Broadband routers and botnets - being proactive
In this post I'd like to discuss the threat posed by the insecure broadband
routers that are widely deployed today. We have touched on it before.
Today, yet another public report of a vulnerable DSL modem type was posted
to bugtraq, this time a potential WIRELESS flaw in broadband routers
distributed by Deutsche Telekom. I haven't verified this one myself, but
the report refers to the "Deutsche Telekom Speedport w700v broadband
router":
http://seclists.org/bugtraq/2007/May/0178.html
If you all remember, there was another report a few months ago, this one
about a UK ISP named BeThere, whose wireless router was reachable from the
Internet and exploitable:
http://blogs.securiteam.com/index.php/archives/826
Two issues here:
1. Illegitimate access to broadband routers via wireless communication.
2. Illegitimate access to broadband routers via the WAN.
I'd like to discuss #2.
Some ISPs which provide such devices use them as bridges only (the device
passes traffic through and does not itself answer on a WAN address), which
prevents several attack vectors, although not all. Many others don't. Most
broadband ISPs have a vulnerable user-base on some level.
Many broadband ISPs around the world distribute such devices to their
clients.
Although the general risk is well known, as with many other security
issues, many of us remained mostly quiet in the hope of avoiding massive
exploitation. As usual, we only delayed the inevitable. I fear that the
lack of awareness among some ISPs for this "not yet widely exploited
threat" has resulted in us not being PROACTIVE and taking action to secure
the Internet in this regard. What else is new: we are all too busy with
yesterday's fires to worry about tomorrow's.
Good people will REACT and solve the problem when it pops up in wide
exploitation, but what we may potentially be facing is yet another vector
for massive infections and the creation of eventual bot armies on yet
another platform.
My opinion is that, with all these public disclosures and a ripe pool of
potential victims, the delay in massive exploitation of this threat may
not last. I believe there is currently a window of opportunity for service
providers to act and secure their user-base without rushing. Nothing in
security is ever perfect, but actions such as changing default passwords
and blocking connections from the WAN side to the management interfaces of
these devices would be a good step to consider if you haven't already.
My suggestion would be to take a look at your infrastructure and at what
your users use, and if you haven't already, add some security there. You
probably have a remote login path for your tech support staff into these
devices; that path is worth exploring and securing, especially if it was
left at its defaults.
Then, I'd also suggest scanning your network for the types of broadband
routers your users make use of, and for how many of your clients have port
23 (telnet) or 80 (HTTP) open towards the Internet, since those are the
usual management interfaces. Whether or not you provide the devices, many
clients will be using devices of their own left at their defaults, which
pose a similar threat. Being aware of the current map of vulnerable
devices of this type in your networks can't hurt.
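The inventory scan suggested above, as an added example that is not part of the original post: it connects to ports 23 and 80 across a prefix, grabs whatever the service greets with (on 80 it sends a HEAD request so the Server header and the Basic-auth realm come back), and buckets each open port by a keyword match. The FINGERPRINTS table and the sample banner are assumptions constructed for illustration, not vendor-verified strings; tune the table to the devices your user-base actually runs. Run it only against address space you are responsible for, and treat the result as an inventory of exposed management interfaces, not as confirmation of a vulnerability.

```python
"""Inventory scanner for customer management ports (23/80).

Added example, not code from the original post. Keyword fingerprints
and the sample banner in demo() are constructed assumptions.
"""
import ipaddress
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor

PORTS = (23, 80)      # telnet and HTTP management interfaces
TIMEOUT = 2.0         # seconds per connect and per read

# Assumed fingerprints: substring -> label. Order matters (first match wins),
# so specific names come before the generic "dsl"/"router" catch-alls.
FINGERPRINTS = {
    "speedport": "Deutsche Telekom Speedport",
    "dsl": "generic DSL gateway",
    "router": "generic router",
}


def classify_banner(banner):
    """Map a raw banner (telnet greeting or HTTP response head) to a label."""
    low = banner.lower()
    for needle, label in FINGERPRINTS.items():
        if needle in low:
            return label
    return "unknown"


def probe(ip, port, timeout=TIMEOUT, send_http=None):
    """Return the first bytes ip:port sends (as text), or None if closed/filtered.

    send_http defaults to True on port 80: a HEAD request makes the device
    reveal Server: and WWW-Authenticate: headers, whose realm often names it.
    """
    if send_http is None:
        send_http = port == 80
    try:
        with socket.create_connection((str(ip), port), timeout=timeout) as s:
            s.settimeout(timeout)
            if send_http:
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + str(ip).encode() + b"\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""          # open but silent: still worth recording
            return data.decode("latin-1", "replace")
    except OSError:
        return None                 # refused, filtered or unreachable


def scan_prefix(cidr, ports=PORTS, workers=64):
    """Scan every host in cidr on ports; return {(ip, port): label} for open ones."""
    net = ipaddress.ip_network(cidr, strict=False)
    targets = [(ip, p) for ip in net.hosts() for p in ports]
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for (ip, port), banner in zip(targets, pool.map(lambda t: probe(*t), targets)):
            if banner is not None:
                results[(str(ip), port)] = classify_banner(banner)
    return results


def summarize(results):
    """Count exposed management ports per device label."""
    counts = {}
    for label in results.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


def _fake_service(banner):
    """Loopback listener that greets one client with `banner` (demo helper)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(banner)
            conn.settimeout(2.0)
            try:
                while conn.recv(1024):      # drain until the client closes
                    pass
            except socket.timeout:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe a constructed loopback 'router' and return its classification."""
    # Constructed 401 in the shape a device with a named Basic-auth realm
    # would return; not captured from any real Speedport.
    banner = (b"HTTP/1.0 401 Unauthorized\r\n"
              b'WWW-Authenticate: Basic realm="Speedport w700v"\r\n\r\n')
    port = _fake_service(banner)
    return classify_banner(probe("127.0.0.1", port, send_http=True) or "")


if __name__ == "__main__":
    found = scan_prefix(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1/32")
    for (ip, port), label in sorted(found.items()):
        print(f"{ip}:{port}\t{label}")
    print(summarize(found))
```

The classification is deliberately crude: its job is to tell you how many customers answer on 23/80 at all and roughly what they run, so you can decide where filtering at the aggregation edge or a firmware push is worth the effort. Expect "unknown" for many telnet daemons, which greet with option negotiation rather than a readable banner; they still count as exposed.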
It is not often that we can predict which of the numerous threats we are
not currently addressing is going to be exploited next. If you can spare
the effort, I'd strongly urge you to explore this front and be proactive
on your own networks.
The previous unaddressed threat which most of us chose to ignore was
spoofing. We all knew of it for a very long time, but some of us believed
it did not pose a threat to the Internet or their networks for no other
reason than "it is not currently being exploited" and "there are enough
bots out there for spoofing to not be necessary". I still remember the
bitter argument I had with Randy Bush over that one. This is a rare
opportunity, let's not waste it.
We are all busy, but I hope some of you will have the time to look into
this.
I am aware of and have assisted several ISPs, who spent some time and
effort exploring this threat and in some cases acting on it. If anyone can
share their experience on dealing with securing their infrastructure in
this regard publicly, it would be much appreciated.
Thanks.
Gadi Evron.