Gateway For Hackers

Uploaded on 2015-12-09 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The device that connects us to the Internet is dangerously vulnerable, security experts say. And while there are some signs of impending improvements, not much has happened in the past several years, while the threats have grown

It is generally accepted in IT that the weakest link in the security chain is the fallible and frequently careless human.

But a close second, many experts say, is the router – the device that connects people to the Web, sometimes called “the backbone of the Internet”, which is dangerously vulnerable to skilled hackers.

Those experts have been issuing alarms for some time, but they say that, so far, things have not changed much. Dan Geer, chief information security officer at the venture capital firm In-Q-Tel and an adviser to US intelligence agencies, speaking to a conference in Cambridge, Mass., more than a year ago, said most routers are almost comically insecure, given that they have, “drivers and operating systems amounting to snapshots of the state of Linux, plus the lowest-end commodity chips extant at the time of the router’s design.”

The only way to fix the problem, he said, would be to, “unplug all the devices, throw them in the dumpster and install all new ones.” Even that wouldn’t fix it either, because the new ones are, “likely to have the same vulnerability spectrum that made this possible in the first place,” he said.

Jim Gettys, a systems architect, said last year that he had inventoried the age of the packages inside a number of routers, “and they are three to four years old on Day One. And without an update stream, you start with existing vulnerabilities, and it just gets worse from there.”

Bruce Schneier, encryption guru and CTO at Resilient Systems, wrote more than a year ago in a blog post that, “the computers in our routers and modems are much more powerful than the PCs of the mid-1990s,” and warned that if security vulnerabilities in them are not fixed soon, “we're in for a security disaster, as hackers figure out that it's easier to hack routers than computers.”

Such security holes can allow hackers to access files, install malware on a network or use a victim’s security cameras to spy on him, without needing access to the computer hardware.
In a more recent interview with Network World this past April, Schneier said basically the same thing Geer had said a year earlier: “Do you know the way you patch your home router? You throw it away and buy a new one. And that is going to be a freakin' disaster … Low cost, binary blobs, no one knows how they work, there's no one to update them, lots of vulnerabilities, and we're just stuck with it.”
And even if updates are available, they are too difficult to install for the average user, said Lawrence Munro, director at Trustwave.
“The key issue is that upgrading is almost always a manual process that is likely beyond the skill level of a home-user,” he said, “and patches aren’t available quickly in many cases.”
“The key issue is that upgrading is almost always a manual process that is likely beyond the skill level of a home-user.”
Indeed, last December, US-CERT, part of the Department of Homeland Security, warned broadband router manufacturers about a vulnerability called “Misfortune Cookie” that been patched more than 10 years ago, but was still present on many deployed devices.

Researchers at Check Point’s malware and vulnerability group, who came up with the name, noted that, “if your gateway device is vulnerable, then any device connected to your network – including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network – may have increased risk of compromise.”

Mark Stanislav, senior security consultant at Rapid7, noted this week that in a contest at last year’s Def Con, hackers were able to demonstrate 15 zero-day vulnerabilities in more than a half-dozen of the most common Small Office/Home Office (SOHO) routers, including models from Asus, Netgear, DLink, Belkin, Linksys, Actiontec and Trendnet.
Not surprisingly, the contest was titled, “SOHOpelessly Broken.”
If it really is this bad, however, it would seem there would be more stories about disastrous takeovers of networks. Yet while mainstream media regularly report on major hacks, there are few, if any, headlines about router compromises.
“(Automatic firmware updates) can create new problems, especially if the user is unaware of the firmware being updated.”
That, Stanislav said, is probably in part because the average consumer may not even know what a router is. And, “the impact to an individual or their home network isn't necessarily easy to determine without a very specific review of how their device was configured, what vendor it's from, and what firmware it's running,” he said.
“It’s a much more layered and nuanced story than, ‘Company X was hacked, your data is now a risk.’”
Robert Siciliano, online safety expert for Intel Security, agreed. “If the flaw is too complicated for mass media to break down for the general public, they avoid discussing it,” he said.
Munro agreed, but said it is also because the media don’t find it that exciting – at least yet. Remotely hacking a car and causing it to crash catches public attention much more than explaining how a router is vulnerable.
Gettys said he thinks it is because, “it hasn't yet hurt in the pocket book at sufficient scale in the US,” but warns that the hurt is coming.
“People have not realized just how insecure these devices are, or what mischief this can cause for the customers and others – they are being increasingly used as part of botnets to attack others,” he said.
“People have not realized just how insecure these devices are, or what mischief this can cause for the customers and others.”

