Security starts with a home router

Original author: Vijay Sarvepalli
The author is a Security Solutions Architect in the CERT Division.

VPNFilter has recently attracted a great deal of attention, especially after the FBI's public announcement on May 25 and a series of announcements from device manufacturers and security companies. In this article I look at the VPNFilter malware: which vulnerabilities it uses and how, and what its impact on the Internet is. I also set out recommendations for manufacturers of Internet of Things (IoT) devices, including the home routers that VPNFilter targets. Because the article emphasizes the priority of several critical vulnerabilities, I will repeat the recommendations I made in March 2017 in the article on the Mirai botnet.

Vulnerability History

A Cisco blog post on VPNFilter gives details of the affected devices; the malware has compromised "at least 500,000 network devices worldwide." VPNFilter is somewhat similar to Mirai in that it also targets IoT devices, home routers in particular. It is now also known that the Mirai botnet used four 0-day exploits, in addition to the usual list of default login/password pairs, to compromise IoT devices. Recently a new version of the Mirai botnet was discovered that also targets home routers.

Among the well-known router manufacturers affected by VPNFilter, Linksys and Netgear caught my attention because, according to Statista, their popular models hold 77% of the home router market. By examining the typical vulnerabilities of these popular devices, we can derive some general recommendations that reduce the risk of attacks on such poorly managed devices.

The CERT Division of the Software Engineering Institute (SEI) has worked with many home router manufacturers to identify and track vulnerabilities. This collaboration aims to reduce the impact of such vulnerabilities on the Internet as a whole.

In the diagram below I have noted and classified the vulnerabilities on these devices that are most likely to be exploited. Default credentials are also used in many cases. Attackers add these vulnerabilities to their toolkits to expand their base of compromised devices.

The CERT Coordination Center's Vulnerability Notes Database has published at least two serious router vulnerabilities that broadly affected these two major manufacturers:

Several exploits for these vulnerabilities are publicly available. They demonstrate that the software on these devices contains remotely exploitable vulnerabilities. Preventing such bugs requires secure coding practices, but it is clear that in mass production, with devices rushed to market, such vulnerabilities are hard to avoid and almost impossible to eliminate entirely. We believe that coordinated disclosure and mitigation of these flaws are essential to the reliability and security of the Internet. But additional measures can be taken so that these bugs no longer lead to the mass compromise and abuse we see today.

The problem of near-constant uptime

I suspect that if I asked the readers of this article when they last rebooted their home router, many would stop reading to go and reboot it. The near-infinite uptime of modern home routers gives attackers an advantage: they can maintain long-term access to a compromised system, as described in detail in the popular five-phase hacking model.

In fact, Mirai and the VPNFilter stage-2 malware are volatile (non-persistent) code that does not survive a reboot. This shows that the attackers are confident the devices will not be restarted for a long time.

The role of careless maintenance

The second factor that makes home routers vulnerable is the lack of patches or updates. Updating a home router usually requires a reboot and, most likely, a short service interruption. Many home users never reboot their routers because they rely on uninterrupted daily Internet access for media, video streaming and even education. In many developing countries where routers are supplied by the ISP, the ISP recommends that users not update the device, to avoid compatibility problems. Elsewhere, where bring-your-own-device (BYOD) is common, providers cannot control what customer premises equipment (CPE) users install.

When I recently visited Côte d'Ivoire to lecture on DDoS and botnets, representatives of Internet providers explained that users have cheap routers, and even models unknown to the provider, which the provider cannot update. This is another reason why these devices are poorly maintained and never receive the necessary updates or security patches.

Call to action

In the earlier Mirai article I offered several recommendations that are practical and achievable for home routers and IoT devices. I hope they will push manufacturers and providers to introduce innovative technical solutions that reduce the risk of routers being used for malicious purposes:

  1. Mount the file systems of home routers and IoT devices read-only, which makes installing malware difficult.
  2. Disable any packet-crafting, spoofing or promiscuous mode [a mode in which the network interface accepts all packets regardless of their destination address (translator's note)] at the firmware level, to prevent malicious use of the network resources of these devices.
  3. Update firmware automatically to fix vulnerabilities proactively, either with scheduled downtime or with no downtime.

The job of these simple, inexpensive devices is to forward network traffic or stream data in real time (as IP cameras do); there is no particular reason to allow software to be installed on the device. In fact, some newer home routers support chroot and a read-only file system, which makes it difficult to install exploits. Even if a potential attacker learns or guesses the administrator password, he will not be able to install malware like VPNFilter or Mirai.

In both cases the malware tries to take full control of the network stack, which lets it craft packets, spoof and intercept traffic, and put the infected device into promiscuous mode. Such functions are not required on simple routers and are normally not used. Removing promiscuous mode would completely eliminate the possibility of using compromised systems for malicious purposes such as DDoS attacks, installing malware, intercepting communications and altering network packets.
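The following audit script is an added example, not code from the original article or from any manufacturer: it checks a Linux-based router against recommendations 1 and 2 above (root file system mounted read-only, no interface in promiscuous mode). It assumes the device exposes `/proc/mounts` and `/sys/class/net/<if>/flags`; the sample mount tables and flag words in the block are constructed so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the original article): audit a Linux-based router
# for a read-only root filesystem and for interfaces in promiscuous mode.
# Each check takes its input as an argument so it can run on constructed data.

# Exit 0 if the given /proc/mounts content shows "/" mounted with the "ro"
# option, 1 otherwise. Field 2 is the mount point, field 4 the option list.
root_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "/" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if an interface flags word (hex string as read from
# /sys/class/net/<if>/flags, e.g. 0x1103) has IFF_PROMISC (0x100) set.
iface_is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Constructed sample data: a squashfs root mounted read-only, a router whose
# overlay root is writable, and flags for an interface with and without
# IFF_PROMISC (IFF_UP=0x1, IFF_BROADCAST=0x2, IFF_MULTICAST=0x1000).
RO_MOUNTS='/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'
RW_MOUNTS='overlayfs:/overlay / overlay rw,noatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'
PROMISC_FLAGS=0x1103   # UP|BROADCAST|PROMISC|MULTICAST
NORMAL_FLAGS=0x1003    # UP|BROADCAST|MULTICAST

# Run both checks against the live system and report each finding.
audit_live() {
    if [ -r /proc/mounts ]; then
        if root_is_readonly "$(cat /proc/mounts)"; then
            echo "root filesystem: read-only"
        else
            echo "root filesystem: WRITABLE (malware can persist across reboots)"
        fi
    fi
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        ifname=${f#/sys/class/net/}; ifname=${ifname%/flags}
        if iface_is_promisc "$(cat "$f")"; then
            echo "$ifname: PROMISC set"
        else
            echo "$ifname: promiscuous mode off"
        fi
    done
}
audit_live
```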

Other recommendations

In addition to the recommendations above, there are other practical measures that can help both device manufacturers and providers. Automatic updates are already implemented on many devices; they have become an integral part of smartphones, tablets and PCs. Some of these updates are non-disruptive.

Where a service interruption is required (for example, a reboot), the user should be able to request a preferred time window, such as midnight local time or a day off, to minimize the interruption. This type of update is needed for devices such as home routers and IoT devices.

If manufacturers and providers can deliver incremental updates without rebooting, and if they can adopt new methods such as live patching (for example, kpatch) on vulnerable systems, so much the better. If a reboot is required, manufacturers and providers can offer their customers a choice of update options that cause the least inconvenience while keeping devices up to date.

Recommendations for users

The first and most important recommendation is to change the default credentials on the home router. Then update and reboot the home router and the other IoT devices in the home. A weekly reboot of a home router is not too burdensome and may even improve its performance.

If you like a well-protected home, do not forget to take care of its digital security, and it starts with a home router.
