Patrick Kinsella, Comp 116
Final Project

Securing the Ubiquitous: An Examination of Router Software Vulnerabilities

Abstract

This article explores attack methods that abuse the firmware update process to install malicious code on routers and embedded operating systems. These devices often do not employ cryptographic signatures on updates, and authentication methods for deploying updates are generally weak and insecure. Additionally, these devices often lack an automated and streamlined update process, and must be updated manually by motivated users, leaving many of them running the same software originally installed by the OEM and leaving consumers exposed. Attackers may place malicious code on networked devices that subverts home network activity, using this as an attack vector to reach personal computers and smart TVs and to exfiltrate data from the target network. This article first describes the current state of router security, identifying key problems in the system of maintenance for router software from deployment throughout the lifetime of the device. An attack path deploying malicious code by abusing the firmware update process on the router is then explored. Lastly, this article offers remediation steps for ensuring router security, providing a defense-in-depth approach to eliminate major portions of the attack surface.

Introduction

Routers are a key component of network security for both corporate and home networks. Residing on layer 3 of the OSI model, routers manage all ingress and egress traffic for the network. Because they are the outer layer of the network, they are a common attack vector, since they are one of the first devices visible to remote attackers. As a critical system responsible for handling so much traffic, router security is a crucial aspect of network security as a whole. However, according to a study done in 2015, 2.46% of network devices in the corporate sector and 41.6% of network devices used by consumers host various security vulnerabilities [6].

Routers are also often distributed using as-cheap-as-possible low-end hardware, made by a variety of vendors, in a business model that is designed to deliver a finished product with very little top-down control for flaws in design or security [7]. Because there is very rarely accurate notification when updates are available, and because the firmware update process is not entirely automatic and can be very hard to understand for the average end user, routers with security flaws on release often continue to exhibit those flaws even years after a fix is available [4]. If consolidation of parts manufacturers to provide a top-down, security-focused design is not an option, then hardware manufacturers and packaging distributors that maintain the software running on these routers must employ additional measures to secure them from remote attack.

In terms of software, many routers are embedded systems running a binary blob of Linux called BusyBox [2, 5]. This is a modular binary that can be modified to meet the needs of specific vendors, and sometimes includes insecure services like Telnet and FTP. Since many vendors do not have access to the source code underlying this binary blob, it is often very hard to roll out a patch for a newly discovered vulnerability [7]. Since it is a very rudimentary system, it does not employ operating-system-level protections against malicious code injection, such as Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP) [2]. Limited measures are employed to secure router firmware, and these may represent solutions to smaller problems, but they do not provide the kind of defense in depth that is necessary to ensure the security of the router and therefore the security of the network as a whole.

This paper explores the options available to attackers seeking to exploit routers, given the current state of the industry. First it identifies common attack paths, resulting from older default software and generic accounts, and then moves on to the more sophisticated options that are also available to a determined and persistent attacker. It then describes the effects that an attack could have on unsuspecting victims, and offers remediation techniques that, if implemented across the spectrum, offer a more secure alternative.

To the Community

    Home routers have drivers and operating systems that are binary blobs amounting to snapshots of the state of Linux plus the lowest end commodity chips that were extant at the time of the router's design. Linux has moved on. Device drivers have moved on. Samba has moved on. Chipsets have moved on. But what is sold at Best Buy or the like is remarkably cheap and remarkably old. With certainty born of long engineering experience, I assert that those manufacturers can no longer build their deployed software blobs from source.

    - Dan Geer, Black Hat 2014 keynote speech [3]

In 2016, the Wall Street Journal commissioned security researcher Tod Beardsley from Rapid7 to test security measures employed by 20 brand-name, newly purchased routers [4]. The study found that half didn't let users easily check for new software, 14 were not delivered with current software, all had easily guessed network settings, and 18 of 20 had easily guessable password settings. In one instance, a software company had published a fix, but that fix was not being included in newly shipped devices since the component maker hadn't been including it in the parts they had shipped to the router manufacturer.

This indicates that currently, the environment is not very friendly to the average user. There are a number of hurdles to overcome if a secure configuration is desired. If the vendor is security driven, then it may still be a challenge deploying the right software: according to Bruce Schneier, since the software on routers is a binary blob, often the device makers don't have actual source code to work with and can't necessarily patch a vulnerability [7].

When updates are made available by the manufacturer, users are often not notified, and the process for applying them is not easy. Users must check the device manufacturer's website for firmware, and download any that is available. The process as it is currently implemented is generally not automatic, and only sometimes can be performed through the router's Web administration page. The combination of rare updates from the manufacturers, along with a tedious and sometimes complicated process for finding the right updates, creates a system where updates are rarely applied.

This is important because, according to a September 2015 study published in the ACM by Küçüksille, Yalçinkaya, and Ganal, the majority of the security vulnerabilities used by attackers in exploiting routers nowadays are configuration-based errors [6]. Default passwords, ports left open, and default services are prime suspects for attackers looking to gain easy access to the network. According to their paper, the majority of configuration-error-based security vulnerabilities exploited by attackers are found on the Telnet, SSH, and SNMP protocols. These give attackers more options, and the following example documents an attack path that could take advantage of these vulnerable services to deploy malicious software on the router.

If we do not take steps to fix these problems for routers, we will be enabling widespread misuse of one of the most common Internet resources. Additionally, we will not be setting course correctly for what is to be a massive development in Internet-connected devices, often those that have very similar hardware and software to that of routers. This is an opportunity to both close a current gap in security and set best-practice standards for future generations to follow.

Applications

The following analysis presents an example attack path, assuming a determined attacker working remotely, and is primarily a description of an attack methodology presented in the SANS whitepaper Exploiting Embedded Devices, 2012. The first step in attacking an insecure network is to search for open ports and running services. This can be done with an nmap scan of the router:

    nmap -sS -A -p 0- -oN routerports.nmap 192.168.0.1

Figure 1: sample output of the above nmap command on localhost

This command does a TCP SYN scan against the target IP, which is listed here as a common default IP for home routers, and dumps the results into a file named routerports.nmap. If there are any known vulnerable running services, like Telnet or FTP, these can often be exploited with generic accounts, brute forcing, or exploits. Even SSH, although a more secure protocol, is vulnerable, since it is often left improperly configured and running with a generic account. In one notorious example of malware taking advantage of default credentials on router services, the Mirai malware scanned for routers with port 23 open and logged in by trying only 62 different default credential pairs [5]. If access can't be gained through these methods, the next step is to attempt to netcat against each service available from the router, searching for a banner to be returned by the router and attempting to make a connection.

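The same scan is just as useful to the owner of the router. The following is an added example, not code from the original paper and not part of nmap: it parses the normal (-oN) output format the command above writes and flags the services the paper's sources single out, so a defender can run the scan against their own router and see at a glance what is exposed. The sample output is constructed for the example; the banners and version strings are illustrative and do not come from any real device.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap "normal" (-oN) output for a home router. Not a real
# scan result; the service banners are illustrative only.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated Thu Dec  7 14:02:11 2017 as: nmap -sS -A -p 0- -oN routerports.nmap 192.168.0.1
Nmap scan report for 192.168.0.1
Host is up (0.0021s latency).
Not shown: 65530 closed ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     vsftpd 2.0.8 or later
22/tcp   open   ssh     Dropbear sshd 2012.55 (protocol 2.0)
23/tcp   open   telnet  BusyBox telnetd
53/tcp   open   domain  dnsmasq 2.55
80/tcp   open   http    lighttpd 1.4.28
443/tcp  closed https
"""

# One row of nmap's port table: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Cleartext or default-credential protocols the paper's sources name as the usual
# way in; none of them belongs on a consumer router.
CLEARTEXT_ADMIN = {"telnet", "ftp", "tftp", "snmp"}
# Remote administration that is acceptable only when hardened (unique password,
# not reachable from the WAN side).
REMOTE_ADMIN = {"ssh", "http", "https"}


@dataclass
class Finding:
    port: int
    proto: str
    service: str
    version: str
    severity: str   # "high", "review" or "info"
    reason: str


def parse_open_ports(nmap_text):
    """Return (port, proto, service, version) for every table row whose state is 'open'."""
    rows = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            rows.append((int(m.group(1)), m.group(2), m.group(4), (m.group(5) or "").strip()))
    return rows


def audit_router(nmap_text):
    """Classify each open port by how it should be treated on a home router."""
    findings = []
    for port, proto, service, version in parse_open_ports(nmap_text):
        if service in CLEARTEXT_ADMIN:
            sev, why = "high", "cleartext or default-credential service; disable it on the router"
        elif service in REMOTE_ADMIN:
            sev, why = "review", "administration interface; confirm a unique password and no WAN exposure"
        else:
            sev, why = "info", "expected LAN service; keep the firmware current"
        findings.append(Finding(port, proto, service, version, sev, why))
    return findings


if __name__ == "__main__":
    for f in audit_router(SAMPLE_NMAP_OUTPUT):
        print(f"{f.severity:6} {f.port}/{f.proto:<4} {f.service:<7} {f.version}  -> {f.reason}")
```

Note that a -sS scan only probes TCP, so SNMP (UDP port 161), the third protocol in the paper's list, will not appear in this output unless the scan is repeated with nmap's -sU UDP scan.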
At this stage the attacker may also check known vulnerability databases like exploit-db [9]. After fingerprinting the services available from the router from probes and banners returned, there may be versions of services running that offer the ability for scripted exploits to be deployed. These can be deployed with the Metasploit framework.

Once shell access is obtained, the Web directory can generally be found from the command line. It is usually in the /mnt/ directory [2]. There are a variety of methods for gaining access to the Web server on the router. If a password hash file can be found containing the credentials of the administrative user for the router, then these can be cracked using a GPU that supports CUDA or OpenCL and running the hashes through hashcat [10]. Another mechanism for gaining access in the event that the password file cannot be cracked is to take advantage of client-side JavaScript filtering by using Burp Suite as a proxy and tampering with the request passed to the server [11].

If access to the administrative accounts on the router's Web service can be obtained, then malicious updates can be applied in this way. If physical access is available, there are further methods that use a serial connection through the Universal Asynchronous Receiver/Transmitter (UART) interface, which this paper will not explore.

Next, download a copy of the driver intended for the router from the manufacturer's website. This will be used for analysis before malicious code deployment. For this paper, I downloaded a firmware update for a D-Link DIR-130 router. The binary blob can be analyzed using a program called binwalk. The following is sample output for the D-Link firmware update for a D-Link DIR-130 router:

Figure 2: sample output of a binwalk command to view a firmware package. The file system is listed last.

The file system can then be extracted using dd for inspection:

Figure 3: sample output of the dd command to extract the file system shown above.

Now, using a tool called the firmware-mod-kit [13], we can analyze the file system to look for potential modifications. The /src folder in the firmware-mod-kit package gives us tools to view the file system from our extracted binary blob, which we may then inspect for malicious opportunities to install bad code on the router.

Figure 4: sample output of the firmware-mod-kit package uncramfs, which extracts cramfs file systems.

Contents of the output directory containing the extracted file system can then be viewed for possible modification.

Figure 5: contents of the file system in the D-Link DIR-130 update.

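What binwalk and dd do in Figures 2 and 3 comes down to two operations, shown here as an added example that is neither the paper's own commands nor the code of either tool: scan the image for the magic values of common embedded containers and report their offsets as binwalk's table does, then carve the cramfs region out by offset and length exactly as dd does with skip= and count=. The image it works on is a constructed toy, not the D-Link DIR-130 firmware; the magic values are the public constants of the respective formats. Being able to unpack what a vendor ships is as useful to a defender auditing for telnetd or a default passwd file as it is to the attacker described in the text.

```python
import struct

# Magic values of common embedded firmware containers (public constants from the
# respective format specifications), as binwalk's signature table would match them.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage (U-Boot legacy image header)",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\x45\x3d\xcd\x28": "cramfs filesystem, little endian",
    b"hsqs": "squashfs filesystem, little endian",
}


def scan_signatures(blob):
    """Return (offset, description) for every signature found, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def cramfs_size(blob, offset):
    """Read the image size from a little-endian cramfs superblock at `offset`.

    Superblock layout: magic(4) size(4) flags(4) future(4) 'Compressed ROMFS'(16) ...
    """
    magic, size = struct.unpack_from("<II", blob, offset)
    if magic != 0x28CD3D45 or blob[offset + 16:offset + 32] != b"Compressed ROMFS":
        raise ValueError("not a cramfs superblock")
    return size


def carve(blob, offset, length):
    """Equivalent of: dd if=fw.bin of=fs.cramfs bs=1 skip=<offset> count=<length>."""
    if offset + length > len(blob):
        raise ValueError("region extends past the end of the image")
    return blob[offset:offset + length]


def build_sample_image():
    """Constructed toy firmware: padding, a uImage magic, then a cramfs superblock and body."""
    body = b"\x00" * 32 + b"bin/busybox\x00etc/passwd\x00" + b"\x00" * 7
    fs_size = 32 + len(body)                       # superblock plus body
    superblock = struct.pack("<IIII", 0x28CD3D45, fs_size, 0, 0) + b"Compressed ROMFS"
    image = b"\xff" * 64                           # erased-flash padding
    image += b"\x27\x05\x19\x56" + b"\x00" * 60    # fake 64-byte uImage header at 0x40
    image += b"\x00" * 128                         # padding up to 0x100
    image += superblock + body                     # cramfs at 0x100
    image += b"\xff" * 16                          # trailing padding
    return image


if __name__ == "__main__":
    fw = build_sample_image()
    for offset, desc in scan_signatures(fw):
        print(f"{offset:<10} 0x{offset:<8X} {desc}")
    fs_off = next(off for off, d in scan_signatures(fw) if d.startswith("cramfs"))
    fs = carve(fw, fs_off, cramfs_size(fw, fs_off))
    print(f"carved {len(fs)} bytes of cramfs from offset {fs_off}")
```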
Using this information, a determined attacker could then modify the software and redeploy it to the router for which access is already available via the terminal or Web interface. The firmware-mod-kit package provides additional tools for modified software to be rebuilt and deployed to the router. It is required that the software be cross-compiled correctly, which can be challenging. Once the correct platform is identified for cross-compilation, the malicious software deployed can be reused for all routers of the same make and model.

In the SANS paper cited above, Exploiting Embedded Devices [2], the author goes further to construct code to provide a staged deployment for malware using a command & control server. The staged deployment of malware to the router offers a particularly compelling example of an attack methodology, as the attacker may later decide what software should be deployed to serve their end. The router can be used as a backdoor for further attacks, allowing the possible deployment of additional malware for malicious activities such as the extraction of personal information or the use of those devices as zombies in a botnet.

Conclusion

There are a number of remediation steps that must be taken to ensure that the router and attached network remain secure from outside attackers. The following are the changes that should be made, presenting a defense-in-depth strategy to keep routers secure despite challenges such as a fractious market of device manufacturers and an ignorant user base.

Updates need to be made readily available and automatically deployed. One way to help device manufacturers and users alike control this problem is to create open source drivers. This would allow uniform deployment of updates that is ideally also automatic. The router manufacturers could encourage creation of this software by subsidizing it together as a trade group, and in doing so they would be promoting their products' security aspects.

Automate the process of deploying and maintaining routers with secure settings. When the router is first deployed, a unique and secure password for both the network and the Web administrative interface should be automatically and randomly generated. Currently, many routers are distributed with a random network password; however, the Web administration page should not use a generic account. This is probably currently employed because manufacturers are simply ignoring the fact that the Web server may become accessible to a remote attacker, but this has been shown to not be a reliable assumption.

Remove unnecessary services and ports, such as Telnet, from all software deployed on the router. This is a rudimentary change that would have a very large security impact. Corporations that can afford advanced IT professionals often eliminate this attack vector quickly, but unsuspecting users will leave ports running vulnerable services open indefinitely. Since most network administration problems on home networks can be solved with a hard reset of the device, it is not necessarily useful to have administrative ports and services such as these running.

Encrypt and sign firmware. Without encrypting and signing updates, the software can be very easily analyzed, modified, and deployed by attackers. Encryption and digital signatures will help ensure that the correct software is deployed, and even though this process could potentially be abused when an attacker has shell access to the device, since they could then retrieve and use the keys for decryption and signature checking, it will still provide an additional barrier against attacks. The threat of attackers gaining access to these keys will also be mitigated by the above changes that have hardened the attack surface.

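The verify-before-flash check this recommendation calls for, as an added example that is not part of the original paper: a toy update-image format (constructed here, not any vendor's real layout) carries a header with a digest of the payload and a signature over the header fields, and the device refuses to write anything whose signature or digest does not check out. That is precisely the check that defeats the modify-and-redeploy step in the attack path above, since a filesystem carved out, edited and re-packed no longer matches its signed digest. The signature here is an HMAC-SHA256 so the example runs on the Python standard library alone; a real device must use an asymmetric scheme (Ed25519 or RSA) so that only the public verification key ships in the firmware, which is what stops an attacker who has recovered keys from a shell on the device from signing images of their own.

```python
import hashlib
import hmac
import struct

# Toy update-image layout (constructed for this example, not a real vendor format):
#   magic(4) | version(4, big-endian) | payload_len(4) | sha256(payload)(32) | signature(32)
# followed by the raw payload (the filesystem image that dd would carve out).
MAGIC = b"FWSG"
HEADER = struct.Struct(">4sII32s32s")
SIGNED_PART = struct.Struct(">4sII32s")   # the header fields the signature covers

# Assumption: HMAC-SHA256 stands in for a digital signature so this runs on the
# standard library. On a real device the verifier holds only a public key.
VENDOR_KEY = b"example-vendor-key-not-a-real-secret"


class FirmwareRejected(Exception):
    """Raised when an image must not be written to flash."""


def build_image(version, payload, key=VENDOR_KEY):
    """Vendor side: hash the payload, sign the header fields, append the payload."""
    digest = hashlib.sha256(payload).digest()
    signed = SIGNED_PART.pack(MAGIC, version, len(payload), digest)
    signature = hmac.new(key, signed, hashlib.sha256).digest()
    return signed + signature + payload


def verify_image(image, key=VENDOR_KEY):
    """Device side: return (version, payload) only if every check passes."""
    if len(image) < HEADER.size:
        raise FirmwareRejected("truncated header")
    magic, version, length, digest, signature = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    # Check the signature before trusting any other header field.
    expected = hmac.new(key, image[:SIGNED_PART.size], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise FirmwareRejected("signature mismatch")
    payload = image[HEADER.size:]
    if len(payload) != length:
        raise FirmwareRejected("payload length mismatch")
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), digest):
        raise FirmwareRejected("payload digest mismatch")
    return version, payload


def outcome(image, key=VENDOR_KEY):
    """Return 'accepted' or the rejection reason, for the demo below."""
    try:
        verify_image(image, key)
        return "accepted"
    except FirmwareRejected as exc:
        return str(exc)


def demo():
    """A genuine image, one edited after signing, and one signed with the wrong key (all constructed)."""
    payload = b"\x00" * 16 + b"bin/busybox\x00etc/init.d/rcS\x00" + b"\x00" * 16
    genuine = build_image(3, payload)

    # One byte of the carved filesystem is changed and the image re-packed unsigned.
    idx = HEADER.size + 20
    tampered = genuine[:idx] + bytes([genuine[idx] ^ 0xFF]) + genuine[idx + 1:]

    # A rebuilt image signed with a key that is not the vendor's.
    wrong_key = build_image(3, payload + b"extra\x00", key=b"not-the-vendor-key")

    return {
        "genuine": outcome(genuine),
        "tampered": outcome(tampered),
        "wrong_key": outcome(wrong_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

Signature first, then length, then digest: the header is the only thing the device trusts before the signature passes, so a forged length field cannot make it read past the end of the buffer or hash attacker-chosen bytes as though they were vendor data.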
There are also hardware methods that could help control malicious activity from potential attacks. For example, a new type of chip being developed at DARPA, called CHERI, is designed to sandbox, at the hardware level, data and instructions. That is, data cannot be mistaken for instructions, and vice versa. This may eliminate a whole category of vulnerabilities. Mimicking this technique, which is currently in use by some modern operating systems, makes programs more secure in a world where current software models ask developers to do things faster at the expense of security [1].

Lastly, as a further step toward a secure network, a defense-in-depth system called Pot2DPI has been proposed by researchers Martin, Cao, and Benson. This system integrates multiple measures to combat the kind of attack described in this article [5]. First, a port randomization handler ensures that attackers get less information from the reconnaissance stage, as random ports are selected for frequently occurring services as well as those that are being used by devices on the network that require Internet connections. Next, a limited honeypot is employed to lure attackers away from higher value targets on the home network, and deep packet inspection is employed to guard against common attacks. This helps stop attacks that are using the router as a vector to reach further targets on the home or corporate network, such as sensitive personal information.

When software and hardware manufacturers make the above changes, the benefit for network security, and primarily home network security, which is increasingly seeing an array of smart devices being deployed, will be enormous. Routers have been in use for decades and their improved security can also serve as a model for the secure configuration of additional embedded devices. As more critical information is managed and additional devices deployed on all kinds of networks, router security becomes a crucial first line of defense, and the remediation steps described here offer the first steps toward a comprehensive approach to solving the problem.

References

1. https://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security
2. https://www.sans.org/reading-room/whitepapers/testing/exploiting-embedded-devices-34022
3. http://geer.tinho.net/geer.blackhat.6viii14.txt
4. https://www.wsj.com/articles/rarely-patched-software-bugs-in-home-routers-cripple-security-1453136285
5. Fending off IoT-Hunting Attacks at Home Networks. Martin, Cao, Benson. ACM, December 2017. https://dl.acm.org/citation.cfm?id=3160640&CFID=1015686514&CFTOKEN=82161334
6. Developing a Penetration Test Methodology in Ensuring Router Security and Testing it in a Virtual Laboratory. Küçüksille, Yalçinkaya, Ganal. ACM, September 2015. https://dl.acm.org/citation.cfm?id=2799989&CFID=1015686514&CFTOKEN=82161334
7. https://www.schneier.com/blog/archives/2014/01/security_risks_9.html
8. http://graphics.wsj.com/table/ROUTERSTABLE_0116
9. https://www.exploit-db.com/
10. https://hashcat.net/hashcat/
11. https://portswigger.net/burp
12. https://github.com/ReFirmLabs/binwalk
13. https://github.com/cinquemb/firmware-mod-kit-osx