At the same time, developers and vendors of these devices tend to have other priorities than \”testing\” and \”security.\” Many serious vulnerabilities remain unpatched, and even when patches are released, users are slow to install them. What does this leave us with? Legions of vulnerable devices, lying low until hacked and pressed into service as part of a DDoS botnet.
The Mirai botnet burst onto the world scene in August 2016. MalwareMustDie researchers started to study the malicious network activity of IoT devices in early August, and by September 20, the botnet had grown to approximately 150,000 devices (primarily DVRs and IP cameras) and attacked Minecraft servers hosted by French provider OVH.
IoT devices were infected by attacks on Telnet ports 23 or 2323 using a list of 62 standard passwords. IP addresses were generated completely randomly throughout the entire numbering space; after connecting to the network, each infected device started scanning for these random addresses. The botnet code was not stored in long-term memory and therefore did not survive a restart of the infected device. But considering the speed at which the bots scanned the internet, after a restart the previously infected device would soon rejoin the botnet anyway.
This was followed by massive DDoS attacks on journalist Brian Krebs, DynDNS, Liberia, Deutsche Telekom, and a U.S. college. The Mirai source code was published in early October. The attack on Deutsche Telekom two months later used a modified version of Mirai that exploited a vulnerability in the RomPager server on port 7547 (CWMP protocol).
As claimed by the person who published the Mirai code, the botnet encompassed 380,000 devices simultaneously. The sheer scale of infection was made possible by negligence, of course—externally accessible Telnet and the failure to require non-factory-set passwords were key enablers of the botnet\’s growth.
More than just cameras
Attempts to fight back against these attacks are slowly but surely reducing the number of compromised devices with non-unique passwords. Attackers\’ methods are changing from password-guessing to exploitation of various vulnerabilities.
The Mirai preyed primarily on video cameras and other IoT devices on which Telnet gives access to Linux commands; but on routers, Telnet gave access only to the command-line interface (CLI) for configuration. The CLI allows reading and modifying the device configuration, DNS settings, IP routing, and system information—which is already enough for some attacks, but not enough to install software for remote control.
Here is what we\’ll charitably call \”cute\” protection from bots that can be found on port 23 of some routers:
But the absence of bash terminals does not mean that other attack vectors are absent.
So what is your run-of-the-mill home router? It\’s a package containing:
- Externally accessible web panel with a flashy design
- Read-only squashfs file system and ~10 MB of flash memory
- Busybox (compact UNIX command-line interface with utilities), almost inevitably
- micro http web server, DropBear SSH server
- Open ports: 80, 443, 23, 22, 21, 137
The average age of device firmware is 3–4 years. This age correlates with the average age of routers themselves—in other words, users buy new routers sooner than they update the firmware on their existing ones. Recently an encouraging trend in the direction of improvement has been seen, thanks to providers that remotely (and without user intervention) are able to diagnose, configure, and roll out updates to user routers. One limitation, though, is that this works only for devices put out under the providers\’ own brands.
Based on field experience, passwords for approximately 15 out of 100 devices have never been changed from their default values. And just the five most popular user name/password pairs are enough to get admin access to 1 out of every 10 devices:
Having obtained access to a web panel, an attacker can make life difficult for all of the network users, perform DNS spoofing, and probe the internal network. If lucky, the attacker can also run ping or traceroute from the web panel, find vulnerabilities in the web server code in order to obtain shell access, or use an already-found vulnerability.
The diversity and simplicity of vulnerabilities (not to mention number of bug reports) existing in router software is clear sign that device functionality is rarely subjected to rigorous testing, and that developers do not have the know-how to create secure software. Development does not take intruder models into account. Buyers can walk out of a store today with a router containing one of the following vulnerabilities:
● NETGEAR DGN2200v1/v2/v3/v4 – \’ping.cgi\’ RCE (link). Due to insufficient checks in ping.cgi, user-entered IP addresses are piped directly into bash. Therefore, arbitrary commands can be run in the terminal by appending these commands in the IP address field of a POST request. For example: 184.108.40.206; nc -l 4444 -e /bin/bash. Of course, \”nc\” can be turned into a more powerful payload, such as msfvenom. 3,000 devices are awaiting their hour of reckoning. Exploiting this vulnerability requires authorization in the web interface.
● Multiple vulnerabilities in GoAhead WIFICAM cameras (link). A number of vulnerabilities were found in over 1,250 models of IP cameras, placing approximately 150,000 cameras at risk. An error in implementation of a custom authorization mechanism allows obtaining the administrator password; in addition, an OS Command Injection vulnerability in set_ftp.cgi allows running any and all terminal commands. Together, these give full unrestricted control over the device. Yikes!
This vulnerability was added to the arsenal of the TheMoon botnet, which was first spotted in 2014. Research identified infected cameras on which the settings.ini file had been modified to contain a script that loads malicious code from the attacker\’s server when the device is started.
A series of downloads from the attacker\’s server is concluded with an ARM-compiled executable:
which is identified by 18 out of 57 antivirus products as Linux/Proxy.
