Press "Enter" to skip to content

What Malware Is on Your Router?

router

Mirai is exposing a serious security issue with the Internet of Things that absolutely must be quickly handled.

Until a few days ago, I had been seriously considering replacing the 1999 model Apple Airport wireless router I’ve been using since it was gifted to me in 2007. It still works fine, but I have a philosophy that any hardware that’s more than old enough to drive probably needs replacing. I’ve been planning on taking the 35 mile drive to the nearest Best Buy outlet on Saturday to see what I could get that’s within my price range.

After the news of this week, that trip is now on hold. For the time being I’ve decided to wait until I can be reasonably sure that any router I purchase won’t be hanging out a red light to attract the IoT exploit-of-the-week.

It’s not just routers. I’m also seriously considering installing the low-tech sliding door devices that were handed out as swag at this year’s All Things Open to block the all-seeing-eye of the web cams on my laptops. And I’m becoming worried about the $10 Vonage VoIP modem that keeps my office phone up and running. Thank goodness I don’t have a need for a baby monitor and I don’t own a digital camera, other than what’s on my burner phone.

In case you don’t know, Internet of Things security sucks so much it appears as if the IoT folks have taken a time machine back to 1998 to implement Microsoft’s best practices of that era.

The threat of the week — this one actually goes back to early September — is Mirai, which infects network facing devices to form massive botnets. It also seems to be having new capabilities added as we speak. When Brian Krebs was knocked offline in September, followed by the taking down of many of the largest sites on the web in October, Mirai was infecting IoT devices the easy way — by “guessing” passwords, most of which were still set to the device’s default. Now the black hats have morphed the malware to take advantage of security vulnerabilities in specific devices.

Yesterday we learned that just shy of a million Deutsche Telekom subscribers had been taken offline after their routers were infected by Mirai. Today’s news is that the attack has spread to include routers in the UK, Brazil, Iran, Thailand and elsewhere. So far they’re only attacking routers made by Zyxel, taking advantage of a SOAP vulnerability, but there will be other vulnerabilities to exploit in other routers — and webcams, cameras, thermostats, baby monitors, and ironically, home security devices.

“What we see right now is more or less just a tip of the iceberg,” Johannes Ullrich, dean of research at the SANS Institute, has said. “By adding this exploit, Mirai gained access to many more devices then it already had.”

My guess is that there are many more compromised IoT devices than we imagine. We only know about this latest round of attacks against Zyxel due to a screw up in the black hats’ code that knocked exploited routers offline.

Today, InfoWorld quotes Craig Young, a security researcher at Tripwire, as saying: “The malware may have been too demanding on the routers, and overloaded them, so they wouldn’t be able to operate. Someone will fix the bugs in the code. People will also incorporate more exploits related to routers.”

Obviously, Mirai won’t be the last weapon to be added to the script kiddies IoT arsenal. We need to do something and do it quickly unless we want to see the Internet become as reliable as the electricity supply in Port-au-Prince.

This could all be solved with a little regulation on the marketing end. We could codify some “best practices” for software and patching processes, and require that source code for software in any IoT device be submitted and approved before an IoT device can be brought to market. This would protect the home inventor or hobbyist from having to jump through a mountain of red tape before hooking a DIY SBC-based device to the Internet, while making sure that the likes of Cisco, Cannon and Carrier don’t unleash tens of millions of devices on an already overburdened Internet.

Meanwhile, I’ll stick with my old 1999 Airport for as long as it continues to work, since I can’t guarantee that a new router would be any safer. It’s a crap shoot, and I don’t gamble.

8 Comments

  1. Mike S. Mike S. November 30, 2016

    I run DD-WRT on my home routers, which (hopefully) insulates me against security flaws in the original device firmware.

    One security step any user can take on a home router, regardless of what firmware it runs, is to disable the Universal Plug’N’Play (UPnP) feature. UPnP allows devices on the network to instruct the router to open public ports to allow incoming traffic. It was designed make it easier for non-technical people to host multiplayer games on their home computer or get to their internet-enabled webcam while away without needing to directly log in to the router. But it’s a security risk, because malware or games or other applications or internet-enabled webcams (any IoT device) can use UPnP to allow all kinds of external traffic into your internal network.

    I shut UPnP off on my router. Then for things I want to allow, like my VOIPO (Vonage equivalent) phone service, I log in to the router and add a port-forwarding setting.

  2. Thad Thad November 30, 2016

    I recently built a pfSense router and I’m confident in its security, but it wasn’t cheap; computer, SSD, RAM, switch, and WAP totaled around $400 by the time I was done.

    I’ve used DD-WRT too and had a pretty positive experience. If you’re looking for a budget option, that’s probably the way to go; find an off-the-shelf router that’s compatible with DD-WRT (see http://www.dd-wrt.com/wiki/index.php/Supported_Devices ) and flash the firmware yourself.

    As far as the IoT security crisis, I fear that it’s going to get worse before it gets better. Most of the Internet relies on decades-old standards, and providers are extremely slow to adopt new ones (look how long it’s taking to switch to IPv6, a standard which sees your “old enough to drive” and raises “old enough to vote”), and the world still runs on C despite its lack of built-in memory protection (hoping to see Rust and Go start to displace it, but again, these things take time, and in this case we’re dealing with nearly five decades of inertia).

    And on top of that, no amount of baked-in security at the protocol and OS level is going to protect from idiots who ship devices with open telnet ports and hardcoded, unchangeable root passwords. You’re right: there oughta be a law.

  3. Mike Mike December 1, 2016

    I’ve had positive experiences with Open-WRT.

  4. MyNameIsUnknown MyNameIsUnknown December 1, 2016

    ….. is it like not obvious now, they don’t wanna make it like secure, because,…..

  5. WorBlux WorBlux December 1, 2016

    If have a Compulab Fitlet -A10 with a stable Debian as the primary gateway, and an Ubiquity Unifi AC Lite with Open-WRT installed on it and my wireless AC. Both get regulary updates from upstream.

    I hate to say it but requiring either source of support commitment of 5 years would help. Ultimately however manufacturers of consumer routers want you to throw it away every 2 years and buy a new one. And your average consumer doesn’t care until it’s too late.

    A good thing to do is require open-WRT support. When you go to best buey ask them which model(s) suport it. (TP-Link is a fairly friendly brand for it)

  6. Martin Martin December 1, 2016

    Personally, I only trust OpenBSD. My router is running OpenBSD 6.0-stable on the PC Engines apu2c4 W/ wle200nx (miniPCI express wireless modules). It’s safer than anything else and easy to install/maintain/update.

  7. Mark Mark December 4, 2016

    I run pfsense also. It does not require much money to get a great pfsense box going. In fact your probably have an old forgot PC laying around that will run it just fine, that what I did.

Comments are closed.

Latest Articles