The Worm (Re)Turns, Targets Embedded Linux AirOS

Vulnerable AirMax gear from Ubiquiti networks is being targeted by an Internet worm exploiting a known hole in the AirOS embedded Linux operating system.
Vulnerable AirMax gear from Ubiquiti networks is being targeted by an Internet worm exploiting a known hole in the AirOS embedded Linux operating system.

In-brief: A self-reproducing Internet worm is spreading globally, infecting embedded systems running AirOS, Linux-based firmware that runs hardware like wireless routers and wireless access points.

A self-reproducing Internet worm is spreading globally, infecting embedded systems running AirOS, Linux-based firmware that runs hardware like wireless routers and wireless access points.

Wireless Internet Service Providers and other customers of Ubiquiti Networks, which makes a range of wireless networking equipment, have been filling company support forums with reports of infections of devices running the AirOS operating system for the last week. The worm spreads by exploiting a vulnerability in older version of the AirOS operating system, spreading between AirOS devices on networks that it infects.

The worm is just the latest threat to target vulnerable, embedded systems like routers and wireless access points, which are often loosely managed by businesses and consumers. The effects of the AirOS worm were particularly felt among wireless ISPs (or WISPs) in countries like Spain and Brazil, with reports of thousands of infected devices at customer sites.

Ubiquiti devices including the airMAX M, airMAX AC, airOS 802.11G, the ToughSwitch, airGateway and airFiber running older versions of their firmware are being attacked via a known and exploitable vulnerability reported to Ubiquiti through its bug bounty program and patched in July, 2015.

Despite the availability of a patch 10 months ago, many Ubiquiti devices had not applied the updated firmware. If those unpatched devices also had their HTTP or HTTPS interface exposed (that is: you can connect directly to them via the web), attackers were vulnerable to attack.

An analysis by researchers at Symantec found that Ubiquiti routers are being targeted using HTTP or HTTPS requests that exploit the known firmware vulnerability. When successful, attackers upload malicious files to arbitrary locations on the compromised router and then creates a backdoor account with the user name “mother” and the password…well, you can guess what the password is.

[Read more Security Ledger coverage of embedded systems security.]

After that, the worm blocks administrator access to the device, installs itself on the router so that it will launch every time the router is restarted and starts scanning nearby addresses looking for other AirOS devices to infect.

 

Researchers at Symantec say that the worm does not use its access to infected devices for any nefarious purpose.

Like previous attacks on embedded systems, the hacks of AirOS devices rely on a population of loosely managed and insecure devices. Many AirOS devices are deployed “as is,” without owners bothering to change the default user name and password, let alone apply security fixes.

In January, 2015, researchers warned about Linux.Wifatch, a “backdoor” Trojan horse program that infected embedded Linux systems. In 2014, there was “TheMoon” worm which targeted Linksys routers using a known security flaw.

Comments are closed.