Slashdot Mirror


Mass Router Hack Exposes Millions of Devices To Potent NSA Exploit (arstechnica.com)

More than 45,000 Internet routers have been compromised by a newly discovered campaign that's designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers say. From a report: The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don't reveal precisely what happens to the connected devices once they're exposed, Akamai said the ports -- which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed -- provide a strong hint of the attackers' intentions.

The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play -- often abbreviated as UPnP -- to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets.

38 of 73 comments

  1. Who has power by Anonymous Coward · · Score: 1

    I'm not an American but I thought in a democracy everyone can vote to just abolish the NSA, for example. With how shitty the NSA has been the last two decades, what's the deal on that?

    1. Re:Who has power by Anonymous Coward · · Score: 1

      It's supposed to be a representative democracy. We elect the people (congress) that have the power to abolish the NSA. Once they get elected, they no longer have the desire to abolish the NSA... hmmm...

    2. Re:Who has power by pgmrdlm · · Score: 3, Interesting

      Why would I want to abolish an agency that is part of my national defense. And able to intercept attacks before they happen by monitoring communications? Look at any war that has occurred. Interception of communications has always been a national defense strategy by all nations?

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    3. Re:Who has power by jpaine619 · · Score: 1

      The US is a Democratic Republic, sometimes referred to as a Representative Republic. Citizens vote for those who govern them, but not on laws.

      Pure democracy doesn't work out too well. Mob rule isn't a great way to do things.

    4. Re:Who has power by jpaine619 · · Score: 2

      Why would you want to keep an agency around that doesn't just spy on our enemies, but also spies on us?

    5. Re:Who has power by shoor · · Score: 2

      As others have pointed out, it's a representative democracy. When the USA was started, neither the telegraph nor the railroad had been invented yet. Counties would elect representatives to go off to State Capitals, and States would elect representatives to go off to Washington, D.C. because that was the only practical way to get things done. We still have that system which was put in place with the adoption of our Constitution.

      However, the real problem is with human nature itself. You've probably heard expressions like "Power corrupts, and absolute power corrupts absolutely", or "Who watches the watchers." We have several TLA (Three Letter Acronym) Agencies that we have to deal with; the FBI, the CIA, and the NSA are the biggest and best known, and each has plenty of scandals in its history. To some extent they watch each other, or maybe it's mostly the FBI watching the CIA. Check out Aldrich Ames for example https://en.wikipedia.org/wiki/Aldrich_Ames

      Governments feel like they need these agencies, and maybe they do, but even if they start out with nothing but highly competent honorable people, they are bound to gradually go from being what historian Carroll Quigley called 'instruments' into what he called 'Institutions':

      transformation of social arrangements functioning to meet real social needs into social institutions serving their own purposes regardless of real social needs

      (Quote is from the Wikipedia entry on Quigley.)

      There's no easy simple solution to the problem because the problem is in human nature. The first amphibian that evolved to walk on dry land probably couldn't walk very well. The first bird that evolved flight probably couldn't fly very well. We're the first species to come up with this thing we call 'civilization'. How good do you think we are at it?

      --
      In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
    6. Re: Who has power by jd · · Score: 2

      Except that they have never successfully prevented any attacks. A congressional enquiry got the NSA to admit a 100% failure rate.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    7. Re: Who has power by Anonymous Coward · · Score: 1

      And yet all our neighbors have routers that are now NSA infected...
      I can put 2 and 2 together, if you can't that's your problem.

    8. Re:Who has power by AHuxley · · Score: 1

      The US had its Army and Navy do that to a great standard before the NSA.

      --
      Domestic spying is now "Benign Information Gathering"
  2. More Backdoors, more backdoors...!! by ripvlan · · Score: 2

    We need the government to request and be granted access to Back Doors !!!! Because we know that they will keep it secret and none of us will ever be affected by rogue hackers figuring them out. Better yet - the No Such Agency can be in charge of keeping the secrets.

    Government secrets !! yay team !

    1. Re: More Backdoors, more backdoors...!! by Z00L00K · · Score: 1

      I agree here. I would like to abolish UPnP entirely and ban it.

