(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.
Last week, the FBI released a statementthat shocked many — reset your home or office router immediately upon threat of cyberattack. To throw some additional urgency to the matter, the threat was traced back directly to a group connected to the Russian government.
It sounds like an easy fix for a major threat, but is resetting your router really going to prevent a major cyberattack?
Vulnerabilities in routers can be a huge problem, but rebooting the router flushes the short-term memory, and most attacks with it. However, there’s reason to think the recent scare won’t be so easy to solve.
According to the FBI, a specific kind of malware called VPNFilter was used, which infected the firmware of routers across the world. The FBI’s statement didn’t much detail as to whether this multi-stage malware might survive the suggested reboot, and that raised the alert of the cybersecurity expert we spoke to.
“Until now, we haven’t seen malware on IoT that could survive the reboot,” said Liviu Arsene, senior analyst at BitDefender. “If this malware survives the reboot, it’s a pretty big deal.”
The malware exists in three stages, the second and third of which aren’t persistent — meaning a reboot will mitigate the problem. The problem is the initial stage.
“They do say that the main purpose of stage one is to gain a persistent foothold in enabling the deployment of malware,” Arsene said. “The FBI did say that you need to reboot your devices to flush out any connection. But they did not say if the firmware is effective or if after rebooting, you’re vulnerable or not. They didn’t say if the malware survives and attempts to dial back home.”
A follow-up statement from the Justice Department provided some clarity, saying that a reboot would eliminate second-stage malware and cause first-stage “to call out for instructions.” The statement continued, saying that while devices will remain vulnerable to reinfection, “these efforts maximize opportunities to identify and remediate the infection worldwide.”
Because it’s unknown how the routers were even infected to begin with, it’s also unknown whether a reboot or factory reset would do the trick. If VPNFilter turns out to exist beyond a reboot, this is a breed of malware that we haven’t seen before — and one that will be much more difficult to stamp out.
There’s another reason why VPNFilter is serious enough to merit an FBI warning.
“The big deal is that for the code these analysts found in VPNFilter have overlapped with some other threats that was used a couple of years ago in Ukraine with the cyberattack that took down their power grid,” said Arsene. “Once you see that, it’s usually a pretty good sign that that botnet is going to be used. When you compare that with the code that was previously used to attack Ukraine, the most obvious conclusion is that they’re gonna use this botnet to attack some other critical infrastructure.”
The cyberattack on the Ukraine in December of 2016 wasn’t a great disaster. The power went out for around an hour at midnight in the capital city of Kiev. By morning, most people hadn’t noticed it occurred.
Upon digging into the incident, however, researchers discovered a more frightening potential under the surface. Security firms ESET and Dragos Inc. concluded the hackers were only testing their possibly world-shaking malware. The piece of hostile code used allows hackers to automate and control physical systems (such as the power grid). That’s not good.
The same code was also famously used in Stuxnet, a worm which is believed to have damaged Iranian nuclear systems around 2010. The prospect of that code appearing in an attack on 500,000 routers is troubling to anyone worried about cybersecurity. That’s likely why the FBI went public with its findings.
“Router companies need to pay more attention to the security aspects of their firmware,” said Arsene. “This is not the first time we’ve seen routers with backdoors, with vulnerabilities, or open Telnets ports that are accessible from anywhere you are on the internet.”
Router companies don’t have the best reputation for cybersecurity. Many leave firmware updates up to the individual user, and router security isn’t easy to understand. “Whenever someone buys a router or any other IoT device they simply plug it into their network,” Arsene said. “They don’t usually take time to change default extensions. Whenever you have a router with default credentials connecting to the internet, you’re kind of asking for it. Security should start with your router.”
BitDefender has a new product called Box that gives you a clear view of all of the smart devices in your network — and where the vulnerabilities are. While it’s a good solutionfor the tech-savvy among us, the average person doesn’t care enough about personal cybersecurity to invest in such a product. Arsene insisted that the largest vulnerability is the lack of awareness among the average person.
“People usually enable remote management so that they can dial in from work or from wherever you are. It is a big issue, especially if the router has hard-coded credentials or default passwords. You should disable remote access if you don’t use it. You should disable telnet if you don’t use it. You should disable SSH if you don’t use it. You should update the firmware as often possible and change default credentials. But how many people do that? Outside of tech savvy people, it doesn’t happen. My parents don’t do it.”
Now you know. Router security isn’t fun but if it’s serious enough for the FBI to issue warnings, it’s serious enough to be worth your time.