Weekly Edition
Return to the Security page
| |||||||||||||
When routers go badBroadband routers are ubiquitous these days, so much so that they go unnoticed; unless they fail, no one pays any attention to them. These routers run some kind of embedded OS, often Linux, on a fairly capable hardware platform which makes them interesting targets for an attacker. Because they tend to be invisible and unmonitored, subverting routers without affecting their normal function makes a perfect hidden space for malicious code to run. As a recent Bugtraq posting from Gadi Evron points out, there have already been a few reports of vulnerable routers and we can only expect to see more. Even if the router manufacturers are staying on top of vulnerabilities in their codebase, which is not a foregone conclusion, there are still serious questions about how a largely non-technical user base will be assisted or forced into upgrading their firmware. The logistics of getting the right firmware and upgrade program into a user's hands and having them run it correctly so that their router does not turn into a brick is rather daunting. One can only imagine the volume of support calls that could be generated. In many cases, the router makers are selling special versions of their hardware to specific broadband providers who sell or lease them to their customers. This allows the router maker to leave the support burden to the providers who typically already have a large technical support organization. It is unclear whose responsibility it is to track security issues and ensure that any critical vulnerabilities are patched, it probably depends on the contract. The broadband providers typically host any updates and manufacturer's websites refer users looking for updates there. It certainly seems like a situation where vulnerabilities could fall through the cracks. As an example, Qwest provides a router for their DSL customers, made by Actiontec, that is based on Linux 2.4.17 which was released in December 2001. Since that time, there have been numerous 2.4 kernel releases, with the most recent, 2.4.34.4 having been released in April. Many of those releases have been done for security problems in various subsystems, including one for CAN-2005-0449 which could potentially lead to a denial of service from a bug in the netfilter packet filtering code. It is unclear if the router is susceptible to this particular problem, one hopes not, but there are plenty of other candidates, in the other security bug fixes or any that come up in the future. Any outward (broadband) facing network service is, of course, a potential vector for security issues. Many of these routers serve web pages for configuration as well as allowing telnet or ssh connections for maintenance. One hopes that these services can only be configured to run on the internal network. Even then, many of these routers provide a wireless bridge in addition to ethernet on the LAN side and that may expose those services more broadly. Once a router has been subverted, it could be turned to any number of malicious tasks; the simplest might be to add it to a botnet for spamming or distributed denial of service. It does not take much in the way of CPU horsepower or RAM to perform those kinds of tasks and they could easily run on many routers without interfering in any noticeable way. An attack focused on a particular individual could potentially intercept and report on all of their internet traffic; there is no better place for spyware on a network. It is not only routers, of course, that are vulnerable, any embedded device could be a target, but routers have the network connectivity that makes them particularly interesting and accessible. Long before we start putting wireless network connected Linux systems in control of our cars, the need for vigilance about security updates for embedded devices must be ingrained into users. It needs to become as obvious to people as the need for an anti-virus scanner on Windows has become. (Log in to post comments)
When routers go bad Posted May 24, 2007 3:25 UTC (Thu) by miah (subscriber, #639) [Link] A good example of the wrong that can happen with bad firmware is the Netgear NTP flaw that flooded the University of Wisconsin's NTP server.
When routers go bad Posted May 27, 2007 5:17 UTC (Sun) by dirtyepic (subscriber, #30178) [Link] thanks, that was a good read.
usually i find anything involving networking to be a good cure for insomnia, but for some strange reason i love these kinds of blow by blow case studies.
When routers go bad Posted May 24, 2007 10:22 UTC (Thu) by NRArnot (subscriber, #3033) [Link] Routers should have hardware write-protect switches on their front panels. (Probably two, one for the code and one for the configuration, which should be in two separate chips or subsystems). If they did, at least one could guarantee that power-cycling the router would restore it to its last-written state.
Hardware write-protect switch Posted May 24, 2007 14:04 UTC (Thu) by shane (subscriber, #3335) [Link] I'm not sure how this helps very much. If there is a vulnerable firmware,a compromised system is quite likely that it will get compromised in exactly the same way after a reboot.
This is akin to what used to be conventional wisdom (maybe it still is):
When routers go bad Posted May 24, 2007 15:36 UTC (Thu) by henning (subscriber, #13406) [Link] Some companies are able to force firmware updates to their customersthrough some kind of management interface centrally. Power users probably want to disable this, but for the normal non-technical user this is perhaps the right solution.
When routers go bad Posted Jun 1, 2007 8:22 UTC (Fri) by slamb (guest, #1070) [Link] That setup is quite common these days. At least the advanced models from just about any DSL router vendor support CWMP-based upgrades. My company makes both management servers and devices. I vaguely recall doing interoperability testing with the Actiontec devices mentioned in the story...they've supported it for over a year at least.
When routers go bad Posted May 25, 2007 13:50 UTC (Fri) by eskild (subscriber, #1556) [Link] What the article doesn't mention is that comparatively cheap embedded devices often don't have a very long maintenance life. A year or two down the road there'll be a new, even more capable chip or subsystem which makes the device oh-so-much cheaper to manufacture. At that point, maintenance typically ceases for the original device, and all attention is diverted to the new box.
It would, of course, be desirable to always have updated software, but that's not how proprietary systems work, in particular when the source isn't fully open.
When routers go bad Posted May 25, 2007 18:01 UTC (Fri) by giraffedata (subscriber, #1954) [Link] Router operators don't have a lot of incentive to update a router, or even arrange for someone else to do it. The damage done by a compromised router is done to someone else, which means the owner is probably not even aware of it, and if he is, I can easily see him rationalizing away any responsibility to fix it. The user's lack of interest in updating translates to a manufacturer's lack on interest in providing updates or even preventing defects in the first place. This is one reason I think people need to pay for their impact on the Internet, and there should be no exemption for good intentions. If you get billed for all the spam your router is sending, you'll take the trouble to download new firmware, you'll buy a new router, you'll pay more for an upgradable router or an update service, and you'll also pay more for a router with a warrantee against being hacked. You'll also demand that your ISP place limits on your service to protect you -- e.g. ISP won't accept SMTP connections from your router; ISP won't take more than a million packets in an hour from you, etc.
When routers go bad Posted May 26, 2007 0:23 UTC (Sat) by nlucas (subscriber, #33793) [Link] Although I am also a little paranoid about router exploits, meaning I try to keep up with updates. I don't think the problem is, at most, worst than what we currently have with old unpatched windows machines (except being something non-windows users will have in common with windows users).
If we discount the less appetite for cracking *nix machines than windows ones (because of the "market" share), the big diversity on the linux and *nix "ecosystem" is one of the things that makes them less prone to attack (it's difficult to crack several distros with the same exploit).
The same happens with the different routers systems, each having different versions of the software and kernel (without talking of the hardware).
The main problem is that it can pass a long time before one notices there is a problem, so over time a virus can overcame all routers of the same maker and model.
This reminds me of a fridge I have which decided to not stop freezing, and (as I don't use it much) only noticed the problem after receiving the electricity bill.
When routers go bad Posted Jun 1, 2007 3:33 UTC (Fri) by gregorrothfuss (guest, #45542) [Link] Having users be vigilant about their devices is a non-starter. Why would anyone want to waste quality time with upgrading firmware? In a couple years, almost every device you own will have an OS. Do you really want to have to worry about them? I certainly do not.
Instead, software upgrades need to become fully automated and much more robust.
|
|||||||||||||