Posts Tagged: UPnP


28
May 18

FBI: Kindly Reboot Your Router Now, Please

The Federal Bureau of Investigation (FBI) is warning that a new malware threat has rapidly infected more than a half-million consumer devices. To help arrest the spread of the malware, the FBI and security firms are urging home Internet users to reboot routers and network-attached storage devices made by a range of technology manufacturers.

The growing menace — dubbed VPNFilter — targets Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage (NAS) devices, according to researchers at Cisco.

Experts are still trying to learn all that VPNFilter is built to do, but for now they know it can do two things well: Steal Web site credentials; and issue a self-destruct command, effectively rendering infected devices inoperable for most consumers.

Cisco researchers said they’re not yet sure how these 500,000 devices were infected with VPNFilter, but that most of the targeted devices have known public exploits or default credentials that make compromising them relatively straightforward.

“All of this has contributed to the quiet growth of this threat since at least 2016,” the company wrote on its Talos Intelligence blog.

The Justice Department said last week that VPNFilter is the handiwork of “APT28,” the security industry code name for a group of Russian state-sponsored hackers also known as “Fancy Bear” and the “Sofacy Group.” This is the same group accused of conducting election meddling attacks during the 2016 U.S. presidential race.

“Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide,” the FBI said in a warning posted to the Web site of the Internet Crime Complaint Center (IC3). “The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.”

According to Cisco, here’s a list of the known affected devices: Continue reading →


17
Jan 18

Some Basic Rules for Securing Your IoT Stuff

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore to the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important. Continue reading →


10
Mar 17

Dahua, Hikvision IoT Devices Under Siege

Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a broad swath of its products. The vulnerability allows anyone to bypass the login process for these devices and gain remote, direct control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number of IoT devices.

dahuaOn March 5, a security researcher named Bashis posted to the Full Disclosure security mailing list exploit code for an embarrassingly simple flaw in the way many Dahua security cameras and DVRs handle authentication. These devices are designed to be controlled by a local Web server that is accessible via a Web browser.

That server requires the user to enter a username and password, but Bashis found he could force all affected devices to cough up their usernames and a simple hashed value of the password. Armed with this information, he could effectively “pass the hash” and the corresponding username right back to the Web server and be admitted access to the device settings page. From there, he could add users and install or modify the device’s software. From Full Disclosure:

“This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices

“This is like a damn Hollywood hack, click on one button and you are in…”

Bashis said he was so appalled at the discovery that he labeled it an apparent “backdoor” — an undocumented means of accessing an electronic device that often only the vendor knows about. Enraged, Bashis decided to publish his exploit code without first notifying Dahua. Later, Bashis said he changed his mind after being contacted by the company and agreed to remove his code from the online posting.

Unfortunately, that ship may have already sailed. Bashis’s exploit code already has been copied in several other places online as of this publication.

Asked why he took down his exploit code, Bashis said in an interview with KrebsOnSecurity that “The hack is too simple, way too simple, and now I want Dahua’s users to get patched firmware’s before they will be victims to some botnet.”

In an advisory published March 6, Dahua said it has identified nearly a dozen of its products that are vulnerable, and that further review may reveal additional models also have this flaw. The company is urging users to download and install the newest firmware updates as soon as possible. Here are the models known to be affected so far:

DH-IPC-HDW23A0RN-ZS
DH-IPC-HDBW23A0RN-ZS
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DHI-HCVR51A04HE-S3
DHI-HCVR51A08HE-S3
DHI-HCVR58A32S-S2

It’s not clear exactly how many devices worldwide may be vulnerable. Bashis says that’s a difficult question to answer, but that he “wouldn’t be surprised if 95 percent of Dahua’s product line has the same problem,” he said. “And also possible their OEM clones.”

Dahua has not yet responded to my questions or request for comment. I’ll update this post if things change on that front.

This is the second time in a week that a major Chinese IoT firm has urgently warned its customers to update the firmware on their devices. For weeks, experts have been warning that there are signs of attackers exploiting an unknown backdoor or equally serious vulnerability in cameras and DVR devices made by IoT giant Hikvision. Continue reading →