More than 3 million home routers may be at risk after a hacker claimed to have infected them with a malicious firmware...
update that cannot be removed.
The hacker, known as BestBuy, claimed to set up an Access Control Server that automatically connects to the targeted routers and pushes out the malicious firmware update. This allows the hacker to have persistent access and the ability to lock out the routers' owners, internet service providers and manufacturers, essentially creating a permanent backdoor to the routers.
There have yet to be any affected routers found in the wild so the claim remains unverified, but BestBuy shared a link to the live statistics with Motherboard. Based on that evidence, security experts contacted by Motherboard agreed that the hacker's claim is possible, but it's difficult to execute an attack like this correctly.
BestBuy's resumé includes claiming to have a botnet of 400,000 internet-connected devices infected with Mirai malware for rent, as well as being the creator of the GovRAT malware that targeted U.S. government organizations. BestBuy also claimed responsibility for the service disruptions to nearly one million customers of Deutsche Telekom in Germany. The service disruptions were caused by an upgraded version of the Mirai botnet that was also attacking routers around the world -- possibly as many as five million.
More internet-connected devices with issues
These router infections are the latest in a string of problematic IoT devices.
Eighty models of Sony internet-connected CCTV surveillance cameras were found to be susceptible to malware through a backdoor. The backdoor was discovered by Stefan Viehböck of Austrian security company SEC Consult in October, though Sony only found out about it, disclosed it and released a firmware update fixing the flaw in early December.
The backdoor was found in Sony IPELA Engine IP cameras that are used widely by enterprises and government authorities. A blog post from SEC Consult explains the backdoor as allowing "an attacker to run arbitrary code on the affected IP cameras. An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you."
Sony recommends users install the firmware update in affected devices immediately, while the SEC Consult recommends not using the cameras "until a thorough security review has been performed by security professionals."
While Sony has fixed the problems discovered in its cameras, researchers with Cybereason say they found similar vulnerabilities in internet-connected cameras two years ago that vendors have yet to patch. However, the researchers haven't specified which cameras have the vulnerabilities, and have only confirmed they are in IP cameras across multiple vendors. In a post, one of the researchers, Amit Serper, wrote, "in just six hours we managed to tear apart an IP camera [Yoav Orot] purchased from eBay and discovered two zero-day vulnerabilities."
Serper described the vulnerabilities and expressed concern over the lack of patching. "As for the two zero days we discovered, they're still unpatched. While others have researched the same flaws we're going to talk about, we've discovered even easier ways to exploit them and use them to cause even greater damage."
Yet neither Serper nor Orot have explicitly said which vendors' products are vulnerable. "We estimate that this exploit affects hundreds of thousands of cameras worldwide and don't want the bad guys to use our research to attack people or use these cameras in future botnet attacks."
In other news
- The Dirty Cow vulnerability that has plagued users for almost a decade is finally patched. While a patch for the vulnerability has been available for Linux and the kernel since October 2016, Android users have had to wait. Google released the Dirty Cow patch on Dec. 5 in its monthly Android Security Bulletin -- one of 11 critical flaws addressed in the bulletin. Google put out a partial patch for the flaw last month, but it still left most Android devices vulnerable. Dirty Cow -- so called because the vulnerability was in the copy-on-write or COW feature of Linux -- was introduced in 2007 but not discovered until October 2016 when it was publicly exploited. Android users can now breathe a sigh of relief that attackers can no longer use Dirty Cow to gain root access to their devices.
- In the U.K., law enforcement officers have resorted to stealing iPhones from suspects while they're in use. This new tactic developed after a string of incidents in which law enforcement couldn't access potentially crucial information stored in suspects' iPhones because the phones were locked. After an incident in the U.K. in which a suspect's phone was grabbed by the Metropolitan Police while the suspect was using it and subsequently provided evidence in the credit card fraud case against him, this practice is now legal. As a result, law enforcement can now bypass any encryption protections a phone may have so long as the phone is unlocked at the time of procurement.
- Senator Lindsey Graham (R-S.C.) said he would head the investigation into Russia's alleged interference in the U.S. presidential election and hacks on the Democratic National Committee. Graham told CNN he would partner with Senator John McCain (R-Ariz.) for the investigation, and even travel to Eastern Europe to look deeper into Russia's alleged meddling in elections. This talk follows a letter the week before from seven other senators who called on President Obama to declassify information regarding Russia's involvement in the U.S. election.
- In his "State of Homeland Security Address" on Dec. 7, Chairman of the Homeland Security Committee and Congressman Michael McCaul (R-Texas) spoke about the dangers facing the U.S.'s "digital frontiers." McCaul highlighted the various threats facing the country's cybersecurity stature, citing the attack on Dyn that took down major websites, Russia's recent hacks on the U.S., as well as malicious code infecting the power grid. McCaul's proposed solution involves cybersecurity becoming a priority for the Department of Homeland Security (DHS) in 2017. "We've got to get serious about playing defense," McCaul said. "A 19th century bureaucracy cannot protect us from 21st century threats. So I have proposed a major reorganization and consolidation of our domestic cyber efforts into a single, strong cybersecurity agency at DHS. This will be one of my highest priorities in 2017. In addition, we will do more to help state, local and private sector stakeholders protect their own networks and share cyber-threat data."
- The U.S. government is potentially facing even more cybersecurity threats as the National Security Agency reports that many of its most talented employees are leaving for the private sector. Former NSA director Keith Alexander said it likely has to do with low morale at the agency, as well as competitive salaries in the private sector. According to a report from CyberScoop, the rate at which the cybersecurity employees are leaving the NSA has been increasing for several years, but worsened in 2016. Burnout in the security industry isn't new, but the talent drain comes at a time when the U.S. government is contending with major cyber threats from nation-state attackers. The exodus from the NSA could be good news for the staffing shortage in the private sector, but certainly raises some concerns for the federal intelligence community.
Learn the three steps to better enterprise IoT security
Find out how to tell the difference between a security backdoor and a vulnerability
Discover how to solve deeper IoT challenges