Mass Router Infection Possible: Black HatBlack Hat presenters detail how an HTML5-compliant browser could deliver malicious firmware, bring network-connected hardware under attackers' control.
Routers, switches, printers, firewalls, and other network-attached hardware can be automatically targeted via the Internet and brought under attackers' control, with no user interaction.
At that point, "you've essentially turned these SOHO [small office/home office] devices into a full-blown Linux attack framework, and, generally speaking, it will still look and act the same way," meaning users would be none the wiser, said presenter Joshua Brashars, a senior penetration tester at AppSec Consulting.
"We're replacing an operating system on a network device and taking complete control of it," said fellow presenter Phil Purviance, an information security specialist at AppSec Consulting.
[ What can the FBI teach you about corporate security? See Black Hat: 6 Lessons To Tighten Enterprise Security. ]
Another upside--for attackers--of this type of an attack is that it could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.
The researchers demonstrated the attack against a widely available type of Linksys router, noting that additional work would be needed to use the attack on a wide scale. According to Purviance, "this is something that can be done, if someone spent enough time and built a large enough toolkit."
When it comes to making this type of attack succeed, there several caveats, such as having to discover the access credentials for the device. Then again, while network-connected devices are typically password protected, many consumer devices ship with default usernames and passwords that don't get changed. "If you're able to find out what device they have, you're able to make a pretty good guess about what their password would be," said Purviance, noting that websites such as default-router-password database RouterPasswords.com can help.
In addition, the presenters said the attack would be more likely to succeed against SOHO (a.k.a. small or home office) devices, on which it's easier to update firmware, compared with an enterprise device. Some SOHO devices, for example, can even be instructed to fetch and install new firmware from a designated external website.
After identifying the router or other targeted device and brute-force guessing its account name and password, then pushing the correct type of malicious firmware to the device, installing the firmware would require a restart. Might a targeted user notice a router reboot? That's a possibility, but the researchers said that such behavior could be disguised via a social-engineering attack. One possibility would be to serve the attack via a fake file-sharing website, since users are often accustomed to having to wait for a minute or two before being allowed to download a file. After the router or other device restarted, there would be no indication that it was running malicious firmware.
The presenters said their findings built on previous research, including Black Hat talks in 2006 and 2007 delivered by Jeremiah Grossman and Robert Hansen, which demonstrated a cross-site request forgery attack in which websites could pass code to devices on the internal network. The AppSec researchers said they'd improved on that research by eliminating the need to trick users into revealing network-connected device account names and passwords. Instead, they said their attack could be fully automated, requiring no user interaction.
Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)