MSPs are in a good position to weather one of the most recent security threats to rear its head: VPNFilter. But the recent hack provides a good reminder to pay attention to an unglamorous, often overlooked part of the IT ecosystem: the lowly router.
Yep, at home, this is the off-the-shelf signal purveyor you buy at Best Buy or order from Amazon. Most people simply plug it in, use the password printed on the device, and they’re done. This lax attitude has made routers ripe for hackers. MSPs generally provide their clients with security features to make routers more secure, which is why the attack has primarily been a home phenomenon. But, small businesses are also being targeted.
Meet VPNFilter (or FancyBear)
The FBI recently issued a warning that Russian hackers have been targeting home and small office routers in the United States for infiltration.
The FBI alert reads, in part:
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.
Reuters gave more backstory about the origins of the hack and the impact.
So you think your router is safe?
Some IT experts have long been concerned that routers represent a weak link in the IT chain.
Patrick Ilboudo, who recently graduated from St. Cloud State University in Minnesota with a master's in Information Systems, wrote a prescient paper about the vulnerabilities of routers for his thesis in 2017. His paper, “So You Think Your Router is Safe?” predicted problems ahead:
“Security vulnerabilities on routers are silent threats that do not get the attention they deserve because news tends to focus on reporting high-profile events such as the Target or the Equifax breaches. Popular media rarely have a segment related to router security, but when they do, the focus is more on Wi-Fi protection rather than a full-blown router security.”
Ilboudo talked to Smarter MSP about some of his research. As noted, the VPNFilter malware is largely targeting “small fish,” such as the home router or the lone insurance agent’s office router.
“These are basic over-the-counter devices that lack some important security features. Enterprise-grade routers, however, can be loaded with security features to help detect and mitigate the threats (intrusion detection, firewall, vulnerability scanning, etc.),” Ilboudo says, adding that competent MSPs will have protocols in place to ward off problems.
Network weak points
Dr. Steven Murdoch is Innovation Security Architect at OneSpan, a security solutions company based in Chicago. Murdoch has also been warning about the vulnerabilities of routers for years.
“Routers do often seem to be a weak point in home and small business networks,” Murdoch says. Routers are the thread that ties a home’s IoT together, therefore leaving a large, frequently insecure surface for attack.
“This is a consequence of manufacturers mostly competing to build the cheapest device, which frequently comes at the cost of good security design or offering security patches on older products,” Murdoch says.
Murdoch says the security weakness of routers is particularly relevant because some don’t even do the security checks normally performed on internet connections. There’s a false assumption made by manufacturers that all devices on an internal network are trustworthy.
“Someone who has compromised a router can appear as if they are on the internal network and so bypass some security checks,” Murdoch explains.
Solutions for securing clients’ routers
“The most effective way to protect routers is for its firmware to be promptly updated to mitigate known security vulnerabilities, and for it to be securely configured,” Murdoch says. Still, an MSP can only do so much in this regard. The manufacturer has to take the initiative.
“The router manufacturer plays a critical role because they decide when to make updated firmware available and whether to set secure defaults on the configuration,” Murdoch says.
So, Murdoch says one of the most important steps is to ensure that the router is purchased from a manufacturer that does a good job securing their devices and commits to promptly providing security updates for the expected lifetime of the device. (SmarterMSP reached out to some of the major router manufacturers for comment but did not hear back.)
Even with that precaution in place, Murdoch recommends other measures in case the router is compromised. Those defenses would include using encryption and access control even within internal networks. This makes it more difficult for an intruder who has compromised a router to access other devices and data.
Because the router represents essentially an “all-access pass” for the successful hacker, Murdoch says the attacks on them will continue for the foreseeable future.
“Routers do have a privileged position within networks as they are the access point to an internal network so are its first level of protection. As such, they will continue to be attractive targets provided internal network controls can still be breached,” Murdoch says.