Home Routers: Mitigating Attacks that can Turn them to Zombies
by Kevin Y. Huang, Fernando Mercês and Lion Gu
With more households running smart devices that access the internet, the router is typically their only doorkeeper. And whether an end user has a laptop/desktop and router combo, or a miscellany of other devices connected to the network, the security risks are the same. Based on our research, home routers have been most susceptible to cross-site scripting (XSS) and PHP arbitrary code injection attacks, as well as being involved in carrying out DNS amplification attacks.
A smart but insecure device connecting to the Internet is much like inviting curious, and often malicious, guests into your home. Placing basic locks on the gateway simply won't cut it. Attackers, given their recent foray into home networks, will always look for ways to break doors open. Worse, they infect these devices and turn them into zombies that can be ordered to do the cybercriminals' bidding, as exemplified by recent attacks on DNS provider Dyn and on Brian Krebs, and by a command injection vulnerability found in multiple Netgear routers.
Backdoors, ELFs, and “The Future”
Home routers and Internet of Things (IoT) devices typically run Linux, given the operating system's (OS) popularity and cost-effectiveness. Because Linux itself is portable, malware written for x86 can usually be recompiled for a router's architecture (typically ARM, including Debian's armel variant) with few or no changes to the source code.
Home routers can also be infected with malicious applications, scripts and ELF binaries. BASHLITE (detected by Trend Micro as the ELF_BASHLITE family), for instance, was used in a huge distributed denial-of-service (DDoS) attack in 2014, and more recently was used to build a DDoS botnet by infecting IoT devices, mostly DVRs in Brazil, Colombia, and Taiwan. Routers can also be infected with hidden backdoors built for ARM as well as for x86 and x86-64. These include Ring 3 (user-mode) rootkits such as Umbreon and vlany, which borrow features from another well-known Linux rootkit, Jynx2.
Mirai (Japanese for "the future", detected as the ELF_MIRAI family) was in a class by itself, not because of its complexity: it simply logs in to devices using a predefined list of default credentials. What set it apart was that its source code was released on a hacking forum, turning it into open-source malware that is now widely reused and modified to become more potent. Variants of it were employed to zombify TalkTalk routers and to knock high-profile sites such as Netflix, Reddit, Twitter and Airbnb offline. A Mirai botnet also caused a service outage for customers when it attacked 900,000 home routers provided by Deutsche Telekom.
Notable Security Events Triggered in Home Networks
To work out how home networks can be better secured, we examined them and catalogued the attacks they usually contend with, along with the devices and applications frequently leveraged to gain a foothold in the network. A key takeaway: these devices were easily turned into zombies. Our IoT research and telemetry showed that within the first three quarters of 2016, the security rules and events triggered most often were:
- Cross-site scripting (XSS) attempts
- DNS amplification attacks
- PHP arbitrary code injection
- Bitcoin and Litecoin mining
- Internet Information Services (IIS) remote code execution (CVE-2015-1635)
- WScript remote code execution
- Android buffer overflow exploit of libstagefright
| Top 10 Rules Triggered (rule ID and name) | Events where home devices were the attackers |
|---|---|
| 1130172 DNS Amp | 100% |
| 1130593 IIS HTTP.sys | 100% |
| 1055106 PHP Code inj | 96.57% |
| 1132263 Android tx3g B.O. | 17.57% |

Table 1. Top rules triggered from Q1-Q3, 2016
That home devices were the attacking side in all, or nearly all, of the events for the top three rules (Table 1) indicates that most of the attackers were compromised home routers under an outside operator's control. In terms of location, most events were triggered in the U.S. (more than five times as many as in China), followed by South Korea, Canada and Russia. The United Kingdom, Germany, the Netherlands, Hong Kong, Sweden, Singapore, Australia, Spain, Switzerland, and Austria rounded out the countries with the most router attacks.
However, South Korea had the highest average number of attacks per router. In the third quarter, for instance, South Korea had the most attacks and the highest average number of security events triggered per home network (150, compared to 31 in the U.S.). This suggests that home devices in the country are being turned into zombies, and used for other malicious activity, at a growing rate.
Among these triggered rules, three security events stood out due to their consistency in our research and relevance in today’s threat landscape: DNS amplification attacks, exploiting vulnerabilities in IIS, and Bitcoin mining activities.
DNS Amplification Attacks
DNS amplification is a reflection-based DDoS technique: the attacker sends small DNS queries to open, publicly reachable resolvers with the source address forged to be the victim's, so that the resolvers' much larger responses are delivered to the victim, multiplying the attacker's bandwidth. Hosting company OVH was recently hit by record DDoS attacks, one of which peaked at close to 1 Tbps; those attacks were attributed to insecure, zombified IoT devices, including Mirai-infected routers, DVRs, and webcams.
Our research revealed that in all (100%) instances where the DNS amplification rule was triggered, home devices were the attackers, and DNS servers or otherwise benign servers and hosts were the victims. The attack was done inside-out: a large number of home devices had been compromised without their owners' knowledge and programmed to attack other networks. Synology NAS (network-attached storage) devices alone triggered half of all observed DNS amplification events, averaging 853 events per device, roughly twice the figure for other device types.
Table 2. OSes of devices that triggered observed DNS amplification events (columns: Events, Devices, Average Events per Device)
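The inside-out pattern above is something the gateway itself can catch. The following is an added example written for this article, not code from the original research: it applies two gateway-side checks to constructed flow records (the addresses, the 192.168.1.0/24 LAN prefix and the thresholds are assumptions). The first is BCP38 egress filtering, which drops any packet leaving the home with a source address outside the LAN, since that is exactly what a device spoofing the victim's address would send. The second flags LAN hosts whose outbound DNS looks like an amplification client: bursts of ANY queries, which draw large answers, sprayed across many distinct resolvers.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN prefix

# Constructed sample flow records, shaped (src, dst, dst_port, qtype, bytes);
# this is not captured data. One spoofing host and one compromised LAN host are included.
SAMPLE_FLOWS = (
    [("192.168.1.20", "8.8.8.8", 53, "A", 64)] * 5            # ordinary lookups
    + [("192.168.1.20", "8.8.8.8", 53, "AAAA", 68)] * 3
    # Source address outside the LAN leaving the gateway: the victim's address is being spoofed.
    + [("203.0.113.45", "9.9.9.9", 53, "ANY", 60)] * 4
    # LAN host firing a burst of ANY queries at 40 different resolvers: an amplification client.
    + [("192.168.1.55", "198.51.100.%d" % i, 53, "ANY", 60) for i in range(1, 41)]
)


def egress_verdict(flow, lan=LAN):
    """BCP38 egress filtering: a packet leaving with a source outside our prefix is spoofed."""
    src = ipaddress.ip_address(flow[0])
    return "ALLOW" if src in lan else "DROP_SPOOFED_SOURCE"


def egress_filter(flows, lan=LAN):
    """Apply the egress check to every flow and pair it with its verdict."""
    return [(flow, egress_verdict(flow, lan)) for flow in flows]


def dns_amp_suspects(flows, lan=LAN, any_threshold=10, resolver_threshold=5):
    """Flag LAN hosts whose outbound DNS looks like amplification client behaviour.

    Two signals over the observation window: a burst of ANY queries (tiny query,
    large answer) and queries sprayed across many distinct resolvers. Thresholds
    are assumed values for a home network and should be tuned to real traffic.
    """
    any_count = Counter()
    resolvers = {}
    for src, dst, port, qtype, _ in flows:
        if port != 53 or ipaddress.ip_address(src) not in lan:
            continue                      # spoofed sources are handled by egress_filter
        if qtype == "ANY":
            any_count[src] += 1
        resolvers.setdefault(src, set()).add(dst)

    suspects = {}
    for src, targets in resolvers.items():
        reasons = []
        if any_count[src] >= any_threshold:
            reasons.append("ANY_BURST(%d)" % any_count[src])
        if len(targets) >= resolver_threshold:
            reasons.append("RESOLVER_SPRAY(%d)" % len(targets))
        if reasons:
            suspects[src] = reasons
    return suspects


if __name__ == "__main__":
    dropped = [f for f, verdict in egress_filter(SAMPLE_FLOWS) if verdict != "ALLOW"]
    print("spoofed packets dropped at egress:", len(dropped))
    print("amplification suspects on the LAN:", dns_amp_suspects(SAMPLE_FLOWS))
```

On the constructed input the four spoofed packets are dropped and 192.168.1.55 is reported with both signals, while the host doing ordinary A/AAAA lookups to a single resolver is left alone. The egress rule is the more valuable of the two in practice: a gateway that refuses to forward spoofed sources cannot be used as a reflection source at all, regardless of what is infected behind it.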
IIS Vulnerability (CVE-2015-1635)
Used by both businesses and home users, IIS is an extensible web server developed by Microsoft for the Windows NT family, supporting HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. Our research revealed that vulnerabilities in IIS, particularly CVE-2015-1635, were exploited to compromise the network. CVE-2015-1635 (patched in MS15-034) is a remote code execution vulnerability in how the HTTP.sys kernel driver parses the HTTP Range header, the header normally used for partial and resumable file downloads. Exploiting it allowed remote attackers to execute arbitrary code or, more commonly, cause a denial of service via crafted HTTP requests. Attacks exploiting CVE-2015-1635 were mainly directed at Windows devices.
Figure 6. IIS server crashing (in Windows 7) after malicious data/payload is successfully sent
Table 3. OSes of devices that attack servers via IIS vulnerability exploit
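Because the flaw lives in Range header parsing, a network rule such as the IIS HTTP.sys entry in Table 1 can be expressed as a check on that one header. The following is an added example written for this article, not the rule used in the research: it parses the request head of constructed sample requests and flags a Range whose upper bound is implausibly large or whose length (end minus start plus one) would wrap 64-bit arithmetic, the calculation MS15-034 corrected in HTTP.sys. It is a detection signature only; it does not send anything to a server.

```python
import re

# Single-range 'bytes=a-b' form; multi-range headers are left to other rules.
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")
U64_MAX = 2**64 - 1


def parse_range_header(value):
    """Return (start, end) for 'bytes=a-b'; an absent bound is returned as None."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    start = int(m.group(1)) if m.group(1) else None
    end = int(m.group(2)) if m.group(2) else None
    return start, end


def range_length_overflows(start, end):
    """True when (end - start + 1) does not fit in 64 bits.

    HTTP.sys computed the range length in 64-bit arithmetic, and a length that
    wraps past 2**64 - 1 is the condition MS15-034 fixed.
    """
    if start is None or end is None or end < start:
        return False
    return (end - start + 1) > U64_MAX


def parse_request(raw):
    """Minimal HTTP/1.1 request-head parser: (request_line, {lower-cased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flags_ms15_034(raw):
    """Return True if the Range header looks like an MS15-034 probe rather than a download."""
    _, headers = parse_request(raw)
    parsed = parse_range_header(headers.get("range", ""))
    if parsed is None:
        return False
    start, end = parsed
    # No real file approaches 2**63 bytes; an upper bound that large exists only to wrap the math.
    if end is not None and end >= 2**63:
        return True
    return range_length_overflows(start, end)


# Constructed sample requests for the check above (not captured traffic).
BENIGN_REQUEST = (b"GET /iisstart.htm HTTP/1.1\r\nHost: 192.168.1.10\r\n"
                  b"Range: bytes=0-1023\r\n\r\n")
PROBE_REQUEST = (b"GET /iisstart.htm HTTP/1.1\r\nHost: 192.168.1.10\r\n"
                 b"Range: bytes=0-18446744073709551615\r\n\r\n")
NO_RANGE_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"

if __name__ == "__main__":
    for name, request in (("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST),
                          ("no-range", NO_RANGE_REQUEST)):
        print(name, "->", "ALERT" if flags_ms15_034(request) else "ok")
```

The 2**63 cutoff is deliberately generous so that legitimate resumable downloads of even multi-terabyte files never trip the rule; only the wraparound case and absurd upper bounds do.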
Bitcoin Mining
Bitcoin mining, in which a miner repeatedly hashes candidate blocks (SHA-256 proof of work) looking for a hash below the network's difficulty target, needs extensive computing power. A home router, though fast enough to forward network traffic, has very limited CPU and memory. Malware developers and botnet operators offset this by infecting a sizeable mesh of victims and pooling their work.
Bitcoin mining events were triggered from traditional OSes (mostly Windows) as well as from smart devices such as IP cameras and routers. Mining itself is legal in most countries, but based on the observed network traffic it was being conducted without the user's knowledge or consent, which was typically the case for connected devices and is a strong indication that the system was compromised.
Table 4. Devices that were also part of a Bitcoin-mining zombie army (columns: Device OS/Type, Security Events)
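Pooled mining of the kind described above is what makes it visible on the wire: the miner talks to its pool with the Stratum protocol, newline-delimited JSON-RPC whose method names (mining.subscribe, mining.authorize, mining.submit) are unmistakable. The following is an added example for this article, not the rule from the research: it scans constructed TCP payloads (the addresses, port 3333 and the worker names are assumptions) for a Stratum session and reports which LAN hosts are mining, whether the capture caught the initial handshake or only shares being submitted mid-session.

```python
import json

# JSON-RPC methods that make up a Stratum mining session.
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
SERVER_METHODS = {"mining.notify", "mining.set_difficulty"}
STRATUM_METHODS = CLIENT_METHODS | SERVER_METHODS


def stratum_methods_in(payload):
    """Return the Stratum method names found in a newline-delimited JSON TCP payload."""
    found = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue                      # HTTP headers, binary, or other protocols
        try:
            msg = json.loads(line)
        except ValueError:
            continue                      # truncated or non-JSON line
        method = msg.get("method") if isinstance(msg, dict) else None
        if method in STRATUM_METHODS:
            found.append(method)
    return found


def mining_hosts(flows):
    """flows: (src, dst, dst_port, payload) tuples.

    Returns {src: (dst, port, methods)} for LAN hosts whose traffic carries
    client-side Stratum calls. Matching on submit as well as the handshake means a
    session that was already running when monitoring started is still caught.
    """
    verdicts = {}
    for src, dst, port, payload in flows:
        methods = stratum_methods_in(payload)
        if CLIENT_METHODS & set(methods):
            verdicts[src] = (dst, port, methods)
    return verdicts


# Constructed sample flows (not captured traffic); 192.168.1.1 is the assumed router address.
SAMPLE_FLOWS = [
    # Home router opening a session with a pool: the classic handshake.
    ("192.168.1.1", "198.51.100.20", 3333,
     b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.4"]}\n'
     b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'),
    # IP camera already mid-session, submitting shares.
    ("192.168.1.30", "198.51.100.20", 3333,
     b'{"id":9,"method":"mining.submit","params":["worker1","job7","00000000","57a2b1c0","1f3e5d7b"]}\n'
     b'{"id":10,"method":"mining.submit","params":["worker1","job7","00000000","57a2b1c1","2b4c6d8e"]}\n'),
    # Laptop doing ordinary JSON-RPC over HTTP: not mining.
    ("192.168.1.20", "203.0.113.8", 443,
     b'POST /rpc HTTP/1.1\r\nHost: example.test\r\n\r\n{"id":1,"method":"getStatus","params":[]}'),
]

if __name__ == "__main__":
    for host, (pool, port, methods) in mining_hosts(SAMPLE_FLOWS).items():
        print("%s -> %s:%d  %s" % (host, pool, port, ", ".join(methods)))
```

Matching on the JSON method rather than on the port matters: pools run on many ports, and a miner on a router is often configured to use 80 or 443 precisely to blend in, which the port-based column in Table 4 would not separate out.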
Home network security is as important as safeguarding the enterprise’s perimeter, as compromised home devices can be made into accomplices in threats that target organizations and their corporate assets. A vulnerable home network can adversely affect not only the owners and ISPs, but also the devices connected to it and personal data stored on them. While original design and equipment manufacturers play vital roles in securing these devices, users can mitigate the risks of turning their home routers into zombies by practicing digital security hygiene such as:
- Using devices that go beyond functionality and ease of use, with security and privacy as selling points
- Changing the device's default settings, such as the Wi-Fi SSID and the administrator username and password, to make them less susceptible to unauthorized access
- Regularly checking the router’s DNS settings to see if they’ve been tampered with (checking the DNS servers’ IP address the router is forwarding queries to)
- Encrypting wireless connections (Wi-Fi) to thwart network interlopers and piggybackers
- Keeping software and firmware up-to-date to prevent vulnerability exploits
- Enabling the router’s built-in firewall
- Configuring the router to be more resistant to attacks (e.g. moving it off the factory-default LAN subnet and router IP address, and requiring HTTPS for the admin interface)
- Using browser extensions that can help prevent web scripting attacks (e.g. by denying web pages access to the router's IP address)
- Employing tools that check whether the router is exposed to the Internet (e.g. a port scan from outside the home network)
- Using only legitimate applications through official/trusted app stores, if IoT home devices are connected to a mobile device
- Disabling unnecessary components in the router (unless otherwise needed), such as Universal Plug and Play (UPnP), WPS, and remote administration features such as Telnet and web admin page access via WAN, which can be leveraged by malware when creating botnets
- Reconsidering white-label or used routers, which may be maliciously/improperly configured or even come with backdoors
- Deploying tools that add a layer of security in the device, such as intrusion prevention systems in the gateway
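Several items on the list above (default SSID, weak Wi-Fi encryption, tampered DNS forwarders, UPnP, and admin services reachable from the WAN) can be read straight out of a router's configuration. The following is an added example for this article, not a tool from the original page: it parses a constructed configuration dump in the key='value' layout that OpenWrt's uci show command prints and scores it against those checklist items. The option names, the trusted-resolver list and the default-SSID list are illustrative assumptions; the exact keys vary between firmware builds and should be adjusted to the router being audited.

```python
import re
from collections import defaultdict

# Resolvers the owner expects the router to forward to (assumed allowlist).
TRUSTED_DNS = {"192.168.1.1", "9.9.9.9", "149.112.112.112"}
DEFAULT_SSIDS = {"OpenWrt", "linksys", "NETGEAR", "dlink"}     # assumed factory defaults
ADMIN_PORTS = {"22", "23", "80", "443", "8080"}                 # SSH, Telnet, web admin

# Constructed sample in 'uci show' style; option names are illustrative of that layout.
SAMPLE_CONFIG = """\
network.lan.ipaddr='192.168.1.1'
wireless.default_radio0.ssid='OpenWrt'
wireless.default_radio0.encryption='wep'
wireless.default_radio0.key='1234567890'
dhcp.@dnsmasq[0].server='198.51.100.53'
upnpd.config.enabled='1'
uhttpd.main.listen_http='0.0.0.0:80'
firewall.@rule[0].name='telnet-from-wan'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest_port='23'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1].name='ssh-from-lan'
firewall.@rule[1].src='lan'
firewall.@rule[1].dest_port='22'
firewall.@rule[1].target='ACCEPT'
"""

LINE_RE = re.compile(r"^([^=]+)='(.*)'$")


def parse_uci(text):
    """Group 'section.option=value' lines into {section: {option: value}}."""
    sections = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        section, _, option = key.rpartition(".")
        sections[section][option] = value
    return sections


def audit(config):
    """Return (severity, finding) pairs for the hygiene items visible in the config."""
    findings = []
    for section, opts in config.items():
        if section.startswith("wireless.") and "ssid" in opts:      # an interface, not a radio
            enc = opts.get("encryption", "none")
            if enc in ("none", "wep"):
                findings.append(("HIGH", "%s: Wi-Fi encryption is %s; use WPA2 (psk2) or better" % (section, enc)))
            if opts.get("ssid") in DEFAULT_SSIDS:
                findings.append(("LOW", "%s: SSID is a factory default" % section))
        if section.startswith("dhcp.@dnsmasq"):
            for server in opts.get("server", "").split():
                if server not in TRUSTED_DNS:
                    findings.append(("HIGH", "%s: forwards DNS to untrusted resolver %s" % (section, server)))
        if section == "upnpd.config" and opts.get("enabled") == "1":
            findings.append(("MEDIUM", "UPnP is enabled; disable it unless something needs it"))
        if section == "uhttpd.main" and opts.get("listen_http", "").startswith("0.0.0.0"):
            findings.append(("MEDIUM", "web admin listens on all interfaces, including WAN"))
        if (section.startswith("firewall.@rule") and opts.get("src") == "wan"
                and opts.get("target") == "ACCEPT" and opts.get("dest_port") in ADMIN_PORTS):
            findings.append(("HIGH", "%s: accepts WAN connections to admin port %s" % (section, opts["dest_port"])))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_uci(SAMPLE_CONFIG)):
        print("[%s] %s" % (severity, message))
```

Run against the sample, the audit reports the WEP network, the default SSID, the unknown DNS forwarder, UPnP, the web interface bound to every address, and the Telnet-from-WAN rule, while leaving the LAN-only SSH rule alone. The DNS check is the one worth running on a schedule: a changed forwarder is the quietest symptom of a compromised router.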