Most WiFi router vendors have not patched numerous firmware vulnerabilities discovered more than two years ago, according to a report Insignary released on Tuesday.
OEM firmware built into WiFi routers use open source components that contain numerous known security vulnerabilities that can be exploited by hackers, it notes.
Insignary, a startup security firm based in South Korea, conducted comprehensive binary code scans for known security vulnerabilities in WiFi routers. The company conducted scans across a spectrum of the firmware used by the most popular home, small and mid-sized business and enterprise-class WiFi routers.
Although KRACK may be the newest and potentially most harmful WPA2 security vulnerability, router firmware vulnerabilities are far more extensive and dangerous, based on the firm’s findings.
“While KRACK WPA2 is the latest WiFi security vulnerability, it appears to be just the tip of the iceberg, compared to what currently exists in router firmware,” said Tae-Jin Kang, CEO of Insignary.
The company has been monitoring WiFi router issues since the infamous botnet attack in the fall of 2015 brought down the Internet for a couple of days. Many of the vulnerabilities Insignary found in 2016 were present in scans performed last year.
“This is distressing. Many vendors continued to ignore problems that could easily be fixed. These are devices that we use on a daily basis,” Kang told LinuxInsider.
Time to Raise Awareness
The 2015 attack was carried out not by zombie PCs but by 300,000 compromised IoT devices. People had theorized about the possibility of such an attack, and that incident proved it could be done, said Kang.
“So we decided it was time to raise awareness. This is a serious problem. We are talking about well-known security issues that still exist in the routers. These devices can be compromised in many ways. WiFi devices are pervasive,” he warned.
The threat is specific to IoT devices rather than to computers and other mobile devices. However, the Linux operating system also may be in the crosshairs because so many variations of Linux distributions prevent a centralized patch deployment solution, Kang explained.
Windows 10 and the macOS have addressed the security issues to neutralize the router vulnerabilities. An important factor in their doing so is that those OSes are not open source, he said.
“I’m not saying that open source itself is inherently less secure, Kang emphasized. “The Linux community has done a very good job of responding to security issues. The problem is that even with rapid updating of patches, the distribution process is decentralized and fragmented with the Linux OS.”
About the Study
Insignary conducted the scans during the last two weeks of November 2017. Its research and development team scanned 32 pieces of WiFi router firmware offered in the U.S., Europe and Asia by more than 10 of the most popular home, SMB and enterprise-class WiFi router manufacturers: Asus, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link.
The researchers used a specialized tool Insignary developed to scan the firmware. They also leveraged Clarity, a security solution that enables proactive scanning of software binaries for known, preventable security vulnerabilities, and identifies license compliance issues.
Clarity uses a unique fingerprint-based technology. It works on the binary-level without the need for source code or reverse engineering. Clarity compares the scan results against more than 180,000 known vulnerabilities based on the fingerprints collected from open source components in numerous open source repositories.
Once a component and its version are identified through Clarity’s fingerprint-based matching using numerous databases such as NVD and VulnDB. Clarity adds enterprise support, “fuzzy matching” of binary code, and support for automation servers like Jenkins.
The WiFi router firmware sold by the top manufacturers contained versions of open source components with security vulnerabilities, the binary scans indicated. Most models’ firmware contained “Severity High” and “Severity Middle” security vulnerabilities. This means that the deployed products and firmware updates remained vulnerable to potential security threats.
A majority of the models’ firmware made use of open source components with more than 10 “Severity High” security vulnerabilities, based on the examination.
Half of the firmware used open source components containing “Severity Critical” security vulnerabilities, according to researchers.
The report lists the following “Severity Critical” security vulnerabilities found in open source firmware components:
- WPA2 (KRACK) — Key reinstallation attack;
- ffmpeg — Denial of Service;
- openssl — DoS, buffer overflow and remote code execution;
- Samba — Remote code execution.
In many cases, router vendors evidently have not made use of the correct, up-to-date versions of the affected software components, the researchers concluded.
“Vendors rarely support and update routers after the first two years at most,” noted Brian Knopf, senior director of security research and IoT architect at Neustar.
Two more reasons make the report findings noteworthy, he told LinuxInsider. One, router manufacturers spend very little money on security because they tend to dislike cutting into their already-slim margins.
Also, many routers require customers to check for updates. This has been changed on some newer routers, but there are millions of old routers in use by consumers, which can be validated by some simple Shodan queries, Knopf said.
“Device vendors not performing updates is definitely an unnecessary risk,” said Justin Yackoski, CTO of Cryptonite.
Doing it right is non-trivial, and businesses and consumers need to look at the history of updates for a vendor before they make a purchase,” he told LinuxInsider.
However, price often wins out, Yackoski added, leaving it up to the FCC, DHS or an act of Congress to force the ultimate solution on router makers.
All of the firmware leveraged Busybox and Samba by default, the report shows. More than 60 percent used OpenSSL.
Significant security issues arise from OpenSSL. That should prompt vendors to apply the latest patches consistently or use the version of the software that contains the fix, the researchers maintained.
Much of the firmware did not utilize the correct, most up-to-date versions of the OSS components available, the study revealed.
Inadequate Vendor Response
The open source community has created new versions of the components to address all of the previously listed security vulnerabilities. Vendors can employ these versions to prevent data breaches and resulting litigation that can cause significant corporate losses, according to Insignary.
During discussions with various vendors, Insignary encountered one manufacturer that expressed a preference to apply patches manually, line by line. While that method may work, it is still recommended that firmware developers scan their binaries to ensure that they catch and address all known security vulnerabilities.
Insignary’s findings suggest two possibilities for the failure to use the correct component version by WiFi router vendors: 1) the home, SMB and enterprise-class router vendors did not consider the vulnerabilities worth addressing; 2) they did not use a system that accurately finds and reports known security vulnerabilities in their firmware.
Going Beyond Linux
Business and home users remain at risk even if they do not run the Linux desktop or server. Compromised WiFi routers provide hackers with a malicious way to takeover network equipment. It is a critical issue, said Andrew McDonnell, president of AsTech.
“In addition to potentially becoming part of a botnet, the router also grants attackers a beachhead in your environment. They can surreptitiously disrupt or intercept communication along with using it as a launch point to attack other systems on the internal network,” he told LinuxInsider.
Unpatched router firmware is a very serious security issue that opens up vulnerable routers to various nefarious motives, noted Louis Creager, IoT security analyst at Zvelo.
Besides attracting botnets for purposes like DDoS attacks and spam campaigns, it can compromise sensitive user information going through the router.
“Home users and business owners could see their IP addresses end up on lists of known botnet traffic, which can impact their everyday browsing activity as websites and online services block traffic from these sources,” Creager told LinuxInsider.
The Fix: Difficult but Urgent
The patching process depends on who builds the device, where the vulnerability exists, and who is responsible for the fix, noted Neustar‘s Knopf.
Then vendors have to get the SDK for the chipset from the chipset vendor (Intel, Qualcomm, Broadcom, etc.) and add their own Board Support Package utilities, which are the drivers for the chipset, to program the router and the tools used to validate the devices, he added.
“OEMs need to allocate resources to at least maintain awareness of newly discovered vulnerabilities in their systems and then issue updated firmware,” said AsTech’s McDonnell. “It’s also essential to make clear to users that the updates are available so that they are applied.”
If there is a known vulnerability, the end user really can’t do much. The best option would probably be to flash the router with an open source firmware such as DDWRT, OpenWRT or LEDE, he suggested.
“While open source firmware versions are never going to be perfect,” McDonnell acknowledged, “there is a whole community who maintains and fixes issues.”