Month: August 2018


Don’t-Link – Consumer-grade Appliances Strike Again

Consumer Devices – Sad.

Shopping. You like shopping, I like shopping, sites like Wirecutter and DudeIWantThat exist solely to facilitate shopping. There are few things more satisfying than peeling that protective plastic layer off of a new piece of tech gear, plugging it in and being treated to a fantastic blinkenlight show. We’re all guilty of making impulse purchases, replacing things that haven’t worn out or gone out of fashion. But what about that dusty modem / access point in the corner of the entertainment unit?

ArsTechnica reports on a new wave of attacks targeting vulnerabilities discovered in D-Link’s modem/router combination devices that allow attackers to alter DNS settings. An attacker can modify DNS entries and send users to malicious sites. In effect, it’s like having a 100% successful phishing campaign that’s invisible to the targeted users.

When initially detected, attackers were targeting Brazilian users of Banco do Brasil and Unibanco. In the former’s case, the legitimate site could be accessed via HTTP and therefore lacked any means of verifying the authenticity of the site. The latter bank’s redirect target was an empty landing page, indicating that the attackers hadn’t yet set up the spoofed site. Both malicious DNS servers were taken down shortly after being reported.

An interesting side effect of the attack is that, since the malicious DNS servers are now offline, users with compromised D-Link devices won’t be able to resolve any addresses at all. It’s unclear whether simply rebooting the affected devices will clear the malicious settings and prompt the router to pull a fresh DNS server list from the ISP. Consumer internet-facing appliances like modems, routers and IoT devices are juicy targets for attackers because they are often poorly configured and are rarely patched when vulnerabilities are discovered.


Why Does This Happen?

There is a huge difference between the consumer device market and the enterprise sector. Consumers want things to be cheap, shiny and easy. They buy networking gear, get it running and that’s the last time it’s touched until the internet goes down or it’s time to replace the unit. Uneducated consumers don’t consider the implications of an unpatched, unconfigured core network device in their home. They should.

You, me and forward-thinking enterprises know something the general consumer doesn’t: we have things that are worth money to attackers. That could be PII, financial information, compute resources, intellectual property… the list goes on and on. Just thinking about your attack surface and the long list of desirables on your network is enough to make you sound like the local tinfoil hat guy at family dinners.

Enterprise gear is designed for performance, to be highly configurable and, most importantly, is supported with software updates. A big part of why enterprise-grade equipment is so expensive is the long chain of support from customer service reps all the way to the engineers writing code and designing hardware. This seems pointless to the average consumer, until it’s too late – their router (the all-in-one network defender) has been compromised and is now working as a double agent, sending financial information to unknown attackers across the internet. Fortunately, there are some companies that span the divide between the consumer and enterprise segments. That’s where you’ll find products that are robust, easy to use and kept up to date with patches.


What do I do?

The internet is the magic fabric that enables global commerce, provides entertainment and delivers the world’s knowledge to our fingertips. We have to be able to trust devices on our home networks to help keep us safe. To do this, we must take a couple of simple steps to stay informed, proactively seek updates and make good purchasing decisions.

You have to check for updates and make good configuration choices. This means logging on to your modem / router / firewall and (1) checking for firmware updates periodically, (2) turning off services like UPnP, WPS and WAN (remote) management and (3) changing the administrative password to a value that isn’t a dictionary word or otherwise easily guessed. That’s it. It sounds like tedious SysAdmin work, but it will take you about 20 minutes the first time around.

Make good choices. Some companies like D-Link, Linksys and Netgear (not an exhaustive list) drop support for their products after a couple of years. Save yourself some heartache and look at companies like Netgate (SG-1000 and SG-3000) and Ubiquiti (UniFi Security Gateway) for consumer-friendly offerings that won’t break the bank. These companies (also not an exhaustive list) make fantastic enterprise-grade gear, and you can count on support and software updates for years to come.

Stay informed. Subscribe to a blog like Bleeping Computer or set up a Google Alert for your router’s model number and the word “vulnerability”. The best way to protect yourself on the internet’s mean streets is to be aware of your attack surface. If your device is vulnerable and hasn’t been patched in years (such as the D-Link devices in this article), it’s time to replace it with a newer, better-supported model.

If I learned anything from G.I. Joe:

Safe harbor is the best harbor

ArsTechnica published an article about, a site promoting an open source approach to creating standard policies for companies that protect security researchers and encourage responsible disclosure. This is a response to the technology sector’s current state, where every company has a unique policy (or, in many cases, no policy) defining a process by which researchers can submit their findings and be guaranteed protection from legal action. This policy minefield puts a damper on research and on the reporting of new vulnerabilities.

A study commissioned by the Center for Democracy & Technology (CDT) found that security researchers are often hesitant to report their findings for fear of legal action. This creates a chilling effect in the research community and harms overall security by preventing responsible handling of vulnerabilities. Think about this: If you’re a white hat hacker, who do you target for research? Company A with a clearly-defined vulnerability disclosure policy or Company B that takes legal action against researchers?

Of the researchers we interviewed, few reported receiving threats related to a disclosure, either veiled or explicit. The researcher reporting the greatest number of threats often serves as a disclosure intermediary for other researchers. This subject reported that many of the researchers for whom the subject had performed a notification or disclosure did not want to notify the company themselves because of the risk they associated with notification. Other interview subjects reported being pressured by companies to keep quiet or to sign non-disclosure agreements (NDAs).
– Page 12 of the “Risk Basis for Security Research” report.

What is responsible disclosure?

Responsible disclosure is one of several models of releasing security vulnerability research. The key differentiator in the Responsible Disclosure model is that the information is made public only after a period of time has passed and a patch has been released to the public. This model allows researchers to contribute to the greater good while companies have time to develop, test and deploy patches to protect customers. Researchers still receive credit and, in many cases, financial rewards. The SANS Institute InfoSec Reading Room has an excellent paper on Responsible Disclosure and touches on other models.

Why we need standards:

Malicious hackers are examining products as intensely as white-hats – perhaps even more so as there is a huge financial incentive to develop and weaponize vulnerabilities. These weaponized exploits are incorporated into attack tools available for free or at a moderate price on the dark web. Malware as a service (MaaS) is an extension of the shift to cloud-oriented and subscription-based models and is making sophisticated attack tools more accessible to would-be attackers.

Companies that don’t create a safe harbor for security researchers are only hurting themselves and their users. Policies that promote research, give legal protection and outline financial incentives attract ethical people. These researchers act like an extension of a company’s own security and QA resources. By protecting and enabling research the company will be made aware of vulnerabilities before they are discovered and used for malicious purposes. This allows companies to protect their users and avoid significant fines and loss of goodwill.

Companies with no safe harbor policy reap none of the benefits of this supplemental security blanket. Ethical researchers will avoid companies that stifle research and respond to responsible disclosures with legal action. As white hats avoid these companies, black hats will be attracted to products that aren’t being evaluated for vulnerabilities. Ironically, these vulnerabilities will cost the company many times what an incentive-based safe harbor policy would. Now that GDPR is enforced, a company can face a fine of up to 4% of annual global turnover (or €20 million, whichever is greater) for violating data privacy regulations.

All companies, whether they make hardware or software products or merely use them to support business operations, have a stake in the effort to promote responsible disclosure of vulnerabilities. Vulnerabilities will continue to be discovered and weaponized, putting users’ privacy at risk and costing companies millions of dollars in lost revenue and remediation. Vaccines are so effective because they create herd immunity. Like a vaccine, the more research directed at technology products, the safer we will all be.

Mugatu knows a trend when he sees one.