Why routers are among the most vulnerable devices in the IoT – and what we can do to protect them
By Nitzan Daube, CTO, NanoLock Security
The IoT is a growing piece of the puzzle for daily life in today’s modern technological age, and networks are at the center of this growth. Nowadays, you’d be hard-pressed to find a commercial, residential or even public outdoor area that does not have at least one router on a network. Homes, businesses, cities, and public infrastructure are all using WiFi, and it is not uncommon to see even basic home routers with multiple devices sitting on them at a time. But with millions of new routers being set up daily comes an increased security risk – and hackers and cyber terrorists are taking note.
Routers are notorious for their vulnerability and susceptibility to attack. A 2018 quarterly report from security firm eSentire found a 539% increase in attacks targeting routers since 2017, and research from the American Consumer Institute (ACI) found that five out of every six, or 83%, of WiFi routers in US homes and offices leave their users at risk of cyberattacks because their firmware has not been adequately updated to address security vulnerabilities.
Many attackers enter unsecured routers by remotely gaining access to the device, often via the CPU, and then installing malware that can be used to collect data, gain access to additional routers, and cause irreparable damage to the device. In 2018, hackers conducted such an attack on a large scale with the VPNFilter malware, which infected over 500,000 consumer routers globally. The attack called special attention to the damage that can be inflicted when malware is permitted to manipulate the software of a router: devices rendered inoperable, and personal data and credentials stolen.
The recent TP-Link router zero-day bug is another example of the hardware- and software-based methods by which hackers are accessing and manipulating routers. In March 2019, a zero-day bug was uncovered in the TP-Link SR20 smart hub and home router. The bug would allow an attacker to execute arbitrary commands on the device. This flaw would allow attackers to remotely gain access to the device’s firmware and manipulate it, while also gaining network access.
Another similar bug from the last few months, called Thrangrycat, was found in the Cisco 1001-X series router. It allows hackers to gain root access to the router and, once inside, disable the router’s vulnerable Trust Anchor. A Trust Anchor is meant to be a final layer of security for devices, so any disruption to the Trust Anchor could leave an entire unit exposed and open to manipulation. The Thrangrycat bug is believed to be a physical flaw, and thus cannot be remedied with a simple software fix.
With new bugs and vulnerabilities being exposed on what seems like a weekly basis, it has become clear that router security is among the biggest threats impacting the IoT today. Such attacks hit consumers, small businesses, and infrastructures particularly hard, since they may not have the technical knowledge or expertise to identify or understand the threat before it is too late.
This impact also extends beyond personal-use routers to routers used in hospitals, government buildings, and other sensitive environments where manipulated data could have a potentially severe impact. And as smart home devices are increasingly installed in both homes and businesses, that threat can move beyond accessing a password to a website or personal photos; it can also affect the security of cameras or locks, allowing hackers to gain physical access as well.
The entire IoT utilizes routers and is increasingly at risk due to newly developed malware and attacks directed at penetrating the CPU of these devices.
In order to ensure that routers are protected at both the software and hardware level, as well as on the network, it is imperative for new cybersecurity solutions to be implemented. It is not enough to protect the memory and the firmware. Unfortunately, firmware comes with bugs and it must be regularly updated to stay secure and working properly. Over-the-air (OTA) updates are equally problematic because the OTA solutions are based on software agents in the ECU and cloud services that deploy the updated images.
One consideration is a cloud-to-flash protection approach that blocks access to firmware, boot images, and critical code through a hardware root of trust in the flash memory, effectively securing connected edge devices from persistent attacks like VPNFilter or bugs like the TP-Link zero-day and Thrangrycat. By securing the flash memory and installing cloud-to-flash protection into devices on the factory floor, routers and other connected edge devices are protected throughout their entire lifecycle. This approach is also both processor and operating system agnostic and requires virtually zero processing power or additional energy.
This approach could be installed as the router is developed on the factory floor, building in a security management platform that doesn’t rely on future hardware fixes or software patches to keep devices safe, easing the cost burden for manufacturers further down the line. Even vulnerable end-of-life firmware updates are shielded from attack.
Routers sit at the center of IoT and are critical for its growth. It is imperative for IoT infrastructure manufacturers to address these vulnerabilities before they are exposed, with solutions that allow them to monitor and protect a device from the moment it is developed to when it is operational in the real world, throughout its entire lifecycle. Hackers and cyber attackers are becoming more sophisticated in their attacks using routers, so it is important that new methods like cloud-to-flash, which don’t utilize the CPU, and managed security that offers insightful data are implemented in devices before it’s too late.
The fate of the IoT will rely on it.
About the Author
Nitzan Daube is CTO of NanoLock, where he brings extensive experience in software, high-tech business and bridging the gap between marketing, project management and engineering. He has worked with companies like Microsoft, National Geographic and Cellepathy in various executive-level software and hardware management capacities. Connect with Nitzan on LinkedIn at https://www.linkedin.com/in/nitzan-daube-729b1/ and at our company website www.nanolocksecurity.com.