Home Devices Threaten Enterprise Data

Researchers have warned a lack of security on millions of ADSL routers and other devices used by teleworkers represents a threat to global enterprise information security.

According to Cisco consultants Kyle Lovett and Dor Tumarkin, unscrupulous internet service providers distribute routers that often have many security vulnerabilities.

Most of these vulnerabilities are well-known and well-documented, however ISPs continue to distribute routers without any security evaluation.

Lovett said: "Wide swathes of IP space are being made vulnerable through ISPs in developing countries distributing routers with default passwords that can be easily found on the internet."

Lovett estimated that between 25 and 80 million devices used in small office and home-office environments can be accessed remotely because default passwords are rarely changed by users.

Attackers can locate vulnerable devices using internet scans and websites such as Shodan, which publishes an index of internet-exposed devices.

According to research, over a million ADSL routers with firmware dating from 2007 contains multiple critical vulnerabilities that could allow hackers full control of a device.

Vulnerable routers can be exploited by attackers to carry out DNS redirection attacks or hijack to them to carry out distributed denial of service attacks using DNS amplification.

This means that attackers can alter the domain name systems configuration on these devices to redirect victims to IP addresses and domains controlled by the attacker.

Attackers can conduct man in the middle attacks or redirect victims to anywhere they want.

Other vulnerabilities are introduced by ISPs wanting to enable remote management services, allowing more features than devices were designed to handle.

The problem has been reported by many researchers in the past, however very little has been done about it.

Dor Tumarkin said: "Because of low margins there is no incentive to improve or fix security flaws, and market demand for features and services typically overrides any security considerations."

print this article

Return to internet news headlines
View Internet News Archive

Share with: