FortiGuard Labs Telemetry: Round up of 2015 and 2016 IoT Threats (Part 2 Home Routers)

In our last post Round up of 2016 IoT Threats we compared 2015 and 2016 global threat telemetry for IoT devices collected by our FortiGuard Labs.

In this post, we will examine why home routers had a such a huge increase in IPS signature hits in 2016, when compared to 2015.

Home Routers

In 2015, home routers had the most IPS signature hits at around 821,000. But this number exploded exponentially in 2016, to more than 25 billion hits. We can see the exponential increase more clearly when we compare both years using a size comparison chart as shown below (note that 2015 is just a tiny dot compared to 2016’s much bigger circle).

What contributed to this exponential increase in detected hits between 2015 and 2016? Let’s analyze the home router IPS triggers in more detail for both years:

In 2015, the “ASUS.Router.infosvr.UDP.Broadcast.Command.Execution” (http://fortiguard.com/encyclopedia/ips/41006) triggered the most hits (~ 86%) in the home router category. This vulnerability allows a remote attacker to gain control of an affected router via a specially crafted UDP packet. NOTE: A fix for this looks to be available from the vendor. We strongly encourage users running this router to patch their systems to close this vulnerability (see http://fortiguard.com/encyclopedia/ips/41006).

In 2016, “Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass” (http://fortiguard.com/encyclopedia/ips/42781) triggered the most hits in the home router category, accounting for more than 99% of all attacks detected. In fact, it dwarfed all other home router vulnerabilities detected in 2016 by two orders of magnitude. This attack is designed to exploit a single hard-coded password embedded in a vulnerable router's firmware. It allows a specially crafted request sent to UDP port 53413 to open a backdoor to the router. This single vulnerability was the reason why our telemetry showed that home router vulnerabilities in 2016 were exponentially larger than 2015. No fixes are known to be available for this vulnerability yet, which also helps explain why attacks targeting this vulnerability were so extensive in 2016, and are likely to continue throughout 2017.

Let’s look at how widespread the “Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass” vulnerability was in 2016, from a global and regional perspective:

Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass – Top 10 Countries 2016 (Global)

Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass – Top 10 Countries 2016 (APAC)

Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass – Top 10 Countries 2016 (EMEA)

Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass – Top 10 Countries 2016 (Americas)

What do we expect to see in 2017?

Based on our telemetry for January 2017, we are still seeing huge hits on the Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass (http://fortiguard.com/encyclopedia/ips/42781) signature:

As mentioned earlier, no fixes are known to be available for this vulnerability yet; and our January 2017 telemetry infers that this will likely continue to be the top home router vulnerability throughout 2017 (unless a fix becomes available.) It’s also worth noting that while it’s just the second month of 2017, new home router vulnerabilities have already surfaced that allow authentication to be bypassed [ https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521–Bypassing-Authentication-on-NETGEAR-Routers/ ], commands to be injected [ https://blogs.securiteam.com/index.php/archives/2910 ] and that target other vulnerabilities found before 2017 that remain unpatched [ https://pierrekim.github.io/blog/2017-02-02-update-dlink-dwr-932b-lte-routers-vulnerabilities.html ].

Summary

Home routers are the primary gateway to the internet with a publicly accessible IP address. They are also most likely always on, and are seldom checked for security updates. When combined with home router vendors who have minimal security maturity in their products, it’s just a matter of time before a determined threat actor decides to find a vulnerability and exploit these devices. This is clearly seen in our 2016 telemetry, where we document a huge jump in home router IPS hits, mostly targeting the Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass vulnerability. This problem was compounded because no fixes are known to be available for this vulnerability, meaning there continues to be a higher chance of successfully exploiting those affected routers that remain unpatched in 2017.

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.