Tag Archives: Routers

Internet of Things malware destroys devices

In early April, embedded devices powered by Google Android, Linux and FreeBSD (specifically those using the BusyBox distribution), mainly used as media players and routers, came under attack from a previously unseen form of malware.

How does this malware affect compromised devices?
Once compromised, the device ceases functioning within seconds, an attack being called a PDoS (Permanent Denial of Service). This occurs because the malware corrupts the device's internal storage and reduces the number of kernel (defined) threads (sequences of independent in-progress tasks) from several thousand to just one, causing the device's in-progress tasks/workload to halt. Security firm Radware demonstrated this result with a webcam.

How does this malware initially compromise a device?
Since early April, four unique versions of this malware (dubbed BrickerBot) have emerged. The first version attempted to compromise Radware's test device almost 2,000 times within four days, with the attacks originating from all over the world. The second and more advanced version uses Tor (The Onion Router) to enable attacks to take place from the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the attacks almost impossible.

Version 3 targets further devices, while version 4 was active only very briefly and ceased its activity after 90 attempted attacks. Radware provide more details in their analysis.

The malware's authors seek to gain control of vulnerable devices by attempting to access them over the internet via the Telnet protocol (defined, which uses TCP and UDP port 23), entering commonly used usernames and passwords until successful. If your network contains routers or music/media devices using the BusyBox distribution, they are potentially vulnerable to this malware. Attackers can use tools such as Shodan (defined) to locate vulnerable devices over the internet and begin an attack.

How can I protect my devices from this malware?
Radware provide five steps you can take to better secure your Internet of Things (IoT, defined) devices from this malware. They also suggest the use of an IPS (defined) in this related blog post. The above recommendations are especially important since, unlike other malware where you can re-format a hard disk and re-install the operating system (defined), this malware permanently damages the device and it will require replacement.

Thank you.

Linux Routers Potentially Vulnerable To Telnet Worm

In late March ESET security published a blog post detailing how an updated version of an existing malware infection can exploit many consumer broadband routers and wireless access points.

Why Should This Infection Be Considered Important?
If your router becomes infected with this malware it can communicate back to its creator via a command and control (C2) server (defined). Under their control, your router can be used for purposes such as a distributed denial of service (DDoS) attack (defined), among any other actions the attackers may choose. An example of a DDoS attack occurring in the past using routers is the subject of this article and this article.

Given that the malware comes to reside on a router by attempting to connect to random IP addresses (defined) that have port 23 open, it may only be a matter of time before your router is tested for this open port.

By convention, port 23 is used by the now deprecated Telnet (defined) protocol. If your router's firewall (defined) does not block access to this port from external sources, the attackers have a favourable opportunity to infect your router, since the malware can download various versions customized to the individual CPU architecture used within the router, e.g. MIPS, ARM etc. The malware attempts to gain access to your router using a stored list of usernames and passwords that are commonly used or are used by default by consumer routers. Once access is obtained, the malware is downloaded and installed.

How Can I Protect Myself from This Malware?
As discussed in a previous blog post, please follow the recommendations provided by the US-CERT to secure your router. This will involve (among other changes) changing the default username and password of the router (making it much harder for the malware to guess the correct credentials).

Blocking commonly used protocols from being used to access your router (in this case the Telnet protocol) using your firewall is explained here. Using a tool (e.g. Steve Gibson's ShieldsUP!) to test the effectiveness of your router's firewall, which will also provide additional protection against this threat and other threats that may attempt to access your router, is discussed here. A guide for using ShieldsUP! to do this is here, with a video demo here. Scanning your router using Nmap (a more advanced tool) is discussed in this article.

Since many Internet Service Providers (ISPs) block/prevent end-users/consumers from making many changes to their routers, please contact your ISP for advice on how to block port 23 from being accessed externally to protect against the threat discussed in ESET’s blog post.

Thank you.

Blog Post Shout Out December 2015

Earlier this year CloudFlare published an informative blog post detailing how malicious JavaScript (defined) can be used to cause a distributed denial of service attack (DDoS) (which is defined within CloudFlare's post linked to below).

As a preventative measure they also provide a recommendation to enable HTTPS for your website (which CloudFlare also provide as an option). If you are using a self-hosted WordPress installation (namely where WordPress is installed on a server that you manage/administer), this blog post may be of assistance in enabling HTTPS by default (by using HSTS (discussed/defined at length within a previous blog post of mine)).

Given the severity of DDoS attacks, I wanted to provide a respectful shout-out to the following CloudFlare blog post:

An introduction to JavaScript-based DDoS by Nick Sullivan (CloudFlare)

In addition, earlier this month US-CERT created a useful security alert containing a list of tips for securing your home broadband/fibre optic router/wireless access point. Their alert also links to an updated list of routers with known security vulnerabilities, with advice on addressing them:

Securing Home and Small Business Routers (US-CERT)

I hope that the above mentioned blog posts and resources are of assistance to you in defending your website from becoming part of such DDoS attacks and securing your home router/access point against malicious use.

Thank you.

Very Large Number of Routers/Modems/Internet Gateways Contain Non-Unique X.509 Certificates and SSH Keys

In late November, the security firm SEC Consult released details within a blog post of their findings after conducting scans of many thousands of embedded devices from almost 70 manufacturers. These devices were found to contain X.509 certificates (defined) and SSH (Secure Shell, defined) private keys (the private halves of public/private key pairs, namely asymmetric encryption (defined)) which were shared among other similar devices, including devices from other manufacturers.

Why Should These Issues Be Considered Important?

If an attacker were located within the same network as one of these embedded devices, they could perform a man-in-the-middle attack (MITM, defined), allowing them access to any sensitive information, e.g. passwords, being transmitted on the network at that time.

SEC Consult found that approximately 4 million devices are affected by this issue.

A remote attack (i.e. from an attacker not located within your network namely the wider Internet) is far more difficult to conduct and would require the capabilities discussed within the paragraph titled “What is the impact of the vulnerability?” of SEC Consult’s blog post.

For the full list of affected manufacturers of these devices, please see the paragraph titled “Which vendors/products are affected?” of SEC Consult’s blog post and the “Vendor Information” section of this US CERT article. Finally, for affected Cisco devices, a list of affected device models is provided here.

How Can I Protect Myself From These Issues?
For the end users (consumers) who have purchased these devices or have been provided them by their ISPs (Internet Service Providers), there is no action that can be taken to resolve these issues. Since the vulnerable keys are embedded within the firmware of these devices, they cannot easily be updated. In some instances, however, an update is possible.

If you own a device manufactured by one of the affected vendors (obtained from the lists linked to above) I would follow US CERT’s advice of contacting the vendor to ask if an update for your device will be made available. You can link to SEC Consult’s blog post and US CERT’s advice if the vendor wishes to seek clarification on the issue/vulnerability you are referring to.

For anyone affected by this issue I hope that the above information is of assistance to you. Thank you.
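The finding above is that many devices present the same SSH host key or certificate. As an added example (not part of the original post or of SEC Consult's work), the code below computes OpenSSH-style SHA256 fingerprints from ssh-keyscan output and reports any fingerprint presented by more than one device; the key blobs in the sample are constructed placeholder bytes, not real keys, and the X.509 case uses the same hash over the DER certificate.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob: the
    'SHA256:' prefix plus unpadded base64 of the digest of the raw blob."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded X.509 certificate in the
    colon-separated uppercase hex form OpenSSL prints."""
    return ":".join("%02X" % b for b in hashlib.sha256(der_bytes).digest())


def parse_keyscan_line(line):
    """Parse one ssh-keyscan output line: '<host> <keytype> <base64>'.
    Returns (host, keytype, key_b64), or None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def find_shared_keys(keyscan_output):
    """Group hosts by (keytype, fingerprint) and return only the entries
    presented by more than one host, i.e. the shared keys to investigate."""
    hosts_by_key = defaultdict(list)
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, keytype, key_b64 = parsed
        hosts_by_key[(keytype, ssh_fingerprint(key_b64))].append(host)
    return {k: hosts for k, hosts in hosts_by_key.items() if len(hosts) > 1}


# Constructed sample: placeholder blobs standing in for real host keys.
# Two gateways present the identical blob; the third has its own.
SHARED_BLOB = base64.b64encode(b"constructed-shared-host-key-blob").decode()
UNIQUE_BLOB = base64.b64encode(b"constructed-unique-host-key-blob").decode()
SAMPLE_KEYSCAN = "\n".join([
    "# 192.168.1.1:22 SSH-2.0-dropbear",
    "192.168.1.1 ssh-rsa " + SHARED_BLOB,
    "# 192.168.2.1:22 SSH-2.0-dropbear",
    "192.168.2.1 ssh-rsa " + SHARED_BLOB,
    "# 192.168.3.1:22 SSH-2.0-dropbear",
    "192.168.3.1 ssh-rsa " + UNIQUE_BLOB,
])

if __name__ == "__main__":
    for (keytype, fp), hosts in find_shared_keys(SAMPLE_KEYSCAN).items():
        print(keytype, fp, "shared by", ", ".join(hosts))
```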

Netgear Releases Router Firmware Update Addressing Security Issues

Early last week Netgear issued a firmware update for some of their consumer broadband routers. This update resolves 2 critical vulnerabilities (1x command injection vulnerability and 1x authentication bypass vulnerability).

Affected Routers (authentication bypass vulnerability):

  • JNR1010v2
  • JNR3000
  • N300
  • R3250
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Affected Routers (command injection vulnerability):

  • JWNR2010v5
  • JWNR2000v5

Why Should These Issues Be Considered Important?
By default, the affected routers' administrative interface can be accessed by any user on the same internal network as the router. If WAN administration is enabled (a setting that allows anyone outside of your network to access your router), the above mentioned authentication bypass vulnerability is even more serious, since a remote attacker could access your router's admin interface without needing a username or password.

The command injection vulnerability could allow an attacker to issue a command of their choice to your router e.g. performing a file listing.

How Can I Protect Myself From These Issues?
If you own any of the affected routers listed above, please apply the update if it is already available for your router. If not, check whether an updated firmware that corrects this issue is available for your router. If no corrected version is available, it would be advisable to contact Netgear to determine if an update is planned. They may also be able to supply steps to mitigate the issue if no update is planned.

Netgear has issued updated firmware for some of the affected routers:

  • JNR1010v2
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Please follow the instructions within the Netgear knowledge base article linked to above to install the updated firmware.

Thank you.

Belkin N600 DB Wireless Dual Band N+ Router Contains Unpatched Security Issues

A particular model of consumer/home user broadband router/wireless access point from Belkin has been found to be vulnerable to a set of security issues that can have potentially serious consequences.

The Belkin N600 DB Wireless Dual Band N+ router model F9K1102 v2 with firmware version 2.10.17 and possibly earlier are affected.

There are 5 sets of issues (4 of which have been assigned CVEs, defined):

Use of Insufficiently Random Values – CVE-2015-5987: This issue would allow an attacker to spoof Belkin’s firmware update servers and to connect to any device (server, computer etc.) an attacker chooses.

Cleartext Transmission of Sensitive Information: This issue is somewhat related to the above issue, since firmware update requests could be intercepted, allowing an attacker to substitute a firmware update with an update of their choice or to prevent firmware updates from taking place. An attacker would first have to be able to conduct a man in the middle attack (MITM, defined) for these malicious capabilities to become available to them.

Use of Client-Side Authentication – CVE-2015-5989: Due to how the router checks whether a legitimate user of the router is logged in, these values can be manually manipulated to allow an attacker to log into the administration interface (a webpage shown to the user to allow them to change the settings of the router) of the router with the same permissions as the legitimate user. The attacker would already need access to your local area network (LAN) (the network within your home) to carry out this method of attack. Carrying out this attack remotely would not be possible.

Cross-Site Request Forgery (CSRF) – CVE-2015-5990: If the owner/user of the router is logged into the administrative interface of the router and clicks on a link (within another browser tab) or accesses a website of the attacker’s choice the attacker will obtain the same permissions as the legitimate user. This is known as a Cross-Site Request Forgery (CSRF) attack (CSRF, defined here and here). If the issue mentioned below is also present (namely no password set by the user to access the admin interface) the attacker would not need for the user to be already logged in to use this attack against the legitimate user.

Credentials Management – CVE-2015-5988: If an attacker already has access to your home network they can access the admin interface of the router if the default configuration of the router has not been changed, namely if no password has been set.

Why Should These Issues Be Considered Important?
If an attacker can obtain full access to your router, they can change any setting they wish e.g. the DNS settings (as discussed in a previous post), disconnect you and other legitimate users from your own internet connection and have the possibility of installing rogue firmware onto your router.

While only one issue (Use of Insufficiently Random Values) can be exploited remotely, with the remaining issues requiring access to your network or a man in the middle (MITM) connection, these issues should still be considered serious since they have the potential to take control of your router away from you and deny you access to your internet connection. The devices you have connected to the router may also visit websites that you didn't intend (due to the DNS settings being changed as mentioned above).

How Can I Protect Myself From These Issues?
While Belkin has not released a firmware update to resolve these issues and may choose not to do so, I would recommend following the advice provided in this CERT advisory. Essentially: do not allow untrusted users to access your home network, and use strong passwords for both your wireless LAN key and the router's admin interface.

If you are an owner of this router or know someone who is, I hope that the above advice is useful to you in preventing any malicious user from using these issues against you or someone you know.

Thank you.

Several Consumer Broadband Routers Use Static Passwords

Several consumer broadband routers from varying manufacturers have been found to contain static administrative passwords. The names/models of the affected routers (at the time of writing) are shown below:

  • DIGICOM DG-5524T
  • Observa Telecom RTA01N
  • Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293
  • ZTE ZXV10 W300

Please refer to this CERT knowledge base article for the most up to date list of affected models.

Why Should This Issue Be Considered Important?

Using these static credentials, a remote attacker could potentially gain access to your broadband router and make any changes they wish to its settings/configuration.

How Can I Protect Myself From This Issue?
Unfortunately it does not appear that the manufacturers of these routers intend to provide mitigations or updates to the routers firmware to address their use of static administrative passwords.

In order to prevent an attacker from being able to access your router remotely, please follow the workaround provided in this CERT knowledge base article. This workaround will involve blocking the SNMP ports (161 and 162, as well as Secure SNMP ports 10161 and 10162) to prevent the attacker from being able to determine the MAC address of your router. This is important since the password for all routers affected by this issue is XXXXairocan, where XXXX is the last four characters of the router's MAC address. An SNMP query to your router is used to obtain the appropriate MAC address.

See Aside and Aside 2 for definitions of SNMP and MAC addresses (respectively).

You may need to refer to the documentation (if any) for your router in order to determine the exact steps needed to block the above mentioned ports using the router's firewall. A Google search for your router model or a call to your Internet Service Provider (ISP) may also help with this.

If you own one of the affected routers (or you know someone that does) I hope that the above advice is useful in protecting you from this potential threat.

Thank you.

Aside:
What is SNMP?
Simple Network Management Protocol (SNMP) is a device management protocol. It is used to manage devices such as routers, servers and network printers (among others). If a device develops a fault or requires attention it can notify the network administrator using SNMP e.g. that a printer is low on ink or that a server is under heavy CPU or memory load. Further information on SNMP is available here.


Aside 2:
What is a MAC address?

A media access control (MAC) address is the unique identifier of a network interface card (NIC). This NIC can be wired or wireless. For a common Ethernet network, a MAC address is made up of 6 groups of two hexadecimal digits which are separated by hyphens ( - ) or colons ( : ). Hexadecimal is a numbering system with 16 values, increasing in value from 0 to 9 and then a to f (more information on hexadecimal).

An example MAC address would be 00:0A:11:22:33:44. A MAC is sometimes referred to as the physical address since this address is assigned in the factory to the network card (NIC) of your device (similar to a unique serial number).

The first 6 digits of a MAC address are called the prefix and are associated with the network card manufacturer, e.g. Broadcom or Realtek. The remaining 6 digits are the unique numbers that identify your specific network card.

You may be wondering why MAC addresses are used when computers already have IP addresses.

The answer is that the OSI networking model is made up of 7 layers. Layer 2 (the network access layer) uses MAC addresses to tell the difference between one device on the network and another. Network bridges, switches and wireless access points operate at layer 2, and do so without the use of IP addresses.

As mentioned above, devices are uniquely identified by their MAC address. Layer 2 uses MAC addresses so that it can operate with network transmission standards other than TCP/IP if required. Layer 3 uses IP addresses (which form the IP of TCP/IP), and at this layer routers use them to forward traffic to the correct devices/destinations.

Network switches (devices that send traffic between devices and routers on the network in order to move network data/traffic to its eventual destination) use MAC addresses to tell the difference between the devices connected to their ports and to determine which device to send specific network traffic to.

Consider a packet (a piece of data) about to be sent on the network, for example when your web browser (an application) requests a new webpage. This begins at the top layer of the TCP/IP model (layer 7, the application layer). As the request moves down the network stack in your operating system, more and more data is added to it by each layer, namely layer 6, layer 5 and so on. Layer 3 and above use IP addresses, while layer 2 uses MAC addresses since by this time the layer 3 information is no longer present (it is designed to be removed once used by layer 3 devices).

The MAC address of the network card(s) installed within your system can be displayed using the following commands:

Linux (from a terminal window) (the MAC address will appear as "HWaddr"):

ifconfig -a

Apple Mac OS X:
Please see this link for the necessary steps.

Microsoft Windows:
Press the Windows key and the letter R to open a Run box. Type cmd and press Enter.
Type the following command (the MAC address will appear as "Physical Address"):

ipconfig /all
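As an added example (not part of the original post), the code below validates a MAC address in either of the two notations described above, splits it into the manufacturer prefix and the card-specific part, and pulls the "HWaddr" / "Physical Address" values out of ifconfig and ipconfig output; the tool output shown in the code is constructed sample text.

```python
import re

# Six groups of two hex digits joined by one consistent separator, either
# colons or hyphens (e.g. 00:0A:11:22:33:44 or 00-0A-11-22-33-44).
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

# Matches the labelled address line printed by `ifconfig -a` (Linux) and by
# `ipconfig /all` (Windows, with its dotted "Physical Address. . . :" label).
_TOOL_RE = re.compile(
    r"(?:HWaddr|Physical Address[ .]*:)\s*([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)


def is_valid_mac(mac):
    """True only for six hex octets with one consistent separator; mixed
    separators, wrong length or non-hex characters are rejected."""
    return _MAC_RE.match(mac.strip()) is not None


def normalise_mac(mac):
    """Return the address as lowercase, colon-separated; raise on bad input."""
    if not is_valid_mac(mac):
        raise ValueError("not a valid MAC address: %r" % mac)
    return mac.strip().lower().replace("-", ":")


def split_mac(mac):
    """Return (prefix, device_part): the first three octets identify the NIC
    manufacturer, the remaining three identify the individual card."""
    octets = normalise_mac(mac).split(":")
    return ":".join(octets[:3]), ":".join(octets[3:])


def macs_in_output(text):
    """Every MAC address reported in ifconfig/ipconfig output, normalised,
    duplicates removed and order preserved."""
    found = []
    for match in _TOOL_RE.finditer(text):
        mac = normalise_mac(match.group(1))
        if mac not in found:
            found.append(mac)
    return found


# Constructed samples of the two tools' output (not captured from a real host).
IFCONFIG_SAMPLE = """eth0      Link encap:Ethernet  HWaddr 00:0a:11:22:33:44
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
IPCONFIG_SAMPLE = """Ethernet adapter Ethernet:
   Description . . . . . . . . . . . : Constructed Example Adapter
   Physical Address. . . . . . . . . : 00-0A-11-22-33-44
   DHCP Enabled. . . . . . . . . . . : Yes
"""

if __name__ == "__main__":
    for mac in macs_in_output(IFCONFIG_SAMPLE + IPCONFIG_SAMPLE):
        print(mac, "prefix/device:", split_mac(mac))
```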