Header Ads

Home Routers Will Be Cyber Criminal's Slave.

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

With more homes running smart devices use of routers has increased widely since 2015. And whether an end user has a laptop/desktop and router combo, or a collection of other devices connected to the network, the security risks are the same. Based on our research, home routers have been most sensitive to cross-site scripting (XSS) and PHP arbitrary code injection attacks, as well as being involved in carrying out DNS amplification attacks.

A smart but unsecured device connecting to the Internet is much like inviting even a curious script kiddie to attack your systems. Placing basic security on the gateway simply won’t work. Bad guys, presented their recent foray into home networks, will always look for ways to break doors open. Unfortunately, they infect these devices and turn them into slaves that can be ordered to follow the cybercriminals’ command, as exemplified by recent attacks on DNS provider Dyn and Brian Krebs, and a command injection vulnerability found in multiple Netgear routers.

Backdoors, ELFs, and “The Future” 

Home routers and Internet of Things (IoT) devices typically run on Linux given the operating system’s (OS) popularity and cost-effectiveness. By also taking advantage of Linux’s portability, malware written for x86 platforms can be converted to a home router’s (usually ARM or Armel), with few or no changes in the source code.

Home routers can also be affected by malicious applications, scripts, and ELF binaries. BASHLITE (detected by Ethical Hackers Club as ELF_BASHLITE family), for instance, was used in a huge distributed denial-of-service (DDoS) attack in 2014, and recently wrought a DDoS botnet by infecting IoT devices, mostly DVRs in Brazil, Colombia, and Taiwan. They can also be infected with hidden backdoors targeting ARM, Intel and compatible x86 and x86-64 architectures. This includes Ring 3 rootkits such as Umbreon and vlany, which borrowed features from another well-known Linux-targeting rootkit, Jynx2.

Mirai botnet was one of itself, not because of its complexity but as its source code was released on a hacking forum, turning it into an open-source malware which is now widely used and modified to become more effective. Modifications of it were employed to zombify TalkTalk routers. It also caused service outage to customers when a Mirai botnet attacked 900,000 home routers provided by Deutsche Telekom.

Default router credentials used by Mirai

Mirai avoids scanning IPs from private networks and certain organizations

Notable Security Issues affecting Home Networks as found by Ethical Hackers Club

In order to research how Home Networks can be secured, we tested them by the list of available attacks.
What we found us left our team amazed:
These devices were easily turned into slaves.

Most effective security issues were:

  • DNS amplification attacks
  • Bitcoin and Litecoin mining
  • JavaScript obfuscation
  • WScript remote code execution
  • Cross-site scripting (XSS) attempts
  • PHP arbitrary code injection
  • Internet Information Services (IIS) remote code execution (CVE-2015-1635)
  • Android buffer overflow exploit of libstagefright.

Top 10 Rules Triggered
                  Home Devices Affected
1056167 XSS-12
1055106 PHP Code inj
1059684 Bitcoin
1130172 DNS Amp
1054846 XSS-8
1056687 Javascript obfs-5
1130593 IIS HTTP.sys
1050015 XSS-34
1110895 WScript.shell
1132263 Android tx3g B.O.
Test Data Collected by Ethical Hackers Club

The unusually high number of attack compromised home routers controlled by hackers. In terms of location, most were attack prone routers were being used in the New Delhi (more than five times as much as compared to Mumbai), Nashik, Gorakhpur, Varanasi.

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
However, New-Delhi had the highest average number of attacks per router.  New-Delhi had the most attacks and the highest average number of vulnerable home networks. This can be an indication of the scaling frequency of home devices being turned into slaves—along with other malicious activities—in the country.

Protection Tips:

India is faster getting digital and more than enterprise’s home network will soon be prone to attack due to lack of Cyber Security Awareness among people. 
A vulnerable home network can adversely affect not only the owners and ISPs, but also the connected devices and personal data stored on them. While OEMs and equipment manufacturers play vital roles in securing these devices, users can prevent the risks of turning their home routers into slaves by practicing healthy digital security hygiene such as:

  • Don't consider purchasing used Routers.

  • Using devices that go beyond functionality and ease of use, with security and privacy as selling points.

  • Changing the device’s default settings such as log-in credentials (i.e. router SSID, username, and password) to make them less sensitive to unapproved access

  • Regularly checking the router’s DNS settings to see if they’ve been tampered with (checking the DNS servers’ IP address the router is forwarding data to)

  • Encrypting wireless connections (Wi-Fi) to stop network trespassers.

  • Keeping software and firmware up-to-date to prevent vulnerability exploits

  • Use the router’s built-in firewall

  • Configuring the router to be more resistant to attacks (i.e. changing subnet addresses, using random IP addresses on the router, enforcing SSL)

  • Using browser extensions that can help prevent web scripting attacks (i.e. denying access to the router’s IP address)

  • Using tools that check if the router is freely exposed to the Internet (i.e. port scanning)

  • Using only authentic applications through official/trusted app stores, if IoT home devices are connected to a mobile device

  • Disabling unnecessary components in the router such as Universal Plug and Play (UPnP), WPS, and remote administration features such as Telnet and web admin page access via WAN, which can be leveraged by malware when creating botnets

  • Deploying tools that add a layer of security to the device, such as intrusion prevention systems in the gateway

And, of course, stay on top of the latest security threats by following me on Twitter, and ‘Like’ us on Facebook. 
Powered by Blogger.