Worm burrows into, infects wireless ISPs, Internet of Things

Consumers, SMBs should register devices, always check for and apply updates


It has been quite some time since self-replicating computer worms, like Code Red and Conficker, swarmed across the planet taking over control of millions of internet-connected Windows computers.

Microsoft deserves credit for pouring billions of dollars into infrastructure that accomplishes comparatively rapid and widespread patching of fresh Windows operating system vulnerabilities as they are discovered.

But what’s old is new again. A self-replicating worm recently began seeking out networking equipment known to contain an unpatched vulnerability in AirOS, the Linux-based firmware that runs wireless routers, access points, internet-connected cameras and other gear sold by Ubiquiti Networks.

In the open source Linux world, there is nothing quite on par with Windows Auto Update for consumers or Microsoft’s Patch Tuesday for businesses—mechanisms designed to systematically fix freshly discovered flaws. The problem is that Linux has come to be used widely across the Internet of Things. So yet another wide attack vector has opened up, creating gaping exposures for consumers and businesses.

ThirdCertainty asked Travis Smith, senior security research engineer at Tripwire, about the wider ramifications.

3C: How are hackers targeting the AirOS vulnerability?

Travis Smith, Tripwire senior security research engineer

Smith: The attackers are scanning the internet, using search services such as Shodan, hunting for systems with this vulnerability. Once a vulnerable system is found, attackers point their exploits at anyone they find to be vulnerable. Rarely is a particular victim targeted; more often than not, they are a victim of opportunity for simply having vulnerable code.


3C: What does this enable the attacker to do?

Smith: Once the system has been successfully infected, the worm will replace the usernames and passwords on the device, and begin scanning for other vulnerable systems. Eventually, the worm will reset the device back to the factory defaults and leave a backdoor into the device for the attacker. There are no other pieces of malicious intent that have been discovered, so the endgame appears to be an exercise in capabilities by the attacker. With that level of access, it’s possible that the attacker could use these as a pivot point into internal networks, inspect confidential traffic, or much more.

3C: So it is self-replicating?

Smith: Yes, the self-replication allows the malware to be a force amplifier for the attacker. Instead of the attacker using their own machine to discover and infect machines, they can multiply their efforts with each successfully infected device.

3C: Ubiquiti says it issued a patch last July.

Smith: The fact that the patch was resolved last July means the notice either didn’t reach the customer, or the customer opted to not patch their equipment. Ars Technica has reported that many customers are claiming that they never received notification of the threat.

Enterprises have well-established relationships with their vendors and are generally alerted quickly of updates to the products used in their environment. On the consumer side, that relationship is generally nonexistent. Few consumer products are built to install updates automatically. Unless the end user registered their product when it was purchased, the vendor doesn’t have a clear path to alert the user of known vulnerabilities. Out of sight, out of mind.

3C: What does this tell us about vulnerabilities in software and firmware being rushed into market to support the Internet of Things?

Smith: Risk is introduced anytime a device is connected to the internet. Bad guys have been attempting to exploit these devices for years, so this is nothing new. Larger enterprises are considered the whales for attackers, tougher to catch but the return on investment can be enormous. Consumers and SMBs are the smaller fish, an easier target, but you will need to rely on economies of scale to get a decent return on investment. Attackers will follow the dollars, so if consumers and SMBs are going to be more profitable from these types of attacks, we can expect an increase in frequency.

3C: What areas appear to be the most vulnerable?

Smith: Most of these cases relate to devices being able to authenticate users from the internet, as opposed to only being available from the internal side of the network. When this happens, the attackers exploit the use of either default credentials the end user did not change or weak, hard-coded credentials the vendor left in the product. This is a real-world example of why end users should change default passwords on all of their devices.

3C: What’s the big takeaway for consumers?

Smith: The most important thing to consider is to continually check your systems for updates and apply them as soon as possible. When available, register your devices with the manufacturer to stay up to date on receiving these notifications.

3C: What’s the big takeaway for SMBs?

Smith: SMBs can take the same protections as consumers by registering their devices with manufacturers to receive update notifications. Apply updates when they become available to reduce the attack surface of their network. Not only will these updates fix critical security issues, but they may also increase the performance of the network to increase operational efficiencies.
