Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Black Hat

Router Botnets Are More of a Reality Than You Think

Router Botnets

On Sunday, security researcher Michael Coppola gave a presentation at DEF CON that explored the process of compromising routers used in SOHO (Small Office / Home Office) environments, and turning them into botnet clients.

Router Botnets

On Sunday, security researcher Michael Coppola gave a presentation at DEF CON that explored the process of compromising routers used in SOHO (Small Office / Home Office) environments, and turning them into botnet clients.

Coppola experimented with three different Netgear devices (WNDR3700, WNR1000 and WGR614), a Linksys WRT120N, a D-Link DIR-601, Belkin F5D7230-4, and two TRENDnet devices (TEW-652BRP and TEW-651BR).

Interestingly, his research with the Netgear products is a saga unto itself, as it involved a long back and forth with the company in order to obtain source code needed to unpack the file system on the WNR1000.

In the end however, his research was a success, as Coppola was able to manually backdoor legit firmware on the products tested. Still, the process is time consuming and complicated. So for those who wanted to further explore the topic, he created a tool called rpef, which automates the process.

DEF CON 2012 Wrap Up

The tool itself will support each of the tested products, and can be used to deploy payloads within the firmware that include traffic sniffing, a bind shell, or the creation of a bot client that can be controlled via IRC.  

Slides from his talk from DEF CON can be seen here. The rpef project page is here.

As for the risk of having a SOHO router hijacked, it’s actually rather strong. Coppola said that he discovered thousands of IP addresses owned by open routers that use default credentials. That alone would give an attacker the chance needed to upload modified firmware.

Otherwise, some of the administration panels are Web-based, and could be vulnerable to a number of attacks including XSS or CSRF. Unfortunately, those are just some of the ways to maliciously flash a router without anyone being the wiser.

Advertisement. Scroll to continue reading.

Updated firmware (as in ensuring the device is current on the latest version) can help in some cases but not all, as attacks that target retained settings within the device’s memory can still lead to compromise. In the end, using an open router within an active SOHO environment will come down to risk tolerance.

If the business is ok with the risk, no need to worry. Otherwise, don’t use open hardware, and avoid products from the big box retail outlets.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.