If someone sold you a dodgy device, you’d probably get pretty mad; but if someone knowingly sold you a dodgy device, that’s a whole new level of uncool. Some ISPs are being accused of distributing ADSL routers that they knew had security vulnerabilities, and although taking the higher ground is best, letting the world know what they’re up to and making a stand also seems pretty fair. However, there are ways you can help protect yourself where they’ve failed to, and then help make sure this ridiculousness doesn’t happen again.
Cisco consultants Kyle Lovett and Dor Tumarkin told the CrestCon & IISP Congress 2015 in London that some Internet Service Providers (ISPs) have knowingly been giving out routers with low or zero security. What’s worse is that around 80 million of these vulnerable devices could be compromised because users don’t change the default passwords. Plus – if that wasn’t enough good news – there are sites out there that also list which devices can be easily messed with.
“Wide swathes of IP space are being made vulnerable through ISPs in developing countries distributing routers with default passwords that can be easily found on the internet,” said Lovett.
Vulnerable routers could then be exploited in a number of ways, including DDoS and DNS redirection attacks. DDoS (Distributed Denial of Service) attacks flood sites with traffic until they can’t cope anymore and crash; and DNS hijacking is where attackers change a site’s domain name system details, redirecting users from the intended address to their own sites, where they could hit them up with a man-in-the-middle attack, nab personal details or infect them with malware.
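One practical way to spot the DNS redirection described above is to ask your router’s resolver and an independent reference resolver for the same names and compare the answers. The script below is an added example written for this article; it is not code from the article, the researchers or any vendor. It builds and parses DNS A queries with only the Python standard library, so the parser can be exercised offline on a constructed response. The resolver addresses, the domain names and the sample response are all assumed or constructed placeholders.

```python
import secrets
import socket
import struct
from typing import Dict, List, Optional, Tuple


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Build a recursive DNS query (QTYPE=A, QCLASS=IN) for `name`."""
    if txid is None:
        txid = secrets.randbelow(65536)      # random ID so replies can be matched
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # the pointer is the last thing we consume
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes, expected_txid: Optional[int] = None) -> List[str]:
    """Return the sorted IPv4 addresses from the answer section of a response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(socket.inet_ntoa(rdata))
    return sorted(addrs)


def resolve_a(name: str, resolver_ip: str, timeout: float = 3.0) -> List[str]:
    """Send one UDP query to `resolver_ip` and return the A records it gives back."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_mismatches(router: Dict[str, List[str]],
                    reference: Dict[str, List[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Names whose answers differ between the router's resolver and the reference."""
    return {n: (router[n], reference[n]) for n in router if router[n] != reference.get(n)}


def compare_resolvers(names: List[str], router_dns: str, reference_dns: str):
    """Resolve every name via both resolvers and report the ones that disagree."""
    router_ans = {n: resolve_a(n, router_dns) for n in names}
    reference_ans = {n: resolve_a(n, reference_dns) for n in names}
    return find_mismatches(router_ans, reference_ans)


# Constructed sample: a reply to build_query("example.test", 0x1234) carrying two
# A records (192.0.2.1 and 192.0.2.2, documentation addresses) that use a
# compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + build_query("example.test", 0x1234)[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.2.1")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.2.2")
)

if __name__ == "__main__":
    print("offline parse:", parse_a_records(SAMPLE_RESPONSE, 0x1234))
    # Live check (assumed placeholder addresses; replace with your router's LAN IP
    # and a resolver you trust):
    # print(compare_resolvers(["example.com"], "192.168.1.1", "9.9.9.9"))
```

A mismatch is a prompt to investigate, not proof of hijacking: sites behind CDNs legitimately hand different addresses to different resolvers, so compare against a second reference resolver and check the router’s DNS settings page before drawing conclusions. The transaction-ID check in `parse_a_records` is deliberate; a reply whose ID does not match the query should be discarded rather than trusted.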
Frustratingly, not much has been done to fix these problems, and it’s even leaving enterprises at risk as home and teleworkers may connect on these potentially dodgy connections. Attackers are realising this and increasingly focusing their efforts on this group.
“Because of low margins there is no incentive to improve or fix security flaws, and market demand for features and services typically overrides any security considerations,” said Tumarkin. “We are seeing teleworkers being increasingly targeted because they offer a potentially lucrative door into their employer organisations.”
Apparently security researchers are less likely to test home or small office connections, but good security should be a priority even for small businesses. Initiatives like BASEfund can help provide safeguards like pen testing, and it’s always important to have an experienced security team and be constantly looking for potential holes in your system. A strong BYOD plan if staff are using their own devices or taking them outside the office is also a good idea.
The guys say that the best hope is for ISPs, device manufacturers and distributors to get on it and that “Suppliers should ensure devices are sourced, designed, developed and audited as if they were to be deployed in an enterprise environment.” As users you can ensure that you practise good security, like regularly changing passwords, and keep software up to date with patches.
As with any other aspect of security – as we’ve seen over the last year – the more users make a noise about good security and hold the community to account, the better things will become. Last year saw some pretty awful security blunders – and mistakes will always be made – but it also saw the average user realise how important security was, how vulnerable they were, and that they could make a big difference to the safety of their data.
For more information on our security solutions take a look at our website or give us a call on 0208 045 4945.