Broadband routers are ubiquitous these days, so much so that they go
unnoticed; unless they fail, no one pays any attention to them. These
routers run some kind of embedded OS, often Linux, on a fairly capable
hardware platform which makes them interesting targets for an attacker.
Because they tend to be invisible and unmonitored, subverting routers without
affecting their normal function makes a perfect hidden space for malicious
code to run.
As a recent Bugtraq posting
from Gadi Evron points out, there have already been a few reports of
vulnerable routers and we can only expect to see more. Even if the
router manufacturers are staying on top of vulnerabilities in their
codebase, which is not a foregone conclusion, there are still serious
questions about how a largely non-technical user base will be
assisted or forced into upgrading their firmware. The logistics of
getting the right firmware and upgrade program into a user's hands and having
them run it correctly so that their router does not turn into a brick is
rather daunting. One can only imagine the volume of support calls that
could be generated.
In many cases, the router makers are selling special versions of their
hardware to specific broadband providers who sell or lease them to their
customers. This allows the router maker to leave the support burden
to the providers who typically already have a large technical support
organization. It is unclear whose responsibility it is to track security
issues and ensure that any critical vulnerabilities are patched, it probably
depends on the contract. The broadband providers typically host any updates
and manufacturer's websites refer users looking for updates there. It
certainly seems like a situation where vulnerabilities could fall through
As an example, Qwest provides a router for their DSL customers, made by
Actiontec, that is based on Linux 2.4.17 which was
released in December 2001.
Since that time, there have been numerous 2.4 kernel releases, with
the most recent, 188.8.131.52 having been
released in April. Many
of those releases have been done for security problems in various subsystems,
including one for
which could potentially lead to a denial of service from a bug in the
netfilter packet filtering code. It is unclear if the router is susceptible
to this particular problem, one hopes not, but there are plenty of other
candidates, in the other security bug fixes or any that come up
in the future.
Any outward (broadband) facing network service is, of course, a potential
vector for security issues. Many of these routers serve web pages for
configuration as well as allowing telnet or ssh
connections for maintenance. One hopes that these services can only be
run on the internal network. Even then, many of these routers provide
a wireless bridge in addition to ethernet on the LAN side and that may
expose those services more broadly.
Once a router has been subverted, it could be turned to any number of
malicious tasks; the simplest might be to add it to a botnet for spamming
or distributed denial of service. It does not take much in the way of
CPU horsepower or RAM to perform those kinds of tasks and they could easily
run on many routers without interfering in any noticeable way. An attack
focused on a particular individual could potentially intercept and report
on all of their internet traffic; there is no better place for spyware
on a network.
It is not only routers, of course, that are vulnerable, any embedded
device could be a target, but routers have the network connectivity
that makes them particularly interesting and accessible. Long before
we start putting wireless network connected Linux systems in
control of our cars,
the need for vigilance about security updates for embedded devices must
be ingrained into users. It needs to become as obvious to people as
the need for an anti-virus scanner on Windows has become.
to post comments)