
> it regularly downloads signature files

Why does a router need malware signature files? It has no business monitoring my traffic, except in accordance with the firewall rules that I set myself.

From the article:

> not keeping my firmware up to date

I've had this (non-Asus) router for three years. I've never updated the firmware.

> I've had this (non-Asus) router for three years. I've never updated the firmware.

Botnet operators are very grateful for your cooperation; you are helping them a lot.


I've never updated the firmware on any of my routers, and I'll be happy to give you a million dollars if you can prove that it's part of a botnet. This pathetic holier-than-thou attitude is obnoxious; you really think 95% of routers are part of a botnet? Or that they're even accessible from the internet?


> you really think 95% of routers are part of a botnet? Or that they're even accessible from the internet?

It's probably not 95%, but it's certainly significant. And yes, most consumer routers are obviously accessible from the internet, that's how they work (they're generally not behind a firewall, they are a firewall, and can have vulnerabilities). You might want to read up on it [1, key quotes below], and I know I certainly wouldn't be willing to wager my consumer router wasn't infected, because how would I ever have any idea?

> Out of the box, most routers suck when it comes to security. Vulnerable firmware is an easy target. Backdoors have been discovered in just about every brand of router... It's possible you will never even know your device is infected...

> When we're talking about routers, these aren't the enterprise-level gear made by the likes of Cisco, Sonicwall, or Palo Alto... We're talking about what you would get off the shelf at Wal-Mart or Best Buy — the D-Links, Netgears, and Linksyses of the world.

> The problems start with the cheap, antiquated MIPS architecture used by a lot of these devices' processors... One substantial problem comes from a security flaw that goes back to 2001. Per one deep yet fascinating paper, the chips lack basic defensive abilities against malicious code execution. Combine this with manufacturers commonly implementing out-of-date, vulnerable Linux kernels in their devices, and then putting this device on the edge of your network completely exposed to the internet.

But to sum up -- not updating your router's firmware is a terrible idea. It's not something to be proud of.

[1] https://www.cbtnuggets.com/blog/certifications/security/your...


As 100% of Asus routers are part of the Asus botnet, I'll take my chances on that 5% with my custom, libre, hand-rolled breadboard router.


Don't think so. The management interfaces are only exposed on the local network. If you could hack into my local network some other way (e.g. through Apache), you could probably attack the web interface on the router; but in fact no local network services are exposed to the internet.


It's a device that's directly exposed on the public Internet. Anyone in the world can send any packet they want to it. It's not that uncommon for people to find bad bugs in network protocol stacks. An attacker wouldn't have to go through a web interface.


There are a multitude of ways to trick consumer routers into letting an external request log into the web interface. That's also ignoring the multitude of ways to botnet them without using the web portal, as manufacturers suck at their job and often ship known exploited libraries and utilities. Some have had genuine back doors even.


If you don't expose any external services of the router then it's a bit hard for botnets to take advantage of your router.

Most of these routers are likely becoming part of the botnet for enabling external web management and/or using default creds (especially if SSH is exposed externally).

Security isn't exceptionally hard, if you actually put some effort into it.


There have been plenty of router exploits that begin with a pivot from a web browser to a poorly secured admin panel on the local network. Firewalling incoming traffic from the Internet to the router's management interface is no security panacea.


Again, as I mentioned, the bulk of those rely on default creds.

Many of the big manufacturers have been tackling that issue by forcing a password change at setup and not allowing an insecure default to be chosen.


> a poorly secured admin panel on the local network

Why is the web interface left on? Just turn that off, there shouldn't be much to do with that.


Not sure you'll see this, with HN's lack of notifications, and so much time elapsed but here's the answer:

Most consumer routers do not support disabling the web interface on the local network, as it's the primary (only?) means of administration for them. This attack relies on getting users to browse to an address with default creds by some means, with a URL prepended that will cause the desired action to occur. More often than not a popular action is to modify the DNS servers used, so that DNS traffic can then be manipulated to point to malicious servers used for the ultimate attack.
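The comment above describes a cross-site request that drives a logged-in (or default-credential) browser into the router's admin page to change DNS settings. As an added illustration that is not part of the thread, here is the kind of check a router's web admin could apply before accepting a settings change; the router origins, request shape and field names are assumed for the example.

```python
"""Added example (not from the thread): refusing the cross-site 'change my DNS'
request pattern described above. All names and origins here are hypothetical."""
import hmac
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Origins from which the router's own admin pages are served (constructed values).
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.local"}


@dataclass
class Request:
    method: str
    url: str                              # full URL as the browser would send it
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session_token: Optional[str] = None   # CSRF token bound to the logged-in session


def reject_reason(req: Request) -> Optional[str]:
    """Return None if the settings change is acceptable, otherwise why it was refused."""
    parts = urlsplit(req.url)
    # 1. Credentials embedded in the URL (http://user:pass@192.168.1.1/...) are how a
    #    victim gets walked into the admin panel from a link with default creds.
    if parts.username is not None or parts.password is not None:
        return "credentials in URL"
    # 2. State changes must be POST; a GET to /dns?server=... fits in a plain <img> src.
    if req.method.upper() != "POST":
        return "state change via GET"
    # 3. The request must come from one of the router's own pages.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return "no Origin/Referer"
    o = urlsplit(origin)
    if f"{o.scheme}://{o.netloc}" not in ROUTER_ORIGINS:
        return "cross-site origin"
    # 4. And carry the per-session CSRF token (constant-time comparison).
    sent = req.form.get("csrf", "")
    if not req.session_token or not hmac.compare_digest(sent, req.session_token):
        return "bad CSRF token"
    return None
```

Checks 1 and 2 alone defeat the "browse to a prepared URL" variant the comment describes; 3 and 4 cover a malicious page that submits a form on the user's behalf.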


Don't forget the biggest botnet being ASUS who didn't disclose the scanning... or whatever else they happen to be doing without the explicit consent of the owner.

Issues like this don't happen across such a wide area by accident.

Basic professional practices have any updates tested beforehand on physical hardware at multiple stages before any push happens, and they leave it up to the user because pushing an update without the owner's explicit consent to a device they own runs afoul of the same hacking abuse laws. The legal exposure is massive.

It also doesn't account for the fact that firmware was attempted to be updated on devices which were set to not update. ASUS has a lot to explain. They didn't release any kind of statement so the lawyers and computer forensics people will likely need to get involved to get to the bottom of it.

I look forward to eventually hearing about what really happened.


Botnet operators are careful to not mess with my internet connection. If they want to use my router for other stuff while it’s not in use by me, who am I to complain.


Well, for starters here is an article about malware specifically targeting ASUS routers.

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink...

Hopefully that clears up the first question of "why does it need malware signature files?"

As for your router firmware? You should seriously update that. New exploits get found all the time.

Hackers use compromised routers as parts of a botnet, an intermediary route, or as an access point with which to steal data with man-in-the-middle attacks.


> Hopefully that clears up the first question of "why does it need malware signature files?"

Not really. The article doesn't mention signature files. It describes the operations of a certain malware once it has been executed on a router. But first it has to get onto the router; and the only way new software can get onto this router is via a firmware update.


>the only way new software can get onto this router is via a firmware update.

That has never been the case. Software from consumer routers is often still in the "a trivial buffer overflow lets a malformed packet insert a payload into RAM and convince the PC to jump to it" phase of software security. They are very much still wormable systems, like Windows 2000 style. Ever have your router glitch out and stop working and you have to reboot it? That's probably an exploitable bug.


That’s an attack on the router itself, not the network traffic it carries.

Signature files are only useful to scan network traffic.


This was literally a discussion about the firmware of a router.

How is it not relevant? This person has not updated their router's firmware in over 3 years.

The viral traffic needs to get to the router in the first place. I assume that the means of reaching the router is literally via network traffic?

What am I missing?


When I hear “signature file” I think of a list of signatures of known viruses and malware.

These types of signature files aren’t meant to guard against exploits, SSH brute forcing, etc, even if the router applies them to inbound traffic in addition to forwarded traffic. To do that, you typically need a WAF or some clever fail2ban-like filtering rules. Even up-to-date signatures won’t prevent a router from getting 0wn3d if the ssh daemon has a security hole for example.

As sites move to HTTPS, routers can't even really filter networking traffic anymore. I don't see why a router needs signature lists at all.
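The comment above contrasts malware signatures with the "fail2ban-like filtering rules" that actually address brute forcing of an exposed SSH daemon. As an added example that is not part of the thread, this is the core of such a rule run over constructed sshd log lines; the threshold and window are assumptions.

```python
"""Added example (not from the thread): a fail2ban-style rule over sshd auth lines.
Threshold, window and the sample log are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Typical OpenSSH auth.log failure line; syslog omits the year, so one is assumed.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
MAX_FAILS, WINDOW_SEC = 5, 600          # assumed policy: 5 failures within 10 minutes


def find_bans(lines, year=2023):
    """Return {ip: time_of_ban} for every source that trips the threshold."""
    recent = defaultdict(deque)          # ip -> timestamps of failures still in window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                     # accepted logins, disconnects, etc. are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SEC:
            q.popleft()                  # drop failures that aged out of the window
        if len(q) >= MAX_FAILS and m["ip"] not in bans:
            bans[m["ip"]] = ts           # first moment the source crosses the line
    return bans


# Constructed sample: one noisy external source, one local user who mistyped once.
SAMPLE_LOG = """\
Oct 13 10:00:01 gw sshd[812]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 13 10:00:03 gw sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Oct 13 10:00:09 gw sshd[815]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Oct 13 10:00:12 gw sshd[815]: Accepted publickey for alice from 192.168.1.20 port 51000 ssh2
Oct 13 10:01:30 gw sshd[819]: Failed password for root from 203.0.113.7 port 40120 ssh2
Oct 13 10:02:41 gw sshd[822]: Failed password for invalid user pi from 203.0.113.7 port 40131 ssh2
Oct 13 10:04:05 gw sshd[830]: Failed password for root from 203.0.113.7 port 40140 ssh2
""".splitlines()

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

A real deployment would feed the resulting addresses into the firewall with an expiry; the rule itself needs no knowledge of what the attacker sends, which is why it works where a content signature does not.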


Thank you for the insight.


> Hopefully that clears up the first question of "why does it need malware signature files?"

The malware signature files really don't help prevent your router joining a botnet.

Firmware updates, maybe, maybe not. It is quite possible for other routers with less generally sloppy and advertised-feature-rich firmware to actually be more secure even without updates for 3 years. It's quite possible that they have no api endpoints available for super-easy mobile app integration remote management etc, just ssh from local subnet or physical serial console.

There have been multiple cases of market-leading antivirus engines (Symantec, McAfee, etc.) having sloppy code running with the highest possible privilege, parsing any files appearing on the system anywhere, and e.g. crashing a mail server that would otherwise be unaffected by the PoC samples being emailed through it by researchers.

So, I also take some issue with people who have no understanding of how all this software around us is designed and built (in routers, in Windows, on web servers) and think that just updating everything all the time and running antivirus is the best you can do. You really can do a lot better if you know what you're doing.


Re: firmware updates, there is stuff like these remotely exploitable kernel wifi stack issues not that long ago:

https://lwn.net/ml/oss-security/20221013101046.GB20615@suse....

There can be driver specific remotely exploitable issues that might not be widely communicated. Until operating systems are written more robustly, just having admin level stuff set up robustly isn't always enough. Of course, updates can add bugs too.
