“In 2012, hackers were able to gain remote access to 4.5 million DSL modems in Brazil through a flaw in the devices’ firmware,” F-Secure Security Advisor Tom Gaffney explains in a new article for CED Magazine.
In this case hackers were using a “man-in-the-middle-attack” to go after after banking credentials. In others, criminals used routers to direct people to malicious website. Both hacktivists and extortionist have overrun routers in order to build botnets that can be used to stage larger attacks.
Routers are persistently vulnerable and that’s a bad omen for the developing Internet of Things.
“There’s not one security issue making routers vulnerable to attacks – there are several,” Gaffney explains before focusing on the most common issue — firmware, which is “the software that controls the basic functions of a particular device.”
Like any software, firmware needs to be kept updated to stay functional and secure. And while we’re getting better at making this happen on our smartphones and PCs, developers haven’t yet seriously taken the necessary steps to make sure routers are patched and protected.
“Mark Shuttleworth, founder of the Ubuntu Linux Distribution, called firmware a ‘cesspool of insecurity’ on his blog. Consumers rarely think about applying security patches or installing updates in devices like routers,” Gaffney writes. “People don’t receive notifications about firmware issues like they do with software on their PCs, so it’s completely up to them to monitor the websites of manufacturers for updates.”
Updating your router’s firmware is one of our three key recommendations for securing your smart home, as Adam explained last summer:
But updating firmware isn’t as easy as updating apps on your PC or phone. It’s something many people either don’t know how to do, or they simply aren’t aware when it’s required. Most routers can’t be updated automatically, or even directly online. People typically have to download the update to their PC first and then use that to install it on the router.
There are some generic guides online that can give you an overview on how it works, but how to update and when depends on the manufacturer, so you should consult their website for specific instructions.
It might also be worth simply buying a new router if yours is quite old and hasn’t been updated regularly. Manufacturers will often stop providing updates after a few years, even though the devices can last for a decade. Plus, many newer routers offer additional capabilities, and [F-Secure Security Advisor Sean] Sullivan admits that some of the newer features (such as guest settings) not only offer security benefits, but also allow them to work better with the diverse range of IoT devices used in smart homes.
Firmware could easily become the Kryptonite of the IoT, Gaffney explains, if we don’t learn from the issues we’ve seen with securing routers.
“Routers are not widely recognized as IoT devices, but they’re strikingly similar,” he writes. “They’re small, relatively inexpensive gadgets that have a very limited set of functions compared to smartphones and computers. It wouldn’t be surprising to see routers replaced with some kind of new IoT device that combines the functions of routers with a TV, fridge, thermostat, or other type of product.”
Given the massive amounts of data these smart devices will have on us securing them will be increasingly important to consumers.
“The key issue that needs to be understood is that routers, IoT devices, computers, phones and anything else that connects to another device creates a network. And not securing the different parts of a network risks compromises the entire thing, including all of its devices and data.”
While he fears that there’s “a good chance that firmware vulnerabilities will spread with the IoT,” he does see light at the end of the tunnel.
“Firmware is evolving into ‘light’ operating systems that make managing devices with limited functionality (like routers and IoT devices) easier for users by offering features like auto-updates and notifications.”
The real question, as always, is if it can evolve fast enough to out evolve the hackers.
[Image by Sunil Soundarapandian |Flickr]
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018
There are some advantages to being around "forever," as Mikko Hypponen, F-Secure's Chief Research Officer,…
March 10, 2018