Router Hacks: Who's Responsible?40,000 Exploited Devices Show 'Internet of Things' Risks
The news that an army of 40,000 small office/home office, or SOHO, routers have been exploited by an Internet-borne worm and used to launch distributed denial-of-service attacks appears to point to networking vendors' culpability. That's because the devices ship with default credentials, which attackers have been able to exploit en masse.
Security researchers say they do not know who is responsible for launching the attacks. But in a sign of how difficult it is to keep so-called "Internet of Things" devices secure, one of the network device manufacturers whose products have been targeted says it only sells its devices to consultants and integrators, and that they should know how to secure the devices before rolling them out at customers' sites.
News of the router botnet comes via the report "Lax Security Opens the Door for Mass-Scale Abuse of SOHO Routers," released by Incapsula, a DDoS defense firm owned by information security vendor Imperva. It warns that attackers, using variants of MrBlack - a.k.a. Spike malware - have created "self-sustaining botnets" that have automatically infected and seized control of tens of thousands of routers, thanks to the devices using well-known default credentials. The vast majority of these malware-infected, devices, it adds, are located in Thailand and Brazil.
"After inspecting a sample of 13,000 malware files, we saw that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks," Incapsula's report says. It says that while routers and other network-connected devices from a number of vendors have been compromised, the majority involve devices based on ARM processors built by San Jose, Calif.-based Ubiquiti Networks. "Faced with this homogenous botnet, our security investigators' initial assumption was that the routers were compromised by a shared firmware vulnerability," Incapsula researchers write in their report. "However, further inspection revealed that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor-provided default login credentials."
Tripwire researcher Ken Westin discusses router-hacking incentives.
To date, it's not clear who is behind this router takeover campaign. Incapsula notes that the timing of spikes in attacks appears to parallel the hacking group Lizard Squad announcing new, related capabilities in its "Lizard Stresser" DDoS-on-demand service. But it says that there is "no hard evidence" of the group's involvement, and says it's just as likely that this router-takeover campaign is the work of a competing or copycat DDoS-as-a-service provider.
SOHO Pharming Campaigns
Of course, this is not the first time that large numbers of devices have been compromised by attackers using dedicated malware. "There have been previous attacks where criminals have compromised home routers using default credentials and modified the DNS settings to direct the end users to websites under the control of the criminals," Dublin-based information security consultant Brian Honan tells Information Security Media Group. "Similarly, there have been a number of worms that have been developed to compromise consumer devices using default credentials."
In early 2014, security research firm Team Cymru warned that a "SOHO pharming campaign that had overwritten router DNS settings in central Europe," reporting that 300,000 devices - from multiple manufacturers - appeared to have been compromised, mostly in Europe and Asia. The greatest number of affected routers were in Vietnam, it reported, followed by India, Italy and Thailand. "Affected devices had their DNS settings changed."
Later that year, the SANS Institute issued an alert about TheMoon worm, which targeted a vulnerability in stock firmware on Linksys devices to gain remote access to machines. But researchers said they saw no follow-on attacks result.
In late 2014, meanwhile, researchers from Check Point Software Technologies warned that at least 12 million SOHO routers - encompassing 200 different products from such vendors as D-Link, Edimax, Huawei, TP-Link and ZTE - had a flaw that they dubbed "misfortune cookie," that attackers could exploit to take control of the device. In response, some vendors said they had been offering firmware patched against the flaw since 2005.
In response to the new Incapsula report, an Ubiquiti Networks spokesman tells ISMG that the company does not sell SOHO routers. "Please note that these are not SOHO devices but units to be used and installed by professional Internet service providers."
The UBNT spokesman also referenced an Ubiquiti community forum post that addresses the Incapsula report. "UBNT devices are sold with the intention that out of the box they can be easily and mass provisioned for the WISP [wireless ISP] to deploy to customers," a Ubiquiti employee says in the forum post. "The configuration is 100 percent up to the WISP."
The Incapsula researchers say they're not trying to blame Ubiquiti, but argue that vendors must ship products that are secure by default. "While I do agree that distributors, resellers and users all share responsibility for their routers' safety, my feeling is that vendors should share that responsibility as well," Incapsula researcher Igal Zeifman says in a blog comment. "Our message here is that of shared responsibility - not allocation of fault or shifting of blame."
But Ubiquiti says it is difficult to keep everyone happy. "Our general recommendation is that any ISP deploying our products should definitely change default credentials, as well as block unnecessary management access," an Ubiquiti employee says in a related posting to the company's forum. "However, we try to strike a balance of imposing security best practices without limiting the functionality and ease of the use for our target customers (ISPs - technical users, not 'home users')."
For example, the employee says, with the company's firmware version 5.5.2 - introduced in 2012 - it added a number of security improvements, including a "nagging reminder that the user is still using default credentials - this has to be dismissed to do anything." The company also disabled active-by-default management access to devices' wide-area-network (WAN) interface, but reports that "there were many, many complaints," since numerous ISPs want remote management access to provision and manage devices. "Even when in place at customer's home, the WISPs still want access," he says. Still, that feature does now at least ship disabled by default.
Ubiquiti says it also continues to ask its customers how it might better balance those security and usability demands. "We can look at other things as well, such as not allowing a configuration change if default credentials are used," the employee says in the forum post. Accordingly, if devices were left with default credentials, an automated worm couldn't gain access to the machine and alter its settings to make it into a botnet zombie - unless, of course, the worm was designed to change the default credentials first.
Internet of (Insecure) Things
The Incapsula report highlights the challenges associated with securing Internet-connected devices. For starters, vendors, distributors, resellers, IT managers - and in some cases end-users - all have a hand in keeping devices secure, both by configuring them correctly, as well as keeping them updated or patched. And reports pointing to tens or hundreds of thousands of compromised devices suggest that today's Internet of Things all too often is not secure.
Such security shortcomings could lead to more than just nuisance attacks. Indeed, Ken Westin, senior security analyst at security firm Tripwire, says he's less concerned about the threat posed by malware-infected routers being used to launch DDoS attacks, and more concerned about the fact that attackers can eavesdrop on all data - online banking credentials, photos and videos, corporate secrets and everything in between - that flows across devices. "Really, where the money is, is in the data," he says. "Going after that information and selling that on black markets, for example, that's usually going to get you more money than doing DDoS attacks."
One way to safeguard data and guard against eavesdropping attacks is to require employees to use VPNs on their laptops, smartphones and tablets. This will keep sensitive data encrypted, even if employees inadvertently connect to attacker-controlled routers or other network devices.
But as the DDoS botnet composed of MrBlack-infected routers highlights, any Internet-connected device is at risk of being turned into an attacker tool. "Remember that once you connect a device to the Internet you are also connecting the Internet to that device," says Honan, who is also a cybersecurity adviser to Europol. "This holds true be that a corporate webserver or an IoT light bulb. All Internet devices should have their traffic monitored and managed via corporate firewalls, and non-critical devices should be segmented away from networks that contain sensitive information."