The sorry state of consumer (a.k.a. SOHO) routers has reared its ugly head again. This time it came from a report issued by Incapsula called "Lax Security Opens the Door for Mass-Scale Abuse of SOHO Routers".
At the heart of the report is a familiar idea: routers left with their default passwords. Even worse, the malware-infected routers that Incapsula discovered were accessible from the Internet using both HTTP and SSH on their default ports (80 and 22). Bingo! You just can't make a bigger security mistake than to expose remote administration to the Internet with default passwords.
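The quickest way to find out whether your own router makes that mistake is to look at it the way the botnet does: from the outside. The script below is an added example (it is not from the original column or from the Incapsula report) that probes a WAN address for the ports router administration services usually listen on and grabs the banner from anything that answers. The port list and the placeholder address are assumptions for the example; run it from outside your own network (a phone on mobile data, a VPS), because from inside the LAN you only see the LAN-side interface, and only against addresses you own.

```python
"""Probe a router's public address for exposed administration services.

Added example, not code from the Computerworld column or from Incapsula.
Usage:  python probe_router.py <your public IP>
"""
import socket
import sys
from typing import Dict, List, Tuple

# Ports SOHO router remote-administration services commonly listen on.
# This list is an assumption for the example, not taken from the report.
ADMIN_PORTS: Dict[int, str] = {
    22: "ssh",
    23: "telnet",
    80: "http",
    443: "https",
    8080: "http-alt",
    8443: "https-alt",
}


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered (timeout) or unreachable all count as "not open"
        return False


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Return whatever the service sends first (SSH and telnet announce themselves).

    HTTP servers stay silent until they get a request, so an empty string does
    not mean the port is closed; port_open() answers that question.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("ascii", errors="replace").strip()
    except OSError:
        return ""


def exposed_services(host: str, ports: Dict[int, str] = ADMIN_PORTS,
                     timeout: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (port, service name, banner) for every admin port that accepts a connection."""
    found = []
    for port, name in sorted(ports.items()):
        if port_open(host, port, timeout):
            found.append((port, name, grab_banner(host, port, timeout)))
    return found


if __name__ == "__main__":
    # 203.0.113.1 is a documentation address used only as a placeholder here.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"
    hits = exposed_services(target)
    if not hits:
        print(f"{target}: no administration ports answered from the outside")
    for port, name, banner in hits:
        print(f"{target}:{port} ({name}) is reachable from the Internet"
              + (f" -> {banner}" if banner else ""))
```

Anything this prints is a port you should be able to explain; a router that should only be managed from the LAN ought to print nothing at all.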
Needless to say, these brutally vulnerable routers were attacked, compromised by bad guys and used in Denial of Service attacks.
The investigation that led to the just-released report started when Incapsula customers were attacked by a Distributed Denial of Service botnet of "tens of thousands of hijacked routers". They spent four months investigating and found "attack traffic from 40,269 IPs belonging to 1,600 ISPs worldwide." Yikes.
Nobody knows how many compromised routers there are, but Incapsula writes that there are "... hundreds of thousands - more likely millions..."
Hacking routers is now a thing.
In January, Brian Krebs reported on the LizardStresser attack service "powered mostly by thousands of hacked home Internet routers." There have also been many attacks, both via email and malicious web pages, that target routers still using their default passwords and default LAN IP addresses.
The vulnerable routers were brutally attacked.
Incapsula found malware called Mr.Black on most of the routers. But not just one copy of the malware, no, "... on average, each compromised router held four variants of Mr.Black malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks." It's malware Fight Club on those poor routers.
Why so much malware? The report says that "based on the profile of targets and the attack patterns, we know these compromised routers are being exploited by several groups or individuals." One of those groups was Anonymous.
More than 85 percent of the hacked routers are in Thailand and Brazil. The worst botnet they ran across consisted "of a large number of SOHO routers, predominantly ARM-based Ubiquiti devices." It is thought that the security misconfiguration was due to the ISPs rather than Ubiquiti. Igal Zeifman, the head researcher behind the report, said by email:
In one case we saw an ISP with over 15,000 compromised routers and in another one with over 2,500 similarly vulnerable devices. These numbers can only suggest an issue with default settings, as it is very unlikely that thousands of users who know to change their remote admin configurations would not bother to change their default passwords.
Interestingly, none of the ISPs were named in the report.
A recent experience with an Arris gateway (combination modem/router) tells me that Time Warner distributes devices configured with default passwords (I did not test if the box was also accessible from the Internet). A September 2014 article by Susan Bradley shows that Comcast does too (she also did not look into the state of the firewall and remote administration).
How do customers get issued severely vulnerable routers? Technical incompetence? Laziness? The need to save money? Incapsula blames it on "particularly reckless security practices".
There is another possibility too - the routers may have been purposely configured this way by ISPs to enable spying and other assorted attacks on the computing devices behind the router.
Prior to publishing their report, Incapsula contacted both Ubiquiti and the ISPs whose networks they found to be the most open to abuse. The report does not say what, if anything, has been done about the problem. It does say that "Many of these botnet devices remain active, continuing to play a role in attack attempts against our clients and other websites—even as this is being written".
Perhaps somewhere there is a lawyer married to a computer nerd who will file a lawsuit for gross negligence against an ISP. A legal Rosa Parks. Avoiding a large fine is probably the only way this will change.
While Incapsula is focused on defending against DDoS attacks, my focus is more personal. There is no end to the list of bad things that can happen to people and computers that sit behind a compromised router. Really.
With that in mind, I will skip the usual Defensive Computing advice offered by Incapsula and by others covering their report. You probably know the drill: change passwords, test your firewall, update firmware, disable remote administration and eat your vegetables.
Instead, let me suggest that you avoid hardware from your ISP. That is, buy your own modem and router.
I decided to avoid consumer routers a couple of years ago. Just last month, router expert Craig Young of Tripwire confirmed this, saying:
Many of the vendors in this space [consumer routers] have a difficult time justifying additional engineering time to fix security flaws ... our research did not reveal any strong correlation between the selling price of a router and its relative security ... If you want to pay for a more secure experience, ideally you want to skip the SOHO market entirely and jump right into enterprise gear. Vendors selling real enterprise products generally have well resourced security teams to evaluate and respond to threats. In the enterprise space there is far more concern placed on having a reputation for good security since the risks are typically much higher for business users. Ironically with the increase of feature sets on home routers, the price difference between enterprise and SOHO is eroding.
This being Computerworld, some of you are no doubt thinking that third-party firmware such as DD-WRT and OpenWRT is the way to go. According to Young, while alternate firmware has some advantages, security is not necessarily one of them:
The use of alternative open firmware definitely can have its advantages for advanced users but it is not necessarily the case that it is any more secure or even more frequently updated than commercial router firmware. Back in 2012 I submitted a report to DD-WRT while testing a D-Link device running DD-WRT v24-sp2. The bug report is still open 2.5 years later. The advantages for an advanced user include the ability to have enterprise style features on consumer hardware as well as to fix bugs for themselves, remove unwanted services, and truly lock down the router. For the non-technical user however the benefits are far more limited and the difficulty to configure the system is far greater.