Network devices, except maybe firewalls, are not usually perceived as security-sensitive assets. Manufacturers and users do not invest time in assessing the security state of routers and switches. IT admins handling business IT infrastructures are mainly concerned with uptime when it comes to network devices. The usual tasks revolve around backup / restore of configurations, scheduled commands to monitor availability, and scripts to reboot the devices when needed. Firmware updates and vulnerability assessments are overlooked most of the time. Home users, on the other hand, just want their devices to work so that they can be online to browse or share information. They do not know how network devices work, and they trust vendors to deliver equipment that functions properly and performs as specified. Security is rarely a concern.
Although the number one priority is uptime, such devices are the “man in the middle” for data traffic between the perimeter (be it a business environment or a small home network) and the Internet. Any vulnerability in such a device can lead to the exposure of the data passing through, particularly when the devices are internet-facing.
Recent headline incidents reveal that even seasoned vendors of network devices may overlook important security aspects and deliver vulnerable equipment. While businesses and their servers remain important attack targets, home users have become attractive targets as well, mostly because they are more vulnerable and less security-aware, and because the benefits can be equally high. Home IT infrastructure usually consists of cheaper devices that are more prone to vulnerabilities while hosting personal information that attackers can use. The newer models of routers also offer the ability to plug in HDDs or USB sticks and share the information across the Internet, or back it up using cloud-based services. These are great features, but have the vendors given any thought to security when designing them?
Asus RT series
The Asus RT series routers are designed for home or small office use – and are widely used. In spite of the vendor’s experience in building such devices, they were shipped with multiple vulnerabilities that could easily be exploited. This case stands out both because of the impact and because of the delay in addressing the security problems.
Last year, security researcher Kyle Lovett reported that Asus routers in the RT series expose a series of vulnerabilities that enable unauthenticated access to the device from the Internet:
- Open FTP: by default the FTP server allows unauthenticated access, enabling directory traversal and access to security-sensitive files by anyone on the Internet;
- Exposure of user names and passwords (stored in clear text) for the AiCloud service – an application that allows Asus customers to take advantage of the vendor’s cloud services;
- Access to content on removable devices plugged into the router (USB sticks, HDDs);
- Ability to modify configuration settings of the device;
- Ability to place malicious JavaScript code in the Smart Sync folders of the device – enabling further web attacks when the code is served back to the web interface.
Although this information was reported to the vendor and made it to the news, it took AsusTeK Corporation more than six months to release updated firmware. In the meantime, attackers placed notification files on the vulnerable devices, informing the users that they were exposed. The end result was the following:
- Lists containing more than 12 000 IPs of vulnerable Asus routers published on the Internet
- Thousands of files shared from such devices were made available for download on various websites
- Thousands of login credentials for the AiCloud service were published
Linksys E1000 (E1200)
A similar incident involves another seasoned vendor of network devices: Linksys. Security researchers at SANS have reported an ongoing attack that installs malware on Linksys routers designed for home or small office use. The malware takes advantage of the remote administration interface, provided to ISPs to manage the routers remotely, in order to identify vulnerable devices. It then exploits an authentication bypass vulnerability in a CGI script used by the device in order to gain access and replicate. Eventually, the worm searches for other vulnerable routers and attempts to spread.
DNS redirection attack
Another incident where home and small office network devices were attacked was discovered in Poland at the end of 2013. Security researchers identified a worm that changed router DNS configuration in order to hijack the DNS requests and forward traffic to malicious servers, with the aim of stealing payment information. The attack also used social engineering techniques to lure users into accessing the bank’s servers, once the router was compromised.
How to prevent such incidents
These incidents reveal issues in the acceptance criteria for releasing network devices, and in the quality assurance process itself. It appears that network devices, especially entry-level ones, are not tested enough from a security point of view before release, even though they pose a risk to the many people who use them.
Vendors should consider using vulnerability assessment tools and scanning every firmware release for vulnerabilities that would compromise the device when facing the Internet. The appropriate tools for the job are those able to detect vulnerabilities in Internet-facing devices irrespective of their nature (servers, routers and Internet gateway appliances), and those that use penetration testing techniques to mimic attackers’ behaviour and consequently deliver a more accurate and complete assessment.
Businesses that do not want to rely on vendors to conduct security testing can develop an in-house security assessment process. The best way to ensure the security of an IT environment is to have appropriate tools that discover vulnerabilities in Internet-facing assets on a regular basis. Investing in such a solution is a must in any security strategy.
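One cheap in-house check that follows from the incidents above is to audit the configuration backups admins already collect, looking for the exact weaknesses discussed: anonymous FTP reachable from the WAN (Asus RT), web administration exposed on the WAN (the interface the Linksys worm abused), DNS resolvers that no longer match the operator's allowlist (the Polish DNS redirection worm), and credentials stored in clear text (the AiCloud exposure). The script below is an added example written for this page, not code from the article or from any vendor; the key=value layout, every key name, the trusted-resolver allowlist and both sample dumps are assumptions constructed for the example and do not reflect any real device's schema.

```python
"""Offline audit of a router configuration backup for the weaknesses
described above: open FTP, exposed remote administration, altered DNS
resolvers and clear-text credentials. Example code written for this page,
not a vendor tool. The key=value layout and every key name are assumptions
loosely modelled on NVRAM-style dumps, not any vendor's real schema."""
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the operator expects the router to use (constructed allowlist,
# using RFC 5737 documentation addresses).
TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample backups; not captured from any real device.
VULNERABLE_BACKUP = """\
# constructed sample: router left on insecure defaults
ftp_enable=1
ftp_anonymous=1
ftp_wan_access=1
http_wan_access=1
http_wan_port=8080
wan_dns1=192.0.2.53
wan_dns2=203.0.113.99
cloud_sync_passwd=hunter2
"""

HARDENED_BACKUP = """\
# constructed sample: same router after remediation
ftp_enable=1
ftp_anonymous=0
ftp_wan_access=0
http_wan_access=0
wan_dns1=192.0.2.53
wan_dns2=192.0.2.54
cloud_sync_passwd=
"""


@dataclass
class Finding:
    check: str      # short identifier of the failed check
    severity: str   # critical / high / medium
    detail: str     # human-readable explanation


def parse_config(dump: str) -> dict:
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are ignored rather than aborting the audit
            cfg[key.strip()] = value.strip()
    return cfg


def is_enabled(cfg: dict, key: str) -> bool:
    """Treat a missing key as disabled; accept the usual truthy spellings."""
    return cfg.get(key, "0").strip().lower() in {"1", "on", "yes", "true"}


def audit(cfg: dict) -> list:
    """Return one Finding per weakness present in the configuration."""
    findings = []

    # 1. Anonymous FTP reachable from the WAN (the Asus RT default).
    if all(is_enabled(cfg, k) for k in ("ftp_enable", "ftp_anonymous", "ftp_wan_access")):
        findings.append(Finding("open-ftp", "high",
                                "anonymous FTP is enabled and reachable from the WAN"))

    # 2. Web administration exposed on the WAN (the surface the Linksys worm used).
    if is_enabled(cfg, "http_wan_access"):
        port = cfg.get("http_wan_port", "80")
        findings.append(Finding("remote-admin", "high",
                                f"web administration reachable from the WAN on port {port}"))

    # 3. Resolvers outside the trusted set, or not even valid addresses
    #    (the symptom left behind by the DNS redirection worm).
    for key in ("wan_dns1", "wan_dns2"):
        server = cfg.get(key, "")
        if not server:
            continue
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(Finding("dns-malformed", "critical",
                                    f"{key}={server!r} is not an IP address"))
            continue
        if server not in TRUSTED_DNS:
            findings.append(Finding("dns-changed", "critical",
                                    f"{key}={server} is not a trusted resolver"))

    # 4. Credentials stored in clear text in the backup (the AiCloud exposure).
    for key, value in cfg.items():
        if value and re.search(r"passw|secret|token", key, re.IGNORECASE):
            findings.append(Finding("cleartext-secret", "medium",
                                    f"{key} holds a clear-text credential"))
    return findings


if __name__ == "__main__":
    for name, dump in (("vulnerable", VULNERABLE_BACKUP), ("hardened", HARDENED_BACKUP)):
        print(f"== {name} ==")
        for f in audit(parse_config(dump)):
            print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run against the vulnerable sample the audit reports all four weaknesses; the hardened sample, which disables anonymous and WAN-side FTP, turns off WAN administration, restores the trusted resolvers and stores no credential in the backup, produces no findings. Because it works on a backup file rather than the live device, the same check can run on every scheduled backup, so a resolver change of the kind the DNS redirection worm made shows up the next time the backup job runs.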