Connected devices create new security risks

How did you choose your router? Most likely either you chose the default router provided by your ISP, or you chose the cheapest device with the features you needed. Possibly, if you’re a business, you chose a device from the same manufacturer as the rest of your network, to reduce management overhead.

It’s unlikely that security was a driving factor behind the decision. So market forces push device manufacturers towards cheaper, more feature-packed devices. Maintaining old devices isn’t a priority – does your router have a steady update cycle for firmware updates? If so, when did you last update it? More to the point, do you even know how to update it?

The increased difficulty of targeting desktop computers will push attackers towards a new focus; in an increasingly connected age, in most cases the goals of an attacker can be just as well served by targeting routers and intercepting or modifying data in-transit.

There have already been large-scale attacks against embedded devices, including notable attacks in Brazil, in which an estimated 4.5 million home routers were compromised. These compromised routers were then used to redirect user traffic – undetectably – from trusted sites such as Google to malicious sites hosting drive-by malware to steal bank details.

So how can we solve this problem? The answer seems quite straightforward: we can’t expect vendors to switch to a more security-driven development model for free; and even if we could, we’d still be stuck with a huge number of vulnerable legacy routers on the internet. Instead, we need to take into account the weaknesses of those systems in our threat and risk models, and ensure that we can maintain security despite those weaknesses.

It’s been best practice for decades to ensure all sensitive data is transmitted only under transport-layer security, preventing eavesdropping and tampering on data in-transit. Coupling this with widespread uptake of DNSSEC and DNSCurve protocols to protect DNS traffic from tampering and monitoring would mitigate most possible attacks that could be launched from a compromised router. 

Datacom TSS thinks the way to solve problems like this is by bringing the issue into the public consciousness. In the 1990s, endpoint security problems were highlighted by the media and some rather public worm/virus outbreaks. We need the average user to start looking at embedded systems from a more discerning security perspective, like some are beginning to do with laptops and smartphones, before manufacturers are likely to address the issue.

Mark Brand is the senior security consultant at Datacom TSS