hacked router

I’ve spoken in depth on consumer (and some enterprise) router security issues.  In brief summary, these devices are pieces of scrap that are full of vulnerabilities and very seldom get updated to fix issues.

It’s no coincidence that this year has seen an exponential growth in attacks on routers as well as botnets making use of pwned routers and other IoT devices. Device pwnage is now one of the main vectors for malicious attacks especially as regards ransomware distribution and cryptomining.

As far as consumer devices go, Wireless Access Points (APs) are in the same poor league as routers, and the same remediations mentioned at the bottom of this article apply. Bluetooth is another area where vulnerabilities are often found so caution is required there too.

Some of the big ones this year:

  • Mikrotik routers vulnerable to VPNfilter attack used in cryptojacking campaigns
  • Mikrotik routers have a vuln in Winbox (their Windows-based admin tool) that allows for root shell and remote code exec – the new exploit could allow unauthorized attackers to hack MikroTik’s RouterOS system, deploy malware payloads or bypass router firewall protections
  • Dlink routers have 8 vulns listed in OCt 2018 including plaintext password and RCE issues
  • VPNfilter affecting multiple brand routers including Linksys, Netgear and TPlink
  • Cisco has had a torrid time this year with multiple backdoors
  • Datacom routers shipped without a telnet password
  • Hard-coded root account in ZTE routers

The Dlink issue is so bad that the US FTC has filed a lawsuit against Dlink citing poor security practices.

To summarise, why all these issues?

  • lowest quality devices to cater for low consumer pricing
  • very little innovation or security in software design leading to (many) vulnerabilities
  • vendors have no interest in maintaining firmware
  • manual updates and/or no notification of updates
  • default and/or backdoor credentials
  • insecure UPnP, HNAP and WPS protocols
  • consumers not skilled in configuration so config left at factory defaults
  • open and web-accessible ports

So how can consumers protect themselves?

  • change default admin credentials
  • change the defaults SSID (WIFI) name
  • enable and only use WPA2 encryption
  • disable telnet, WPS, UPNP and HNAP
  • don’t use cloud-based router management
  • disable remote admin access
  • install new firmware when released (monitor your vendors support website)
  • change access details for your router’s web management interface (eg. IP address and/or port)
  • make use of an open DNS solution like OpenDNS or Google DNS
  • advanced: reflash your router’s firmware with alternatives like DD-WRT or OpenWRT

At minimum, consumer devices have no place in business networks, including SMEs. Even when backgrounded by a firewall, non-bridge mode routers can still be compromised and used for external attacks. And it’s been shown that some enterprise-class equipment (eg. Mikrotik and Cisco) suffer from serious issues too.

For home users, the situation is more difficult primarily because of cost – any more specialised equipment is likely to be out of price range for these users. As well, skill requirements for non-consumer equipment increases significantly (consider that most consumers struggle with consumer devices already) so that may be out of the question. Until vendors start thinking about security seriously and bake it into their products, this will continue to be an ongoing issue.

Microsoft (surprisingly) has started a project called Azure Sphere which is a Linux-based operating system that allows 3rd party vendors to design IoT and consumer devices using an embedded security processor (MCU), a secured OS and Cloud Security to significantly improve the overall security surface of their devices. This is an admirable effort and hopefully many vendors get on board or initiate similar projects.

Absent any change in the consumer device arena and their current lax attitude towards security, the issue of botnets and distribution networks is likely to only get significantly worse over time.

 

Update from The Register:  Spammer scum hack 100,000 home routers via UPnP vulns to craft email-flinging botnet

Update from ZDNet: Bleedingbit zero-day chip flaws may expose majority of enterprises to remote code execution attacks

Some more on Chalubo: This botnet snares your smart devices to perform DDoS attacks with a little help from Mirai

And BlueBorne: Security flaws put billions of Bluetooth phones, devices at risk

(S)RUM

Veronica Schmitt, a senior digital forensic scientist at DFIRLABS, recently featured on Paul’s Security Weekly, showcasing the Microsoft SRUM system tool (System Resource Utilization Monitor).

SRUM was first introduced in Windows 8, and was a new feature designed to track system resource utilization such as CPU cycles, network activity, power consumption, etc. Analysts can use the data collected by SRUM to paint a picture of a user’s activity, and even correlate that activity with network-related events, data transfer, processes, and more.

Very little is known about SRUM outside of a few notes and videos online, and most tellingly, very few sysadmins know about the storage function of this tool.

That sounds pretty interesting.  And it is, especially for performance and system monitoring.

But …

The output from SRUM is continually (at 60min intervals) written to an ese DB, which in turn can be read by a python tool called srum-dump written by Mark Bagget and output to a CSV for further analytics.

The scary part of this is how much data SRUM is actually writing out to the db and what info can be gleaned from this db in forensics terms. Essentially, any actions performed or data generated by a user on that system, can we retrieved at a later stage by srum-dump.

From a forensics pov, that’s brilliant but from a privacy pov, it is very scary. Especially as very few people realise this is going on in the background. It’s also scary in the way that if a (Windows) machine is compromised, the SRUM db can be used to propagate additional (lateral or vertical) malicious activity depending on the data identified.

Comments welcome …