A little over two weeks ago, anon posted almost 13,000 IP addresses of vulnerable Asus routers to Pastebin. The list has been viewed over 44,400 times since posting, enough for a few malicious hackers to get their act together and start exploiting. Another link is available containing over 10,000 lists of files stored on Asus-connected hard drives. The issue is that the vulnerabilities were first exposed more than 6 months ago and Asus had not done anything to patch it until last week. Asus is not the only culprit. Linksys vulnerabilities were exposed by the Internet Storm Center two weeks ago in 23 separate router models. The Moon, a worm targeting Linksys routers, has been happily self-replicating in the E-Series and Wireless-N product line. The exploit bypasses the admin authentication, but only works when the Remote Management Access feature is on. Linksys has published technical advice about how to prevent the routers from getting infected.
The router attack vector is not new. Tripwire recently published a study stating that 80% of the top 25 routers available on Amazon were vulnerable. The Polish CERT team also reported a large scale DNS redirection attack on home routers for financial theft. Further, researchers at the University of Liverpool and Queen’s University Belfast published a paper back in October 2013 on a proof-of-concept Wi-Fi access point to access point virus named Chameleon. This attack replaces the firmware of an existing access point (such as a router) and masquerades the outward facing credentials. The virus essentially employs a WLAN attack technique which independently infects and propagates amongst WiFi access point embedded systems.
The issue, as always, is that equipment manufacturers continue to push out products with poor or non-existent security settings. If the markets for personal clouds, IoT and connected homes are ever going to take off, there needs to be a serious change of mind set with regards to the protection of consumer products. Hiding or ignoring security vulnerabilities is not conducive to long-term business success. The cybercriminal menace is already high enough, and added to that is the credible threat of government espionage. Protecting privacy is just as important as protecting intellectual property rights of big corporations. It’s time for consumer security to be taken seriously. Liability for non-patching of known vulnerabilities affecting top product offerings would be a good start. Until such time as the end-user becomes more educated about cybersecurity, the onus is on the providers of consumer ICTs to ensure that security is adequately addressed in a timely fashion. Anything short of this is simply bad business ethics.