The attraction of routers to attackers is clear. Sitting between endpoints and the internet, a router is the ideal position from which to listen to traffic, not just from one device but from every device that connects through it. But while users have some knowledge of PCs, operating systems and malware, router software, particularly on SOHO routers, is rarely visible to them, so its security is generally overlooked.
Tripwire has attempted to lift the lid with research that combines surveying users and analyzing the products. It spoke to 653 IT and security professionals, and 1009 remote workers in the US and UK, with alarming results. Thirty percent of IT professionals and 46% of workers polled do not even change the default password on their wireless routers. Even more (55% and 85%, respectively) do not change the default IP address on their routers. A default address lets a malicious web page target the router's administration interface without first having to discover where it lives, which makes cross-site request forgery (CSRF) attacks much easier.
43% and 54%, respectively, rely on Wi-Fi Protected Setup (WPS), a standard with known weaknesses, to connect wireless clients to the router. "WPS is a service which makes it easier for authorized clients to connect," comments Tripwire's associated whitepaper, "but also makes it much easier for attackers to determine your wireless passphrase, regardless of its complexity or 'strength.'"
Furthermore, 52% and 59%, respectively, have not updated their router firmware to the latest version; so even where a vulnerability has been found and fixed by the vendor, the router remains exposed.
It is fair to say, then, that most users are not security-minded in their use of SOHO routers.
Tripwire also looked at the routers themselves; and the result here is even more worrying. "In fact," reports the whitepaper, "74 percent of Amazon’s top 50 best-selling SOHO wireless router models have security vulnerabilities. In addition, 34 percent of Amazon’s top 50 selling models have publicly documented exploits available, making it relatively simple for attackers to use this information to craft targeted attacks or simply attack all the vulnerable systems they can find."
One of the problems is that the security users rely on to protect their home networks, primarily anti-virus software and perhaps a free firewall that they install and forget about, offers little defense for the router. "Antivirus doesn't get access to the router," PandaLabs' technical director Luis Corrons told Infosecurity, "so we cannot tell whether it has been compromised, nor even if it is vulnerable." Some indication could be gleaned from the firewall, "which at some point could warn us about something weird happening on that level... but that's not much," he added. Without being explicitly told there is a problem, most users will simply assume that there isn't one.
ESET senior research fellow David Harley expanded on the point. "You could, in principle, look for some kinds of vulnerability when a router is accessed via a browser or a specialist app, but how practical that is across the whole range of router hardware is another question," he told Infosecurity. "You can detect code that's intended to cause such an infection, of course, if it's carried in a form where it can be scanned by security software on the desktop or perimeter (or even a mobile device), but if it skips from router to router like Moon it isn't likely to be detected on the endpoint."
He pointed out that AV companies are able to detect Moon (a recently discovered router worm), "but the scenarios where the product is installed on a device where we're likely to see it are vanishingly small. It makes more sense," he suggested, "to advise people to take more generic action like disabling remote access, limiting access to trusted (local) IPs, changing default passwords and local IP ranges, and so on, rather than having them rely on known malware detection at the endpoint."
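The generic hardening steps Harley lists, together with the survey findings above (default password, default LAN address, WPS, stale firmware), can be turned into a repeatable check. The script below is an added illustration and is not code from the article, from Tripwire or from either researcher. It audits a constructed key=value settings export of the kind a router backup might contain; the export format, the list of factory default credentials and the list of factory default LAN subnets are all assumptions standing in for whatever a specific vendor ships, and must be adjusted per model.

```python
"""Audit a SOHO router settings export against generic hardening advice.

Added example, not part of the article or Tripwire's research. The key=value
export format is a hypothetical stand-in for a real router's backup file.
"""
import ipaddress
import re

# Assumption: commonly shipped factory defaults. Real routers vary; extend per vendor.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
DEFAULT_LAN_SUBNETS = [
    ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")
]

# Constructed sample export in which every setting is left at an insecure default.
SAMPLE_CONFIG = """\
admin_user=admin
admin_password=admin
lan_subnet=192.168.1.0/24
remote_admin=1
admin_allowed_from=0.0.0.0/0
wps_enabled=1
firmware_version=1.0.2
"""

# Constructed sample export after applying the generic hardening advice.
HARDENED_CONFIG = """\
admin_user=admin
admin_password=a-long-unique-passphrase
lan_subnet=192.168.117.0/24
remote_admin=0
admin_allowed_from=192.168.117.0/24
wps_enabled=0
firmware_version=1.1.0
"""


def parse_config(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_version(s):
    """Turn '1.0.2' into (1, 0, 2) so firmware versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def audit(cfg, latest_firmware):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials")
    lan = ipaddress.ip_network(cfg.get("lan_subnet", "192.168.1.0/24"), strict=False)
    if lan in DEFAULT_LAN_SUBNETS:
        findings.append("default LAN address range (eases CSRF targeting)")
    if cfg.get("remote_admin") == "1":
        findings.append("remote (WAN) administration enabled")
    allowed = ipaddress.ip_network(cfg.get("admin_allowed_from", "0.0.0.0/0"), strict=False)
    # Management access should be limited to trusted local addresses only.
    if not allowed.subnet_of(lan):
        findings.append("admin interface reachable from outside the LAN")
    if cfg.get("wps_enabled") == "1":
        findings.append("WPS enabled")
    if parse_version(cfg.get("firmware_version", "0")) < parse_version(latest_firmware):
        findings.append("firmware out of date")
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text), latest_firmware="1.1.0") or "no findings")
```

The "latest firmware" version is passed in rather than looked up, since the vendor's current release is something the auditor has to supply; the check only confirms that the router is not behind it.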
That is essentially what Tripwire recommends. The risks to the enterprise from a compromised remote worker's router are significant, it says. "Until firmware updates are available to address these security vulnerabilities, the best protection is to avoid use of routers marketed to small office and home office users," suggests Tripwire.