Notice: Undefined offset: 1 in /usr/local/src/wordpress/wp-content/themes/montezuma/includes/parse_php.php on line 79

Router Security

There is finally beginning to be more awareness of router security.   All of us have routers, large or small;   it’s the bridge between ‘The Internets’ and our LAN, and smaller ones have a built-in firewall which many rely on as their only protection.

All routers come with a well-known default username and password, which most people have enough sense to change.   This helps prevent not only unauthorized access over the airwaves, but also through the internet itself, although WPA2 should also be turned on for airwaves protection.

Recently there’s been more black hat exploitation of certain brands of small router, specifically Asus and the sorry Linksys and DLink routers.   Users often opt for convenience and so turn on Remote Admin…   and black hats have automatic worms running around (check at :23 seconds) out there specifically looking for vulns to exploit for fun and profit.   NEVER turn on Remote Admin, and it’s not a good idea to turn on router disk sharing as it uses the terrible Windows Server Message Block (SMB) protocol.

Codenomicon recently ran a series of vulnerability tests on various brands of hardware and found significant security problems with 90% of them!   They’re using the same reconnaissance method as hackers set up their worms to use, called ‘fuzzing’.   IOW a direct attack would be trying all the default passwords first, like admin:admin, and targeting attack by brand.   Fuzzing means making attempts -close- to a direct attack, like Admin:Admin, admin7:admin7, password:password, etc.

The key takeaway is, check your router firmware by whatever method is provided, usually an admin function in its setup webpage.   (If your router is at 192.168.0.1 or .1.1, point a browser there and log in)   Update that firmware, and turn off any doubtful services like Remote Admin and Disk Sharing.   It’s especially important to turn off remote admin with SNMP, and turn off Universal Plug ‘n Play – UPnP.   And if you run larger or enterprise systems, do check each switch, router, SAN, etc to ensure that “debug mode” is disabled. (Arbitrary commands can be executed in debug mode)   Also for each appliance go through the manufacturers’ recommendations for hardening.

UPnP is a convenience technology which is used by devices to easily set themselves up on your network for “The Internet of Things”.   For example your washing machine, fridge, or air conditioner could set itself up to be controlled by an app on your phone with UPnP.   Isn’t that Convenient?   But these appliances often have code which works on multiple types of machine, and often have hardcoded passwords and communicate with a corporate servicing and maintenance system unsecurely.   One researcher monitored the communications of his washing machine, and by looking at the data passing over his home wi-fi network from the appliance, he found that it was regularly sending updates about itself and what it was doing to a service website run by Samsung, lol.   He noticed it was sending back unique identifiers for his device and communicated, whether he turned off communications or not.

App-based control systems are something of an afterthought and few companies have spent the money needed to ensure the apps are secure.   Why is this a problem?   UPnP has well-known exploitable vulnerabilities and a classic black hat approach is to gain entry to some unsecure machine inside, then pivot through that to the real targets.   And anyway, some people believe they have a right to know what their devices are doing. (and apparently, some do not)   Turn off UPnP, Zeroconf, Apple’s Bonjour, Microsoft’s SSDP, and anything similar, if you care about security.

I should note that the aforementioned are not the only ways in, just the easiest ones.

A better solution is to replace that unsecure router firmware, which they give half-a-mind to, with an open-source alternative like OpenWRT, although this may be beyond the technical ability of most, and is limited in what hardware it will run on.   And please consider setting up a dedicated machine to serve as your firewall, maybe a Raspberry Pi running pfSense.   It’s not that hard, and open-source software is free and security-vetted by the best minds in the industry.

Myself, I haven’t had time to install OpenWRT yet, as I have a fairly complex setup with a Ubiquiti NanoBridge M and an older Netgear WNDR3700, and I need to figure out how to set up my firewall (Shorewall) on OpenWRT, a special process.   You can bet I’m up to date with the stock firmware though.

I can tell you though that my next wireless router is going to be 802.11ac from Netgear’s commercial ProSafe line when it comes out, as some will have ‘port mirroring‘.   Why?   To enable a NIDS by mirroring the external WAN port to a special surveillance port which is watched by Snort, netsniff-ng, Sguil, Bro-ids(==NSA’s X-KEYSCORE), ossec, Snorby, and ELSA, for dynamic alerts and automatic response.

,'after' => '

') )