Poor or lacking security on millions of ADSL routers and other devices used by teleworkers represents a threat to global enterprise information security, researchers have warned.
Unscrupulous internet service providers (ISPs) distribute routers that often have several security vulnerabilities, Cisco consultants Kyle Lovett and Dor Tumarkin told the CrestCon & IISP Congress 2015 in London.
Most of these vulnerabilities are well-known and well-documented, and yet ISPs continue to distribute routers without any security evaluation.
“Wide swathes of IP space are being made vulnerable through ISPs in developing countries distributing routers with default passwords that can be easily found on the internet,” said Lovett.
He estimates that between 25 million and 80 million devices used in small office and home office environments can be accessed remotely because default passwords are rarely changed by users.
Attackers can locate vulnerable devices using internet-wide scans and websites such as Shodan, which publishes an index of internet-exposed devices.
Research has shown that 14 suppliers have distributed more than a million ADSL routers running firmware dating from 2007 that contains multiple critical vulnerabilities, which could give attackers full control of the device.
This means attackers can alter the domain name system (DNS) configuration on these devices to redirect victims to IP addresses and domains controlled by the attacker.
Attackers can conduct man-in-the-middle attacks or redirect victims to anywhere they want, inject their own adverts into web pages or poison search results.
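A defender's check for the DNS-hijacking scenario described above, added here as an example and not taken from the researchers' talk: it compares the resolvers configured on a home router against the ones the ISP or employer actually operates, and compares answers obtained through the router's DNS with answers from a trusted out-of-band resolver. All addresses, hostnames and the sample answers are constructed placeholders.

```python
"""Spot signs of router DNS hijacking: rogue resolver settings and redirected answers.
Added example; every input below is constructed, not captured from a real device."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Resolvers the ISP or enterprise really operates (constructed placeholder values).
TRUSTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Address space each corporate service legitimately lives in (constructed; a
# documentation range stands in for the real service prefix).
EXPECTED_RANGES = {
    "mail.example.com": [ip_network("198.51.100.0/24")],
    "vpn.example.com": [ip_network("198.51.100.0/24")],
}

@dataclass
class Finding:
    kind: str    # "rogue_resolver" or "suspect_answer"
    detail: str  # the offending address or "name -> address"

def check_resolvers(configured):
    """Flag every DNS server set on the router that is not one we trust."""
    return [Finding("rogue_resolver", ip) for ip in configured if ip not in TRUSTED_RESOLVERS]

def check_answers(router_answers, reference_answers):
    """An answer from the router's DNS that neither matches the trusted resolver nor
    falls inside the service's known prefix suggests the name is being redirected.
    Load-balanced answers that differ but stay in the expected range are tolerated."""
    findings = []
    for name, addrs in router_answers.items():
        reference = set(reference_answers.get(name, ()))
        for addr in addrs:
            if addr in reference:
                continue
            in_range = any(ip_address(addr) in net for net in EXPECTED_RANGES.get(name, ()))
            if not in_range:
                findings.append(Finding("suspect_answer", f"{name} -> {addr}"))
    return findings

def audit(configured, router_answers, reference_answers):
    return check_resolvers(configured) + check_answers(router_answers, reference_answers)

# Constructed sample: one configured resolver is unknown, and the router's DNS
# returns a redirected address for the VPN gateway while mail resolves correctly.
SAMPLE_CONFIGURED = ["203.0.113.53", "192.0.2.66"]
SAMPLE_ROUTER = {"mail.example.com": ["198.51.100.10"], "vpn.example.com": ["192.0.2.80"]}
SAMPLE_REFERENCE = {"mail.example.com": ["198.51.100.10"], "vpn.example.com": ["198.51.100.20"]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGURED, SAMPLE_ROUTER, SAMPLE_REFERENCE):
        print(finding.kind, finding.detail)
```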
Other vulnerabilities are introduced by ISPs enabling remote management services, by the reuse of common firmware source code across products, and by enabling more features than the devices were designed to handle.
Many routers have a hidden support account with an easy-to-guess common default password.
Threat to enterprise data
Although the problem has been reported by several researchers in the past few years, little has been done to tackle the issue.
“Because of low margins there is no incentive to improve or fix security flaws, and market demand for features and services typically overrides any security considerations,” said Tumarkin.
The big security threat this is creating for enterprises is that teleworkers and home workers are connecting to corporate networks using routers with little or no security.
The researchers warn that security weaknesses in these devices are potentially opening up ways into the enterprise, users’ smartphones and anything else connecting to the home network.
“We are seeing teleworkers being increasingly targeted because they offer a potentially lucrative door into their employer organisations,” said Tumarkin.
Lovett cited the example of workers at a US defence company who were compromised at home by attackers seeking a way into their employer’s corporate network.
This dangerous situation has been allowed to develop, persist and worsen because few security researchers test the devices typically used in small office and home office environments.
ISPs, manufacturers and distributors need to commit to security
Apathy among suppliers, ISPs and users is also to blame, driven by consumer demand for high functionality at low cost and the relatively low level of media attention the issue receives, said Lovett.
The problem is a “serious issue”, particularly in developing countries where the growth of high-speed internet access is far outpacing improvement in processes, security and equipment, said Tumarkin.
“ISPs need to recognise that trusted brands still fail sometimes [when it comes to security] and those failures can backfire and cause the ISPs to look bad,” he said.
Lovett said the best hope is that ISPs, device manufacturers and distributors will recognise the potential threat to enterprise security, because no one else is likely to be able to address the issue.
“Suppliers should ensure devices are sourced, designed, developed and audited as if they were to be deployed in an enterprise environment,” said Lovett.
“There has to be a commitment to security policies, to eliminating the use of default passwords, to requiring password policies, and to disabling non-essential services by default,” he said.
Users also have a role to play in ensuring devices are always patched up to date, that they are using strong and unique passwords, and that unnecessary services are disabled.
Lovett and Tumarkin appealed to the security community to apply pressure on suppliers, help users to understand security processes and develop forensic capabilities to deal with mass compromises.