Worm burrows into, infects wireless ISPs, Internet of Things

Consumers, SMBs should register devices, always check for and apply updates

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

It has been quite some time since self-repli­cat­ing com­put­er worms, like Code Red and Con­fick­er, swarmed across the plan­et tak­ing over con­trol of mil­lions of inter­net-con­nect­ed Win­dows computers.

Microsoft deserves cred­it for pour­ing bil­lions of dol­lars into infra­struc­ture that accom­plish­es com­par­a­tive­ly rapid and wide­spread patch­ing of fresh Win­dows oper­at­ing sys­tem vul­ner­a­bil­i­ties as they are discovered.

But what’s old is new again. A self-repli­cat­ing worm recent­ly began seek­ing out net­work­ing equip­ment known to con­tain an unpatched vul­ner­a­bil­i­ty in AirOS, the Lin­ux-based firmware that runs wire­less routers, access points, inter­net-con­nect­ed cam­eras and oth­er gear sold by Ubiq­ui­ti Net­works.

In the open source Lin­ux world, there is noth­ing quite on par with Win­dows Auto Update for con­sumers or Microsoft’s Patch Tues­day for businesses—mechanisms designed to sys­tem­at­i­cal­ly fix fresh­ly dis­cov­ered flaws. The prob­lem is Lin­ux has come to be used wide­ly across the Inter­net of Things. So yet anoth­er wide attack vec­tor has opened up, cre­at­ing gap­ing expo­sures for con­sumers and businesses.

Third­Cer­tain­ty asked Travis Smith, senior secu­ri­ty research engi­neer at Trip­wire, about the wider ramifications.

3C: How are hack­ers tar­get­ing the AirOS vulnerability?

Travis Smith, Tripwire senior security research engineer
Travis Smith, Trip­wire senior secu­ri­ty research engineer

Smith: The attack­ers are scan­ning the inter­net, using search ser­vices such as Shodan, hunt­ing for sys­tems with this vul­ner­a­bil­i­ty. Once a vul­ner­a­ble sys­tem is found, attack­ers point their exploits at any­one they find to be vul­ner­a­ble. Rarely is a par­tic­u­lar vic­tim tar­get­ed, more often than not they are a vic­tim of oppor­tu­ni­ty for sim­ply hav­ing vul­ner­a­ble code.

Relat­ed sto­ry: Hack­ers use Shodan search engine to dis­cov­er vul­ner­a­ble systems

3C: What does this enable the attack­er to do?

Smith: Once the sys­tem has been suc­cess­ful­ly infect­ed, the worm will replace the user­names and pass­words on the device, and begin scan­ning for oth­er vul­ner­a­ble sys­tems. Even­tu­al­ly, the worm will reset the device back to the fac­to­ry defaults and leave a back­door into the device for the attack­er. There are no oth­er pieces of mali­cious intent that have been dis­cov­ered, so the endgame appears to be an exer­cise in capa­bil­i­ties by the attack­er. With that lev­el of access, it’s pos­si­ble that the attack­er could use these as a piv­ot point into inter­nal net­works, inspect con­fi­den­tial traf­fic, or much more.

3C: So it is self replicating?

Smith: Yes, the self-repli­ca­tion allows the mal­ware to be a force ampli­fi­er for the attack­er. Instead of the attack­er using their own machine to dis­cov­er and infect machines, they can mul­ti­ply their efforts with each suc­cess­ful­ly infect­ed device.

3C: Ubiq­ui­ty says it issued a patch last July.

Smith: The fact that the patch was resolved last July means the notice either didn’t reach the cus­tomer, or the cus­tomer opt­ed to not patch their equip­ment. Ars Tech­ni­ca has report­ed that many cus­tomers are claim­ing that they nev­er received noti­fi­ca­tion of the threat.

Enter­pris­es have well-estab­lished rela­tion­ships with their ven­dors and are gen­er­al­ly alert­ed quick­ly of updates to the prod­ucts used in their envi­ron­ment. On the con­sumer side, that rela­tion­ship is gen­er­al­ly nonex­is­tent. Few con­sumer prod­ucts are built to install updates auto­mat­i­cal­ly. Unless the end user reg­is­tered their prod­uct when it was pur­chased, the ven­dor doesn’t have a clear path to alert the user of known vul­ner­a­bil­i­ties. Out of sight, out of mind.

3C: What does this tell us about vul­ner­a­bil­i­ties in soft­ware and firmware being rushed into mar­ket to sup­port the Inter­net of Things?

Smith: Risk is intro­duced any­time a device is con­nect­ed to the inter­net. Bad guys have been attempt­ing to exploit these devices for years, so this is noth­ing new. Larg­er enter­pris­es are con­sid­ered the whales for attack­ers, tougher to catch but the return on invest­ment can be enor­mous. Con­sumers and SMBs are the small­er fish, an eas­i­er tar­get, but you will need to rely on economies of scale to get a decent return on invest­ment. Attack­ers will fol­low the dol­lars, so if con­sumers and SMBs are going to be more prof­itable from these types of attacks, we can expect an increase in frequency.

 3C: What areas appear to be the most vulnerable?

Smith: Most of these cas­es relate to devices being able to authen­ti­cate users from the inter­net, as opposed to only being avail­able from the inter­nal side of the net­work. When this hap­pens, the attack­ers exploit the use of either default cre­den­tials the end user did not change or weak, hard-cod­ed cre­den­tials the ven­dor left in the prod­uct. This is a real-world exam­ple of why end users should change default pass­words on all of their devices.

3C: What’s the big take­away for consumers?

Smith: The most impor­tant thing to con­sid­er is to con­tin­u­al­ly check your sys­tems for updates and apply them as soon as pos­si­ble. When avail­able, reg­is­ter your devices with the man­u­fac­tur­er to stay up to date on receiv­ing these notifications.

3C: What’s the big take­away for SMBs?

Smith: SMBs can take the same pro­tec­tions as con­sumers by reg­is­ter­ing their devices with man­u­fac­tur­ers to receive update noti­fi­ca­tions. Apply updates when they become avail­able to reduce the attack sur­face of their net­work. Not only will these updates fix crit­i­cal secu­ri­ty issues, but they also may can increase the per­for­mance of the net­work to increase oper­a­tional efficiencies.

More sto­ries relat­ed to wire­less secu­ri­ty and Inter­net of Things:
As work­ers move out of the office, busi­ness secu­ri­ty risks multiply
Data secu­ri­ty even more crit­i­cal as Inter­net of Things mul­ti­plies, morphs
Iner­tia, secu­ri­ty short­cuts leave IoT devices vul­ner­a­ble to attack

Posted in Cybersecurity, Data Breach, Featured Story