Wednesday, February 23, 2011

Zombies in your home

by Stephan Mueller

After skimming the headline, are you going to scream and run away or do you want to take your wooden stick and hunt these zombies?

We prefer the latter of the two options.

But where are these zombies and how can you prevent your equipment being turned into zombies?

Yes, you read that correctly; we are talking about equipment - well, that should be expected since this is an IT blog and not your friendly How-to-Voodoo homepage. We all know that our desktops and laptops are nice targets for unwanted visitors. Therefore we all have virus scanners and firewalls in place and try to be cautious about which services we connect to.

However, there are other devices in your home that resemble a general-purpose computing environment for bad guys: your Internet router; your WLAN access point; or, if you have some more fancy equipment, your managed switch. All these devices use a kind of operating system to implement the necessary functionality - and they have a lot of functionality, do they not? Many of these devices use Linux or a BSD variant as the operating system to host the applications that transform that box into the device you love. Although the administrative interfaces do not hint that you could install other software on these devices, the fact that standard Linux or BSD operating systems drive these boxes implies that you can execute any application on them.

That fact is demonstrated by numerous projects that can be found on the Internet. For example, OpenWRT installs a Linux system on top of well-known home routers. OK, you may say that the firmware on that box must be completely replaced with OpenWRT - so here is another example, one which I used to fudge my own router: Freetz is an extension of the AVM routers that are ubiquitous in Germany. I added the XMail email server, the TOR server, an OpenVPN gateway, the Lighttpd web server, and Samba to this box without replacing the core firmware. All that was left to be done was to fetch the source code of these components, cross-compile them to generate ARM binaries, and copy them onto the box; suddenly, my router could be used as an email server or a web server in addition to its regular functionality.

After learning that it is not that difficult to extend a router with other types of software, you should also understand that these devices can easily host software that turns them into bots or zombies without impacting their regular operation.

Please re-read the last statement!

You will not recognize that these systems are hijacked. Moreover, when was the last time you scrutinized your router for bad software, applied a virus scan, or checked the firewall setting? Never? Once or twice in the distant past? Welcome to the club of the overwhelming majority of Internet users. So, we can safely say that routers are an interesting target for bad guys because:

  • These systems are not typically monitored.

  • A large number of them provide a general-purpose computing environment that allows arbitrary software to be installed.

  • After analyzing the default software on these boxes, it seems that hardly any security measures have been applied. It is common that the default software (including the software listening on the network) executes with root privileges, or device drivers are not protected appropriately.

  • Firmware update mechanisms commonly do not employ protection mechanisms. These mechanisms do not use cryptographic signatures to ensure that the proper firmware is installed. Some of these boxes may have automated firmware installation mechanisms which pull the latest firmware from the vendor server. However, no verification of the authenticity and integrity of the server and/or the retrieved bits is performed.
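To make the firmware point concrete, here is an added example (not code from this post or from any router vendor) of the check an updater should perform before flashing: verify a vendor signature over the whole image and refuse rollbacks to an older version. The image layout, the NewVendorKey/BuildImage/VerifyImage names and the choice of Ed25519 are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Constructed image layout for this example: 4-byte big-endian version, 4-byte payload
// length, payload, then a 64-byte Ed25519 signature over everything before it.
const hdrLen = 8

// NewVendorKey stands in for the vendor's signing key pair; on a real device only the
// public half would be present, stored read-only (assumption, not from the post).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is what the vendor's build system would do: sign header plus payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload))
	binary.BigEndian.PutUint32(body[0:], version)
	binary.BigEndian.PutUint32(body[4:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is what the router's updater should do before flashing: signature first,
// then the length field, then refuse downgrades. It returns the payload only on success.
func VerifyImage(pub ed25519.PublicKey, image []byte, running uint32) ([]byte, error) {
	if len(image) < hdrLen+ed25519.SignatureSize {
		return nil, errors.New("image too short")
	}
	cut := len(image) - ed25519.SignatureSize
	body, sig := image[:cut], image[cut:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature mismatch: not from vendor or modified in transit")
	}
	if int(binary.BigEndian.Uint32(body[4:])) != len(body)-hdrLen {
		return nil, errors.New("length field does not match image")
	}
	if v := binary.BigEndian.Uint32(body[0:]); v < running {
		return nil, errors.New("rollback to older firmware refused")
	}
	return body[hdrLen:], nil
}
```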

What solutions are available? Currently, there is not much you can do, unfortunately. The first step is to bring the issue to the attention of the users, and then to vendors.

However, there are some proactive steps you may take:

  • Disable all functionality you do not need.

  • Recheck the firewall settings of your router to ensure that only known ports or connections are allowed.

  • Disable automated firmware updates.

  • Use strong passwords for the administrative user. If possible, rename the administrative user.

  • Update the firmware when your vendor offers new firmware.

If you are technically savvy, you may alter or replace the firmware so that only a truly minimal computing environment is available.

I am currently working on the Freetz project, and I've brought the XMail server as well as the Lighttpd web server to that project. One of the core porting aspects was to have this software execute with an unprivileged user ID. I also provided patches to other existing software in the Freetz project so that it uses unprivileged user IDs or other protection mechanisms like chroot.

1 comment:

  1. Nice insight. Router zombies are not typically in the headlines, not even in security publications
