Eliminate backdoors into your network: Secure remote employees’ SOHO routers

By Bev Robb, IT consultant

With increasing commute times and technological advances, remote employees who work from home have become a reality. Even if a company has provided the employee with hardware, security software, a VPN connection, encryption, and security training — securing the Small Office/Home Office (SOHO) router is often overlooked and underestimated.

Because I was an IT security consultant for two decades and currently work remotely as an employee for a threat intelligence corporation — I tend to look at all components and connections at my office with security in mind.

For the past few years, we’ve seen an uptick in SOHO router vulnerabilities and exploits. This year alone, we’ve seen several router exploits.

In a recent phone interview with Joe Stewart, Director of Malware Research at Dell SecureWorks, I asked Joe about router vulnerabilities:

Bev Robb: How would a hacker go about exploiting a router vulnerability?

Joe Stewart: It depends upon the vulnerability. There are different contexts like exploiting it from outside the network and reaching across the Internet to its natural route, or a lot of other attacks work by exploiting the browser.

There are a great number of these routers hanging out on the Internet that contain default passwords. Vendors set the default passwords and if the ISPs do not change them, they do not have any real security and expose administration of these devices over either a web administration page, telnet, or what have you.

Sadly, in the case of a lot of these router exploitations, worms, and things like that, they are cross-platform, so they don’t use an exploit that might only work on one brand of router — chances are that it is going to work on 50 percent of the vulnerable routers out there.

Robb: What type of vulnerabilities are the easiest/the most difficult for hackers to use?

Stewart: Default credentials on external facing management interfaces (web/SNMP/telnet/ssh). There are other types which include authentication bypass vulnerabilities that they try to hack into — and more advanced things like writing your own custom shellcode.

Robb: What search term in Shodan did you use to discover vulnerable routers? Can you give an example?

Stewart: We weren’t searching for vulnerable routers per se – just showing that there are a great deal of routers in Vietnam exposing their management interfaces, which we can search for in Shodan using the country code plus certain known ports or banner strings.

On this IP address, there are certain banners being returned – this indicates a version. That’s very likely to be vulnerable if they did not update the version of the patch. I know that a lot of ISPs and vendors are shipping this particular model of router indicated by this banner and that they are shipping those with default credentials. So, I am thinking that some subset of these routers are still set to default. Shodan gives you a range of router targets to search for a vulnerability or default credentials, that’s all.

Robb: What vendor(s) should home office workers be more aware of specifically in terms of not locking down public interfaces?

Stewart: I am not pointing a finger at the vendors. In a lot of cases, consumers buy it off the shelf. Many of these router brands have learned their lesson and fixed a lot of the problems.

The routers are actually secure against having a default listener on the web interface. It is a lot of work for vendors, because when they get an exploit they have to release updated firmware and provide support for consumers attempting to upgrade from the vulnerable versions.

There are a lot of routers not sold to consumers directly. They are sold to ISPs. They might be made by one to two companies, a generic white-label router, and they sell to an ISP. The ISP private labels it, adds a model, and puts in their own modified firmware with their own branding.

The final configuration of the router is up to the ISP — and they must decide whether or not to leave the management interface open or not. In some cases they might overlook that option, in other cases, it might be intentional on their part. If I said you can’t blame the ISP, what I meant to say is that you can’t blame the router vendor in some cases.

There is a whole slew of routers with default configurations and many different model numbers made by the same vendor. Each ISP has an idea of how they want to administer their customer routers.

Ultimately the ISP makes the final configuration decision. They hold responsibility for the routers being open to abuse in certain cases. However, in terms of internally-exploited vulnerabilities it’s hard to blame the ISP. Instead, ownership of end user security must fall on the vendor.

Robb: Do you feel that broadband router vendors should provide basic education on how to secure their systems for the consumer?

Stewart: I don’t believe that vendors should be educating consumers on the security end. Vendors should be providing instructions to the ISP on how to securely configure their router firmware.

Robb: Regarding the “new” FCC rules that would like to ban Open Source router firmware, could you elaborate on this a bit more?

Stewart: What we think about this is that it is kind of a non-problem, it is something that nobody is complaining about. These new rules are harmful to the Internet. Somebody with custom firmware maybe cranks up the power level on their chip [1]. Maybe one in a hundred thousand people who load open-source firmware do this. There’s really not a lot of point to doing it, it’s not a significant improvement in range.

I like to control the security aspect of the router firmware, like DD-WRT and OpenWRT in order to provide more and better security options.

So, having the ability to have third-party firmware you can install on your router makes it a much more secure and more stable router for people who care about security.

Ultimately this ruling is attempting to lock out people who want to make the router more secure. Imagine locking out people who want to be more secure in pursuit of something no one even asked for. It’s essentially a non-problem.

I feel there might be one-in-a-million cases where the FCC ruling might be appropriate. In the interim, we want to encourage the FCC to not enact a rule without carefully considering the unintended consequences.

Robb: Joe, that was eye-opening and thank you for sharing your insights today.

Conclusion

Since wireless routers can become an ideal target for cybercriminals, there are ways that a remote employee can better secure a SOHO router. Joe recommends that if a remote employee has the ability to lock things down on the router, they should definitely do this.

He suggests six basic steps to better secure a SOHO router:

  1. Change the default password.
  2. Turn the firewall on.
  3. Turn logging on.
  4. Turn on WPA Wi-Fi encryption and set it to the strongest mode the router supports.
  5. Keep router firmware up to date.
  6. Don’t forget to log out after configuring the router.

Aside from remote employees securing their router with the six steps listed above — I would also suggest (if possible in the router configuration) not using the default IP range of 192.168.0.1, 192.168.1.1; turning off UPnP (Universal Plug and Play); turning off WPS; and disabling remote management over the Internet.

Corporate security policies should have an inclusion that all remote SOHO routers used to connect to the company VPN have remote management disabled in the router management interface.
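As an added example (not code from the original article), the checklist above and the VPN policy can be turned into an automated audit of an exported router configuration. The flat-dict format, the field names, and the default-password list are assumptions; a real export would need mapping onto them.

```python
# Added example: audit a SOHO router configuration against the nine hardening
# items above. The dict layout, field names and DEFAULT_PASSWORDS are assumptions.
from ipaddress import ip_network

# Constructed sample: a router in its factory-default state.
WEAK_CONFIG = {
    "admin_password": "admin", "firewall_enabled": False, "logging_enabled": False,
    "wifi_security": "WEP", "wifi_supported": ["WEP", "WPA", "WPA2"],
    "firmware_version": "1.0.2", "latest_firmware": "1.0.9",
    "upnp_enabled": True, "wps_enabled": True,
    "remote_management": True,      # admin interface reachable from the WAN side
    "lan_network": "192.168.1.0/24",
}
# Constructed sample: the same router after the steps in the conclusion.
HARDENED_CONFIG = {
    **WEAK_CONFIG, "admin_password": "correct-horse-battery-staple-7!",
    "firewall_enabled": True, "logging_enabled": True, "wifi_security": "WPA2",
    "firmware_version": "1.0.9", "upnp_enabled": False, "wps_enabled": False,
    "remote_management": False, "lan_network": "10.37.4.0/24",
}

DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}   # assumed vendor defaults
DEFAULT_LANS = {ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")}
WPA_RANK = {"WPA": 1, "WPA2": 2, "WPA3": 3}             # open/WEP rank as 0

def _ver(s):  # "1.0.9" -> (1, 0, 9) so versions compare numerically
    return tuple(int(x) for x in s.split("."))

def _best_wpa(cfg):  # strongest WPA mode this router offers (at least plain WPA)
    return max([WPA_RANK.get(m, 0) for m in cfg["wifi_supported"]] + [1])

# (predicate that is True when the item is violated, finding text)
CHECKS = [
    (lambda c: c["admin_password"].lower() in DEFAULT_PASSWORDS, "default admin password"),
    (lambda c: not c["firewall_enabled"], "firewall off"),
    (lambda c: not c["logging_enabled"], "logging off"),
    (lambda c: WPA_RANK.get(c["wifi_security"], 0) < _best_wpa(c), "Wi-Fi below strongest WPA mode"),
    (lambda c: _ver(c["firmware_version"]) < _ver(c["latest_firmware"]), "firmware out of date"),
    (lambda c: c["upnp_enabled"], "UPnP on"),
    (lambda c: c["wps_enabled"], "WPS on"),
    (lambda c: c["remote_management"], "remote management open to the Internet"),
    (lambda c: ip_network(c["lan_network"]) in DEFAULT_LANS, "default LAN address range"),
]

def audit(cfg):
    """Return the checklist items the configuration still violates."""
    return [text for violated, text in CHECKS if violated(cfg)]

def vpn_allowed(cfg):
    """Corporate policy from the article: VPN access only when remote management is off."""
    return not cfg["remote_management"]
```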

Even with all the router attacks and exploits revealed over the past few years — remote employees can still work safely and securely from a home office with ease — if the necessary security precautions are implemented in advance.

[1] The wording on the FCC proposal has some people worried that open-source software will be banned. The FCC wants to lock the Wi-Fi router chip down to prevent anyone from exceeding FCC broadcast power limits. It is already illegal to do this. An FCC document that was issued in March urged manufacturers to prevent loading of software like DD-WRT.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
