The security of home internet modem/router gateway devices
We were at the Institute of Information Security Professionals and CREST annual conference yesterday, where Cisco gave an interesting talk on the security of the home broadband modems and routers that form the digital link between our homes and the internet.
Cisco has been investing heavily in security in recent years both internally and via acquisitions of security companies such as NDS. They now appear increasingly to be using security to increase brand confidence and competitiveness while at the same time deliberately distancing themselves from the more negative connotations of being a US network technology supplier.
The talk was very interesting and resonates well with what we are seeing. When dealing with consumer electronics companies that are building connected/smart devices for the home, we often hear something similar to, “Security isn’t that important – the home modem/router will protect us.”
In an ideal world that should be true, but what if those gateway devices – the electronic doors that connect our home to the internet – aren’t really secure at all? What if, metaphorically, we are unintentionally and without our knowledge leaving the electronic doors and windows of our house open?
Unfortunately, those of us familiar with consumer electronics security see almost weekly reports of security vulnerabilities in these devices. The issues are often ones that should be relatively simple to fix, for example by not using the same default username and password for every device. A lot of these security vulnerabilities also allow an attacker on the internet to take control of your device remotely.
Even worse, this security risk is not just coming from no-name manufacturers but from big, well-known brands who should know better.
None of these devices run anti-virus software. Their software is also often not updated when a security problem is discovered in it. Even if an update is released, you normally have to apply it to your device manually, usually through a very poor web interface that is incomprehensible to a significant proportion of the population. Unlike PCs, these devices also don’t record any information that would allow the source or method of an attack to be discovered.
In fact the general situation is so bad that the Electronic Frontier Foundation announced last year that they were going to produce their own secure software for these devices.
How can an insecure modem/router be misused?
If an attacker takes control of your gateway device, it can be used to attack you by, for example, redirecting your banking website to their false one and hijacking your account. They can also use your device to send digital garbage over the internet to disrupt someone else’s internet connection.
Doesn’t sound serious enough? What if they also used every other device belonging to your ISP (as they’re all going to be the same) to send garbage? What if they used the same type of device all over the world?
Manufacturers may even be inadvertently providing the tools on the devices to enable this to be done more easily!
Current estimates for insecure devices are 20 MILLION. And this is likely to be an underestimate. Some people are proposing a figure of 80 MILLION.
Imagine a concentrated attack coming from millions of devices connected to the internet and spread globally so it’s practically impossible to stop.
This isn’t fiction or even a potential threat – there are companies today offering to sell the use of insecure devices to attack others. The recent attacks on Sony and Microsoft over Christmas have been attributed to the Lizard Squad. The Lizard Squad are thought to control a network of over 100,000 home router devices that they have taken over. There have also been recent reports of 300,000 devices being taken over.
If a relatively small number of devices can affect major corporations – what could a much larger number of devices do? Imagine the potential disruption to our businesses, finance or even infrastructure.
Why is security not considered?
Fundamentally, the situation exists because security costs money. Consumer electronics is a cut-throat industry with low profit margins, and there’s unfortunately no incentive for manufacturers to add security unless they have to.
There is just not enough pressure on them currently to change.
This requirement for security can only come from consumers (pressuring their internet service provider or brands directly via buying power) or from government regulation.
Unfortunately, consumers currently don’t appear to be aware of the implications. There are signs that things may be changing, however, with rumours that a well-known consumer research organisation will be highlighting security of products in the near future.
Given the high impact of the risk, even if the likelihood at the moment is low, it is difficult to see how this market can avoid regulation in the longer term.