Full Disclosure mailing list archives

Re: Broadband routers and botnets - being proactive


From: coderman <coderman () gmail com>
Date: Fri, 11 May 2007 20:04:53 -0700

On 5/11/07, Gadi Evron <ge () linuxbox org> wrote:
In this post I'd like to discuss the threat widely circulated insecure
broadband routers pose today. We have touched on it before.

even better when they sit on fiber.  mmmm, fiber...


Today, yet another public report of a vulnerable DSL modem type was posted
to bugtraq, this time about a potential WIRELESS flaw with broadband
routers being insecure

mmm, wireless and fiber!


If you all remember, there was another report a few months ago about a UK
ISP named BeThere with their wireless router being accessible from the
Internet and exploitable

hey, those "hidden" ports (2222? lol) accepting login are for
"maintenance" or "technical support", aka "a feature, not a bug!"

[the blatant, non-hidden telnet @ 23 is even better.  roffle]


Two issues here:
1. Illegitimate access to broadband routers via wireless communication.

like verizon fios/dsl, with their WEP key set to the MAC of the WAN
port?  that's a problem when the wireless BSSID of the AP is just a
few iterations from the WAN MAC. oops.

mmm, fiber...


2. Illegitimate access to broadband routers via the WAN.

I'd like to discuss #2.

yay for busybox linux routers.  cross compile and rootkit for botnet
joy.  remember to alter the "factory reset" tarball / image on the fs.
  (seriously, who thought up that procedure?)


Although the general risk is well known, like with many other security
issues many of us remained mostly quiet in the hope of avoiding massive
exploitation. As usual, we only delayed the inevitable.

oh yeah, it's coming.  legions of fiber zombies!

unfortunately when you look at the ToS / fine print you'll discover
that they don't support that broadband router, even though they gave
it to you and set it up.  it's YOUR responsibility, and when they get
r00ted en masse, guess what?  the telcos/ISPs are going to pass the
buck.

i predict massive customer revolt...


I fear that the
lack of awareness among some ISPs for this "not yet widely exploited
threat" has resulted in us not being PROACTIVE and taking action to secure
the Internet in this regard.

quick! root them first, and patch!
(ah, curious blue.  such a tantalizing and horrible idea.)


What else is new, we are all busy with
yesterday's fires to worry about tomorrow's.
Good people will REACT and solve the problem when it pops up in
wide-exploitation

the patch procedure for a compromised router is a "truck roll".  see
above about passing the buck.  this means lots of pissed customers
heading to best buy to purchase new routers, since theirs is pwned,
and the telco/ISP claims no responsibility.  great news!


but what we may potentially be facing is yet another
vector for massive infections and the creation of eventual bot armies on
yet another platform.

mmm, fiber!  always on!  hard-to-fix!


My opinion is, that with all these public disclosures and a ripe pool of
potential victims, us delaying massive exploitation of this threat may not
last. I believe there is currently a window of opportunity for service
providers to act and secure their user-base without rushing.

lol

i love to dream too, Gadi.  but it doesn't keep my stack and heap sanitary.

they aren't going to listen until it becomes a debacle full of pissed
off customers and saber rattling politicians...


Nothing in
security is ever perfect, but actions such as changing default passwords
and preventing connections from the WAN to these devices would be a good
step to consider if you haven't already.

how about an embedded network element best practices?  because really,
WEP keys broadcast by BSSID, factory defaults on open ports, etc, etc,
are just idiotic mistakes.

i'm all for individual responsibility, but that kind of shit is just ridiculous.


My suggestion would be to take a look at your infrastructure and what your
users use, and if you haven't already, add some security there. You
probably have a remote login option for your tech support staff which you
may want to explore - and secure.

speaking of which, some ISPs who will remain nameless use stunnel to
authenticate incoming mgmt connections.  since firmware is notoriously
out of date, compared to patched systems, anyone using openssl 0.9.8b
on their router might want to check for an update.  (see also: PKCS#1
v1.5 fun)


Then, I'd also suggest scanning your network for what types of broadband
routers your users make use of, and how many of your clients have port 23
or 80 open.

and the "hidden" ports too, like 2222, etc.


I am aware of and have assisted several ISPs, who spent some time and
effort exploring this threat and in some cases acting on it. If anyone can
share their experience on dealing with securing their infrastructure in
this regard publicly, it would be much appreciated.

i'd love to hear some tales of ISPs being responsible and promptly
addressing such flaws.  right now all i see are big behemoths waiting
for their consumer cattle to get slaughtered, en masse.  paying more
attention to absolving their responsibility via contractual agreement
than protecting the consumer with even moderately secured router
hardware.  *sigh*

best regards,

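Gadi suggests that ISPs scan their own address space for customer routers answering on port 23 or 80, and coderman adds the "hidden" maintenance ports such as 2222. The script below is an added example, not code from the thread or from either poster: a small connect-and-banner inventory check an operator could run against its OWN customer ranges to list CPE that exposes a management port to the WAN. The port set (23, 80, 2222), the HTTP probe, the fingerprint heuristics, and the 192.0.2.x sample addresses are all assumptions or constructed values, not something the thread specifies.

```python
"""Inventory scan for router management ports exposed on the WAN side.

Added example (not part of the original thread). Run it only against
address ranges you are responsible for. Port list, probe strings and
fingerprint heuristics are assumptions for illustration.
"""
import socket
from typing import Dict, Iterable, Optional

# Ports called out in the thread; 2222 is the assumed "hidden" maintenance port.
MGMT_PORTS = (23, 80, 2222)

# Plain HTTP servers say nothing until asked, so send a minimal request there.
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"


def probe_port(host: str, port: int, timeout: float = 1.0,
               request: Optional[bytes] = None) -> Optional[bytes]:
    """Return the first bytes the service sends (b'' if it stays silent)
    when `port` accepts a TCP connection, or None if it is closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if request:
                s.sendall(request)
            try:
                return s.recv(256)
            except OSError:          # includes timeout: open but silent
                return b""
    except OSError:                  # refused, unreachable, timed out
        return None


def scan_host(host: str, ports: Iterable[int] = MGMT_PORTS,
              timeout: float = 1.0) -> Dict[int, bytes]:
    """Map every open port on `host` to the banner it returned."""
    found: Dict[int, bytes] = {}
    for port in ports:
        request = HTTP_PROBE if port in (80, 8080) else None
        banner = probe_port(host, port, timeout, request)
        if banner is not None:
            found[port] = banner
    return found


def classify(banner: bytes) -> str:
    """Rough service fingerprint from a banner (constructed heuristics only)."""
    b = banner.lower()
    if b.startswith(b"http/") or b"<html" in b:
        return "http"
    if b"busybox" in b:
        return "busybox-telnet"
    if b"login:" in b or b"password:" in b:
        return "telnet-login"
    return "unknown"


def summarize(hosts: Iterable[str], ports: Iterable[int] = MGMT_PORTS,
              timeout: float = 1.0) -> Dict[str, Dict[int, str]]:
    """Return {host: {port: fingerprint}} for hosts exposing any mgmt port."""
    report: Dict[str, Dict[int, str]] = {}
    for host in hosts:
        exposed = scan_host(host, ports, timeout)
        if exposed:
            report[host] = {p: classify(b) for p, b in exposed.items()}
    return report


if __name__ == "__main__":
    # Constructed sample targets (TEST-NET-1); replace with your own ranges.
    for host, findings in summarize(["192.0.2.10", "192.0.2.11"]).items():
        for port, kind in sorted(findings.items()):
            print(f"{host}:{port} exposed ({kind})")
```

The output is meant to feed a ticket queue or a per-model count, which is what the "what types of broadband routers your users make use of" question needs; anything answering with a BusyBox login prompt on the WAN side is the case both posters are worried about.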
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/