The Singaporean national computer response team, SingCERT, announced yesterday that some of the home routers provisioned by ISPs in the country can, in many cases, be easily compromised.
This information came from research published by the security firm Vantage Point. Their findings were that these devices could be easily compromised and, in some cases, could be made to provide a remote shell. Nothing good about that. To their credit, the company declined to release the details of the vulnerabilities, but given how apparently trivial the compromise is, it seems likely that these devices will fall prey to less upstanding denizens of the Internet.
The affected systems are listed in the SingCERT advisory:
Products with vulnerabilities
Zhone zNID GPON 24xx, 24xxA, 42xx, 42xxA, 26xx and 28xx series (CVE-2014-8356, CVE-2014-8357, CVE-2014-9118)
The listed mitigation steps give me pause. They suggest disabling remote access services such as web, ssh and telnet, and changing the default router passwords. Wait, what? Default passwords? Why does this sticky wicket continually bedevil us? It strikes me that there was no attempt to apply even basic security configuration to these devices before they were shipped to customers.
Here is some information gleaned from the Vantage Point write-up.
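The advisory's mitigation boils down to one question a subscriber can answer for themselves: are the router's management services reachable from the Internet at all? The script below is an added example, not code from SingCERT, Vantage Point or the router vendor. It assumes you run it from a host outside your home network (a VPS or a phone on mobile data) against your own public IP, and it maps "web" to ports 80 and 443, which is an assumption since the advisory does not list port numbers. A service reported as reachable is one the advisory says should be disabled on the WAN side, or at minimum protected by a non-default password.

```python
"""Added example: check whether a home router's remote-management services
are reachable from outside. Not the advisory's or the vendor's own code."""
import socket
from typing import Dict, Mapping

# Services SingCERT advises disabling for remote access. Port numbers are
# standard defaults and an assumption; a given firmware may use others.
MANAGEMENT_SERVICES: Dict[str, int] = {
    "telnet": 23,
    "ssh": 22,
    "http": 80,
    "https": 443,
}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    A completed handshake means a listener is bound on that port and no
    filter in front of it is dropping the connection; it says nothing
    about credentials, only about reachability.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unroutable: treat all as "not reachable".
        return False


def check_management_exposure(
    host: str,
    services: Mapping[str, int] = MANAGEMENT_SERVICES,
    timeout: float = 2.0,
) -> Dict[str, bool]:
    """Probe each management service and record whether it is reachable."""
    return {name: probe_tcp(host, port, timeout) for name, port in services.items()}


def exposure_report(results: Mapping[str, bool]) -> str:
    """Summarise probe results in the terms of the advisory's mitigation."""
    exposed = sorted(name for name, reachable in results.items() if reachable)
    if not exposed:
        return "OK: no remote-management services reachable from outside"
    return (
        "WARNING: reachable from outside: " + ", ".join(exposed)
        + ". Disable remote access for these services (or restrict it to "
        "the LAN) and replace any default password."
    )


if __name__ == "__main__":
    import sys

    # Usage: python check_router.py <your-public-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # doc-range placeholder
    print(exposure_report(check_management_exposure(target)))
```

The check is deliberately a plain TCP connect rather than a banner grab or login attempt: reachability is the property the advisory tells subscribers to remove, and it is the one you can verify without touching the device's authentication. Run it once before and once after changing the router's remote-access settings to confirm the change actually took effect on the WAN interface.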
During this research we have developed several proof-of-concept exploits. Given the vulnerabilities found so far, we found thousands of ViewQwest users to be particularly vulnerable – they use the ZHONE GPON router with a statically assigned IP address with all default services exposed on the Internet. Using the vulnerabilities above, it is possible to compromise routers of ViewQwest subscribers at will. An attacker can not only read out the subscriber’s name and residential address via the web interface, but also run arbitrary code on the subscriber’s router, e.g. to install malware on the user’s client systems or read and manipulate the user’s network traffic.
Troubling that these devices were not secured. Beyond the harm that negative actors compromising these devices can cause to the customers themselves, there are larger issues. If compromised, these devices could be put to a more devious purpose as conscripts in a botnet.
There are many botnets for hire, more commonly referred to as “stressers”. These services can be hired by individuals for a sum of money, usually paid via bitcoin, and used to launch distributed denial of service (DDoS) attacks against other parties. Whether the targets are competitors or simply some pimply faced kid who beat another at Destiny or Call of Duty remains to be seen.
The problem here is that a customer whose affected device is unwittingly made part of one of these botnets could suffer the consequences of ill-formed attribution.
The long and the short of it is that customers of ISPs in Singapore should take steps to secure their routers and contact their ISPs for more information on how best to protect themselves from possible attack.
(Image used under CC from Leonid Yaitskiy)