Wireless routers are an ideal target for cybercriminals, and over the last five years numerous critical security failings have plagued these devices. The unfortunate reality is that it is far more common to find critical flaws in a consumer router than it is to find one without any exploitable flaws.
There are a number of reasons why these devices receive so little security attention from vendors. As a starting point, it is natural that vendors want to make their devices as user-friendly and full-featured as possible to attract customers; however, those goals tend to fly in the face of good security.
As a result of market dynamics that reward low-cost, full-featured devices, combined with neglect of security basics, today's routers are riddled with flaws that could put a lot of sensitive data at risk.
The root of the problem
Much of the problem with router security comes from vendors competing in a feature race on a product with razor-thin margins. Developers know there is a tight timeline to get their product to market and often take shortcuts that circumvent secure coding practice and ignore potential security vulnerabilities. This mentality is demonstrated by the lack of responsiveness from many vendors that don't even bother to release security updates for their firmware.
Router vendors are notoriously bad at fixing security bugs. Often these fixes take years, and some flaws reported by external researchers are never fixed, especially when there is no active attack in the wild making the headlines. In contrast, vendors that make routers for the enterprise, where security is definitely a differentiator and profit margins tend to run higher, commonly have fully staffed security teams actively researching their own products as well as acting on reports received from external researchers.
When confronted with the flaws, SOHO vendors tend to either play down the risk of attack or simply ignore reports entirely. This is a huge problem because these devices are gradually becoming so prevalent that a mass infection could have devastating impacts on personal privacy as well as the health of the Internet. Many of the devices being purchased and installed today are vulnerable off-the-shelf and will remain vulnerable indefinitely since vendors may not release updates and even if they do, consumers rarely download updates.
What needs to change?
At a technical level, all vendors should be using signed firmware to protect their devices against unauthorised replacement of the device operating system. This is already a significant problem: Lizard Squad has been using this technique to power their DDoS stressor service. Of course signing is only part of the solution; a clever attacker can generally find a way to bypass code signing requirements if exploitable conditions exist, and a signature check that lives only in the web-based update handler does nothing against an attacker who already has code execution on the device or physical access to its flash.
If router vendors were more aggressive about designing devices that automatically update themselves as security fixes become available, instead of relying on consumers to find and apply the updates, security would improve significantly.
However, the more problematic question is how vendors can be encouraged to reduce the number of vulnerabilities in production firmware and to minimise the time to release fixes when vulnerabilities are reported. There are a couple of ways in which this might happen, but none of them is likely to happen anytime soon.
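To make the signed-firmware point concrete, here is an added example (not from the article, and not any vendor's code) of the two halves of the scheme: the vendor's build system signs the image, and the device's update code accepts only images whose signature opens under the public key it ships with. Real vendors use RSA or ECDSA; this example substitutes a Lamport one-time signature because it needs nothing beyond SHA-256 from the Python standard library, and the image container layout (signature header followed by a payload whose first line carries the version) is an assumption made here for the demonstration.

```python
import hashlib
import hmac
import os

DIGEST_BITS = 256                    # SHA-256 digest of the firmware payload
SECRET_LEN = 32
SIG_LEN = DIGEST_BITS * SECRET_LEN   # 8192-byte signature header (assumed container layout)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def vendor_keygen(rng=os.urandom):
    """Vendor side: a Lamport key pair. Private key = 256 pairs of random secrets;
    public key = their hashes, which is what gets built into the device's update code."""
    sk = [(rng(SECRET_LEN), rng(SECRET_LEN)) for _ in range(DIGEST_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def vendor_sign(sk, payload: bytes) -> bytes:
    """Reveal, for each bit of SHA-256(payload), the matching secret.
    A Lamport key must sign only one image: every signature leaks half the secrets."""
    d = _h(payload)
    return b"".join(sk[i][_bit(d, i)] for i in range(DIGEST_BITS))


def vendor_package(sk, payload: bytes) -> bytes:
    """Hypothetical image container: signature header, then the payload."""
    return vendor_sign(sk, payload) + payload


def device_verify(pk, image: bytes) -> bool:
    """Device side: accept only an image whose header, hashed entry by entry,
    matches the public-key entries selected by the hash of the payload."""
    if len(image) < SIG_LEN:
        return False
    sig, payload = image[:SIG_LEN], image[SIG_LEN:]
    d = _h(payload)
    ok = True
    for i in range(DIGEST_BITS):
        revealed = sig[i * SECRET_LEN:(i + 1) * SECRET_LEN]
        # Constant-time compare; keep going so timing does not reveal which entry failed
        ok &= hmac.compare_digest(_h(revealed), pk[i][_bit(d, i)])
    return ok


def device_install(pk, image: bytes, current_version: str) -> str:
    """Return the version the device runs after an update attempt (assumed: first payload line)."""
    if not device_verify(pk, image):
        return current_version                     # unsigned or tampered: keep the running image
    return image[SIG_LEN:].split(b"\n", 1)[0].decode()


def demo() -> dict:
    """Genuine, bit-flipped, wrongly-keyed and unsigned images against the same device."""
    sk, pk = vendor_keygen()
    genuine = b"v1.2.4\n" + b"\x00" * 1000       # constructed stand-in for a firmware payload
    image = vendor_package(sk, genuine)
    tampered = bytearray(image)
    tampered[-1] ^= 0x01                           # one bit changed in the payload
    _, other_pk = vendor_keygen()                  # a device built with a different vendor key
    return {
        "genuine": device_install(pk, image, "v1.2.3"),
        "tampered": device_install(pk, bytes(tampered), "v1.2.3"),
        "wrong_key": device_install(other_pk, image, "v1.2.3"),
        "unsigned": device_install(pk, b"v9.9.9\n" + b"\x00" * 1000, "v1.2.3"),
    }
```

Only the genuine image changes the running version; the other three leave the device on v1.2.3. Note what the check cannot do: it runs inside the update handler, so it protects against a hostile image arriving through that path and nothing else.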
If consumers began making purchasing decisions based on the relative security of one product versus another, vendors would likely slow down on their race to add new features and spend some time focusing on security.
However, for this to happen consumers need some metric to evaluate the security of these products; this could be something like a consumer advocacy group tasked with reviewing and grading products based on results of a standardised security assessment in the same way that cars are tested for safety.
Unfortunately, no such advocacy group exists today and consumers’ eyes tend to glaze over the moment someone starts talking about a computer product in terms of security so this is unlikely to happen.
Another more likely possibility would be for industry regulators to hold vendors accountable for flaws in their products. This would likely mean levying fines against vendors who release products with serious, easily fixed flaws, which should have been discovered internally. Fines could also be given to vendors who fail to fix externally reported issues within a reasonable timeframe. External forces may also play a role in breaking the bad habits of router vendors.
While security researchers generally discourage full disclosure of unpatched flaws, a program like Google’s Project Zero targeted specifically at SOHO routers could ultimately prove successful in getting vendors to think about security to avoid the bad publicity associated with public declarations of unpatched vulnerabilities.
In the meantime nearly everyone using one of these routers is vulnerable. To minimise the most common attacks targeting these devices, here are six basic tips which should be applied to all consumer and business routers:
Don't enable remote management over the Internet
Embedded web servers are the source of many flaws, and exposing one to the Internet turns every bug in it into a remotely exploitable one. Your corporate security policy should mandate that routers used to connect to a corporate VPN have remote management features disabled. In situations where it is necessary to manage the router remotely, it is safer to use NAT rules that allow SSH or VPN access and then manage the router from inside the network. Vulnerability and configuration scanning products and services can be used to determine whether employees are connecting through routers with exposed management interfaces.
Don’t use the default IP ranges
Predictable addresses make CSRF attacks easier: a malicious web page can only aim its forged requests at the router if it knows, or can guess, the router's address. Rather than 192.168.1.1, consider 10.9.8.7 or something else which is not commonly used. This is a simple but effective technique for decreasing the likelihood of a successful CSRF attack, although it will not stop an attacker who takes the time to enumerate the LAN from the victim's browser.
Don't forget to log out after configuring the router
Several of the routers VERT examined will not automatically log out when not in use. This can result in a situation where the web browser used to configure the router remains authenticated, opening the door for CSRF attacks. Although some CSRF attacks succeed without authentication, this simple step will thwart traditional CSRF attacks, which rely upon that authenticated browser session.
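The three tips above (exposed embedded web server, guessable address, session that never logs out) are one attack chain seen from the router's side, so here is an added example of it in code; it is not from the article and does not model any particular vendor's firmware. The `RouterAdmin` class, its `/set_dns` endpoint and the request dictionaries are all constructed for the demonstration. With `idle_timeout=None` and `csrf_defenses=False` it behaves like the routers described above: any request that carries the session cookie is honoured, for as long as the tab stays open. The hardened configuration adds an idle timeout, an Origin check and a per-session anti-CSRF token.

```python
import hmac
import secrets


class FakeClock:
    """Deterministic clock so idle expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class RouterAdmin:
    """Hypothetical model of an embedded admin server's state-changing endpoint.

    idle_timeout=None: the session lives until an explicit logout (the behaviour described above).
    csrf_defenses=False: any request carrying the session cookie is accepted, so a forgotten
    admin tab is all a malicious page needs."""

    def __init__(self, lan_ip, clock, idle_timeout=None, csrf_defenses=False):
        self.lan_ip = lan_ip
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.csrf_defenses = csrf_defenses
        self.sessions = {}               # cookie value -> {"csrf": token, "last_seen": t}
        self.dns_server = "192.0.2.53"   # documentation-range placeholder for the real setting

    def login(self):
        """Password check elided. Returns (session cookie, per-session CSRF token); the token is
        embedded in the admin page rather than a cookie, so a cross-site page cannot obtain it."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"csrf": secrets.token_urlsafe(32), "last_seen": self.clock()}
        return sid, self.sessions[sid]["csrf"]

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def _session(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.idle_timeout is not None and self.clock() - s["last_seen"] > self.idle_timeout:
            del self.sessions[sid]       # idle expiry
            return None
        s["last_seen"] = self.clock()
        return s

    def post_set_dns(self, request):
        """Constructed POST /set_dns; keys: cookie, origin, csrf, dns. Returns an HTTP status."""
        s = self._session(request.get("cookie"))
        if s is None:
            return 401
        if self.csrf_defenses:
            # Browsers attach Origin to cross-site form posts; only the router's own pages may submit.
            if request.get("origin") != f"http://{self.lan_ip}":
                return 403
            # Per-session anti-CSRF token, compared in constant time.
            if not hmac.compare_digest(request.get("csrf", ""), s["csrf"]):
                return 403
        self.dns_server = request["dns"]
        return 200


def scenario():
    """The same forged request against a legacy router and a hardened one."""
    clock = FakeClock()
    out = {}

    legacy = RouterAdmin("192.168.1.1", clock)                   # default address: easy to guess
    sid, _ = legacy.login()
    forged = {"cookie": sid, "origin": "http://attacker.example", "dns": "198.51.100.6"}
    clock.advance(86400)                                          # admin tab left open for a day
    out["legacy_forged"] = legacy.post_set_dns(forged)            # 200: DNS hijacked
    out["legacy_dns"] = legacy.dns_server
    legacy.logout(sid)
    out["legacy_after_logout"] = legacy.post_set_dns(forged)      # 401: logging out closes the door

    hardened = RouterAdmin("10.9.8.7", clock, idle_timeout=600, csrf_defenses=True)
    sid, token = hardened.login()
    forged = {"cookie": sid, "origin": "http://attacker.example", "dns": "198.51.100.6"}
    legit = {"cookie": sid, "origin": "http://10.9.8.7", "csrf": token, "dns": "192.0.2.9"}
    out["hardened_forged"] = hardened.post_set_dns(forged)        # 403: wrong Origin, no token
    out["hardened_legit"] = hardened.post_set_dns(legit)          # 200
    clock.advance(601)
    out["hardened_after_idle"] = hardened.post_set_dns(legit)     # 401: expired, re-authenticate
    out["hardened_dns"] = hardened.dns_server
    return out
```

The forged request is a plain HTML form submission; it needs no JavaScript and no knowledge of the password, only a guessable address and a browser that still holds the session cookie. Each of the three tips removes one of those preconditions, and the hardened server removes the rest.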
Turn on encryption and turn off WPS
It's much easier for a router to be attacked if someone can connect to it. Turning on WPA2 with AES (CCMP), protected by a strong (26+ character) pre-shared key, is ideal. WPS is a service which makes it easier for authorised clients to connect, but it also makes it much easier for attackers to determine your wireless passphrase, regardless of its complexity or 'strength': the WPS PIN is only eight digits, one of which is a checksum, and the protocol confirms the PIN in two halves, so an attacker needs at most about 11,000 attempts to recover it and, with it, the passphrase.
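Why the length of the passphrase does not help once WPS is on, as an added example (not from the article): the checksum that closes a WPS PIN, a constructed stand-in for the access point's registrar that answers the way the real protocol does after each half of the PIN, and the two-stage search an attacker runs against it. The `make_registrar` oracle is a simulation written for this example, not the real EAP-WSC message exchange; the PIN 12345670 is used only because it is the standard test value.

```python
import math


def wps_checksum(body7: str) -> int:
    """Checksum digit that completes an 8-digit WPS PIN: weight 3 on digits 1,3,5,7, weight 1 on 2,4,6."""
    acc = 0
    for i, ch in enumerate(body7):
        d = int(ch)
        acc += 3 * d if i % 2 == 0 else d
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def make_registrar(true_pin: str):
    """Constructed stand-in for the AP's registrar. The real protocol proves the PIN in two
    halves, so a failed attempt already tells the attacker whether the first four digits were right."""
    def oracle(guess: str) -> int:
        if guess[:4] != true_pin[:4]:
            return 0          # rejected after the first half
        if guess[4:] != true_pin[4:]:
            return 1          # first half right, second half wrong
        return 2              # success: the AP hands over the WPA2 passphrase
    return oracle


def crack_pin(oracle):
    """Two-stage search: at most 10**4 + 10**3 attempts, not 10**7 (or 10**8 ignoring the checksum).
    Returns (pin, attempts used)."""
    attempts = 0
    first = None
    for h in range(10_000):
        attempts += 1
        if oracle(f"{h:04d}0000") >= 1:       # second half is irrelevant at this stage
            first = f"{h:04d}"
            break
    if first is None:
        return None, attempts
    for t in range(1_000):
        attempts += 1
        body = first + f"{t:03d}"
        pin = body + str(wps_checksum(body))   # only PINs with a valid checksum are worth sending
        if oracle(pin) == 2:
            return pin, attempts
    return None, attempts


def wps_search_space_bits() -> float:
    """Effective key strength of WPS with the split confirmation: about 13.4 bits."""
    return math.log2(10**4 + 10**3)


def passphrase_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a random passphrase over printable ASCII; 26 characters is about 171 bits."""
    return length * math.log2(alphabet_size)
```

The passphrase is never guessed at all: it is handed to whoever completes the PIN exchange. That is why the tip is to turn WPS off rather than to pick a longer passphrase.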
Change default passwords
Default passwords are often the same for an entire product line, or are generated from a common algorithm, making a device easy prey for an attacker. It is imperative that you and other users change passwords rather than using defaults. Using default or weak passwords can make it possible for malicious applications, or even web pages, to attack the router.
Keep the router firmware up-to-date
Up-to-date firmware fixes known product issues, including security problems. Routinely logging into the router to check for firmware updates also makes it more likely that users will notice unusual behaviour that could indicate compromise.
Sourced from Craig Young, security researcher at Tripwire