Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Your router: Gateway for hackers

Taylor Armerding | Aug. 17, 2015
It is generally accepted in IT that the weakest link in the security chain is the fallible and frequently careless human.

And even if updates are available, they are too difficult to install for the average user, said Lawrence Munro, director at Trustwave.

"The key issue is that upgrading is almost always a manual process that is likely beyond the skill level of a home-user," he said, "and patches aren't available quickly in many cases."

Indeed, last December, US-CERT, part of the Department of Homeland Security, warned broadband router manufacturers about a vulnerability called "Misfortune Cookie" that been patched more than 10 years ago, but was still present on many deployed devices.

Researchers at Check Point's malware and vulnerability group, who came up with the name, noted that, "if your gateway device is vulnerable, then any device connected to your network including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network may have increased risk of compromise."

And Mark Stanislav, senior security consultant at Rapid7, noted this week that in a contest at last year's Def Con, hackers were able to demonstrate 15 zero-day vulnerabilities in more than a half-dozen of the most common Small Office/Home Office (SOHO) routers, including models from Asus, Netgear, DLink, Belkin, Linksys, Actiontec and Trendnet.

Not surprisingly, the contest was titled, "SOHOpelessly Broken."

If it really is this bad, however, it would seem there would be more stories about disastrous takeovers of networks. Yet while mainstream media regularly report on major hacks, there are few, if any, headlines about router compromises.

That, Stanislav said, is probably in part because the average consumer may not even know what a router is. And, "the impact to an individual or their home network isn't necessarily easy to determine without a very specific review of how their device was configured, what vendor it's from, and what firmware it's running," he said.

"It's a much more layered and nuanced story than, Company X was hacked, your data is now a risk.'"

Robert Siciliano, online safety expert for Intel Security, agreed. "If the flaw is too complicated for mass media to break down for the general public, they avoid discussing it," he said.

Munro agreed, but said it is also because the media don't find it that exciting at least yet. Remotely hacking a car and causing it to crash catches public attention much more than explaining how a router is vulnerable.

Gettys said he thinks it is because, "it hasn't yet hurt in the pocket book at sufficient scale in the U.S.," but warns that the hurt is coming.

"People have not realized just how insecure these devices are, or what mischief this can cause for the customers and others they are being increasingly used as part of botnets to attack others," he said.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.