PatrickKinsellaComp116

FinalProject

SecuringtheUbiquitous:AnExaminationofRouterSoftwareVulnerabilities

AbstractThisarticleexploresattackmethodsthatabusethefirmwareupdateprocesstoinstallmalicious

codeonroutersandembeddedoperatingsystems.Thesedevicesoftendonotemploy

cryptographicsignaturesonupdates,andauthenticationmethodsfordeployingupdatesare

generallyweakandinsecure.Additionally,thesedevicesoftenlackanautomatedand

streamlinedupdateprocess,andmustbeupdatedmanuallybymotivatedusers,leavingmany

ofthemrunningthesamesoftwareoriginallyinstalledbytheOEMandleavingconsumers

exposed.Attackersmayplacemaliciouscodeonnetworkeddevicesthatsubvertshome

networkactivity,usingthisasanattackvectortogettopersonalcomputers,smartTVs,

allowingdatatobeexfiltratedfromthetargetnetwork.Thisarticlefirstdescribesthecurrent

stateofroutersecurity,identifyingkeyproblemsinthesystemofmaintenanceforrouter

softwarefromdeploymentthroughoutthelifetimeofthedevice.Anattackpathdeploying

maliciouscodethroughabusingthefirmwareupdateprocessontherouteristhenexplored.

Lastly,thisarticleoffersremediationstepsforensuringroutersecurity,providingadefense-in-

depthapproachtoeliminatemajorportionsoftheattacksurface.

PatrickKinsellaComp116

FinalProjectIntroduction

Routersareakeycomponentofnetworksecurityforbothcorporateandhome

networks.Residingonlayer3oftheOSImodel,routersmanageallingressandegresstrafficfor

thenetwork.Becausetheyaretheouterlayerofthenetwork,theyareacommonattack

vector,sincetheyareoneofthefirstdevicesvisibletoremoteattackers.Asacriticalsystem

responsibleforhandlingsomuchtraffic,routersecurityisacrucialaspectofnetworksecurity

asawhole.However,accordingtoastudydonein2015,2.46%ofnetworkdevicesinthe

corporatesectorand41.6%ofnetworkdevicesusedbyconsumershostvarioussecurity

vulnerabilities[6].

Routersarealsooftendistributedusingas-cheap-as-possiblelow-endhardware,made

fromavarietyofvendors,inabusinessmodelthatisdesignedtodeliverafinishedproduct

withverylittletop-downcontrolforflawsindesignorsecurity[7].Becausethereisveryrarely

accuratenotificationwhenupdatesareavailable,andbecausethefirmwareupdateprocessis

notentirelyautomaticandcanbeveryhardtounderstandfortheaverageenduser,routers

withsecurityflawsonreleaseoftencontinuetoexhibitthoseflawsevenyearsafterafixis

available[4].Ifconsolidationofpartsmanufacturerstoprovideatop-down,security-focused

designisnotanoption,thenhardwaremanufacturersandpackagingdistributorsthatmaintain

thesoftwarerunningontheseroutersmustemployadditionalmeasurestosecurethemfrom

remoteattack.

Intermsofsoftware,manyroutersareembeddedsystemsrunningabinaryblobof

LinuxcalledBusyBox[2,5].Thisisamodularbinarythatcanbemodifiedtomeettheneedsof

specificvendors,andsometimesincludesinsecureserviceslikeTelnetandFTP.Sincemany

PatrickKinsellaComp116

FinalProjectvendorsdonothaveaccesstothesourcecodeunderlyingthisbinaryblob,itisoftenveryhard

torolloutapatchforanewlydiscoveredvulnerability[7].Sinceitisaveryrudimentarysystem,

itdoesnotemployoperatingsystemlevelprotectionsagainstmaliciouscodeinjection,suchas

AddressSpaceLayoutRandomization(ASLR)orDataExecutionPrevention(DEP)[2].Limited

measuresareemployedtosecurerouterfirmware,andthesemayrepresentsolutionsto

smallerproblems,buttheydonotprovidethekindofdefense-in-depththatisnecessaryto

ensurethesecurityoftherouterandthereforethesecurityofthenetworkasawhole.

