Decrypt This - By Chris Stobing
 

Decrypt This: How a cookie ruined routers for the rest of us

Last week, I gave you your first taste of the wild world of home router security.

In the report, I delved into a few of the reasons why, even after three decades in business, router manufacturers continue to struggle to maintain pace with hackers in keeping the personal, professional, and financial information of their customers safe from harm.

Now as promised, I’m back this week with act two. I’ll dive headfirst into why even after so much time on the market, our home networking equipment still lags woefully behind the bell curve when it comes to protecting the data you hold most dear.

This is your primer on where router security is weakest now, and where it can stand to improve the most on the path forward.

Acronyms abound

First, I’ll start by dishing out a few terms that the average reader might be able to recognize without having to break out a dictionary first.

WEP, WPA, WPA2, WPA-KLMNOP.

If you can pick out the one I made up, congratulations, you’re already halfway through your education on the many different styles of defense that routers can deploy to secure a locally broadcast wireless signal.

The inherent problem with our dependence on these encryption standards is that as strong as they may be on their own, for the time being they only address threats that attack your wireless network, and not much else.

Wi-Fi encryption protects your data on the airwaves, but does nothing for security flaws in router firmware.

Sure, if one of your neighbors is trying to poach your Wi-Fi signal from next door, WPA2 is a great way to keep your network under lock and key. Thanks to 256-bit AES encryption, it would take years before a standard computer could come within a mile of cracking the wireless access password.

But even still, the AES protocol doesn’t account for hackers who might try to duck in over the wires, usually through holes left open in Universal Plug and Play services, WPS authentication (the one-press wireless login button on top of your router), or the Home Network Administration Protocol (HNAP). The first two are so riddled with vulnerabilities it would take an article dedicated to each to list the problems in full, but the last is where things really start to go off the rails.

The HNAP protocol is designed to give you or your ISP the ability to access a router’s web-based configuration tool, usually through a browser or your computer’s file system directly. You’d likely recognize it best as the prompt that asks for your username and password whenever you type “192.0.168.1” (or some variation of those numbers therein) into the address bar.


According to a study released in 2014 by Tripwire, roughly 80 percent of users don’t change these credentials from the default combination they originally shipped with. This makes it exceedingly simple for hackers to break into the core of a router’s inner workings using remote administration privileges, usually without having to do anything more than type in “admin” and “password” in the awaiting empty fields.

From here your router — and everything it’s supposed to protect — is open season for criminal organizations and their financially-motivated whims. And while this may not be the fault of the router makers themselves (there’s only so much a company can do to protect a customer from themselves), you’ll find out in the next section where they’ve dropped the ball just as hard as the rest of us.

“Firm” is a strong word

As the name implies, firmware is similar to software, except it applies to the tools responsible for operating the inner workings of a piece of hardware, rather than supporting any programs or applications installed on top of the system itself.

Every router you’ve owned has a version of firmware running the show behind the scenes, and it is most easily recognized in a visual format as the web application that opens anytime you access the HNAP login.


It’s here that everything from individual port forwarding permissions to parental controls can be tweaked and configured to a user’s individual preferences, including the option of enabling (or disabling) remote administration altogether.

Theoretically the inclusion of firmware is fine on its own, necessary even. A problem arises, however, when manufacturers of these devices decide to spread out the risk for infection by cramming together amalgamations of dozens of different modules into one piece of Frankensteinian firmware, instead of designing individual loadouts customized to each new make and model on their own.

The flaws of this approach finally appeared at the end of 2014 when the world was introduced to the Misfortune Cookie. The bug put over 200 separate router models at risk from the same exploit, due to the practice of firmware cross-pollination between many of the most popular models in the business. All told, 12 million households were subjected to the whims of bulletin CVE-2014-9222, which to date has only been patched in an estimated 300,000 actively deployed routers.

And the worst part? Researchers, programmers, and manufacturers had known about the problem since as early as 2002. Even then, it took three years before a working fix could be applied on a global scale.

Something that could have been taken care of with a couple lines of code was instead left for the rest of us to figure out on our own, and Misfortune Cookie represents only one of hundreds of new vulnerabilities that are posted to threat boards around the world every year.

Worse yet, that’s just what happens when one bug affects hundreds of different router models at once. What are we going to do when the lion’s share of users are all hooked up to the exact same router/modem combo, simply because their ISP told them the potential savings are too good to pass up?

One of the crowd

Problems like what happened with Misfortune Cookie are further exacerbated by the fact that these days more than ever before, consumers are opting out of buying their own routers, and choosing instead to use whatever generically-branded box their ISP provides them on a lease-by-the-month basis.

With increased homogeneity in the marketplace comes increased risk, because now, instead of having to constantly update and re-tool their firmware cracks for the newest models that release each month, hackers can simply employ broad attacks that automatically affect millions of hubs at once.


By combining the router and the modem into one (what’s referred to as an “Internet gateway”), ISPs are making their customers more vulnerable. These gateways are made by smaller, contracted companies who have only recently started creating networking equipment on an industrial scale, yet consumers are plugging in their devices by the handful without so much as a second glance at the brand name on the bottom of the box.

Simplicity squared

And it’s here the core of the problem at hand becomes apparent: consumer awareness. The reason brands like Apple do so well is because even the least technologically-educated person in the world can figure out how to use an iPad with a few minutes of spare time…but routers aren’t iPads.

Routers are complex, deeply intricate pieces of hardware by the very nature of their design, devices that require at least a rudimentary understanding of networking just to get into in the first place, let alone to change any of the settings that leave users open to the biggest threats the Internet suffers.

Router manufacturers need to make configuring their hardware as easy as posting on Instagram.

Unless manufacturers can step up to the plate and find out how to make the process of properly configuring a router for optimal safety as easy as posting a photo on Instagram, these problems will remain as a constant on the modern network security battleground.

In next week’s finale, I’m going to address the potential solutions that might be out there for the problems presented in the first two acts, and even go as far as to make a few predictions about whether we’ll still need these hunks of plastic in our homes in the future as the standard for security continues to change and evolve on the road ahead.