I’ve spoken in depth on consumer (and some enterprise) router security issues. In brief summary, these devices are pieces of scrap that are full of vulnerabilities and very seldom get updated to fix issues.
It’s no coincidence that this year has seen an exponential growth in attacks on routers as well as botnets making use of pwned routers and other IoT devices. Device pwnage is now one of the main vectors for malicious attacks especially as regards ransomware distribution and cryptomining.
As far as consumer devices go, Wireless Access Points (APs) are in the same poor league as routers, and the same remediations mentioned at the bottom of this article apply. Bluetooth is another area where vulnerabilities are often found so caution is required there too.
Some of the big ones this year:
- Mikrotik routers vulnerable to VPNfilter attack used in cryptojacking campaigns
- Mikrotik routers have a vuln in Winbox (their Windows-based admin tool) that allows for root shell and remote code exec – the new exploit could allow unauthorized attackers to hack MikroTik’s RouterOS system, deploy malware payloads or bypass router firewall protections
- Dlink routers have 8 vulns listed in OCt 2018 including plaintext password and RCE issues
- VPNfilter affecting multiple brand routers including Linksys, Netgear and TPlink
- Cisco has had a torrid time this year with multiple backdoors
- Datacom routers shipped without a telnet password
- Hard-coded root account in ZTE routers
The Dlink issue is so bad that the US FTC has filed a lawsuit against Dlink citing poor security practices.
To summarise, why all these issues?
- lowest quality devices to cater for low consumer pricing
- very little innovation or security in software design leading to (many) vulnerabilities
- vendors have no interest in maintaining firmware
- manual updates and/or no notification of updates
- default and/or backdoor credentials
- insecure UPnP, HNAP and WPS protocols
- consumers not skilled in configuration so config left at factory defaults
- open and web-accessible ports
So how can consumers protect themselves?
- change default admin credentials
- change the defaults SSID (WIFI) name
- enable and only use WPA2 encryption
- disable telnet, WPS, UPNP and HNAP
- don’t use cloud-based router management
- disable remote admin access
- install new firmware when released (monitor your vendors support website)
- change access details for your router’s web management interface (eg. IP address and/or port)
- make use of an open DNS solution like OpenDNS or Google DNS
- advanced: reflash your router’s firmware with alternatives like DD-WRT or OpenWRT
At minimum, consumer devices have no place in business networks, including SMEs. Even when backgrounded by a firewall, non-bridge mode routers can still be compromised and used for external attacks. And it’s been shown that some enterprise-class equipment (eg. Mikrotik and Cisco) suffer from serious issues too.
For home users, the situation is more difficult primarily because of cost – any more specialised equipment is likely to be out of price range for these users. As well, skill requirements for non-consumer equipment increases significantly (consider that most consumers struggle with consumer devices already) so that may be out of the question. Until vendors start thinking about security seriously and bake it into their products, this will continue to be an ongoing issue.
Microsoft (surprisingly) has started a project called Azure Sphere which is a Linux-based operating system that allows 3rd party vendors to design IoT and consumer devices using an embedded security processor (MCU), a secured OS and Cloud Security to significantly improve the overall security surface of their devices. This is an admirable effort and hopefully many vendors get on board or initiate similar projects.
Absent any change in the consumer device arena and their current lax attitude towards security, the issue of botnets and distribution networks is likely to only get significantly worse over time.
Update from The Register: Spammer scum hack 100,000 home routers via UPnP vulns to craft email-flinging botnet