Last week, home broadband router maker ASUS became the latest vendor to issue an emergency patch for a critical vulnerability in its products. The patch came after proof-of-concept exploit code was released for the so-called “infosvr” vulnerability, which affects several ASUS home routers.
That vulnerability, if left unpatched, would allow anyone with access to a home or small-business network that used an ASUS broadband router to, essentially, commandeer the device.
The “infosvr” feature is typically used for device discovery by the ASUS Wireless Router Device Discovery Utility, but the service also allowed unauthenticated users to execute commands through it with “root” permissions, according to researcher Friedrich Postelstorfer, who created a proof-of-concept exploit for the security hole and released it on January 4.
The exploit code finally prompted a patch from ASUS on January 13. The company had spent months analyzing the issue and working on a fix.
Patch aside, it has been a worrying month for the approximately 100 million broadband Internet subscribers in the U.S. The ASUS exploit code was just the latest in a series of security warnings about vulnerable or compromised home and small office routers. Among them:
- The security website Krebs on Security reported on January 15 on research revealing that the Lizard Squad hackers who knocked web sites by Sony and Microsoft offline on Christmas relied on a botnet of compromised systems, many of them hacked home Internet routers.
- As reported by the web site Threatpost.com, Spanish security researcher Eduardo Novella uncovered a critical, remotely exploitable vulnerability in home routers by the manufacturer Pirelli and distributed by Movistar Telefonica in Spain.
- In December, US-CERT at the Department of Homeland Security warned manufacturers of broadband routers of a common vulnerability, dubbed “Misfortune Cookie,” that had been patched more than 10 years ago but is still lingering on many deployed devices.
Add those issues to the myriad of vulnerabilities and exploits of home broadband routers that have cropped up in recent years, and you have a roiling problem of insecure or vulnerable devices.
Home broadband routers are the tip of the spear of the Internet of Things. Yet broadband routers and the companies that sell them still operate largely by means of “security through obscurity.”
“They have the complexity of a computer with the set-and-forget qualities of a TV,” says David Longenecker, an independent security researcher who studies the security of broadband routers.
Longenecker first got interested in the security of the devices after reading an article about a flaw affecting the broadband router he used at home. After learning of a firmware update for the device, he logged into his home router only to discover that the device reported that it was running the most recent firmware version – even though Longenecker had just read that a newer firmware version with a critical security fix was available.
After digging into the firmware code, Longenecker found the source of the conflict – and a host of other problems, including insecure handling of administrative credentials and the absence of integrity checks for firmware updates on the device. “Basically the auto-update feature on the router did nothing to ensure the integrity of the update,” he said.
He says that broadband router security is about where Windows security was around the turn of the millennium. “It’s a part of the ecosystem that simply has not been paid attention to,” he said. “But hackers are paying attention to it, so we on the other side have to mature the router security in the same way we spent a decade maturing the security of PCs.”
If anything, home routers pose an even greater threat than vulnerable PCs. Compromising one gives the attacker control not only over that device, but over the devices that connect to it. “If I own the router, I can own the network,” he said.
As Internet of Things technologies gain adoption in homes and small businesses, owning the broadband router could be an avenue to highly targeted and personal attacks, Longenecker predicts.
“Things certainly won’t get easier once you start adding IoT into the mix,” he said. “On the one hand, it is very often that a Blu-Ray Player becomes a pivot point to own a network. But it’s absolutely possible that an IP camera you have deployed could be used to spy on you.”
However, lifting the security of the devices sold to consumers and businesses won’t be as easy as cajoling Microsoft or Apple into improving the security of their software.
Dozens of companies compete in the broadband router market, each with a slightly different mix of hardware and software. If you add in specialized firmware and chip makers, there might be as many as 50 or more companies with a hand in the quality of the finished router product. Improving the security practices of such a broad ecosystem of vendors will be difficult.
The more worrying trend may be that consumers treat all connected devices with the “set and forget” attitude they use for their broadband routers. Connected things may, like the routers, be unfamiliar and chimeric – not devices that are thought to require software updates, authentication, secure configuration and so on.
At the very least, Longenecker would like to see router manufacturers take more ownership: sending e-mail updates to customers when new software updates are available and, in some cases, allowing direct over-the-air updates of lower-risk home devices.
As with other technologies, however, consumers are not demanding security in the same way that they demand features like faster speeds or parental controls. That means manufacturers have little incentive to fast-track security improvements. “It’s a matter of economics,” Longenecker said.