On December 9, security researchers at Carnegie Mellon University warned about a major vulnerability discovered in several popular Netgear routers that could leave thousands of home networking devices exposed to arbitrary command injection. If exploited, hackers could gain full control of these devices and incorporate them into a botnet.
Based on the initial findings, the flaw affected three models (R6400, R7000, and R8000), but the researchers later confirmed that five more models (R6200, R6700, R7100LG, R7300, and R7900) are also affected. “By convincing a user to visit a specially crafted website, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request,” the security experts warn. Since exploiting these vulnerabilities is trivial, the researchers recommended that users turn off the affected routers and switch to an alternative product. On December 16, Netgear released a security advisory with a list of firmware fixes for some of the affected devices, adding that the company will continue to release updates for the other affected models.
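The command-injection pattern the advisory describes, shown as an added example (this is not Netgear's code and not taken from the advisory): a hypothetical router "ping diagnostics" CGI handler in its vulnerable form beside a hardened one that validates the value and never hands it to a shell. The function names, the `host` parameter and the 256-byte buffer are assumptions.

```c
/* Hypothetical router web-UI "ping diagnostics" handler written for this
 * article (not Netgear's code): vulnerable form splices a request parameter
 * into a shell command; hardened form validates it and never uses a shell. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE: "host" comes straight from the HTTP request; any shell
 * metacharacter (';', '|', '`', "$(") makes /bin/sh run extra commands as
 * the web server's user, which on home routers is typically root. */
void ping_vulnerable(const char *host)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    system(cmd);
}

/* Allowlist check: hostname/IPv4 characters only, sane length, and no
 * leading '-' so the value cannot be parsed as a ping option. */
int host_is_safe(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        char c = host[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED: allowlist first, then exec ping with an argv array so the value
 * is a single argument no shell parses. Returns exit status, -1 on reject/error. */
int ping_hardened(const char *host)
{
    if (!host_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```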
Router vulnerabilities are a growing security problem, as previous incidents have shown. With the steady adoption of IoT devices, businesses and home users are exposed to more threats from compromised devices and unsecured routers. Attackers are no longer targeting only PCs; they see routers as an effective means of getting hold of victims’ credentials.
Many router manufacturers seldom roll out updates for older firmware. Hackers take advantage of these outdated versions to gain access to local router commands, which they use to steal a user’s name and password. This allows attackers to build botnets that scan for other routers whose remote administration interfaces can be accessed with default usernames and passwords, which are then used to infect other users. In some cases, products may even ship with preloaded malware.
The Netgear vulnerability is only one of the most recent incidents that show just how serious the router problem is turning out to be. Over the previous months, a wave of Mirai botnet attacks crippled internet access for a million home users across Europe. This happened shortly after a DDoS attack on DNS provider Dyn caused a massive outage of high-profile sites.
Trend Micro Senior Director of the Forward-Looking Threat Research (FTR) Team, Martin Roesler, believes that the unprecedented DDoS attacks highlight that the Internet of Things is not only broken but also potentially dangerous. Unfortunately, the problem seems to lie in the hands of Internet Service Providers (ISPs). For instance, ISPs must recognize that TCP/IP ports are risky, so if they want to access customers’ devices on an open port, it is imperative that they take the necessary steps to make sure that this restricted access is available only to the ISPs. Allowing access from arbitrary sources on the internet could lead to the misconfiguration of both routers and internal networks. It is regrettable, however, that while ISPs might understand the costs of compromise, they are still not security-conscious enough and lack a rigorous approach to securing devices.
Roesler adds that while the current state of the Internet of Things seems grim, these incidents could serve as a wake-up call for ISPs, as their support costs could increase. Because of this, ISPs should implement proper protocols against unpatched routers and start to pressure router vendors to deploy tools that add a layer of security to the devices, such as intrusion prevention systems in the gateway. “Home routers are the primary target in the new IoT world, regardless of whether we talk about Smart Homes, Industry 4.0, or autonomous systems like connected cars. For attackers, the router is always the first choice,” Roesler says.
Both IoT manufacturers and users must apply proper security measures to minimize potential risks. However, reducing risk is not just the responsibility of the hardware manufacturer; the rest of the IoT ecosystem must do its part. ISPs should not compete only on speed or bandwidth; security should also be a priority. Many ISPs are working to make security a core part of their service, and there are measures that can be implemented to improve in this area.
To combat risks, here are a few recommendations:
Implement a security-by-design approach – while functionality and ease of use are essential, implementing appropriate security measures will go a long way in securing not only your product but your customers’ loyalty as well.
Conduct vulnerability testing and other regular security audits – knowing how attackers work gives you a better idea of how, when, and where to implement proper security controls.
Consider a partnership with security specialists – given manufacturers’ limited experience with security, it’s best to assess whether a third-party security team can work with developers to implement functionality and features that are consistent with the device’s design.
Make sure there are no security holes – if you have features that compromise security, it is best to reassess these components and get rid of features that require access to users’ routers.
Establish baseline filters as a standard – ISPs should agree on a standard for logging new and widely spreading malware. Such a standard also helps ISPs share indicators of compromise with one another and defend against likely attacks.
Provide security notifications to users – most, if not all, users are kept in the dark about whether they’ve been affected. ISPs must offer security notices and provide remediation services for their customers to help ensure data protection and lessen the possible effects of an attack.
Apply security controls to your infrastructure – implementing proper security measures such as firewalls and intrusion detection helps maintain your service and mitigate attacks.