Thispaperexplorestheoptionsavailableforattackersseekingtoexploitrouters,given

thecurrentstateoftheindustry.Firstitidentifiescommonattackpaths,resultingfromolder

defaultsoftwareandgenericaccounts,andthenmovesontothemoresophisticatedoptions

thatarealsoavailabletoadeterminedandpersistentattacker.Itthendescribestheeffects

thatanattackcouldhaveonunsuspectingvictims,andoffersremediationtechniquesthat,if

implementedacrossthespectrum,offeramoresecurealternative.

PatrickKinsellaComp116

FinalProjectTotheCommunity

Homeroutershavedriversandoperatingsystemsthatarebinaryblobsamountingto

snapshotsofthestateofLinuxplusthelowestendcommoditychipsthatwereextantat

thetimeoftherouter'sdesign.Linuxhasmovedon.Devicedrivershavemovedon.

Sambahasmovedon.Chipsetshavemovedon.ButwhatissoldatBestBuyorthelike

isremarkablycheapandremarkablyold.Withcertaintybornoflongengineering

experience,Iassertthatthosemanufacturerscannolongerbuildtheirdeployed

softwareblobsfromsource.

- DanGeer,BlackHat2014keynotespeech[3]

In2016,theWallStreetJournalcommissionedsecurityresearcherToddBeardsleyfrom

Rapid7totestsecuritymeasuresemployedby20brand-name,newlypurchasedrouters[4].

Thestudyfoundthathalfdidn’tletuserseasilycheckfornewsoftware,14werenotdelivered

withcurrentsoftware,allhadeasilyguessednetworksettings,and18/20hadeasilyguessable

passwordsettings.Inoneinstance,asoftwarecompanyhadpublishedafix,butthatfixwasnot

beingincludedinnewlyshippeddevicessincethecomponentmakerhadn’tbeenincludingitin

thepartstheyhadshippedtotheroutermanufacturer.

Thisindicatesthatcurrently,theenvironmentisnotveryfriendlytotheaverageuser.

Thereareanumberofhurdlestoovercomeifasecureconfigurationisdesired.Ifthevendoris

securitydriven,thenitmaystillbeachallengedeployingtherightsoftware:accordingtoBruce

Schneier,sincethesoftwareonroutersisabinaryblob,oftenthedevicemakersdon’thave

actualsourcecodetoworkwithandcan’tnecessarilypatchavulnerability[7].

Whenupdatesaremadeavailablebythemanufacturer,usersareoftennotnotified,

andtheprocessforapplyingthemisnoteasy.Usersmustcheckdevicemanufacturer’swebsite

PatrickKinsellaComp116

FinalProjectforfirmware,anddownloadanythatisavailable.Theprocessasitiscurrentlyimplementedis

generallynotautomatic,andonlysometimescanbeperformedthroughtherouter’sWeb

administrationpage.Thecombinationofrareupdatesfromthemanufacturers,alongwitha

tediousandsometimescomplicatedprocessforfindingtherightupdates,createsasystem

whereupdatesarerarelyapplied.

Thisisimportantbecause,accordingtoaSeptember2015studypublishedintheACM

byKüçüksille,Yalçinkaya,andGanal,themajorityofthesecurityvulnerabilitiesusedby

attackersinexploitingroutersnowadaysareconfiguration-basederrors[6].Defaultpasswords,

portsleftopen,anddefaultservicesareprimesuspectsforattackerslookingtogaineasyaccess

tothenetwork.Accordingtotheirpaper,themajorityofconfigurationerror-basedsecurity

vulnerabilitiesexploitedbyattackersarefoundonTelnet,SSH,andSNMPprotocols.Thesegive

attackersmoreoptions,andthefollowingexampledocumentsanattackpaththatcouldtake

advantageofthesevulnerableservicestodeploymalicioussoftwareontherouter.

