Researchers at Team Cymru have detailed a massive compromise of small office/home office (SOHO) routers throughout Europe and Asia and shined a light on the security of devices that are sometimes overlooked.
According to Team Cymru, the attackers are altering the domain name system (DNS) settings on devices to redirect victims to IP addresses and domains under their control. Believed to have impacted more than 300,000 routers from TP-Link, D-Link and others, the attack campaign underscores a particularly dangerous attack vector for users.
“We have been collecting SOHO router attacks in the Metasploit Framework for many, many months now, and have been predicting a steep rise in criminal activity in this area over the same period,” said Tod Beardsley, engineer manager at Rapid7. “It was only a matter of time before these woefully out of date, and often difficult to patch, devices became primary targets for criminal enterprise.”
It is far from the first time routers have been targeted by attackers. The SANS Institute warned about the spread of a worm targeting Linksys routers. But even in 2011, researchers at Kaspersky Lab observed a widespread attack in Brazil that affected 4.5 million devices.
“It’s becoming common, but still not known from the public,” Fabio Assolini, security researcher at Kaspersky Lab, said of router attacks.
The situation described by Team Cymru is sophisticated because it is silent and remote, and the perpetrator can prepare a crawler to scan a certain IP range to find vulnerable devices and attack, Assolini explained.
“All they need is a vulnerability not fixed by the network device manufacturer or finding an outdated device, running and old firmware,” he said.
In January 2014, Team Cymru’s Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe. To date, 300,000 devices have been identified around the world compromised as part of this campaign, one which dates back to at least mid-December of 2013. The affected devices had their DNS settings changed to use the IP addresses 126.96.36.199 and 188.8.131.52.
Most of these devices are located in Vietnam; however others are located in Italy, India and Thailand.
“The affected devices we observed were vulnerable to multiple exploit techniques including a recently disclosed authentication bypass vulnerability in ZyXEL firmware and cross-site request forgery techniques similar to those reported in late 2013,” according to the Team Cymru paper.
“Because of the ubiquity of factory default settings on SOHO devices, some are vulnerable to simple password guessing,” according to the report. “We observed many of the devices communicating with suspicious DNS servers had graphical user interfaces that [were] accessible from the Internet, and thus vulnerable to simple brute force log-on attempts. A considerable number of remotely accessible devices appeared vulnerable to the “ROM-0” vulnerability published in early January. This vulnerability in ZyXEL’s ZynOS allows attackers to download the router’s configuration file from the unauthenticated GUI URL: http://[IP address]/rom-0. While the resulting ROM-0 file still has to be decompressed, this process is trivial with available tools, and automated attack scripts are available online which explicitly call out the ability to change DNS settings.”
Organizations should urge their customers and external partners review their local router settings and security policies and disable remote user mode administration features, Team Cymru recommends. Command line configuration of devices should be used where possible.
“The absolute easiest thing users of SOHO devices can do to help protect themselves is to figure out non-factory-default settings for their routers,” Beardsley said. “First and foremost, that means changing passwords and writing those passwords down in a reasonable secure location, like on the underside of the router – this assumes the attacker isn’t “calling from inside the house.”
“To avoid the [cross-site request forgery] attacks documented by Team Cymru in specific, the easiest route to avoiding compromise is to also change the default network settings,” he said. “Ninety-nine percent of SOHO routers use 192.168.1.0/24 or 172.16.0.0/16 or 10.0.0.0/8, with a router address of 192.168.1.1, 172.16.1.1 or 10.1.1.1 respectively. Simply changing the network to something more restricted (172.16.100.0/24, for example), and the router address to something a little weird like 172.16.100.100, makes automated attacks that use CSRF to send commands to the router much more difficult to pull off.”
The attack is another example of consumers being surrounded by devices they don’t think of as computers, said Patrick Thomas, security consultant at Neohapsis. All of the security concerns with normal desktop computers exist with these devices, but neither consumers nor manufacturers have adjusted to thinking this way, he said.
“Microsoft didn’t get a handle on the security of the Windows ecosystem until they had solid automatic updates,” he said. “Similarly, web browsers and their plugins were a security nightmare until all of the major browser vendors rolled out reliable auto-update approaches. In general, consumers lack the expertise and initiative to manually maintain software versions on their devices, so the onus is on vendors to build sane updating into anything that might possibly need it.”
For most home users, routers are a ‘set it and forget it’ type of device, said Jaeson Schultz, a researcher with Cisco’s Security Threat Research, Analysis and Communications (TRAC) team.
“Only when things aren’t working correctly do users even notice,” he said. “There is also no easy mechanism for the router manufacturers to notify users of security vulnerabilities. Because of this…routers can lag other devices in terms of proper security update application.
*This story was updated with additional commentary.