Is your router rooted?
Have you ever thought about the security of your routers? Or do you assume that, because you have written a good router configuration in line with best practice, it's secure? Such complacency could cost you dear. Malware and viruses are popping up in all sorts of places; even old techniques such as master boot record viruses are back in fashion.
Networking equipment vendors are increasingly moving their production to Far Eastern markets. Some of these locations are known to be less than friendly to Western powers, and there is evidence that hackers in these countries are indeed attacking Western government and commerce.
So, if the vendor is now manufacturing routers in the Far East, it would not be difficult for an insider to install or write malware into the firmware of these devices during the manufacturing process; firmware that could be altered to create a backdoor.
Is this trivial speculation? Well, there is already evidence of interference in these IT production processes. You may have seen reports over the Christmas period of online shoppers purchasing peripherals such as USB sticks, MP3 players and digital photo frames, all infected with malware.
Given that consumer-targeted products are being infected at point of manufacture, it's likely that higher-end network components such as switches, routers and firewalls can or will be compromised. Indeed, fake Cisco equipment was recently found on the market, so it's quite possible that someone in the production process leaked the information required to forge the products.
Unlike malware written on to the hard drive or flash memory of a device, infected firmware is hard to detect. Traditional malware and viruses can generally be detected by scanners, although custom-written code is much harder to spot. But infected firmware bypasses the operating system layer altogether, with the device itself acting as the malware. Anti-virus or malware scanners are therefore unable to detect it as they cannot scan to this depth.
Even the most security-aware organisations do not routinely screen new infrastructure devices. The assumption is that they are fresh out of the box and untampered with. Testing is generally done at an OS or network level, which may or may not find a backdoor. The Government would be unlikely to spot firmware-based malware because the existing accreditation process doesn't cover switches, routers and other devices at a low enough level. There is a very real chance that backdoors may already be in place on critical network infrastructure in government and corporate networks.
Exploiting the infection wouldn't be that hard. The target client takes delivery of the router, then installs and configures it. One might exploit IPSEC, L2TP, PPTP or other protocols to create an encrypted tunnel outbound to your controlling server, giving you remote access into the target network. The communication could easily be encrypted and would bypass any existing filtering techniques.
So what can you do about this? I would certainly upgrade the firmware of any router taken out of the box to the latest version from the vendor website. Even then, it wouldn't be that hard to write your malicious firmware in a way that prevented the later firmware from being successfully uploaded. Router vendors need to give serious thought to the integrity of their firmware distribution process. The vast majority of firmware downloads have no integrity checking at all, let alone a checksum or digital signature that one can verify. That said, if intercepted during production, that too could be manipulated by placing a firmware "rootkit" underneath it.
It seems that no-one is giving any significant thought to firmware security issues. I suspect that it will take another TJMaxx or HMRC-style data loss to be attributed to infected firmware for anyone to take it seriously.
Ken Munro is managing director of SecureTest. He can be contacted at firstname.lastname@example.org.
From the - April 2008 Issue of SCMagazine UK »