
FBI tells router users to reboot now to kill malware infecting 500k devices - dEnigma
https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/
======
zackmorris
Does anyone know why router manufacturers aren't financially responsible for
the exploits that allow their devices to be hacked?

At the very least there should be some kind of policy or standard that allows
someone on the inside of the network to know if the password or software has
been changed. If the FBI can tell from the outside, then how in the world are
people still in the dark about this?

~~~
rgbrenner
If the exploit wasn't put there intentionally, then we're talking about a bug
in the software. Do you really want liability for software bugs? The
consequences of that would be substantial. Imagine if Apache or PHP were
liable for their bugs used on websites across the internet. The projects would
shut down immediately... no one could fund the potential liability.

~~~
staticassertion
> Do you really want liability for software bugs?

Yeah, definitely. Especially for infrastructure.

I realize the implications of this are significant.

I don't think the solution is "all bugs cost every company money for every
product", but there's definitely more or less risk involved in some software
and we are _well_ past the point of negligence from router manufacturers - the
vulnerabilities we see from them are absolutely absurd.

~~~
tetha
This is going to be really, really hard without turning into a mess. Software
is complex, and bad software even more so, and an integrated hardware/software
system is even worse. Even finding the vulnerabilities is hard already,
because lots of systems are snowflakes and each needs to be analyzed
individually, and usually in individual ways.

And even assuming we have a definition of 'infrastructure software' and a way
to reliably enumerate a set of vulnerabilities, attribution of liability is
even harder:

- Is the distributor of the router liable for a vulnerability in a used
library? Surely they could vet and review libraries.

- What happens if that library is openssl and almost all webservers on the
internet are vulnerable?

- What happens if the library is used in an insecure way? For example, if you
seed openssl or libressl with weak random numbers, it is possible to attack
algorithms provided by the library.

- On the contrary, if the author of a library is liable, what's going to
happen if I use a library of a company and build something vulnerable with it
intentionally?

I dislike being so negative about it, but I wouldn't want to get sued for
sticking an MIT license on a silly project 10 years ago someone necro'd and
stuck into a router, so to say.

~~~
bradknowles
Perhaps a “UL Labs” type of solution for software, so that if your software
and organization are certified according to the current standard, then your
liabilities would be reduced?

And yes, organizations and versions of software would have to be recertified
on a regular basis.

You would want software versions to be able to be certified quickly and
through an automated process, but there is already some best practice in this
space — it’s just unevenly distributed.

~~~
v_lisivka
If a certification authority says that software is secure and then security
flaws are found, who is liable?

IMHO, we should have an optimistic check: any public network device must carry
a guarantee from the vendor to fix any remote vulnerability within 30 days of
discovery by independent security organization(s); otherwise the vendor is
liable for the damage done by its device.

------
djrogers
Headline is a bit incorrect - a reboot will interfere with the malware by
restarting its C&C process, which the FBI now controls. This does not
eliminate the malware, but it will stop its data collection and makes it more
difficult for an adversary to activate it on a large scale.

~~~
jlgaddis
So when these devices reboot, the FBI is now going to have control of ~500,000
home routers?

That's, uh, "reassuring".

~~~
ocdtrekkie
Presumably if they intended to use this maliciously, they wouldn't have told
you about it. But in most cases, the FBI having control is still better than a
random malicious actor having control, unless you belong to a certain high
risk segment of the population.

In the long term, you want a fix for your router, or you want a new router.

Mine is _similar_ to one of the affected units, enough so that it's likely
vulnerable. I'm looking at replacing it.

~~~
lisper
> unless you belong to a certain high risk segment of the population.

I don't think we are so far from the day that "high risk" will mean anyone who
opposes the government.

> Mine is similar to one of the affected units, enough so that it's likely
> vulnerable. I'm looking at replacing it.

That's probably wise.

~~~
ocdtrekkie
People in an adversarial relationship with the government they live under
would definitely be that segment of the population, yes.

~~~
hedora
So, 100% of the US population, based on:

- the continued militarization of police

- classifying 66% of houses as constitution-free border crossings

- holding citizens for years without charges or trial

- a for-profit prison system that engages in de facto forced labor

- criminalizing mental health issues and withholding psychiatric care from
insured people.

For the record, these things have all been going on for multiple presidential
administrations, and have enjoyed bipartisan support.

~~~
adventured
> 100% of the US population [has an adversarial relationship with the
> government]

You're going many steps beyond simple exaggeration and pushing into extreme
hyperbolic territory.

> classifying 66% of houses as constitution-free border crossings

You're inventing that, such a thing has not been classified by the US
Government. If the government - local, state or federal - wants to search your
residence in NYC or Los Angeles, they still need a warrant or equivalent court
approval. If you were right, that wouldn't be the case.

> holding citizens for years without charges or trial

Show me the specific figures you have on how many times that has occurred in
relation to the total number of people that have been arrested over a relevant
time frame. It's extraordinarily rare in fact. Using events with very few
instances to argue a premise of widespread occurrence is an immense logic
fail.

> a for-profit prison system that engages in de facto forced labor

The government prison complex (the supposedly non-profit oriented mass
incarceration machine) is and has been dramatically worse. Over 95% of all
people that have been put into prison in the last 40 years, during the war on
drugs and mass incarceration phase, have gone into government prisons. During
the epic Reagan and Clinton prison boom, the private prison industry had a
single digit share of the prison inmates.

And now the incarceration rate is rapidly declining and has been for a decade.
We're also pursuing the end of mass incarceration policies, with wide
bipartisan support. And we're also pursuing the end of the war on drugs, via
legalization and decriminalization policies all over the US. If I were to use
your argumentation approach, that means the expansion of private prisons is
causing all of those things and is a good thing: as the private prisons have
expanded their market share the last decade, all of those good things have
finally started to happen.

> criminalizing mental health issues and withholding psychiatric care from
> insured people

What share of the population has suffered from the criminalization of which
mental health issues? How many insured people are being kept from psychiatric
care? Being vague doesn't support your topline premise, it detracts from it.

You've made an extraordinary claim and you didn't support it with much of
anything.

~~~
jessaustin
At some level you imagine that your head will be safe, stuck so deep in the
sand...

------
ge0rg
_Feds take aim at potent VPNFilter malware allegedly unleashed by Russia._

 _[..] to counter Russian-engineered malware that has infected hundreds of
thousands devices._

I'm interested in the evidence for this attribution. Both ars and dailybeast
[0] are pointing to Russia, but the only specific hints are that it's
targeting Ukraine (which might also have to do with the prevalence of
vulnerable devices there, we don't know that), and that it shares code with
the BlackEnergy bot builder toolkit[1], which apparently can be bought on the
black market for a decade already.

Neither of the original articles [2,3] mention Russia or any of the Russian
APTs, so I'm genuinely interested in better attribution data.

[0] [https://amp.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet](https://amp.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet)

[1] [https://community.rsa.com/thread/186012](https://community.rsa.com/thread/186012)

[2] [https://blog.talosintelligence.com/2018/05/VPNFilter.html](https://blog.talosintelligence.com/2018/05/VPNFilter.html)

[3] [https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware](https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware)

~~~
ndesaulniers
Another article mentioned an rc4 implementation that had been tied to a
previous Russian State sponsored cyber attack. (Sorry, am mobile, don't have
the link).

~~~
ge0rg
You are right. The not-quite-RC4 implementation is mentioned in the Talos
post, and it originates from BlackEnergy. Talos is referencing a US-CERT
report on APT28/29[0], which links an F-Secure whitepaper on APTs using
"crimeware"[1]:

 _BlackEnergy is a toolkit that has been used for years by various criminal
outfits. In the summer of 2014, we noted that certain samples of BlackEnergy
malware began targeting Ukranian government organizations for information
harvesting. These samples were identified as being the work of one group,
referred to in this document as “Quedagh”, which has a history of targeting
political organizations._

The only way I see how anybody could conclude from "APT uses a black market
toolkit" to "Anybody using this toolkit is that APT" is: clickbait.

[0] [https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf](https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf)

[1] [https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf](https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf)

~~~
jessaustin
Clickbait is among the more innocent explanations. Reporters who dutifully
parrot what the TLAs tell them get more opportunities to do so. Reporters who
don't, in short order aren't writing this sort of article. This is such a
basic situation, repeated hundreds of times, yet the resolutely naive will
bitterly deny that it _ever_ occurs.

------
degenerate
"There's no easy way to determine if a router has been infected. It's not yet
clear if running the latest firmware and changing default passwords prevents
infections in all cases."

Antivirus provider Symantec issued its own advisory Wednesday that identified
the targeted devices as:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
TP-Link R600VPN

~~~
jlgaddis
Mikrotik devices were reportedly affected as well, although I haven't seen any
specific model identified (they all run pretty much the same software,
although various models are based on different CPU architectures).

~~~
TeMPOraL
I've read three articles about this today (this one included), and they all
specified the same Mikrotik models:

- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072

~~~
jlgaddis
You're right, I just got down to the bottom of the article and those models
are listed there.

I don't recall what article I read a day or two ago, but I don't believe it
mentioned the specific models.

~~~
dboreham
As GP says, MT boxes all run the same software. The latest release (6.42.3)
dated May 24 has suspiciously few bugfixes listed in the changelog. Probably
worth updating on the basis the vulnerability fix is in there too.

------
ronjouch
What's a good affordable router well supported by Tomato/OpenWRT, these days?
(put differently: 2018's version of the Linksys WRT54G :)

From what I understand, alternative firmwares like Tomato & OpenWRT are not
inherently safe from VPNFilter, but it seems to me the rate at which they are
maintained makes them less easy targets (?). So this new flaw made me think now
is a good time to replace my crappy router and its unmaintained vendor
firmware with something more solid running Tomato/OpenWRT. Disagreements?

~~~
wrycoder
Just search for WRT54GL on Amazon. It's selling for $34.99, which is pretty
affordable. N.B. the WRT54G doesn't work with Tomato.

~~~
haldean
The WRT54 is dog slow by today's standards. My residential Comcast service is
faster than it can handle; my max down almost doubled when I swapped my
WRT54GL for an AC3200.

~~~
8bitsrule
A few years ago I used my 54G to DL a 15GB file at (a reported max of) 60Mb/s.
Obviously took a while ... without hiccups. I'm guessing most US customers
aren't getting service that fast ... so there's still plenty of use for them.
(Still use one all day at 25Mb/s.)

------
JeanMarcS
How come this kind of information seems to only alert US officials? Is it
targeted only at US soil? I really doubt that.

Why are EU (for example) authorities not warning their citizens?

~~~
ddtaylor
The US agencies have a very close relationship with router manufacturers. TCP
32764 for example was a backdoor many suggest they used cover ops to create
and exploit.

~~~
bsamuels
That's quite the stretch since the TCP 32764 issue was unique to Sercomm
routers, which is a Taiwanese router ODM. They write the firmware and create
the hardware, then rebrand the UI for however Linksys/Netgear/whoever wants
it.

------
wpdev_63
Does anyone know if this affects routers flashed with LEDE/DD-WRT?

~~~
mikehotel
Forums don't have anything definite yet, but you can check existing network
connections (netstat/iftop) and block the known CC domains.

[https://forum.lede-project.org/t/cert-advisory-vpnfilter-destructive-malware/14766/5](https://forum.lede-project.org/t/cert-advisory-vpnfilter-destructive-malware/14766/5)

A comment on another forum suggests OpenWRT/LEDE is not affected due to file
system layout differences:

[https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/#comment-5082031](https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/#comment-5082031)
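
A defender-side helper for the netstat-and-block approach described in this comment, added here as an example; it is not code from the thread or from the LEDE/Sophos posts linked above. It assumes an OpenWrt/LEDE-style router with BusyBox netstat and dnsmasq as the resolver (dnsmasq reading /etc/dnsmasq.conf is an assumption about the stock setup), and the domains and IPs in it are constructed placeholders, not real VPNFilter indicators.

```shell
#!/bin/sh
# Added example, not from the thread. Two defender-side checks for a router:
#  1. emit dnsmasq "address=" lines that pin known C2 domains to 0.0.0.0, so
#     clients resolving through the router get a dead address;
#  2. scan "netstat -tn"-style output for ESTABLISHED connections whose
#     remote IP is on the blocklist.
# The blocklist below is CONSTRUCTED (RFC 5737 documentation addresses and
# .example names); replace it with the indicators from the Talos/Symantec
# advisories referenced elsewhere in this thread.

# Constructed placeholder blocklist: "domain ip" pairs, one per line.
BLOCKLIST='c2-placeholder-1.example 192.0.2.10
c2-placeholder-2.example 198.51.100.7'

# Print dnsmasq config lines that answer each listed domain with 0.0.0.0.
# Assumption: on OpenWrt these can be appended to /etc/dnsmasq.conf, followed
# by "/etc/init.d/dnsmasq restart".
dnsmasq_block_entries() {
    printf '%s\n' "$BLOCKLIST" | awk 'NF >= 2 { printf "address=/%s/0.0.0.0\n", $1 }'
}

# Read netstat -tn output on stdin; print the remote IP of every ESTABLISHED
# connection whose peer is on the blocklist. Column 5 is "Foreign Address"
# (addr:port) and the last column is the TCP state, in both GNU and BusyBox
# netstat.
flag_connections() {
    blocked_ips=$(printf '%s\n' "$BLOCKLIST" | awk '{ printf "%s ", $2 }')
    awk -v blocked="$blocked_ips" '
        BEGIN { n = split(blocked, arr); for (i = 1; i <= n; i++) bad[arr[i]] = 1 }
        $NF == "ESTABLISHED" {
            remote = $5
            sub(/:[0-9]+$/, "", remote)     # strip ":port" from addr:port
            if (remote in bad) print remote
        }'
}

# Constructed sample in the shape of "netstat -tn" output. Only the first
# connection should be flagged: the second peer is not listed, and the third
# is on the list but already in TIME_WAIT, not ESTABLISHED.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:43122       192.0.2.10:443          ESTABLISHED
tcp        0      0 192.168.1.1:53210       203.0.113.5:443         ESTABLISHED
tcp        0      0 192.168.1.1:43123       198.51.100.7:80         TIME_WAIT'

flagged_from_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_connections
}

echo "# dnsmasq entries to add:"
dnsmasq_block_entries
echo "# blocklisted peers with an established connection in the sample:"
flagged_from_sample
# On a live router, replace the sample with: netstat -tn | flag_connections
```

The DNS entries only cover lookups that go through the router's dnsmasq; a callback to a hard-coded IP, which this thread mentions for the later stages, has to be handled with a firewall rule on the address instead.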

------
ravenstine
I'm amazed at how many people here think that a company should be default
responsible for what is essentially a third-party tampering with their
product. Unless the problem is a result of negligence, it's unreasonable to
say that a company should be automatically responsible, except perhaps if they
decide not to address the problem in future products.

~~~
ggm
What are bugs, if not negligence?

------
riffic
Consumer routers should be self-updating, along the lines of the CoreOS Update
Philosophy:

[https://coreos.com/why/#updates](https://coreos.com/why/#updates)

~~~
tehlike
All connected devices should be similar. IoT included.

~~~
remir
Absolutely. How many smartphones, Smart TVs, old routers, etc, are out there
running insecure software? A shit ton.

This is insane.

~~~
tehlike
There is a _huge_ business opportunity for the entrepreneurial mind. Auto
update of firmware with proper monitoring and health checks as the roll out
continues.

~~~
exikyut
Yes, _technically_; the reason it doesn't exist is that "proper monitoring"
would highlight how atrocious everyone's development practices are. Oh, and
this would accidentally plug all the holes "everyone" variously uses when
they're found helpful... generally you want to _attract_ military funding, not
scare it away :D

~~~
tehlike
Heh, probably. I don't know if i agree on your point about companies'
development practices. Basic monitoring is very simple to add.

I thought about what a very basic monitoring & release process for a self
driving car would look like:

Below could be measured as an A/B experiment - (control 1% on old release,
experiment 1% on new release).

1. Number of miles driven
2. Number of user interventions.
3. Score rating (assuming users give a rating for their comfort after each ride).
4. Number of rides completed.
5. Average/median speed driven
6. Average/median G change (like too much braking would cause a change in G-force the user is subjected to).
7. Average/median time-to-destination etc.

The data is already available and collected, what's missing is a way that's
plug&play for these companies to push the data and necessary dimensions and
integrate them into their roll outs.

You can find such metrics for almost all internet-connected devices.

Make a dashboard out of this, give a way to slice data, give visualization
tools and a way to query it out, and this is a winner.

------
SG-
Is it strange that I'm now feeling it would be acceptable for FBI to counter
hack these devices with the seized staging domains and somehow patch them?

------
ashleyn
If you're infected, you need a new router. Period. Telling people that they
can resecure their routers with just a reboot is irresponsible.

~~~
userbinator
I wonder how the cost-benefit analysis goes between creating yet more e-waste,
and letting some malware persist...

~~~
ashleyn
It'd be a lot better of a situation if router boards were designed to accept
firmware upgrades at a low level. After an attack, you often need to use the
software updater to reset it. That can no longer be trusted if it's
compromised. Consumer-level routers have been very low-quality for quite a
while.

~~~
jlgaddis
Many of them (judging from those supported by OpenWRT, at least) can be
"flashed" / upgraded / restored via TFTP by interrupting the boot process.

~~~
ashleyn
The security of this feature depends on whether or not it runs from code in
mask ROM.

------
hmd_imputer
My router started acting weirdly about three weeks ago (intermittent
disconnections, slow connection etc. ) and then stopped working all of a
sudden. I asked for a replacement from the provider and they changed it last
week. Now I am freaked out, because if the device was compromised I will need
to change all my passwords which is a real pain in the a _

------
kfrzcode
How can I verify some malicious code is actually present on my router? What
does this code do? Could the FBI put their own malicious code on the router,
via this supposed exploit? Why should I trust the FBI?

Excuse my ignorance but I'm not _not_ going to ask these types of questions.

EDIT: After reading a bit - it seems the control is somehow "transferred" to
the FBI rather than the malicious actor - any other external agent controlling
my software and hardware should be considered a malicious actor from a
defensive standpoint, right?

Also, I don't buy the "FBI is better" argument, because I'm a skeptic.

EDIT 2: Moved the 'Why should I trust the FBI?' question to the end of my
opening paragraph because I just want to know more about how a layman should
approach verification of this vulnerability other than just "trust the powers
that be"

~~~
ggm
Explain how the FBI would leverage an advantage by telling you to reboot.
Explain in a way which doesn't depend on an unprovable.

The best I can come up with is a false sense of security, which given they
actually expect you to also patch and upgrade and proffer advice to patch and
upgrade, is a bit weak. Basically, I cannot construct a scenario where there
is a significant, could-not-be-found-by-white-hat reason they'd do this, to
secure some advantage.

I.e. Occam's razor works for you, in this case.

~~~
kfrzcode
I suppose I just don't know what exploits could be implanted -- are there
forms of rootkits that can go undetected? Or has all of this infected
firmware been reverse engineered and the exploit in question cataloged?

According to ArsTech in this article ([https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/](https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/))
the VPNFilter exploit can survive a reboot - so how can a
simple reboot disinfect if the only delta is the owner of [one of] the second
stage callback IP addresses? I haven't seen any mechanics explained that would
actually disinfect the router.

I appreciate your response with actual critical thinking tips and not just
flippancy - I don't know where else to have these types of discussions.

~~~
ggm
The attack had three components: infection, sign-in with an initiator
headend, and then second/third stage download.

As I understand it, from reading around: The FBI took over an "initiator"
headend which bootstraps a simpler infection into the actual threat/attack
code.

The low level infection can't be removed simply, that demands new code from
the maker or an OpenWRT type source. The FBI took over the domain name behind
a service which acts as the sign-in site. The attack mode code is not in your
firmware, it has to be re-downloaded. If you block the initiator login, you
aren't "clean" but you cannot complete download of attack code to mount the
DDOS.

If you reboot, the low level infection tries to sign in, and is blocked, and
so can't get the second/third stage downloads.

~~~
kfrzcode
Ok, so it's kind of like burning a line in a forest fire - the fire is still
fire, but it's controlled and used in such a way that it _should_ stop the
bigger blaze from crossing said line?

Thanks for this insightful response. I know a lot of readers would just tell
me to do my own research but this was really enlightening.

~~~
ggm
Nah.. I don't like that metaphor. I think I like this one better.

Back in the day, cable TV was encrypted, and people had to have cable TV decoder
cards with a key to fit a slot in the receiver. So, in the UK, somebody worked
out how to decode the keypair, and you could buy a keycard in the pub for like
GBP50, instead of paying the cable company GBP100/mo. But the cards, they have
a fixed life. They don't last forever, you have to keep coming back for more.

The real fix is obviously to fix the crypto, but there are a million receivers
out there. Nobody has time to go round each one. So what the cops did, is find
where the faked out keycards are being printed and shut down the print house,
so imagine... if you then get the city electric company to power cycle every
house, when its receiver reboots, it needs a new keycard, but they can't get
one any more, 'cept from the cable company. Fixed? No, but you cut the problem
off at the knees.

Oh wait: we all _wanted_ those sweet stolen keycards. I gotta think of a
better metaphor :-)

------
trumped
Asus is not affected by this but I still updated the firmware because it
was affected by multiple other vulnerabilities... I wonder if computing will
become secure before I die...

~~~
kode4
I was wondering about this so that is good to know, thanks. My Asus router was
also updated for multiple other vulnerabilities. I really think Asus has been
doing a great job with pushing regular updates.

------
kumarski
I find shodan.io terrifying.

It allows people to see the IP addresses of printers, routers, etc.... at
scale.

So if a hacker finds a vulnerability, they can really quantify the amount of
devices they can attack.

------
Fej
Verizon routers not known to be vulnerable? That's a bit surprising, although
not so much if a particular country is being targeted.

------
joshe
I wonder if sometime we'll need to cause a power outage to reboot routers and
internet of things products.

------
el-y0y0s
Just calling out the good guys at Mikrotik. They patched their router a year
before being notified by Cisco.

~~~
tarellel
As a Mikrotik devotee, I love the active development and patches being pushed
for their Packages and RouterBoard. If anyone maintains a Mikrotik router
and/or switches and hasn't heard about the vulnerability and actively patched
their systems, then they're completely at fault and putting themselves and
possibly their companies at risk.

~~~
jlgaddis
Honest question: how's their GPL compliance these days?

~~~
severine
Some info here: [https://forum.lede-project.org/t/mikrotik-gpl-source/6750/12](https://forum.lede-project.org/t/mikrotik-gpl-source/6750/12)

Which led to this repo: [https://github.com/robimarko/routeros-GPL](https://github.com/robimarko/routeros-GPL)

------
partycoder
Now the real question is why you can exploit routers using EXIF metadata.

------
jacksmith21006
Glad now have Google WiFi. Most secure consumer router you can get, imo.

~~~
zrail
I’m very happy with my Ubiquiti UniFi setup. Don’t know if it’s more secure
than a google product but I trust it more.

~~~
plg
What’s your setup? I have an EdgeRouter Lite but I’m looking for one or more
WiFi access points to add to my network.

~~~
zrail
Cloud Key, USG, Switch 8 POE, and two AP-Lites. The UniFi console makes
management easy compared to the edge router UI. I also have one of those but
it’s just sitting right now.

~~~
nvarsj
I'd be wary of any Ubiquiti network kit. I only trust their APs. The ERL for
example is an awful router - it has had a firmware issue for years now where
it causes persistent packet loss due to reordering incoming packets. I
discovered these problems in my own testing, and there is a giant thread on
the forums about it which I helped kick off. The ER-X is the only thing that
seems to work properly. Their switches are bad too (small buffers). UI is nice
and they are cheap, but not worth the poor performance.

I sold most of my Ubiquiti gear and bought a Netgate 2440 a couple years ago,
put Debian on it with Shorewall and auto updates, and haven't looked back.

~~~
namibj
How large do you want the switch to be? Where I am, if I download something
from Google Drive, I get _major_ bufferbloat on the downstream, I suspect
because everything except the last PHY link to my laptop (on a LAN port)
handles at least 1Gbit, but the switch is still a little old-ish and won't do
more than fast Ethernet. Please, for god's sake, either drop packets or use
fq-codel or something similar, but don't use a large-ish, blind fifo that only
listens to its explicit QoS settings. I want my mosh session to be
responsive even if there is a large _inbound_ filetransfer. (note that this is
textbook bufferbloat, just in the reverse direction from the usual residential
situation)

~~~
nvarsj
To support a certain bandwidth on a switch you need big enough buffers.
Bandwidth delay product is what you want - latency * bandwidth; you need a
buffer of at least that size to support throughput in the system. Multiply
that by the number of ports to support concurrent bandwidth. The ToughSwitches
were engineered with very small buffers, such that they couldn't even support
reasonable bandwidth on a LAN with low latency.

