
Hackers want you to continue ignoring this critical home cybersecurity flaw


Batu69


With the number of Internet of Things (IoT) devices expected to grow to over 20 billion by 2020, it is time to take a closer look at one of the Internet’s most vulnerable points: your home router. 

Why routers matter: a central point of weakness

With the number of IoT devices multiplying on home networks, routers now direct Internet traffic flows not just for computers and phones, but for all connected things. The sheer volume of connectivity increases the attack surface for network intrusion. New trends in home automation and remote management, such as smart door locks that can be remotely unlocked, also raise the stakes for data security.

 

Given the central role routers play as gatekeepers between the private home and the public Internet, it may come as a surprise that home routers are actually easier to hack into than computers; it is far easier to simply “set-and-forget” about them as they silently run in the corner.

 

Lack of consumer awareness means that most people have never updated their router firmware or changed the default password on their home Wi-Fi. In a revealing survey released last year by ESET and the National Cyber Security Alliance, nearly 80 percent of Americans expressed confidence in the security of their home network and connected devices. Two out of every five households, however, reported that they have never changed the default passwords on their routers.

A hacker’s paradise

Whether they are common routers — including those made by Linksys, TP-Link, D-Link, and ASUS — or ISP-leased routers, the prevalence of firmware vulnerabilities and non-unique default administrative passwords exposes hundreds of thousands of routers to cyberattacks.

 

If a hacker is particularly lucky, they might find a shiny new router like the Luma, which tracks not only what devices are connected to your network, but also exactly what websites and servers each device is connecting to — a digital goldmine.

 

Routers are thus fast becoming rich targets for hackers. In 2012, Kaspersky Labs discovered that cybercriminals had hacked into more than 4.5 million home DSL routers in Brazil by exploiting a chip vulnerability, manipulating router DNS settings to disguise fake infected websites as legitimate ones. Unsuspecting users were thus tricked into downloading malware that stole their passwords and banking information, earning one hacker more than $50,000. In 2014, another security firm, Team Cymru, reported that more than 300,000 routers — mostly in East Asia — had been compromised. The attack allowed hackers to, for example, redirect search results to infected web pages and install “drive-by downloads” of malware onto users’ computers. More serious still, in 2015, a group calling itself “Lizard Squad” — which is credited for taking down Sony and Microsoft’s gaming networks — announced a new “for-hire” attack service that relies on bandwidth stolen from thousands of home routers.

 

Meanwhile, DEF CON — one of the world’s largest hacking conferences — commonly features sessions on how to exploit IoT and router vulnerabilities, including one memorable presentation titled “How to Hack Millions of Routers.” A popular DEF CON router-hacking contest revealed 15 major zero-day vulnerabilities, including 7 full router takeovers.

Why router security is so neglected

One reason for the lack of router security is that the supply chain is underprepared to meet data security needs. In the embedded systems market (routers and modems), many manufacturers either cannot or do not patch security holes after shipping, even assuming they acknowledge these security flaws in the first place. As a recent Wall Street Journal study made clear, existing industry lifecycle management has been too forward-focused to dedicate limited resources to supporting and patching older products. In a message to customers, router software company Allegro emphasizes that it is unable to prevent manufacturers from continuing to “make and sell products with software components that are over 13 years old.”

 

Importantly, router attack methods often rely on chip vulnerabilities. Router firmware makers and chipset vendors are notoriously unreliable when it comes to issuing timely patches — even when they acknowledge them publicly. Some companies do not even bother responding to vulnerability reports.

 

Supply chain coordination between vendors and manufacturers on component vulnerabilities will be an especially high priority in this IoT age, as white-labelling (rebranding and reselling products made by another company) is already one of the most popular business models for Chinese manufacturers. Highly branched redistribution networks increase risk for vulnerable consumers and businesses — there are simply “too many cooks stirring the same rotten pot.”

 

As people entrust their data to an increasing number of Internet-connected devices, it is clear we need to take a closer look at that router collecting dust in the corner. Not closing the loopholes hidden within that one critical device could prove very costly to your privacy, your finances, and even your personal security.

 

Article source


Made worse/harder with ISPs like AT&T Uverse that provide their own routers which lack normal configuration and update abilities. AT&T seems more interested in the ability to remotely push down PPV content and remotely maintain (& I mean by that, simple reboots and log pull) than provide any information regarding configuration. They've hired some gang from India that knows how to log in to one's router, determine it's bad, and mail you a new one. That's about as far as their interests and ability go.



Archived

This topic is now archived and is closed to further replies.
