


The router of all evil

Jul 19, 2018, 5 mins

Discusses research on threats to home routers, which recently became the target of a Russian malware campaign using the “VPNfilter” malware.

We spend a lot of time researching and highlighting the dangers of IoT devices. Cameras, DVRs, thermostats, light bulbs, and even refrigerators, connected to the internet may be vulnerable to attacks and exploits.

Still, there’s one IoT device that everyone owns and, I’ll wager, the vast majority of people forget about: the router.

“The box,” as my parents call it, typically is happily blinking away in a forgotten corner of the house and left alone for years. These home routers recently became the target of a Russian malware campaign using what is known as “VPNfilter” malware.

By creating software to compromise and infect many different brands and models, upwards of 70 models across a half-dozen brands, the group behind the campaign can tap into a vast pool of potential devices and monitor Internet traffic, downgrade traffic from HTTPS to HTTP, and even inject malware into the data stream to compromise devices further downstream. The malware additionally comes with a self-destruct function that removes it from the device and destroys the device itself.

Evil on two sides

VPNfilter has two distinct components. The first is a resident malware that establishes a permanent backdoor to the device and persists through a reboot. The only function of this component is to locate a command and control (C2) node to download the second component. The second component does not persist and contains code to allow the malware to download files, exfiltrate data and even overwrite the device’s firmware and trigger a reboot, rendering the device unusable. Other plugins for the second component include a packet sniffer, an encrypted communication module and a code injection module that can insert malicious code into communications running through the infected router. It’s this module that can downgrade connections from HTTPS to HTTP.

The fact that the malware has two separate components, one persistent and one ephemeral, is what caused the FBI to call for every owner of a SOHO router to reboot it. The reboot would clear out the second malware component, but also help investigators track the C2 nodes when the persistent component tried to reach out and download again.

Given the sophistication of VPNfilter, and the modular approach the designers used, it’s not a stretch to believe that this, or another variant, will soon be spreading. Routers, by their design, are difficult to secure. They are frequently facing the internet directly, and installed with little thought to updates and maintenance. Most people rarely reboot their router, so the ephemeral malware can reside in memory for months or even years.

The design of VPNfilter puts this malware in a different class than others we’ve seen. The capabilities of this malware are clearly more closely aligned with intelligence gathering and information warfare than turning devices into DDoS-for-hire or spam bots. The addition of the capability to disable an infected router completely is a chilling indicator that the controllers could, at a moment’s notice, disrupt a large percentage of a country’s communication infrastructure. Shutting down access to news sites would make it difficult for citizens to learn about what might be happening, while at the same time preventing people from communicating via Skype, or other internet-based channels.

While worrying in its own right, now that this malware has been revealed, it’s highly likely that other nation-states will be looking to replicate it, and very likely that other adversaries, like cybercriminal gangs, will also be looking at this new vector. A malware that can not only steal credentials right off the wire, but also shut down a user’s internet connection unless a ransom is paid, opens up new avenues for theft and extortion. A turnkey package sold on the dark web could allow DDoS-for-hire services to leverage millions of routers to attack unsuspecting victims.

The good and evil of IoT

This is usually the point where security professionals give a standard slate of advice. “Patch your devices.” “Get new hardware.” “Monitor your manufacturer’s site for updates.”

What we have instead is a microcosm of the larger IoT problem. How do we protect ourselves, and the internet, from out-of-date and unpatched systems?

Like many IoT devices, routers provide reliable service long after manufacturers withdraw support. In the future, when refrigerators, cars and other long-lived, expensive devices are internet-connected, is it going to be necessary for owners to power-cycle their homes once a month to clear out memory-resident malware? Are we going to need to create a system where consumers need to lease their appliances to ensure they have supported devices? How about implanted medical devices?

The biggest problem with connected devices is that the criteria for a good IoT device don’t necessarily include security. An IoT camera needs to have good resolution and zoom capability. An IoT refrigerator needs to keep food cold and run quietly. A router needs to move packets to the correct devices on the local network. Very few consumers are knowledgeable, or care enough, to ask about the security around these devices. Are there hardcoded passwords? How long are firmware updates available? What happens when the device goes out of support?

All these are questions that the nascent IoT industry needs to start giving a lot of thought to, otherwise consumer protection agencies will. And they will lay down regulations to ensure safety, both of consumers and the internet at large.

I once read somewhere, “The ‘S’ in IoT stands for security.” Think about that.