Ifwedonottakestepstofixtheseproblemsforrouters,wewillbeenablingwidespread

misuseofoneofthemostcommonInternetresources.Additionally,wewillnotbesetting

coursecorrectlyforwhatistobeamassivedevelopmentinInternetconnecteddevices–often

thosethathaveverysimilarhardwareandsoftwaretothatofrouters.Thisisanopportunityto

bothcloseacurrentgapinsecurity,andsetbestpracticestandardsforfuturegenerationsto

follow.

PatrickKinsellaComp116

FinalProjectApplications

Thefollowinganalysispresentsanexampleattackpath,assumingadeterminedattacker

workingremotely,andisprimarilyadescriptionofanattackmethodologypresentedinthe

SANSwhitepaperExploitingEmbeddedDevices,2012.Thefirststepinattackinganinsecure

networkistosearchforopenportsandrunningservices.Thiscanbedonewithannmapscan

oftherouter:

nmap –sS –A –p 0- -oN routerports.nmap 192.168.0.1

Figure1:sampleoutputoftheabovenmapcommandonlocalhost

PatrickKinsellaComp116

FinalProject

ThiscommanddoesaTCPSYNscanagainstthetargetIP,whichislistedhereasa

commondefaultIPforhomerouters,anddumpstheresultsintoafilenamed

routerports.nmap.Ifthereareanyknownvulnerablerunningservices,likeTelnetorFTP,these

canoftenbeexploitedwithgenericaccounts,bruteforcing,orexploits.EvenSSHisvulnerable

asamoresecureprotocol,sinceitisoftenleftimproperlyconfiguredandrunningwitha

genericaccount.Inonenotoriousexampleofmalwaretakingadvantageofdefaultcredentials

onrouterservices,theMiraimalwarescannedforrouterswithport23openedandloggedinby

tryingonly62differentdefaultcredentialpairs[5].Ifaccesscan’tbegainedthroughthese

methods,thenextstepistoattempttonetcatagainsteachserviceavailablefromtherouter,

searchingforabannertobereturnedbytherouterandattemptingtomakeaconnection.

Atthisstagetheattackermayalsocheckknownvulnerabilitydatabaseslikeexploit-db

[9].Afterfingerprintingservicesavailablefromtherouterfromprobesandbannersreturned,

theremaybeversionsofservicesrunningthatoffertheabilityforscriptedexploitstobe

deployed.ThesecanbedeployedwiththeMetasploitframework.

Onceshellaccessisobtained,theWebdirectorycangenerallybefoundbythe

commandline.Itisusuallyinthe/mnt/directory[2].Thereareavarietyofmethodsforgaining

accesstotheWebserverontherouter.Ifapasswordhashfilecanbefoundcontainingthe

credentialsoftheadministrativeuserfortherouter,thenthesecanbecrackedusingaGPU

thatsupportCUDAorOpenCLandrunningthehashesthroughhashcat[10].Another

mechanismforgainingaccessintheeventthatthepasswordfilecannotbecrackedistotake

PatrickKinsellaComp116

FinalProjectadvantageofclient-sideJavaScriptfilteringbyusingBurpSuiteasaproxyandtamperingwith

therequestpassedtotheserver[11].

Ifaccesstotheadministrativeaccountsontherouter’sWebservicecanbeobtained,

thenmaliciousupdatescanbeappliedinthisway.Ifphysicalaccessisavailable,thereare

furthermethodsthatexploreaserialconnectionthroughtheUniversalAsynchronous

Receiver/Transmitter(UART)interfacethatthispaperwillnotexplore.

Next,downloadacopyofthedriverintendedfortherouterfromthemanufacturer’s

Website.Thiswillbeusedforanalysisbeforemaliciouscodedeployment.Forthispaper,I

downloadedafirmwareupdateforaD-LinkDIR-130router.Thebinaryblobcanbeanalyzed

usingaprogramcalledbinwalk.ThefollowingissampleoutputfortheD-Linkfirmwareupdate

foraD-LinkDIR-130router:

Figure2:sampleoutputofabinwalkcommandtoviewafirmwarepackage.Thefilesystemislistedlast.

