Cymru Discovers 300,000 Compromised Home Routers

Cymru Discovers 300,000 Compromised Home Routers
Cymru Discovers 300,000 Compromised Home Routers

Router vulnerabilities have been much in the news recently, including the discovery of the Moon worm. The problem stems from poor security from the suppliers, and security naivety from the average home router user. Team Cymru suggests that multiple exploits may have been used by the attackers: a "ROM-0" vulnerability published in January, a CSRF vulnerability published in October 2013, and simply brute-forcing passwords (some unchanged from the delivery default password) via the internet.

The danger with a router compromise is that it provides the attackers with a persistent man-in-the-middle position. "Attackers are altering the DNS configuration on these devices in order to redirect victims DNS requests and subsequently replace the intended answers with IP addresses and domains controlled by the attackers, effectively conducting a Man-in-the-Middle attack," explains the Team Cymru report. Every single device using the router can be redirected to a malicious site for data and/or credential theft.

Sean Sullivan, a security researcher with F-Secure, has also been looking at router problems. "We've been analyzing the SANS sample [the Moon worm]," he told Infosecurity. "Fascinating stuff and more advanced than first guessed. The Team Cymru looks equally interesting. A lot of this problem is related to web-access features. Those features are not worth the potential problems in my view. Even before the recent samples came to light."

John Yeo, EMEA director at Trustwave, pointed out that the problems are less to do with remote update as by remote administration. "SOHO router compromises," he told Infosecurity, "are typically a result of either leaving the management interface accessible on the internet – especially when 'protected' only by default or easily guessed credentials; or vulnerabilities in the web application software that is used to 'remotely administer' the device, even if that interface is not listening on the public internet."

It's a problem that is only likely to grow; not merely for routers, but for all devices with embedded software that connect to the internet. "As the bar is increasingly raised for compromising endpoint workstations, cyber criminals are turning to new methods to achieve their desired goals, without gaining access to victims’ machines directly." This is the internet of things, where the user has little knowledge of nor access to the inner workings of the devices.

“Vendors must work with the understanding that their routers, just like any other part of the network, are constantly targeted in cyber attacks," Adrian Culley, global technical consultant with Damballa explained. "It is the vicarious responsibility of firms who provide routers to homes and business to ensure that their product is built with the presumption it will be continuously probed and attacked to ensure safety of the end user. Routers have vulnerabilities like any other piece of hardware or software and vulnerabilities lead to exploitation. Cyber criminals work to take advantage of any possible vulnerability.”

Yeo agrees. "Manufacturers should have the device and its software subjected to expert security review prior to any major releases," he said.

If a breach happens, the vendors must make more effort to help the user. "Most router providers are able to set up a remote diagnostic or help session," Culley told Infosecurity. "With the customer’s permission, the vendor can analyze the router via SSL or SSH to help solve any operational issues or to detect any breaches that may have occurred."

What’s Hot on Infosecurity Magazine?