● Linksys Smart Wi-Fi Vulnerabilities (link). Security analysis of 25 popular Linksys Smart Wi-Fi routers sold worldwide led to identification of 10 vulnerabilities of various types and danger levels. Some of the vulnerabilities allow running arbitrary commands with root privileges. Although Shodan shows only a total of 1,000 such devices, researchers have described scanning over 7,000 devices.
● Siklu EtherHaul Unauthenticated Remote Command Execution Vulnerability (link
). These high-end millimeter wave radios from Siklu provide subscriber connectivity at 70/80/GHz. A researcher found that the mysterious port 555 is used to communicate with other Siklu EH devices. But since access to the port is not restricted and passwords are stored in cleartext, the researcher chanced upon an exploit that can change the administrator password. This architecture-level defect was assigned a CVE number: CVE-2017-7318.
● Bypassing Authentication on iBall Baton Routers (link). Although the administrator interface for the iBall Baton 150M is secured by HTTP authorization, anyone at all can view password.cgi. It would seem that the developers forgot about this fact and stored passwords for all three of the device accounts in cleartext in a script on an HTML page. 2,500 administrator passwords are out there for the taking!
These examples all come from just one month. More thorough compendiums of router-related vulnerabilities are available from routersecurity.org and as part of the excellent routersploit framework, which collect dozens of vulnerabilities and exploits in convenient form.
To summarize: An enormous number of holes in web administration code make it possible to obtain passwords and run arbitrary code.
Other threat vectors
Besides a web interface, the average router has four to five ports open, including Telnet (23), SSH (22), and FTP (21).
In practice, Telnet gives access to the CLI for router settings and FTP enables updating router firmware remotely. For instance, on 18,000 D-Link DSL 2750U modems, anyone bruteforcing accounts can install firmware with a built-in backdoor. So an attacker can take control in a way that is resistant to restarting and unlikely to be reversed by another attacker. Here is what that attacker would do:
- Download device firmware from the device manufacturer (D-Link).
- Extract the firmware archive.
- Alter the firmware by adding a backdoor account or script that runs bind shell. Here the attacker can use a bit of imagination when choosing one of the many methods for getting shell access.
- Reassemble this franken-firmware. Tools for this purpose include the firmware framework.
- Update the device firmware via FTP.
Besides FTP, D-Link devices can also be updated via Telnet (160,000 CLIs available) or web panel. Compared to this, the DNS Hijack threat looks like peanuts!
Recent attacks on Eir D1000 devices involved an OS Command Injection vulnerability in the TR-064 implementation of CWMP. This resulted in infection of around 900,000 devices with a modified version of Mirai. Another vulnerability in RomPager server versions prior to 4.34, dubbed Misfortune Cookie (CVE-2014-9222), has a maximum CVSS 10 rating.
Meanwhile, just under half of all CWMP-enabled devices use the vulnerable RomPager 4.07. That\’s almost 3,300,000 internet-accessible devices. Check Point at RSA 2017 presented research on security issues with TR-064.
RomPager 4.07 is far from the only out-of-date service used by firmware developers. Genivia gSOAP 2.7 was released in 2004, while DropBear SSH 0.46 saw the light of day in 2005, yet both can be found on devices today.
Multiple vulnerabilities (DoS and Authenticated RCE) are known for DropBear.
On April 4, researchers Bertin Jose and Fernandez Ezequiel published a report on an SNMP agent issue affecting 18 vendors, 78 models, and over half a million devices. Anyone can obtain full read/write access to all values due to this bug. The SNMP agent simply fails to check the community string: any combination is accepted for authorization. Bearing the fashionable name of StringBleed, this vulnerability primarily affects cable modems although the researchers have found a similar vulnerability on other devices. The consequences are the same as if there were no authorization at all.
Last but not least, 9 out of 1,000 routers provide a free DNS server with recursion enabled by default. Exploitation of this feature is a long-known technique and will continue until router DNS stops responding to internet-originated queries by default.
Manufacturers of connected home devices are gradually closing off the most commonplace methods for botnet infection. Instead of simple bruteforcing, attackers have shifted their efforts to exploiting vulnerabilities, which give substantially better results. Non-stop scanning of the entire range of IP addresses enables attackers to find all vulnerable devices. A huge number of device models have vulnerabilities; some vulnerabilities are specific to a certain model, while others affect hundreds of thousands or millions of devices, turning devices into an pliable toy in the hands of an attacker.
Methods for fighting botnet infection are simple—starting with the most important ones, they are:
- Restricting access by default from the internet to the administration panel, CLI, and FTP.
- Using the latest firmware versions.
- Requiring customers to use strong passwords.
- Limiting brute-force attempts.
The most popular devices are—because of their popularity—the most interesting for both attackers and researchers. Until security becomes a serious priority, rushed and incomplete development cycles will continue to result in vulnerable router software.
Author: Kirill Shipulin, Positive Technologies