Thefilesystemcanthenbeextractedusingddforinspection:

PatrickKinsellaComp116

FinalProject

Figure3:sampleoutputoftheddcommandtoextractthefilesystemshownabove. Now,usingatoolcalledthefirmware-mod-kit[13],wecananalyzethefilesystemto

lookforpotentialmodifications.The/srcfolderinthefirmware-mod-kitpackagegivesustools

toviewthefilesystemfromourextractedbinaryblob,whichwemaytheninspectformalicious

opportunitiestoinstallbadcodeontherouter.

Figure4:sampleoutputofthefirmware-mod-kitpackageuncramfs,whichextractscramfilesystems.

PatrickKinsellaComp116

FinalProject Contentsoftheoutputdirectorycontainingtheextractedfilesystemcanthenbeviewed

forpossiblemodification.

Figure5:contentsofthefilesystemintheD-LinkDIR-130update.

PatrickKinsellaComp116

FinalProject Usingthisinformation,adeterminedattackercouldthenmodifythesoftwareand

redeployittotherouterforwhichaccessisalreadyavailablebytheterminalorWebinterface.

Thefirmware-mod-kitpackageprovidesadditionaltoolsformodifiedsoftwaretoberebuiltand

deployedtotherouter.Itisrequiredthatthesoftwarebecross-compiledcorrectly,whichcan

bechallenging.Oncethecorrectplatformisidentifiedforcross-compilation,themalicious

softwaredeployedcanbereusedforallroutersofthesamemakeandmodel.

IntheSANSpapercitedabove,ExploitingEmbeddedDevices[2],theauthorgoesfurther

toconstructcodetoprovideastageddeploymentformalwareusingacommand&control

server.Thestageddeploymentofmalwaretotherouteroffersaparticularlycompelling

exampleofanattackmethodology,astheattackermaylaterdecidewhatsoftwareshouldbe

deployedtoservetheirend.Theroutercanbeusedasabackdoorforfurtherattacks,allowing

thepossibledeploymentofadditionalmalwareformaliciousactivitiessuchastheextractionof

personalinformationortheuseofthosedevicesaszombiesinabotnet.

PatrickKinsellaComp116

FinalProjectConclusion

Thereareanumberofremediationstepsthatmustbetakentoensurethattherouter

andattachednetworkremainsecurefromoutsideattackers.Thefollowingarethechangesthat

shouldbemade,presentingadefense-in-depthstrategytokeeprouterssecuredespite

challengessuchasafractiousmarketofdevicemanufacturersandanignorantuserbase.

Updatesneedtobemadereadilyavailableandautomaticallydeployed.Onewaytohelp

devicemanufacturersandusersalikecontrolthisproblemistocreateopensourcedrivers.This

wouldallowuniformdeploymentofupdatesthatisideallyalsoautomatic.Therouter

manufacturerscouldencouragecreationofthissoftwarebysubsidizingittogetherasatrade

group,andindoingsotheywouldbepromotingtheirproducts’securityaspects.

Automatetheprocessofdeployingandmaintainingrouterswithsecuresettings.When

therouterisfirstdeployed,auniqueandsecurepasswordforboththenetworkandtheWeb

administrativeinterfaceshouldbeautomaticallyandrandomlygenerated.Currently,many

routersaredistributedwitharandomnetworkpassword,however,theWebadministration

pageshouldnotuseagenericaccount.Thisisprobablycurrentlyemployedbecause

manufacturersaresimplyignoringthefactthattheWebservermaybecomeaccessibletoa

remoteattacker,butthishasbeenshowntonotbeareliableassumption.

Removeunnecessaryservicesandports,suchasTelnet,fromallsoftwaredeployedon

therouter.Thisisarudimentarychangethatwouldhaveaverylargesecurityimpact.

CorporationsthatcanaffordadvancedITprofessionalsofteneliminatethisattackvector

quickly,butunsuspectinguserswillleaveportsrunningvulnerableservicesopenindefinitely.

Sincemostnetworkadministrationproblemsonhomenetworkscanbesolvedwithahard

PatrickKinsellaComp116

FinalProjectresetofthedevice,itisnotnecessarilyusefultohaveadministrativeportsandservicessuchas

theserunning.