If there is any promising news to report, it is that there seems to be a growing awareness among developers and manufacturers that there is a problem.
“IoT (Internet of Things) devices in general are starting to focus more on easy firmware updates – automated processes that don't require user intervention, and overall longevity of hardware updates,” Stanislav said.
“This will, ideally, trickle down into the SOHO router market eventually. As design patterns and technical challenges are overcome, disseminating updates quickly will become easier for manufacturers.”
Gettys said he is hearing behind the scenes that there may be some improvements, “in not-yet-announced products; but I leave that to the manufacturers and service providers announcements to come.
“But even with these glimmers of hope, I'm discouraged, as the economic foundation of the problem has not changed,” he said, adding that changes in the law making the manufacturers of routers liable for security breaches is the only solution.

“The idea that someone can ship a product and not have any liability for even basic maintenance and upgrade of the software it contains for its expected lifetime must change,” he said. Without it, “new entrants who do a better job won't see a reward, and will have higher costs”
Stanislav said he has seen some vendors, “take a more cloud-based approach, where updates are an ongoing process that require less user intervention. But that can create new problems, especially if the user is unaware of the firmware being updated.
“We saw some outrage in 2012 for this type of auto-upgraded firmware from Linksys. This is a balancing act that vendors are still figuring out how to weigh,” he said.
Until major improvements occur, experts collectively recommend a number of steps consumers can take that won’t solve the problem entirely, but will make them less of a target than the average user:
•    Change the default password to one that is unique, long and complex.
•    If it is impossible to upgrade your router, buy a new one that does allow it. According to Munro, “the open-source community has offered alternatives for users by creating projects such as OpenWRT and Tomato, which provide open-source firmware to replace the vendor’s on common hardware platforms.” But, implementing them, “requires a reasonable level of IT skill,” he said.
•    Make sure that uPnP (Universal Plug and Play) is off.
•    Read the manual, and turn off or disable other features you may not need.
•    If your Internet service provider offers a combined router/modem, this could pass some of the responsibility for hardware updates onto it.
If you have the expertise, install OpenWRT. “But that’s not something grandma and grandpa will be capable of,” Gettys said.

CSO Online

 

« Has The US Become Complacent About Resisting Cyber Attacks?
Cyber War Pre-emption Is The Key to Defense »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

it-sa 365

it-sa 365

it-sa 365 is a digital platform for connecting IT security vendors and experts with those who bear responsibility for IT security in management and technology.

Secure360

Secure360

Secure360 focuses on the following key areas: governance, risk and compliance, information security, physical security, business continuity management, and professional development.

France Cybersecurity

France Cybersecurity

France Cybersecurity represents the French cybersecurity industry to raise international awareness of French cybersecurity capabilities and solutions.

Sepior

Sepior

Our vision is to make Sepior the leading provider of cloud-encryption software in the world.

Windscribe

Windscribe

Windscribe is a Virtual Private Network services provider offering secure encrypted access to the internet.

Gospel Technology

Gospel Technology

Gospel presents a totally new way of accessing and controlling data which is enterprise grade scalable, highly resilient, and secure.

Cowbell Cyber

Cowbell Cyber

Cowbell Cyber™ offers continuous risk assessment, comprehensive cyber liability coverage, and continuous underwriting through an AI-powered platform.

HSB

HSB

HSB offers insurance for equipment breakdown, cyber risk, data breach, identity recovery & employment practices liability.

PixelPlex

PixelPlex

PixelPlex is a blockchain and custom software development company with offices and developers in New York, Geneva, and Seoul.

Bitcrack

Bitcrack

Bitcrack Cyber Security helps your company understand and defend your threat landscape using our key experience and skills in cybersecurity, threat mitigation and risk.

Client Solution Architects (CSA)

Client Solution Architects (CSA)

Client Solution Architects (CSA) is a leading digital transformation consulting firm focused on the U.S. Defense Department and all U.S. Federal enterprise information technology service areas.

6clicks

6clicks

6clicks is an easy way to implement your risk and compliance program or achieve compliance with ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST, FedRAMP and many other standards.

VanishID

VanishID

VanishID (formerly Picnic) is a gritty, pioneering team of intelligence and cybersecurity specialists focused on solving the security challenge of our time - social engineering.

The PenTesting Company

The PenTesting Company

The PenTesting Company is owned and operated by offensive security professionals. Penetration Testing is essentially all we do.

Saiflow

Saiflow

SaiFlow provides a tailor-made cybersecurity solution for Electric Vehicles Charging Infrastructure (EVCI), Distributed Energy Resources (DERs) and energy networks and assets.

Roundsec

Roundsec

Roundsec provide information security services including risk assessment and pentesting of sites and apps.