Are SYNful Knock-style router attacks set to become the new normal?

In the wake of the SYNful Knock attack on its routers, Cisco should re-engineer its devices to prevent future attacks, says Raimund Genes.

Raimund Genes, CTO of Trend Micro
Raimund Genes, CTO of Trend Micro

Cisco has been having a rough time of it lately. It emerged that an attack group – thought to be state-backed – managed to reverse engineer router firmware to flash a new malicious image, giving it admin-level access. The volume of affected IP addresses numbered 200 at the time of writing, located in 35 countries around the world. It's safe to say this has now gone beyond the realms of a minor attack. In fact, this is something that researchers have demonstrated for some time now.

The question is, what's likely to happen next? Can we expect Cisco and others to re-engineer their kit in response? Don't count on it.

From theory to reality

As Cisco mentioned in a blog post explaining what had happened, network-based attacks up until now have largely been confined to denial of service campaigns. Attacks involving the reverse engineering of code with the end goal of reflashing a chip's firmware image have remained in the realms of the theoretical. Yet, if it can be achieved it represents a significant win for the attacker.

To show just how powerful this kind of attack can be, let's consider the work of Charlie Miller and Chris Valasek. Reflashing the firmware image of a key on-board chip helped them infiltrate the electronic nerve centre of a 2014 Jeep during a headline-grabbing hack, in which they managed to remotely gain control of the vehicle's steering and brakes.

The SYNful Knock backdoor – in which attackers effectively installed a malicious IOS image on the firmware – had less serious immediate repercussions than taking remote control of a vehicle. But the backdoor will have given attackers persistence, and allowed them to gain a highly privileged level of access – with the ability to monitor all the traffic flowing in and out of a compromised router.

To be fair to Cisco, SYNful Knock didn't exploit a vulnerability. In fact, it was only possible because the attackers knew or could easily crack the passwords of the targeted routers. If these were all default passwords, then the managers of said routers can only blame themselves. Best practice advice for any kind of IoT or internet-connected device should be to immediately change the factory default passwords to complex credentials. Employees should be well trained to be able to spot attempts at social engineering via email, social media or messaging platforms. And organisations should have effective anti-phishing and anti-malware tools running at all times to further reduce information theft.

What next?

But the fact remains – the firmware was remotely updateable. And that's a problem for Cisco and all the other major router manufacturers out there to ponder. Too many hardware makers up until now have relied upon the concept of “security-by-obscurity” – that age-old precept which holds that it's generally too difficult for hackers to reverse engineer and attack proprietary kit. If nothing else, this attack campaign should tell the world once again that this is an outdated approach to security.

I'd argue that routers need a physical update switch built into them. Remember how USB sticks used to have a “read only” mode? Well, how difficult would it be to stick one on the back of a router? Simply press once to enable “read only” before an update and then again to disable after. Crucially, it would mean hackers need physical access to a device. It might not be practical for every organisation, especially when they want to update remotely, but it would be a good option for those in highly regulated industries to have.

But more than this, router manufacturers need to sign the firmware with strong encryption which is then checked by the chipset beneath. This anchors that vital “root of trust” which ensures that only firmware created by Cisco will be allowed to boot up. It would have prevented the SYNful Knock attacks because when the new modified image was inserted and the router restarted, it would have checked for the digital signature and proper encryption (preferable an elliptic curve digital signature algorithm and RSA – and this combined with SHA), not found it and refused to accept the firmware update.

Will the hardware vendors respond? Well, until enough customers complain, probably not. So the question CISOs have to ask themselves is, “Is my corporate data at risk?”

In the meantime, it would probably be judicious to follow Cisco's advice on hardening these devices.

Contributed by Raimund Genes, CTO of Trend Micro.