
2018 the year of the hacked router

I’ve spoken in depth on consumer (and some enterprise) router security issues. In brief: these devices are pieces of scrap, full of vulnerabilities and very seldom updated to fix them.

It’s no coincidence that this year has seen exponential growth in attacks on routers, and in botnets built from pwned routers and other IoT devices. Device pwnage is now one of the main vectors for malicious attacks, especially for ransomware distribution and cryptomining.

As far as consumer devices go, wireless access points (APs) are in the same poor league as routers, and the remediations listed at the bottom of this article apply to them too. Bluetooth is another area where vulnerabilities are often found, so caution is required there as well.

Some of the big ones this year:

  • MikroTik routers vulnerable to VPNFilter, used in cryptojacking campaigns
  • MikroTik routers have a vuln in Winbox (their Windows-based admin tool) that allows a root shell and remote code execution – the new exploit could allow unauthorized attackers to hack MikroTik’s RouterOS, deploy malware payloads or bypass the router’s firewall protections
  • D-Link routers have 8 vulns listed in Oct 2018, including plaintext password and RCE issues
  • VPNFilter affecting routers from multiple brands, including Linksys, Netgear and TP-Link
  • Cisco has had a torrid time this year with multiple backdoors
  • Datacom routers shipped without a telnet password
  • Hard-coded root account in ZTE routers

The D-Link issue is so bad that the US FTC has filed a lawsuit against D-Link citing poor security practices.

To summarise, why all these issues?

  • lowest quality devices to cater for low consumer pricing
  • very little innovation or security in software design leading to (many) vulnerabilities
  • vendors have no interest in maintaining firmware
  • manual updates and/or no notification of updates
  • default and/or backdoor credentials
  • insecure UPnP, HNAP and WPS protocols
  • consumers not skilled in configuration so config left at factory defaults
  • open and web-accessible ports

So how can consumers protect themselves?

  • change the default admin credentials
  • change the default SSID (Wi-Fi network name)
  • enable WPA2 encryption and use nothing weaker
  • disable telnet, WPS, UPnP and HNAP
  • don’t use cloud-based router management
  • disable remote admin access
  • install new firmware when released (monitor your vendor’s support website)
  • change the access details for your router’s web management interface (eg. IP address and/or port)
  • make use of an open DNS solution like OpenDNS or Google DNS
  • advanced: reflash your router’s firmware with an alternative like DD-WRT or OpenWrt
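For readers who take the advanced step and run OpenWrt, several items on the list above can be checked straight from the router’s UCI config. The following is an added example (not code from the original post or from the OpenWrt project) that parses UCI text and flags weak Wi-Fi encryption, WPS, UPnP, SSH reachable beyond the LAN and a web admin bound to every interface; option names follow OpenWrt’s UCI format as I know it, and the sample config is constructed.

```python
# Constructed sample: sections from several UCI files, run together for brevity.
SAMPLE_UCI = """
config wifi-iface 'default_radio0'
    option ssid 'TP-LINK_A1B2'
    option encryption 'psk'
    option wps_pushbutton '1'
config upnpd 'config'
    option enabled '1'
config dropbear
    option PasswordAuth 'on'
    option Interface 'wan'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
"""

def parse_uci(text):
    """Parse UCI config/option/list lines into (section_type, {key: [values]}) pairs."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().replace("'", "").replace('"', "").split()
        if len(parts) > 1 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) > 2 and parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def audit(sections):
    """Return one finding string per checklist item that the config violates."""
    findings = []
    for stype, opts in sections:
        first = lambda k, d="": opts.get(k, [d])[0]   # first value or default
        if stype == "wifi-iface":
            enc = first("encryption", "none")          # 'psk' is WPA1, 'psk2' WPA2, 'sae' WPA3
            if enc.split("+")[0] not in ("psk2", "sae", "sae-mixed"):
                findings.append("wifi: not WPA2/WPA3 (encryption=%s)" % enc)
            if first("wps_pushbutton") == "1":
                findings.append("wifi: WPS enabled")
        elif stype == "upnpd" and first("enabled") == "1":
            findings.append("upnp: enabled")
        elif stype == "dropbear":
            if first("Interface", "all") != "lan":      # unset means every interface
                findings.append("ssh: reachable on %s, not lan only" % first("Interface", "all"))
            if first("PasswordAuth", "on") == "on":
                findings.append("ssh: password login allowed")
        elif stype == "uhttpd" and any(a.startswith(("0.0.0.0", "[::]")) for a in opts.get("listen_http", [])):
            findings.append("web admin: bound to all interfaces (confirm the WAN firewall blocks it)")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_uci(SAMPLE_UCI)):
        print("FINDING:", finding)
```

Default admin credentials and remote-admin firewall rules are not visible in these sections, so they still need checking by hand.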

At minimum, consumer devices have no place in business networks, SMEs included. Even with a firewall behind them, routers not running in bridge mode can still be compromised and used to launch external attacks. And it’s been shown that some enterprise-class equipment (eg. MikroTik and Cisco) suffers from serious issues too.

For home users, the situation is more difficult, primarily because of cost: any more specialised equipment is likely to be out of their price range. As well, the skill required for non-consumer equipment increases significantly (consider that most consumers already struggle with consumer devices), so that may be out of the question. Until vendors start taking security seriously and bake it into their products, this will remain an ongoing issue.

Microsoft (surprisingly) has started a project called Azure Sphere: a Linux-based operating system that lets third-party vendors design IoT and consumer devices around an embedded security processor (MCU), a secured OS and a cloud security service, significantly reducing the attack surface of their devices. This is an admirable effort, and hopefully many vendors get on board or initiate similar projects.

Absent any change in the consumer device arena and their current lax attitude towards security, the issue of botnets and distribution networks is likely to only get significantly worse over time.

Update from The Register: Spammer scum hack 100,000 home routers via UPnP vulns to craft email-flinging botnet

Update from ZDNet: Bleedingbit zero-day chip flaws may expose majority of enterprises to remote code execution attacks

Some more on Chalubo: This botnet snares your smart devices to perform DDoS attacks with a little help from Mirai

And BlueBorne: Security flaws put billions of Bluetooth phones, devices at risk

Home routers: security fail

It’s no secret that I absolutely hate non-business/home-based ( ADSL/3G/other ) routers. From a security point of view, they have a history of never-ending security issues that result in a variety of malicious attacks including DNS reflection, remote control, spam, malware infections and other attacks.

There are other serious issues including ( but not limited to ):

  • vendors of these devices are slow to react to vulnerabilities and often don’t even patch these
  • users either don’t know that updates are available, don’t know how to apply patches/updates or just can’t be bothered to apply updates
  • the firewall/protection features of these devices are limited
  • there are common back-doors included in many of these devices, which open up access to attackers

Because non-business grade routers/firewalls don’t carry any sort of guarantee or warranty in terms of performance, vendors do not put ( as much ) effort into keeping them secure. The following link describes just how bad the situation is:

http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

If you have any concern over your internet security or use your internet link for any secure services ( like online shopping or internet banking ), consider purchasing/using a business-grade firewall that will:

  • provide you with a decent level of protection
  • be updated regularly by the manufacturer

Keeping your desktop computers, laptops and mobile devices safe is only one part of home security. You also need to look at the security of your network devices including routers, printers and WiFi access points as these are an important point of access to your home network and can compromise your systems as easily as a virus on your computer.

Security issues in ADSL and other routers

I’ve never been a fan of using ADSL/Wifi routers as the main firewall for a network ( which unfortunately ends up being the case for most home users ). These are devices built to the cheapest price, using the cheapest software development, and generally there are very few ( if any ) updates for security issues on these devices. Even when firmware updates are available, end-users tend not to apply them, through ignorance or lack of skill.

There are many vulnerabilities relating to ADSL/Wireless routers in the wild, often causing havoc with DNS and other systems. The latest bug relates to open DNS proxies on routers, which resulted in a DNS denial-of-service attack on ISPs involving 24 million routers.

A backdoor in some Linksys and Netgear wireless routers that allows malicious users to reset the devices’ configuration to factory settings ( and therefore to the default router administration username and password ) has been discovered and disclosed publicly.

Another is the Wifi hacking trojan RBrute, which infects Wifi routers and then distributes the Sality malware family, which can subsequently infect Windows systems with web/DNS redirection, remote access, information theft, rootkit capabilities, disabling of firewalls/AV and downloading of additional malware. The list goes on and on. This stuff is nasty, to say the least.

This doesn’t stop at low-end routers like TP-Link, Netgear and D-Link; others like Linksys and Belkin are also often targeted. The main problems with these routers come in two areas:

1. mis-configuration

2. software issues

The mis-configuration issue can be laid at both the end-users’ and the manufacturers’ doors. First, end-users aren’t always skilled enough to configure these systems properly. Second, manufacturers often add extra accounts to routers that aren’t normally used and that end-users are unaware of. These then present back-doors for malware and attackers to misuse.

The quality of software development in these systems is very low, resulting in all sorts of vulnerabilities ranging from cross-site scripting issues to DNS amplification attacks. Manufacturers also tend to update their routers very seldom ( if at all ), leaving the bulk of routers out there with some issue or other.

If you are going to use an ADSL/Wifi router, then make sure you update its firmware to the latest available and close/change passwords for any accounts on the unit. Better yet, put the unit into bridge mode and use a proper firewall for your protection.

ADSL Router Security in the crosshairs

It’s long been a bugbear of mine when ADSL modems are used at the perimeter of networks as the security device/firewall. Given that many of these units are made to the lowest cost possible and have many vulnerabilities, they are wholly unsuited to the task of providing decent security. That’s why I always switch them to bridge mode where possible and use a proper firewall behind them.

The issues of ADSL routers include but are not limited to:

  • default password not changed
  • external management/administration switched on
  • software vulnerabilities ( including XSS and DNS reflection issues )

Many of the recent issues with regards to DDoS attacks are related to the unauthorised use of ADSL modems that either have public management switched on with default passwords, or vulnerabilities that have been exploited. The process goes as follows:

  • Use the CSRF ( cross-site request forgery ) vulnerability in Broadcom-based routers to access the admin console without requiring the password
  • Change the router’s DNS server(s) to point to a malicious DNS server
  • Change the router’s password so the rightful owner can no longer get in
  • When the user goes to a site, the malicious DNS server sends them to an alternate location
  • At the alternate location, the user downloads what they think is a valid installation file but which is in fact an infected or malicious file
  • Install malware onto the user’s machines to log keystrokes and steal files
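The first two steps above hinge on the admin interface accepting a settings change from any page the browser happens to have open. As an added illustration (not code from the original article or from any vendor’s firmware), here is a minimal model of a router’s DNS-settings handler: the vulnerable ‘before’ honours any request that carries the admin session cookie, while the hardened version also demands a same-origin request and a per-session token. The 192.168.1.1 origin, the request dictionaries and all function names are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # constructed: the router's own admin origin

def vulnerable_handler(request, state):
    """'Before': any request carrying the admin session cookie is honoured. The
    browser attaches that cookie to a form POST from any site, so a hidden form
    on an unrelated page can rewrite the DNS servers without knowing the password."""
    if request["cookies"].get("session") == state["session"]:
        state["dns"] = request["form"]["dns"]
        return 200
    return 403

def issue_csrf_token(state):
    """Mint a random per-session token; the admin page embeds it in its forms."""
    state["csrf"] = secrets.token_hex(16)
    return state["csrf"]

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the router itself.
    A request with neither header is rejected rather than trusted."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == ROUTER_ORIGIN

def hardened_handler(request, state):
    """'After': session cookie AND same-origin AND a matching per-session token."""
    if request["cookies"].get("session") != state["session"]:
        return 403
    if not same_origin(request["headers"]):
        return 403
    expected = state.get("csrf")
    supplied = request["form"].get("csrf", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403                     # constant-time compare; no token issued = reject
    state["dns"] = request["form"]["dns"]
    return 200

def make_request(origin, session, dns, csrf=None):
    """Build a constructed POST to the DNS-settings endpoint."""
    form = {"dns": dns}
    if csrf:
        form["csrf"] = csrf
    return {"headers": {"Origin": origin}, "cookies": {"session": session}, "form": form}
```

Setting the session cookie with SameSite=Strict adds a browser-side layer on top of the server-side checks shown here.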

A recent ITWeb article singled out the D-Link 2750 modem; however, many modems from many vendors are susceptible to attack if they are vulnerable or configured incorrectly. Read the fascinating article on how 4.5 million routers were hacked in Brazil.

It’s up to the end user to configure the units correctly and safely, or contract a security person to do so. Remember you are responsible for your data and security.