Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers
31 replies, posted
[quote]On Monday, the cybercriminal, who calls himself BestBuy, claimed to have set up a server that would automatically connect to vulnerable routers and push a malicious firmware update to them. This, he said, would grant him persistent access and the ability to lock out the owners as well as internet providers and device manufacturers.
“They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” BestBuy said in an online chat. “Bots that cannot die until u throw device into the trash.”
[t]http://motherboard-images.vice.com/content-images/contentimage/40224/1481045574667527.png[/t]
A screenshot of BestBuy's ACS showing a partial list of targeted routers.
None of the security researchers I contacted, however, could find one of the hacked routers in the wild[/quote]
[url=http://motherboard.vice.com/read/hacker-claims-to-push-malicious-firmware-update-to-32-million-home-routers]Source: motherboard.vice.com[/url]
Router security is such a joke, that I almost believe what this person is claiming.
This is an extremely flimsy claim... if such a huge vulnerability were to exist, they sure as hell wouldn't boast about it. Plus, the "You can't do anything to stop it!!" smells like B.S.
There's no solid proof here. Sounds like a scare article.
[QUOTE=Te Great Skeeve;51496236]This is an extremely flimsy claim... if such a huge vulnerability were to exist, they sure as hell wouldn't boast about it. Plus, the "You can't do anything to stop it!!" smells like B.S.
There's no solid proof here. Sounds like a scare article.[/QUOTE]
As you're aware, it always starts with... denial.
How would I protect myself from something like this?
[QUOTE=SGTNAPALM;51496257]How would I protect myself from something like this?[/QUOTE]
There's probably a few different opinions on this matter, but here's what I think:
If you're on ADSL (or related copper derivatives), avoid using an AIO modem/router - there's just too much that the end user has no control over, including but not limited to Telnet backdoors and [url=https://facepunch.com/showthread.php?t=1544537&p=51497132&viewfull=1#post51497132]TR-069[/url]. Have a modem in full bridge mode, which goes to a router with custom firmware such as [url=http://www.dd-wrt.com/site/index]DD-WRT[/url], [url=http://tomato.groov.pl/]Tomato[/url] or [url=https://openwrt.org/]OpenWRT[/url].
If you're on Cable, same idea if you can: full bridge mode. FTTP: just use a router with custom firmware.
Make sure to have a non-default login username and password, make sure they're not accessible outside your external LAN, and don't make services available to the world that you haven't hardened yourself (e.g. HTTP, SSH, Telnet, etc.).
[QUOTE=SGTNAPALM;51496257]How would I protect myself from something like this?[/QUOTE]
What the hacker mentioned in the article may be referring to the ISP administration/update ports that ISP-provided routers have open (and lots of non-ISP ones too). An important thing to do is close those ports to secure them against telnet (or at least close them to non-LAN connections). Mirai has used port 7547 to telnet into routers.
I'd like to say I've been able to confirm that some Huawei routers have been hacked. No custom firmware has been uploaded to them rather just software that joins them into a botnet.
[editline]7th December 2016[/editline]
I've done a ton of research on ARRIS cable modems as well, they're incredibly vulnerable to malicious attacks. I can access all of the cable modems my ISP uses.
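The hardening advice in the two posts above (keep management services off the WAN side, and close the ISP administration ports such as 7547 to non-LAN connections) can be turned into a quick audit. The script below is an added example for this thread, not code from the article or from any of the posters. It parses a constructed `ss -tlnp`-style listing (sample text only, not captured from any real device), flags every listener bound to something other than loopback or the assumed LAN address, and prints the iptables rules that would block those ports on the assumed WAN interface. Port 7547 is the TR-069 connection-request port, which the ISP's ACS legitimately needs, so instead of dropping it outright the script limits it to a placeholder ACS address. The LAN prefix, WAN interface name and ACS address are all assumptions you would replace with your own values.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output from a hypothetical home router.
# Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_LISTENERS='LISTEN 0 5 0.0.0.0:7547 0.0.0.0:* users:(("cwmpd",pid=412,fd=4))
LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=301,fd=3))
LISTEN 0 128 192.168.1.1:22 0.0.0.0:* users:(("dropbear",pid=355,fd=5))
LISTEN 0 128 192.168.1.1:80 0.0.0.0:* users:(("uhttpd",pid=380,fd=6))
LISTEN 0 128 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=290,fd=7))'

LAN_PREFIX="192.168.1."   # assumed LAN subnet; adjust to yours
WAN_IF="eth0"             # assumed WAN interface name
ACS_IP="203.0.113.10"     # placeholder ISP ACS address (TEST-NET-3, not a real ACS)

# exposed_listeners: print "port process" for every TCP listener that is bound
# to something other than loopback or a LAN address (0.0.0.0 / [::] / a WAN IP).
# The port is taken as the text after the last colon so "[::]:22" parses too.
exposed_listeners() {
  printf '%s\n' "$SAMPLE_LISTENERS" | awk -v lan="$LAN_PREFIX" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]" || index(addr, lan) == 1) next
      proc = $6
      sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
      print port, proc
    }'
}

# harden_rules: emit the iptables rules that close the exposed ports on the WAN
# interface. 7547 (TR-069 connection requests) is allowed only from the ACS
# address before the DROP; everything else (telnet here) is simply dropped.
# Dropping 23 is a stopgap: the real fix is to disable telnetd altogether.
harden_rules() {
  exposed_listeners | while read -r port proc; do
    if [ "$port" = "7547" ]; then
      echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 7547 -s $ACS_IP -j ACCEPT"
    fi
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $port -j DROP   # $proc"
  done
}

# Run stand-alone: show what is reachable from outside, then the suggested rules.
echo "Exposed beyond the LAN:"
exposed_listeners
echo "Suggested rules:"
harden_rules
```

On a real router you would replace the `SAMPLE_LISTENERS` heredoc with `ss -tlnp` (or `netstat -tlnp` on older BusyBox builds) and review the printed rules before applying them; the script deliberately prints rather than executes them.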
[QUOTE=WaLLy3K;51496286]There's probably a few different opinions on this matter, but here's what I think:
If you're on ADSL (or related copper derivatives), avoid using an AIO modem/router - there's just too much that the end user has no control over, including but not limited to Telnet backdoors. Have a modem in full bridge mode, which goes to a router with custom firmware such as [url=http://www.dd-wrt.com/site/index]DD-WRT[/url], [url=http://tomato.groov.pl/]Tomato[/url] or [url=https://openwrt.org/]OpenWRT[/url].
If you're on Cable, same idea if you can: full bridge mode. FTTP: just use the router.
Make sure to have a non-default login username and password, make sure they're not accessible outside your external LAN, and don't make services available to the world that you haven't hardened (e.g. HTTP, SSH, Telnet, etc.).[/QUOTE]
We already actually do all this so :v:
Also, you can't patch out the ability for firmware changes on most cable modems due to the DOCSIS standard -- ISPs can upload whatever firmware they want on them and can blacklist them if they don't actually change (which is what would have to happen)
[QUOTE=~Kiwi~v2;51496310]There's also the option if you can and want to go full insane FTTP/FTTH and do what I wanna do in NZ, hook yourself up to an ONT on a spare machine. Grab a quad NIC. Install PFSense/Run PFSense and you'll have the best and the most overkill router ever.[/QUOTE]
Geez, multi-NIC cards have tanked in price since I last checked.
[QUOTE=SGTNAPALM;51496303]We already actually do all this so :v:[/QUOTE]
You should be fine then! Just don't put "black boxes" on your network that you don't have superuser (root) control over, if you can help it. You wouldn't plug in a random USB drive that you picked up off the street, and you wouldn't plug in a Raspberry Pi without first formatting the SD card because you've got no idea what they're set up to perform.
[QUOTE=~Kiwi~v2;51496310]There's also the option if you can and want to go full insane FTTP/FTTH and do what I wanna do in NZ, hook yourself up to an ONT on a spare machine. Grab a quad NIC. Install PFSense/Run PFSense and you'll have the best and the most overkill router ever.[/QUOTE]
I've got FTTP here in Australia, and my ASUS RT-AC68U with Tomato firmware is pretty damn overkill in terms of processing power - low power usage though, which is perfect for my needs.
[QUOTE=~Kiwi~v2;51496318]This almost happened with Vodafone and Spark's HG659(they both use the same router and it's the same damn fucking board just different plastic chassis) but you can use either ISP's firmware with Spark or the Vodafone's version of the HG659.
Vodafone's version is a real PITA to access the REAL admin page whilst Spark's one is pretty much full rights but fuck you if you wanna run a HTTP/HTTPS webserver.
On topic yeah router security has been a joke for a good while and the open source variants have been a lot better compared to ISPs and router manufacturers default firmware.
You really have got to be alert about these things. They could potentially be in control of your internet without you knowing and doing things that would be against your ISP's T&Cs, which would be really bad for you.[/QUOTE]
It's important to know that anything following DOCSIS has to be overwritable (also there's no public DOCSIS-implementing firmware that I know of).
[editline]8th December 2016[/editline]
(It's also piss easy to get root SSH access into Xfinity modems, l a f f o)
[QUOTE=Map in a box;51496356]It's important to know that anything following DOCSIS has to be overwritable (also there's no public DOCSIS-implementing firmware that I know of).
[editline]8th December 2016[/editline]
(It's also piss easy to get root SSH access into Xfinity modems, l a f f o)[/QUOTE]
Yeah, Xfinity shit wasn't getting into my house. Just grabbed a Motorola modem and an ASUS router as a holdover until I stop being lazy and finish building a new pfSense box and get a new UniFi.
[editline]8th December 2016[/editline]
Most home routers are absolute trash though. If it's not the many, many companies out there that have massive security problems, it's shit like Belkin who inadvertently brick half their routers with a pushed firmware update with no way to fix it.
[QUOTE=Levelog;51496410]Yeah, Xfinity shit wasn't getting into my house. Just grabbed a Motorola modem and an ASUS router as a holdover until I stop being lazy and finish building a new pfSense box and get a new UniFi.[/QUOTE]
Xfinity actually sent us a modem we're not supposed to have. We got an email saying that our new modem was coming, so we called and they told us we weren't getting a new modem. We got a new email saying that the new modem was shipping, and we called and they said we weren't getting a new modem. The modem arrived and we installed it and got it working and called them, and they said we didn't get a new modem. We had to call them to get techs over for some unrelated issue, I forget what, and they said that we weren't supposed to have that new modem.
We also know that if we sell the old modem they would probably email us the next day asking us to give them their old modem back.
Not exactly a company I would trust with security.
[QUOTE=Levelog;51496410]Yeah, Xfinity shit wasn't getting into my house. Just grabbed a Motorola modem and an ASUS router as a holdover until I stop being lazy and finish building a new pfSense box and get a new UniFi.
[editline]8th December 2016[/editline]
Most home routers are absolute trash though. If it's not the many, many companies out there that have massive security problems, it's shit like Belkin who inadvertently brick half their routers with a pushed firmware update with no way to fix it.[/QUOTE]
Your Motorola modem is relatively easier to exploit.
[QUOTE=Map in a box;51496446]Your Motorola modem is relatively easier to exploit.[/QUOTE]
I've yet to find a modem that Comcast will let on that isn't too easy to exploit. At least it isn't an ARRIS.
[QUOTE=Levelog;51496476]I've yet to find a modem that Comcast will let on that isn't too easy to exploit. At least it isn't an ARRIS.[/QUOTE]
The firmware on it probably is.
So if I have a Motorola Surfboard (branded with the ARRIS logo on the bottom) modem, I'm fucked? I'm a little confused here.
I can't access the settings page on it as is, never could. Fantastic.
[QUOTE=Map in a box;51496494]The firmware on it probably is.[/QUOTE]
Is it? Honestly not too familiar with cable-based shit, never had to mess with it. (Note this is a 7420, not an SB.)
[QUOTE=Quark:;51496252]As you're aware, it always starts with... denial.[/QUOTE]
No it doesn't. It starts with them saying that it's a joke.
Does he mean factory reset? 'Cause it seems to me that it would only be logical for there to not be any kind of digital connection between that option and the rest of the router, with the exception of the few moments when the reset-to-factory-settings button is pressed.
ARRIS modem exploits aren't really published (at least, the dangerous ones).
So no, you're probably fine. Most of the exploits stem from routers (namely ones in the Middle East and Russia, from my digging).
[QUOTE=fredstin22;51496953]You could just unplug the router though[/QUOTE]
You can stop any hack from working by not using computers, but that's not really the point, is it?
[QUOTE=fredstin22;51496953]You could just unplug the router though[/QUOTE]
You could stop the power plants, stops all them hackers instantly...
Heck, you could turn the earth into glass with nukes, try hacking us now Russia...
This is to do with TR-069 ACS, which is just a system for ISPs to connect to their gateway routers. The system pushes updates, allows their techs to check information on the device, etc. The only way an attacker can exploit this is if they take control of the ACS from the inside, or if they manage to find an exploit in the router's firmware to change the address of its ACS. If you don't trust your ISP to handle this correctly, just get a third-party router, since your ISP can't touch it.
This guy claiming stuff seems to be someone who wants attention, but there actually was a scare about this a while back, and someone gave a DEF CON talk on it for those interested:
[media]https://www.youtube.com/watch?v=rz0SNEFZ8h0[/media]
Why would he post this though?
Well, it's good that I switched to MikroTik. Backdoors and exploits were found in a lot of home network devices during the past few years, so it's no big surprise someone has finally scanned the internet and uploaded malicious code to vulnerable devices.
[QUOTE=Blizzerd;51497052]You could stop the power plants, stops all them hackers instantly...
Heck, you could turn the earth into glass with nukes, try hacking us now Russia...[/QUOTE]
Worked in BSG.
[I]Hah, try hacking us now Cylons, we don't use networked computers anymore![/I]