
When routers go bad

May 23, 2007

This article was contributed by Jake Edge.

Broadband routers are ubiquitous these days, so much so that they go unnoticed; unless they fail, no one pays any attention to them. These routers run some kind of embedded OS, often Linux, on a fairly capable hardware platform which makes them interesting targets for an attacker. Because they tend to be invisible and unmonitored, subverting routers without affecting their normal function makes a perfect hidden space for malicious code to run.

As a recent Bugtraq posting from Gadi Evron points out, there have already been a few reports of vulnerable routers and we can only expect to see more. Even if the router manufacturers are staying on top of vulnerabilities in their codebase, which is not a foregone conclusion, there are still serious questions about how a largely non-technical user base will be assisted or forced into upgrading their firmware. The logistics of getting the right firmware and upgrade program into a user's hands and having them run it correctly so that their router does not turn into a brick is rather daunting. One can only imagine the volume of support calls that could be generated.

In many cases, the router makers are selling special versions of their hardware to specific broadband providers who sell or lease them to their customers. This allows the router maker to leave the support burden to the providers, who typically already have a large technical support organization. It is unclear whose responsibility it is to track security issues and ensure that any critical vulnerabilities are patched; it probably depends on the contract. The broadband providers typically host any updates, and the manufacturers' websites refer users looking for updates there. It certainly seems like a situation where vulnerabilities could fall through the cracks.

As an example, Qwest provides a router for their DSL customers, made by Actiontec, that is based on Linux 2.4.17, which was released in December 2001. Since that time, there have been numerous 2.4 kernel releases, with the most recent, 2.4.34.4, having been released in April. Many of those releases have been made for security problems in various subsystems, including one for CAN-2005-0449, a bug in the netfilter packet filtering code which could potentially lead to a denial of service. It is unclear whether the router is susceptible to this particular problem (one hopes not), but there are plenty of other candidates among the other security bug fixes or any that come up in the future.

Any outward (broadband) facing network service is, of course, a potential vector for security issues. Many of these routers serve web pages for configuration as well as allowing telnet or ssh connections for maintenance. One hopes that these services can only be configured to run on the internal network. Even then, many of these routers provide a wireless bridge in addition to ethernet on the LAN side and that may expose those services more broadly.
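One concrete way to check the concern raised above is to look at which interfaces the router's management services are actually bound to. The following Python script is an added example, not code from the article or from any router vendor: it parses listening-socket lines in the layout that `netstat -tln` or `ss -tln` print (copied off the device over the LAN-side console) and flags any management service that is bound to the wildcard address or directly to the WAN address. The port-to-service table, the constructed sample listing, and the LAN/WAN addresses (192.168.1.1 and the documentation address 203.0.113.7) are all assumptions made for the example.

```python
"""Audit which router management services are reachable from the broadband side.

Added example (not from the article). Input is a list of listener lines in
the `netstat -tln` / `ss -tln` layout; output is the management services
(web UI, telnet, ssh) that are bound to a wildcard address or to the WAN
address, because those accept connections from the broadband interface.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: conventional ports for router management services. A real
# device may run its web UI or ssh on other ports; extend the table as needed.
MANAGEMENT_PORTS = {80: "http-admin", 443: "https-admin", 23: "telnet", 22: "ssh"}

# Addresses that mean "listen on every interface" (IPv4, IPv6, netstat's '*').
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Finding:
    service: str
    bound_to: str
    port: int
    reason: str


def parse_listener(line: str) -> Optional[Tuple[str, int]]:
    """Return (local_address, port) for a listener line, or None for header lines.

    The local address is the first whitespace-separated field of the form
    'addr:port'. IPv6 wildcards show up as ':::port', so the address part is
    taken from the last ':' only.
    """
    for tok in line.split():
        if ":" not in tok:
            continue
        addr, _, port = tok.rpartition(":")
        if port.isdigit():
            return (addr or "*"), int(port)
    return None


def wan_exposed_services(listeners: List[str], lan_addr: str, wan_addr: str) -> List[Finding]:
    """Return the management services reachable from the WAN interface.

    Sockets bound to lan_addr or loopback are treated as LAN-only; note that
    a wireless bridge on the LAN side still puts them within reach of
    wireless clients, which this check does not cover.
    """
    findings: List[Finding] = []
    for line in listeners:
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        service = MANAGEMENT_PORTS.get(port)
        if service is None:
            continue  # not a management service; out of scope for this check
        if addr in WILDCARDS:
            findings.append(Finding(service, addr, port, "bound to all interfaces, including WAN"))
        elif addr == wan_addr:
            findings.append(Finding(service, addr, port, "bound directly to the WAN address"))
    return findings


# Constructed sample listing (not captured from any real device).
SAMPLE_LISTENERS = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN",
    "tcp        0      0 203.0.113.7:22          0.0.0.0:*               LISTEN",
    "tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN",
    "tcp6       0      0 :::443                  :::*                    LISTEN",
]

if __name__ == "__main__":
    for f in wan_exposed_services(SAMPLE_LISTENERS, lan_addr="192.168.1.1", wan_addr="203.0.113.7"):
        print(f"{f.service:12s} {f.bound_to}:{f.port}  {f.reason}")
```

On the constructed sample the web UI on 192.168.1.1:80 passes, while telnet on 0.0.0.0, ssh on the WAN address and the IPv6 wildcard HTTPS listener are reported; the fix on the device is to bind those services to the LAN address (or disable them) and to confirm the firewall drops inbound connections on the WAN interface for those ports.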

Once a router has been subverted, it could be turned to any number of malicious tasks; the simplest might be to add it to a botnet for spamming or distributed denial of service. It does not take much in the way of CPU horsepower or RAM to perform those kinds of tasks and they could easily run on many routers without interfering in any noticeable way. An attack focused on a particular individual could potentially intercept and report on all of their internet traffic; there is no better place for spyware on a network.

It is not only routers, of course, that are vulnerable; any embedded device could be a target, but routers have the network connectivity that makes them particularly interesting and accessible. Long before we start putting wireless-network-connected Linux systems in control of our cars, the need for vigilance about security updates for embedded devices must be ingrained into users. It needs to become as obvious to people as the need for an anti-virus scanner on Windows has become.



When routers go bad

Posted May 24, 2007 3:25 UTC (Thu) by miah (guest, #639)

A good example of the wrong that can happen with bad firmware is the Netgear NTP flaw that flooded the University of Wisconsin's NTP server.

http://www.cs.wisc.edu/~plonka/netgear-sntp/

When routers go bad

Posted May 27, 2007 5:17 UTC (Sun) by dirtyepic (guest, #30178)

Thanks, that was a good read.

Usually I find anything involving networking to be a good cure for insomnia, but for some strange reason I love these kinds of blow-by-blow case studies.

When routers go bad

Posted May 24, 2007 10:22 UTC (Thu) by NRArnot (subscriber, #3033)

Routers should have hardware write-protect switches on their front panels. (Probably two, one for the code and one for the configuration, which should be in two separate chips or subsystems). If they did, at least one could guarantee that power-cycling the router would restore it to its last-written state.

Hardware write-protect switch

Posted May 24, 2007 14:04 UTC (Thu) by shane (subscriber, #3335)

I'm not sure how this helps very much. If the firmware is vulnerable, a compromised system is quite likely to get compromised in exactly the same way after a reboot.

This is akin to what used to be conventional wisdom (maybe it still is): if your system is compromised, take it off the network and immediately re-install the OS. But this removes all evidence of what went wrong to get you exploited, as well as what the intruder did on your system and the rest of your network.

When routers go bad

Posted May 24, 2007 15:36 UTC (Thu) by henning (guest, #13406)

Some companies are able to force firmware updates to their customers through some kind of management interface centrally. Power users probably want to disable this, but for the normal non-technical user this is perhaps the right solution.

When routers go bad

Posted Jun 1, 2007 8:22 UTC (Fri) by slamb (guest, #1070)

That setup is quite common these days. At least the advanced models from just about any DSL router vendor support CWMP-based upgrades. My company makes both management servers and devices. I vaguely recall doing interoperability testing with the Actiontec devices mentioned in the story...they've supported it for over a year at least.

When routers go bad

Posted May 25, 2007 13:50 UTC (Fri) by eskild (guest, #1556)

What the article doesn't mention is that comparatively cheap embedded devices often don't have a very long maintenance life. A year or two down the road there'll be a new, even more capable chip or subsystem which makes the device oh-so-much cheaper to manufacture. At that point, maintenance typically ceases for the original device, and all attention is diverted to the new box.

It would, of course, be desirable to always have updated software, but that's not how proprietary systems work, in particular when the source isn't fully open.

When routers go bad

Posted May 25, 2007 18:01 UTC (Fri) by giraffedata (guest, #1954)

Router operators don't have a lot of incentive to update a router, or even arrange for someone else to do it. The damage done by a compromised router is done to someone else, which means the owner is probably not even aware of it, and if he is, I can easily see him rationalizing away any responsibility to fix it.

The user's lack of interest in updating translates to a manufacturer's lack of interest in providing updates or even preventing defects in the first place.

This is one reason I think people need to pay for their impact on the Internet, and there should be no exemption for good intentions. If you get billed for all the spam your router is sending, you'll take the trouble to download new firmware, you'll buy a new router, you'll pay more for an upgradable router or an update service, and you'll also pay more for a router with a warranty against being hacked. You'll also demand that your ISP place limits on your service to protect you -- e.g. ISP won't accept SMTP connections from your router; ISP won't take more than a million packets in an hour from you, etc.

When routers go bad

Posted May 26, 2007 0:23 UTC (Sat) by nlucas (guest, #33793)

Although I am also a little paranoid about router exploits, meaning I try to keep up with updates, I don't think the problem is, at most, worse than what we currently have with old unpatched Windows machines (except being something non-Windows users will have in common with Windows users).

If we discount the lesser appetite for cracking *nix machines than Windows ones (because of the "market" share), the big diversity in the Linux and *nix "ecosystem" is one of the things that makes them less prone to attack (it's difficult to crack several distros with the same exploit).

The same happens with the different router systems, each having different versions of the software and kernel (without talking of the hardware).

The main problem is that a long time can pass before one notices there is a problem, so over time a virus can overcome all routers of the same maker and model.

This reminds me of a fridge I have which decided not to stop freezing, and (as I don't use it much) I only noticed the problem after receiving the electricity bill.

When routers go bad

Posted Jun 1, 2007 3:33 UTC (Fri) by gregorrothfuss (subscriber, #45542)

Having users be vigilant about their devices is a non-starter. Why would anyone want to waste quality time with upgrading firmware? In a couple years, almost every device you own will have an OS. Do you really want to have to worry about them? I certainly do not.

Instead, software upgrades need to become fully automated and much more robust.


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds