So, you think you’re doing a pretty good job in terms of computer security on your home PC? You’ve kept your computer fully patched against the latest vulnerabilities? You’ve ensured that your PC is running the latest-and-greatest anti-virus updates?
Good for you.
Now, how about your router?
My suspicion is that the typical computer user doesn’t give a second thought about whether their router could be harbouring a security threat, imagining that the devices don’t need to be treated with suspicion.
But if you think that, you’re quite wrong.
Fabio Assolini, a researcher for Kaspersky Labs, gave a fascinating presentation at the Virus Bulletin conference in Dallas last week, describing how more than 4.5 million home DSL routers in Brazil were found to have been silently hacked by cybercriminals last year.
Assolini described in his presentation, entitled “The tale of 1001 ADSL modems: Network devices in the sights of cybercriminals”, how at some Brazilian ISPs, more than 50% of users were reported to have been affected by the attack.
Here’s how the attack came about.
You’re on Google’s website, but you’re not on Google’s website
The first thing users may have noticed is that they would visit legitimate websites such as Google, Facebook and Orkut (a Google social network which is particularly popular in Brazil) and would be prompted to install software.
In the example below, visitors to Google.com.br were invited to install a program called “Google Defence” in order to access the “new Google”.
Note – google.com.br is the correct web address for the Brazilian edition of Google, and Google’s Brazilian website had not been compromised or hacked to make available a malicious download.
And yet, “Google Defence Para” had nothing whatsoever to do with Google, and was being distributed without the search engine giant’s blessing.
How was this possible?
Exploited routers using malicious DNS servers
The answer is that the user’s ADSL modem had been compromised, and the hackers had changed the router’s configuration to point to a malicious DNS (domain name server). This meant that when the user entered the web address of a legitimate website (like google.com.br or facebook.com) they could be taken to a dangerous website instead, posing as the real thing.
Cybercriminals had managed to access vulnerable modems remotely via the net.
Now, normally if you access a router via the internet you will be asked for a username and password – and so long as the user has chosen hard to guess login credentials (and not gone with manufacturer’s defaults) all should be well.
Unfortunately, in this case, the hackers were able to exploit a vulnerability in the Broadcom chip included in some routers. Assolini explained that “the flaw allows a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the ADSL modem, capturing the password set on the device and allowing the attacker to make changes, usually in the DNS servers.”
In short, the exploit allowed malicious hackers to break into millions of routers remotely, without having to know the passwords being used to protect them.
And once there, the hackers were able to change the ADSL modem’s DNS settings – pointing them to one of 40 malicious DNS servers around the world.
The end result is that many Brazilian users downloaded code, mistakenly believing they were from websites they trusted, including:
- br.msn.com/ChromeSetup.exe
- facebook.com.br/ChromeSetup.exe
- facebook.com/ChromeSetup.exe
- facebook.com.br/Activex_Components.exe
- and many more..
In some cases, the attackers didn’t even have to use such social engineering to trick users into installing the software – exploiting Java vulnerabilities to plant malicious code onto victims’s computers as what should have been trustworthy websites were visited.
Ironically, if users contacted their anti-virus vendor’s tech support line and asked them about the safety of files like facebook.com/ChromeSetup.exe, chances are that the support technician would not be able to locate the file themselves because their own computers were not running through malicious DNS servers.
And, of course, affected users would often be adamant that they had done nothing wrong – certain that their computers were fully updated with patches and anti-virus. But, of course, that didn’t stop the remote attack on their router.
Furthermore, the problem was not just limited to home users. According to Assolini, routers designed for the SOHO market are more commonly encountered than you might imagine on corporate networks, not just in Brazil but worldwide.
Eventually it was discovered that the common denominator between affected computers was that they were all using routers made by one of six different hardware manufacturers.
Fixing the problem, however, was not so easy. The automated remote hacks of millions of ADSL modems had not just changed the devices’ DNS settings – they had also changed the password to access the device to phrases like “dn5ch4ng3” and “cg4ng3dn5”, meaning that users could no longer get in via their admin panels. If only they had known the exploit too..
Hackers reap rewards, and spend it on Rio prostitutes
The motivation for the attack, which impacted millions of Brazilian users, was – of course – money.
Malware installed onto victims’ computers could steal files and keypresses, trick users into entering sensitive information on convincing phishing pages, spy upon passwords and banking information, and provide a flood of data for the hackers to exploit.
Interestingly, in his presentation, Assolini presented an IRC chat between some of the hackers involved in the DNS caper.
One of them described how another hacker earned more than 100,000 Reais (approximately $50,000) and would spend his ill-gotten gains on trips to Rio de Janeiro in the company of prostitutes.
Reasons why routers can be exposed to security threats
So, why is it that routers are seemingly so vulnerable? It turns out there are a few possible explanations.
Poor patching. Despite exploits against a wide range of network devices, modems and routers being publicly available on the internet – some manufacturers have chosen to largely ignore the problem.
That means that even if you want to patch your DSL router against a known security vulnerability, a fix may not be available for you.
Default passwords. In some cases, a vulnerability may not even be needed. For instance, if a device uses a known default password, a malicious hacker does not have to go to any effort to bypass the device’s authentication.
Lack of user awareness. Users of network devices may not be aware that it is necessary to keep them up-to-date with security patches, or that patches are available.
Non-standard update model. The method by which devices are updated can vary from manufacturer to manufacturer, making it more complex for the user.
“Massive attacks are real and here to stay”
Fabio Assolini says that there are number of groups who could carry a proportion of the blame, aside from the hackers themselves.
According to Assolini, security researchers need to be more proactive in reporting flaws related to routers, ADSL modems and other network devices to prevent them from being exploited by malicious hackers. And, of course, the manufacturers have to be responsive.
ISPs are guilty too, says the Kaspersky analyst. He says that it is common for Brazilian ISPs to lend their customers old and vulnerable network devices, and that this is probably happening in other parts of the world too.
And, says the security researcher, governments may not be doing enough. Assolini claims that ANATEL, Brazil’s national agency for telecommunications, approves internet hardware before it can be sold, but it does not verify the security of devices – only standard functionality.
Many thanks to Fabio for a great and thought-provoking presentation. You can read his full paper here.