Consumer Devices – Sad.
Shopping. You like shopping, I like shopping, sites like Wirecutter and DudeIWantThat exist solely to facilitate shopping. There are few things more satisfying than peeling that protective plastic layer off of a new piece of tech gear, plugging it in and being treated to a fantastic blinkenlight show. We’re all guilty of making impulse purchases, replacing things that haven’t worn out or gone out of fashion. But what about that dusty modem / access point in the corner of the entertainment unit?
ArsTechnica reports on a new wave of attacks targeting vulnerabilities discovered in D-Link’s modem/router combination devices that allow attackers to alter DNS settings. An attacker can modify DNS entries and send users to malicious sites. In effect, it’s like having a 100% successful phishing campaign that’s invisible to the targeted users.
When initially detected, attackers were targeting Brazilian users of Banco de Brasil and Unibanco. In the former’s case, the legitimate site can be accessed via HTTP and therefore lacked means to verify the authenticity of the site. The latter bank’s redirect target was an empty landing page, indicating that the attackers hadn’t yet set up the spoofed site. Both malicious DNS servers were taken down shortly after being reported.
An interesting side effect of the attack is that, since the malicious DNS servers are offline, users with infected DLink devices won’t be able to resolve any addresses. It’s unclear if simply rebooting the affected devices will clear the malicious settings and prompt the router to pull fresh a fresh DNS server list from the ISP. Consumer internet-facing appliances like modems, routers and IoT devices are juicy targets for attackers because they are often poorly configured and are rarely patched when vulnerabilities are discovered.
Why Does This Happen?
There is a huge difference between the consumer device market and the enterprise sector. Consumers want things to be cheap, shiny and easy. They buy networking gear, get it running and that’s the last time it’s touched until the internet goes down or it’s time to replace the unit. Uneducated consumers don’t consider the implications of an unpatched, unconfigured core network device in their home. They should.
You, me and forward-thinking enterprises know something the general consumer doesn’t: we have things that are worth money to attackers. That could be PII, financial information, compute resources, intellectual property… the list goes on and on. Just thinking about your attack surface and the long list of desirables on your network is enough to make you sound like the local tinfoil hat guy at family dinners.
Enterprise gear is designed for performance, to be highly configurable and, most important, is supported with software updates. A big part of why enterprise-grade equipment is so expensive is the long chain of support from customer service reps all the way to engineers generating code and designing hardware. This seems pointless to the average consumer, until it’s too late – their router (the all-in-one network defender) has been compromised, now working as a double-agent and sending financial information to unknown attackers across the internet. Fortunately, there are some companies that span the divide between the consumer and enterprise segments. That’s where you’ll find products that are robust, easy to use and kept up to date with patches.
What do I do?
The internet is the magic fabric that enables global commerce, provides entertainment and delivers the world’s knowledge to our fingertips. We have to be able to trust devices on our home networks to help keep us safe. To do this, we must take a couple of simple steps to stay informed, proactively seek updates and make good purchasing decisions.
You have to check for updates and make good configuration choices. This means logging on to your modem / router / firewall and (1) checking for updates periodically, (2) Turning off services like UPnP, WPS and WAN management and (3) changing the password to a non-dictionary or easily-guessable value. That’s it. It sounds like tedious SysAdmin work but this will take you about 20 minutes to do the first time around.
Make good choices. Some companies like DLink, Linksys and Netgear (not an exhaustive list) drop support for their products after a couple of years. Save yourself some heartache and look at companies like Netgate (SG-1000 and SG-3000) and Ubiquiti (UniFi Security Gateway) for consumer-friendly offerings that won’t break the bank. These companies (also not an exhaustive list) make fantastic enterprise-grade gear and you can count on support and software updates for years to come.
Stay informed. Subscribe to a blog like Bleeping Computer or set up a Google Alert for your router’s model number and the word “vulnerability”. The best way to protect yourself on the internet’s mean streets is to be aware of your attack surface. If your device is vulnerable and hasn’t been patched in years (such as the DLink devices in this article), it’s time to replace it with a newer, younger, better-supported model.
If I learned anything from G.I. Joe:
Mugatu knows a trend when he sees one.
Worth it.
Grit City Security 