Encryptandsignfirmware.Withoutencryptingandsigningupdates,thesoftwarecanbe

veryeasilyanalyzed,modified,anddeployedbyattackers.Encryptionanddigitalsignatureswill

helpensurethatthecorrectsoftwareisdeployed,andeventhoughthisprocesscould

potentiallybeabusedwhenanattackerhasshellaccesstothedevice,sincetheycouldthen

retrieveandusethekeysfordecryptionandsignaturechecking,itwillstillprovideanadditional

barrieragainstattacks.Thethreatofattackersgainingaccesstothesekeyswillalsobe

mitigatedbytheabovechangesthathavehardenedtheattacksurface.

Therearealsohardwaremethodsthatcouldhelpcontrolmaliciousactivityfrom

potentialattacks.Forexample,anewtypeofchipbeingdevelopedatDARPAcalledaCHERIare

designedtosandbox,atthehardwarelevel,dataandinstructions.Thatis,datacannotbe

mistakenforinstructions,andvice-versa.Thismayeliminateawholecategoryof

vulnerabilities.Mimickingthistechnique,thatiscurrentlyinusebysomemodernoperating

systems,makesprogramsmoresecureinaworldwherecurrentsoftwaremodelsask

developerstodothingsfasterattheexpenseofsecurity[1]

Lastly,asafurthersteptowardasecurenetwork,adefense-in-depthsystemhasbeen

proposedbyresearchersMartin,Cao,andBensoncalledPot2DPI.Thissystemintegrates

multiplemeasurestocombatthekindofattackdescribedinthisarticle[5].First,aport

randomizationhandlerensuresthatattackersgetlessinformationfromthereconnaissance

stage,asrandomportsareselectedforfrequentlyoccurringservicesaswellasthosethatare

beingusedbydevicesonthenetworkthatrequireInternetconnections.Next,alimited

PatrickKinsellaComp116

FinalProjecthoneypotisemployedtolureattackersawayfromhighervaluetargetsonthehomenetwork,

anddeeppacketinspectionisemployedtoguardagainstcommonattacks.Thishelpsstop

attacksthatareusingtherouterasavectorforfurthertargetsonthehomeorcorporate

network,suchassensitivepersonalinformation.

Whensoftwareandhardwaremanufacturersmaketheabovechanges,thebenefitfor

networksecurity,andprimarilyhomenetworksecuritywhichisincreasinglyseeinganarrayof

smart-devicesbeingdeployed,willbeenormous.Routershavebeeninusefordecadesand

theirimprovedsecuritycanalsoserveasamodelforthesecureconfigurationofadditional

embeddeddevices.Asmorecriticalinformationismanagedandadditionaldevicesdeployedon

allkindsofnetworks,routersecuritybecomesacrucialfirstlineofdefense,andthe

remediationstepsdescribedhereofferthefirststepstowardacomprehensiveapproachto

solvingtheproblem.

PatrickKinsellaComp116

FinalProjectReferences

1. https://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

2. https://www.sans.org/reading-room/whitepapers/testing/exploiting-embedded-devices-34022

3. http://geer.tinho.net/geer.blackhat.6viii14.txt4. https://www.wsj.com/articles/rarely-patched-software-bugs-in-home-routers-cripple-

security-14531362855. FendingoffIoT-HuntingAttacksatHomeNetworks–Martin,Cao,Benson–ACM

December2017https://dl.acm.org/citation.cfm?id=3160640&CFID=1015686514&CFTOKEN=82161334

6. DevelopingaPenetrationTestMethodologyinEnsuringRouterSecurityandTestingitinaVirtualLaboratory–Küçüksille,Yalçinkaya,Ganal–ACMSeptember2015https://dl.acm.org/citation.cfm?id=2799989&CFID=1015686514&CFTOKEN=82161334

7. https://www.schneier.com/blog/archives/2014/01/security_risks_9.html8. http://graphics.wsj.com/table/ROUTERSTABLE_01169. https://www.exploit-db.com/10. https://hashcat.net/hashcat/11. https://portswigger.net/burp12. https://github.com/ReFirmLabs/binwalk13. https://github.com/cinquemb/firmware-mod-kit-osx