A few years ago, it was common practice for ISPs to set Customer Premises Equipment (CPE) admin passwords to known, simple and easy-to-remember strings. That way, whenever a representative of the ISP visited a customer's premises for maintenance, the CPE password was easy to figure out.
This may have been acceptable 20 years ago, when Internet penetration was low and security was not a priority; it offered a reasonable trade-off between security and operational burden. Today, the same practice opens the door to large-scale pharming attacks and all kinds of man-in-the-middle opportunities.
Vulnerabilities are now being reported in routers and IP cameras that expose ISPs and their customers to a wide range of risks, from the orchestration of distributed denial-of-service (DDoS) campaigns to DNS poisoning.
Some of the large ISPs in Latin America are facing a threat that has been exposed via GitHub. The attack aims to reconfigure some models of their cable modems, and could potentially go as far as re-flashing the device, compromising end-user security. This issue can lead to multiple scenarios, ranging from privacy violations to financial fraud.
Although the author of the GitHub repository shares only a small proof of concept that lets you test whether your modem is vulnerable, it would be easy for a skilled attacker to tweak this code and deploy a massive attack, potentially affecting millions of users. The author shares a list of typical passwords for several ISPs and also gives hints on how the passwords are built from well-known data (such as device identifiers) and simple mental heuristics. Deploying an informed brute-force attack is therefore simple, and the chances of success are high.
Once the attacker has figured out the password for a large batch of modems, they are set to deploy a targeted attack. At this stage, the criminal can identify the most popular banks in the region of the compromised devices and alter the Domain Name System (DNS) resolver settings to point to servers under their control, so every user attempting to visit their online banking site is silently redirected to a spoofed web site.
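The two weaknesses described above, predictable admin passwords and silently rewritten DNS resolvers, are both things an ISP can audit from its own CPE inventory. The following is an added example, not code from the original post or from the GitHub repository it discusses: it checks each device record for a password that is a known default or derived from the device's MAC or serial number, and for resolver addresses outside the ISP's own DNS servers. The allowlist, default-password list, device records and IP addresses are all constructed for illustration.

```python
"""Audit a CPE inventory for weak admin passwords and rogue DNS resolvers.

Added example (not from the original post). All data below is constructed:
the ISP resolver allowlist, the default-password list and the device records.
"""

import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed: resolvers the hypothetical ISP actually operates (TEST-NET-3 range).
ISP_DNS_ALLOWLIST = {"203.0.113.53", "203.0.113.54"}

# Constructed: well-known default strings an ISP might have used historically.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "isp-admin"}


def derived_from_identifiers(password: str, mac: str, serial: str) -> bool:
    """True if the password embeds the device MAC or serial (whole or last groups),
    the kind of 'well-known data' heuristic the post warns about."""
    pw = password.lower()
    mac_hex = re.sub(r"[^0-9a-f]", "", mac.lower())
    serial_norm = re.sub(r"[^0-9a-z]", "", serial.lower())
    candidates = {mac_hex, mac_hex[-6:], mac_hex[-8:], serial_norm, serial_norm[-6:]}
    # Ignore very short fragments to keep false positives down.
    return any(c in pw for c in candidates if len(c) >= 4)


def weak_password(password: str, mac: str, serial: str) -> Optional[str]:
    """Return a reason string if the admin password is weak, else None."""
    if password.lower() in DEFAULT_PASSWORDS:
        return "default-password"
    if derived_from_identifiers(password, mac, serial):
        return "identifier-derived"
    return None


def rogue_dns(servers: List[str]) -> List[str]:
    """Return configured resolvers that are not the ISP's own.
    Anything outside the allowlist is suspicious, since the attack described
    works by replacing the ISP resolvers with attacker-controlled ones."""
    rogue = []
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)  # not even a valid address: flag it
            continue
        if s not in ISP_DNS_ALLOWLIST:
            rogue.append(s)
    return rogue


def audit(devices: List[Dict]) -> List[Tuple[str, str]]:
    """Run both checks over an inventory and return (device_id, finding) pairs."""
    findings = []
    for d in devices:
        reason = weak_password(d["admin_password"], d["mac"], d["serial"])
        if reason:
            findings.append((d["id"], reason))
        bad = rogue_dns(d["dns"])
        if bad:
            findings.append((d["id"], "rogue-dns:" + ",".join(bad)))
    return findings


# Constructed sample inventory: one default password, one MAC-derived password,
# one device whose first resolver has been replaced, and one clean device.
SAMPLE_DEVICES = [
    {"id": "cpe-001", "mac": "00:11:22:AA:BB:CC", "serial": "SN12345678",
     "admin_password": "admin", "dns": ["203.0.113.53", "203.0.113.54"]},
    {"id": "cpe-002", "mac": "00:11:22:AA:BB:DD", "serial": "SN12345679",
     "admin_password": "AABBDD2015", "dns": ["203.0.113.53"]},
    {"id": "cpe-003", "mac": "00:11:22:AA:BB:EE", "serial": "SN12345680",
     "admin_password": "x7!Qm#92Lp", "dns": ["198.51.100.7", "203.0.113.53"]},
    {"id": "cpe-004", "mac": "00:11:22:AA:BB:FF", "serial": "SN12345681",
     "admin_password": "G4#vr9kLq2", "dns": ["203.0.113.53", "203.0.113.54"]},
]

if __name__ == "__main__":
    for dev_id, finding in audit(SAMPLE_DEVICES):
        print(dev_id, finding)
```

In a real deployment the inventory would come from the ISP's management system rather than a literal list, and the identifier-derived check should be extended with whatever construction rules the ISP itself once used; the point is that both the weak credential and the tampered resolver are detectable server-side without touching the customer's device.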
This hole has been open for some years now, but public repositories such as those on GitHub provide criminals with valuable, ready-to-use information, and will likely bring undesired incidents to the fraud landscape.
The same applies to news about weaknesses in Internet-enabled devices. Security researchers have reported the spread of a sophisticated piece of code named Wifatch that turns home routers and other devices into zombies connected to a peer-to-peer network of infected devices. Several characteristics of this attack are interesting, but the most unusual thing about this threat is that the author seems to be trying to secure infected devices rather than using them for malicious activities.
Wifatch is written in Perl, and even though it would have been easy to obfuscate, the author is not particularly worried about others being able to inspect the code. It won't take long before the world gets hold of this code through shared forums, and crooks are able to add some nice tricks to their arsenal.
We already know how quickly criminal gangs incorporate leaked malicious code and hacking tools into their own kits. Just imagine a new variant of Zeus with the ability to infect or manipulate home routers: we would witness levels of spreadability and stealth never before available to a banking trojan.
Unless we pay more attention to locking down every device on an IoT network, we will end up in a world where we cannot tell whether something arriving from the Internet is legitimate or content altered by malware resident in our own devices.
ISPs must administer their CPEs only through their infrastructure management suites, rather than shared static passwords; IoT vendors must apply the best security practices available; and customers must increase their awareness. If security is not embraced as a priority at all levels, we won't be able to trust the Internet to continue improving our lives.