The Internet of Things is fast turning into the Internet-of-Things-We-Can’t-Afford. Almost daily now we are hearing about virtual shakedowns wherein attackers demand payment in Bitcoin virtual currency from a bank, e-retailer or online service. Those who don’t pay the ransom see their sites knocked offline in coordinated cyberattacks. This story examines one contributor to the problem, and asks whether we should demand better security from ISPs, software and hardware makers.
These attacks are fueled in part by an explosion in the number of Internet-connected things that are either misconfigured or shipped in a default insecure state. In June I wrote about robot networks or “botnets” of hacked Internet routers that were all made and shipped by networking firm Ubiquiti. Attackers were able to compromise the routers because Ubiquiti shipped them with remote administration switched on by default and protected by a factory default password pair (ubnt/ubnt or no password at all).
That story followed on reports from security firm Imperva (see Lax Security Opens the Door for Mass-Scale Hijacking of SOHO Routers) which found a botnet of tens of thousands of hijacked Ubiquiti routers being used to launch massive ransom-based denial-of-service attacks. Imperva discovered that those tens of thousands of hacked devices were so easy to remotely control that each router was being exploited by several different extortion groups or individual criminal actors. The company also found those actors used the hacked routers to continuously scan the Internet for more vulnerable routers.
Last week, researchers in Vienna, Austria-based security firm SEC Consult released data suggesting that there are more than 600,000 vulnerable Ubiquiti routers in use by Internet service providers (ISPs) and their customers. All are sitting on the Internet wide open and permitting anyone to abuse them for these digital shakedowns.
These vulnerable devices tend to coalesce in distinct geographical pools with deeper pools in countries with more ISPs that shipped them direct to customers without modification. SEC Consult said it found heavy concentrations of the exposed Ubiquiti devices in Brazil (480,000), Thailand (170,000) and the United States (77,000).
SEC Consult cautions that the actual number of vulnerable Ubiquiti systems may be closer to 1.1 million. Turns out, the devices ship with a cryptographic certificate embedded in the router’s built-in software (or “firmware”) that further weakens security on the devices and makes them trivial to discover on the open Internet. Indeed, the Censys Project, a scan-driven Internet search engine that allows anyone to quickly find hosts that use that certificate, shows exactly where each exposed router resides online.
The Imperva research from May 2015 touched a nerve among some Ubiquiti customers who thought the company should be doing more to help customers secure these routers. In a May 2015 discussion thread on the company’s support site, Ubiquiti’s vice president of technology applications Matt Harding said the router maker briefly disabled remote access on new devices, only to reverse that move after pushback from ISPs and other customers who wanted the feature turned back on.
In a statement sent to KrebsOnSecurity via email, Harding said the company doesn’t market its products to home users, and that it sells its products to industry professionals and ISPs.
“Because of this we originally shipped with the products’ configurations as flexible as possible and relied on the ISPs to secure their equipment appropriately,” he said. “Some ISPs use self-built provisioning scripts and intentionally locking down devices out of the box would interfere with the provisioning workflows of many customers.”
Harding said it’s common in the networking equipment industry to ship with a default password for initial use. While this may be true, it seems far less common that networking companies ship hardware that allows remote administration over the Internet by default. He added that beginning with firmware version 5.5.2 — originally released in August 2012 — Ubiquiti devices have included very persistent messaging in the user interface to remind customers to follow best practices and change their passwords.
“Any devices shipping since then would have this reminder and users would have to intentionally ignore it to install equipment with default credentials,” he wrote. Harding noted that the company also provides a management platform that ISPs can use to change all default device passwords in bulk.