Your home/small office Internet router is your gateway to the Internet. It is a combination of hardware, software and communication protocols that coexist in a complex system. As such, your router is subject to software and hardware vulnerabilities in much the same way as your PC or mobile device.
On 19 June 2020 Bleeping Computer reported that 79 Netgear routers were vulnerable to an unpatched zero-day that allowed an attacker to take complete control of the router remotely. The security researchers who discovered this (Adam Nichols of cybersecurity firm Grimm and d4rkn3ss from Vietnam's VNPT ISC) notified Netgear responsibly and have since published a proof-of-concept exploit that successfully triggers the vulnerability.
On 4 June 2020 ZDNet reported that a set of Cisco routers was affected by four critical flaws in enterprise-level routers (CVE reference CVE-2020-3227).
On 2 June 2020 another Cisco device was discovered to have a security flaw (CVE reference CVE-2020-10136). This flaw could be used to initiate a Denial of Service attack.
On 2 February 2020, The Hacker News reported five high-impact flaws affecting routers, switches, IP phones and web cameras (CVE references CVE-2020-3119, CVE-2020-3118, CVE-2020-3111, CVE-2020-3110, CVE-2020-3120).
On 26 March 2020 TechRadar reported that Linksys and D-Link routers were being targeted by new malware that hijacks the devices, gains access to home networks and exfiltrates private information from the attacked networks. The attackers also used a pre-set list of websites; when a user on a hijacked network visited one of them, they were redirected automatically to another site that tricked them into downloading a fake Covid-19 app, allegedly from the World Health Organisation (WHO).
On 29 May 2018 PC Mag reported on a new strain of router malware called VPNFilter that affected routers and NAS devices. This was particularly vicious since it was a multi-stage attack:
- Stage 1 installed a small piece of software that persisted in the device's firmware and made a connection to its command and control server on the deep web
- Stage 2 downloaded the main package, which allows various plugins to be installed
- Stage 3 downloaded plugins that added attack capabilities for various vulnerabilities and attack vectors, such as packet sniffing and launching DDoS attacks
The nasty part of this malware is that it survived a reboot of the device (because stage 1 lives in the firmware). Typical router-based malware does not survive a reboot.
What can we do about this?
The above are just a few of the reports I have seen this year.
Routers are very complex devices. Vulnerabilities will exist in all software due to programming mistakes; there are also hardware vulnerabilities (e.g. the 2018 Intel Spectre and Meltdown side-channel vulnerabilities) and errors in the standards for the communication protocols used by WiFi, as was evident in the KRACK vulnerability affecting the WPA/WPA2 protocols, first discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven.
If your network slows down for any reason, take a look at your network metrics (the traffic counters), which can often be found in your router's configuration pages. If traffic has increased, especially at times when you would not be using the network (e.g. while you are asleep), you may have a malware infestation.
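As an added illustration of that check (this is not code from the original post), the following Python script turns the cumulative WAN byte counter a router status page typically exposes into per-hour volumes and flags quiet-hour intervals that are far above the quiet-hour baseline. The sample readings, the 01:00-05:59 quiet window and the thresholds are constructed assumptions; the script also goes slightly beyond the text by coping with a counter that resets after a reboot.

```python
from datetime import datetime, timedelta
from statistics import median

# Assumed quiet window: 01:00-05:59 local time, when nobody should be using the network.
QUIET_HOURS = range(1, 6)


def build_samples():
    """Constructed sample data, not real router output: a cumulative WAN byte
    counter read once an hour for 48 hours, with one 03:00 burst on day two
    and one counter reset (router rebooted) on the afternoon of day two."""
    start = datetime(2020, 6, 20, 0, 0)
    samples, total = [], 0
    for i in range(48):
        ts = start + timedelta(hours=i)
        if ts.hour in QUIET_HOURS:
            delta = 2_000_000          # ~2 MB/h of background chatter at night
        elif 7 <= ts.hour <= 23:
            delta = 150_000_000        # ~150 MB/h of normal daytime use
        else:
            delta = 20_000_000         # late evening / early morning
        if i == 27:                    # day 2, 03:00: suspicious 400 MB burst
            delta = 400_000_000
        if i == 40:                    # day 2, 16:00: counter reset after a reboot
            total = 0
        total += delta
        samples.append((ts, total))
    return samples


def hourly_volumes(samples):
    """Convert cumulative counter readings into bytes per interval.

    A reading lower than the previous one means the counter was reset
    (typically a reboot); that interval is skipped instead of producing
    a bogus value."""
    volumes = []
    for (_, prev), (ts, cur) in zip(samples, samples[1:]):
        if cur < prev:
            continue
        volumes.append((ts, cur - prev))
    return volumes


def offhours_anomalies(volumes, factor=10, min_bytes=50_000_000):
    """Return quiet-hour intervals whose volume exceeds the quiet-hour baseline.

    The baseline is the median quiet-hour volume, so a single burst cannot
    drag the threshold up with it; min_bytes stops tiny fluctuations on a
    near-idle network from being reported."""
    quiet = [v for ts, v in volumes if ts.hour in QUIET_HOURS]
    if len(quiet) < 3:
        return []                      # not enough history to judge
    threshold = max(factor * median(quiet), min_bytes)
    return [(ts, v) for ts, v in volumes
            if ts.hour in QUIET_HOURS and v > threshold]


if __name__ == "__main__":
    for ts, v in offhours_anomalies(hourly_volumes(build_samples())):
        print(f"{ts:%Y-%m-%d %H:%M}: {v / 1e6:.0f} MB in the preceding hour")
```

Tune the quiet window and thresholds to your own household: a smart TV pulling updates or a scheduled backup at 03:00 produces exactly the same signature, so treat a hit as a prompt to look at which device generated the traffic rather than as proof of infection.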
TIP 1: The first thing you need to do is protect your router. We posted about this in "Securing your Internet Router – A Pocket Guide". That post gets quite technical, but these are the things you need to observe and configure on your router. Here is the distilled list:
- Change your router's WiFi SSID/name
- Disable Network Name/SSID broadcasting (note that this only hides the network from casual browsing; the name is still visible in the frames sent by connected clients, so do not rely on it as protection)
- Turn on WiFi encryption (WPA2 or newer)
- Check your router's firewall is enabled
- Keep your firmware current
- If you are going to be offline for a while, turn it off.
TIP 2: If you suspect a malware infestation, the first thing you should do is reboot your router. Most router-based malware exists only in memory, not in the firmware, so a simple reboot (switch off, wait a few minutes, switch back on) will clear it out. However, you may get re-infected: the attackers are probably monitoring their command and control service for any devices that drop off their botnet, and the vulnerability they used is still present until you update the firmware.
TIP 3: Keep your router firmware/software up to date. You will likely find somewhere in your router's configuration app (often accessed using your browser) a place to update the firmware. This can be done by triggering an automated check of the manufacturer's support pages or by manually downloading and installing a firmware update.
TIP 4: If available in your router's configuration app, set up an automated check that installs firmware updates. Some manufacturers will email you when an update is available. This service is often not available, as it depends on your router's manufacturer and level of support.
TIP 5: This is standing advice. Be aware of which websites you are visiting, especially if you received the link from an email or IM, which could be part of a phishing attack or other social engineering attack. Router malware can infest your router in the same way malware can infest your PC or mobile device.
TIP 6: In the case of malware that persists in the firmware, such as VPNFilter (mentioned above), the only way to get rid of it is to re-install your firmware from an image downloaded from the manufacturer's website. If this feature has been disabled by the malware, you can often reset to factory settings using the recessed button on the back of your router. If all else fails, buy a new router. Resetting to factory settings will erase any settings you have made in your configuration, but this is often the only way to take back control of your router.
TIP 7: If your router is old (by that I mean a few years old and no longer receiving firmware updates), then maybe it is time to replace it. If it is provided by your ISP, look into any upgrades they can provide that come with a new router. Some ISPs will periodically replace their routers so that they can keep their network secure, as well as offer you new services.
Your router is the key to your home and business network. This network will house a lot of private information that needs to be secured. To attack your router, an attacker either needs to be within range of its WiFi signal or needs to reach it over the Internet (as in the remotely exploitable Netgear flaw above); in the worst case, you download the malware yourself from a malicious link.
As we are all working from home at the moment due to the current health crisis, we also need to be particularly vigilant, since router vulnerabilities may represent an attack vector into your employer's network.
The communications industry is very bad at keeping router firmware up to date. Often there is a facility to update your router's firmware in the settings app, but this is often manual, or requires automatic updates to be switched on, since these are often switched off by default. In addition, routers (as well as other firmware-based devices like NAS drives) are only supported for a limited time (typically two years from initial availability), although data centre devices used in enterprises may have a longer support lifecycle.
We won't publish blogs on our website when specific vulnerabilities are announced. If you want up-to-date information on any emerging threats, we suggest you look at our Twitter feed, which is where we re-post articles from the technical press.
You can also monitor:
- the Common Vulnerabilities and Exposures (CVE) website for any new announcements
- Google's Project Zero pages, since Google's security research division typically publishes vulnerabilities 90 days after informing the vendor.
Security researchers find vulnerabilities through their original research and notify the manufacturer, together with proof-of-concept code for a viable exploit of the vulnerability. They often give the manufacturer 90 days to issue a patch and then disclose it publicly to the wider security community, which is when I typically get to hear about it. Some security researchers do not responsibly disclose vulnerabilities and just publish without giving the manufacturer the opportunity to fix the problem. Cyber criminals will never disclose vulnerabilities at all, so that they can keep exploiting them undetected.
The guidance on this website is one place to keep informed about security issues and how to defend yourself. Please keep returning to our site, and maybe even subscribe to it for immediate updates when we post new blogs.