What happens when our wi-fi routers are “left to their own devices” — unattended, unpatched, and secured only by default credentials? And if consumers are not knowledgeable enough to patch their own device’s firmware and change their router’s password (and most are definitely not) whose responsibility is it?
Red flags for IoT Security
There are tens and hundreds of million routers around the world. In every household, office, shop and coffee shop. Wi-fi routers are probably the most single used network device that can cause huge damage on all levels: individual, corporate and state. From private data, through business-secrets theft to state-level attacks, routers are in the midst of a security challenge well recognised by hackers worldwide.
On May 2018 the FBI issued a warning, recommending everyone to reboot their routers. This warning came after Cisco revealed that 500,000 routers made by Linksys, Mikro Tik, Netgear, and TP-Link had been infected. The malware VPNFilter that was developed by a Russian hacking group is capable of collecting private data like website credentials or destroying the infected device in one single command.
The FBI advised, “Owners are advised to consider disabling remote-management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”
Another attack campaign was first discovered by Radware Security Research Team in July 2018 and again in July 2019, exploiting more than 180,000 home routers in Brazil, stealing bank account credentials. By running large-scale campaigns like the one seen in Brazil, an attacker could simultaneously perform fraudulent transactions from hundreds of thousands of bank accounts, inflicting real damage not just on specific individuals but also the entire Brazilian banking system.
The third example, by Bad packets, shows several attack waves during 2019, consisting of attempts to hijack home routers’ DNS using the hosting services of Google Cloud Platform. This attack was mainly focused on D-link routers but also ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK.
It’s no surprise that routers are targeted by cyber criminals all the time and everywhere. Cyber criminals, like any criminal, are looking for the easiest modus operandi that involves the least risk to gain rewards (money).
Routers, in that sense are just like a remote door to our personal life. A very poorly protected door that once entered can expose our personal data and digital identity to hackers who in turn access other, more valuable doors. The threat, then, stems not only from the compromise of individuals’ private data, but also from the risk of user credentials falling into the wrong hands, enabling remote access to businesses and other sensitive infrastructure.
Whose (IoT security) monkey is it anyway?
The question is, with routers spread across everywhere, can these cyber attacks be prevented and by whom?
The answer is not straightforward. It is a known fact that most of today’s routers were developed with relatively small budgets, with too little effort invested in the security of the device. This fact is reflected in the high percentage of vulnerable routers and number and magnitude of router attacks. Obviously, router manufacturers must invest more efforts in their devices’ built-in security. However, as in every example where an individual threat is small, but the cumulative results may be huge (e.g. Mirai attack of 2016) this is where governments should take responsibility.
The state of California was the first to regulate the need for IoT security with Senate Bill no. SB-327 Information privacy: connected devices (“SB-327”), calling device vendors to define a unique password for each IoT device. This is a small step towards real regulations to mitigate these ever-looming risks.
There are also some new guidelines, not yet regulations, in the UK and Singapore, calling device manufacturers to add security labels to their IoT devices, declaring the device’s security level.
A threefold approach to increasing IoT security
All in all, we can see three methods to address the security risk presented by routers:
- State regulation – There must be a global IoT security standard or at least relevant regulations at the state level, as in California’s SB-327.
- User education – Users at all levels should be made aware of this risk and act to mitigate it. While medium and large corporates employ IT professionals to lower security risks by changing default router passwords, closing remote access features, updating software and configuring better security for their office routers, small businesses, shops and households do not usually pay any attention to these risks. We need to educate all users to better protect their information and at least change their router’s password at first use.
- Security solutions – While standards and regulations are late to come into play, cyber security companies that are aware of this challenge are starting to present new on-device protection mechanisms to prevent most of these attacks, and make our home and office routers secure again. These solutions, offered by companies like Check Point, Karamba Security and Vdoo, offer on-device built-in protection by modelling and monitoring the device CFI (Control Flow Integrity) at run-time.
It is again, a very good example, where the high-tech industry offers a technology-based solution, targeting real needs, while governments lag behind in taking important steps towards our cyber security as individuals, consumers and nations.
Ram Yonish, Firmware Protection Product Evangelist and former Co-Founder of Cymplify Security (acquired by Check Point) and Mor Ahuvia, Product Marketing Manager