Is Your Router Leaving Your Internet-Connected Devices Vulnerable to Hackers?

June 19, 2018 No Comments

By Louis Creager, Security Analyst, zvelo

Ubiquitous as they are in our households, relatively few consumers are conscious of the firmware running on their home router – let alone the urgency of keeping that firmware up-to-date. A study by Ubuntu, an open source OS, has found that only 31% of consumers execute firmware updates on their routers when they become available, and that four in ten never update firmware on their devices at all.

Unfortunately, what these consumers don’t know can indeed hurt them (and others). Router exploits left open by unpatched firmware don’t just put the router itself at risk; rather, a hacked router can easily be used to target and infect any other hosts on that user’s home network from laptop and desktop computers to mobile and IoT devices.

Router vulnerabilities continue to pose an especially simple target for hackers to take advantage of. As we demonstrated in a recent test, an unpatched router can be hacked in less than a minute, without any need for the router’s password or credential authentication whatsoever. In the specific case we investigated, the router’s in-browser “Forgotten Admin Password” page even confirmed the firmware version prior to gaining access, letting a hacker know with certainty that the exploit will work.

Weak routers allow a hacker armed with an advanced exploit kit to simply enter an attack URL containing certain code, and then Telnet into an authenticated shell within moments. From there, hackers can run any command they want. They can make the router non-operational. They can erase router firmware, and replace it with their own malicious code. They can also redirect the domain name service the router uses, and send users connecting to the internet to any fake website they wish (making identity theft an all-too-easy proposition).

However, the arguably scarier risk here is in losing all control of devices connected to the router. As smart home devices fill our lives, it’s not hard to imagine hackers with ill intent repurposing those all-too-convenient connected devices to create haunted house scenarios. Consumers may quickly become a lot more interested in performing router firmware updates when they understand it means preventing strangers from flicking their lights on and off, messing with their thermostats, controlling their kitchen appliances, or perhaps even making smart fitness watches count their daily steps backward – real creepy horror movie stuff.

This kind of mischief aside, a more common (and also a more consequential) scenario is router exploits resulting in at-risk connected devices becoming enlisted in a massive botnet – turned to sinister purposes such as distributed denial of service (DDoS) attacks. The threat of this happening to a consumer’s smart devices is all too real – in an experiment conducted by The Atlantic, a fake web toaster was hacked just an hour after going online.

How do hackers know how and when to take advantage of these devices? The real work of building botnets is done by software that automatically scours the web for unsecured devices. With this malicious software, hackers can gain control over these devices, or even create backdoors to them by secretly installing code that enables future access. Hackers can then treat those devices as sleeper cells prepared to cause future mayhem whenever commanded.

When a hacker activates one of these botnets for a DDoS attack, it can not only cause your compromised devices to ignore their regular duty (making fake toast, etc.), but will also begin misusing your bandwidth – alongside thousands or millions of other hacked connected devices – in an attempt to knock a targeted site or entity offline by overloading it with requests. Amazon, Twitter, and even the country of Liberia have been victims in the past year of such botnet attacks, largely powered by exploited devices.

This is why it’s so important to keep the firmware on routers and other connected devices patched and up-to-date. With threats ranging from identity theft to household danger to losing connectivity in entire countries, failure to do so puts both yourself and others at risk.