      In addition to that also kick the inventor in the nuts.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re: More Backdoors, more backdoors...!! by mikael · · Score: 1

      That would be https://en.wikipedia.org/wiki/...

      He was the person who designed the Atari home computer SIO bus. For many peripherals, the device driver was actually contained within the device itself. Upon connection by the interface cable, the device driver would be uploaded. When the interface cable was removed, the device driver was removed.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  3. UPnP by JBMcB · · Score: 4, Insightful

    The first five or six waves of horrendous uPnP vulnerabilities weren't enough to convince people that uPnP on your router is a bad idea?

    --
    My Other Computer Is A Data General Nova III.
    1. Re: UPnP by BlueStrat · · Score: 2

      Of course they fucking talked about them, each time. If you had UPnP running after 2002 YOU ARE A MORON.

      They talked about them on tech sites and blogs. Not in places where mom, dad, or grandpa & grandma would notice. The most they would have seen is some newsreader mentioning something about NSA leaks and exploits by "hackers" in a fact- and detail-free one or two line blurb/filler in between the local news and the weather forecast.

      The vast majority of non-tech-savvy "normies" have still never heard of any of it. The MSM doesn't try to inform anyone because such tech-heavy articles with enough info to be useful don't drive many advertising views or clicks on articles.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    2. Re: UPnP by BlueStrat · · Score: 1

      No excuse for your illiteracy.

      LOL! Found the NPC!

      I build my own shit, including the computer and an old PC that serves as a router with NETBSD and PF.

      Strat
      (signed just because it annoys NPCs like yourself)

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:UPnP by St.Creed · · Score: 1

      It certainly stops everything inside your network from opening ports at will through the UPnP protocol. It's the first thing I disable on any router I control. If I open ports, it's because I want to do so, not because my TV or fridge decided it was a nice day to open up the gates.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    4. Re:UPnP by Anonymous Coward · · Score: 1

      ... So obviously turning UPnP off makes it so that UPnP cannot be exploited.

      Just like disabling WiFi on an iPhone. Oh wait...

    5. Re: UPnP by Trogre · · Score: 1

      Do you support your grandparent's network hardware with that mouth?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  4. Thanks by phalse+phace · · Score: 1

    Thanks, NSA

  5. Is there a list? by Anonymous Coward · · Score: 5, Insightful

    I don't care about badly written vague explanations of how the exploit works. Is there a list of routers affected so I can search for mine?

    1. Re:Is there a list? by msmash · · Score: 2, Informative

      There isn't one. Here's what Akamai advises: "The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit its NAT table entries. There are a handful of frameworks and libraries available in multiple languages to aid in this process. Below is a simple bash script used during this research. It is capable of testing a suspected vulnerable endpoint by attempting to dump the first 10,000 UPnP NAT entries from the device's exposed TCP daemon."

    2. Re:Is there a list? by SEMLogistics · · Score: 5, Informative

      Yes, Akamai published the list of manufacturers and models in their whitepaper: https://www.akamai.com/us/en/m...

    3. Re:Is there a list? by Anonymous Coward · · Score: 1

      Probably every single router with UPnP enabled. That's the whole point of UPnP, to allow applications a universal way to request an open port forward from the router. There is absolutely no way to authenticate that the application that requested the port to be opened is the application that is actually listening to that port on the client device, and likely there is no way to even authenticate that the device that requested the open port is even the device that the port forward is pointing to, seeing as it is quite trivial to spoof packets within a typical home network.

      Basically UPnP should be removed from every single router firmware ASAP, it was a security nightmare from the get go.

    4. Re:Is there a list? by Cowardly+Lurker · · Score: 1

      Good old "Shields Up" has a UPnP exposure test.

      Gibson Research --> https://www.grc.com/x/ne.dll?b...

    5. Re:Is there a list? by emil · · Score: 1

      The examples at the end of Akamai's (rather old) document use curl, and require a URL to the uPnP server.

      I have loaded the upnpc binary on my copy of Raspbian, and it will probe the local network for the server. I think this is how you can obtain the URL:

      # upnpc -l | awk '$1=="desc:"'
      desc: h ttp://192.168.0.1:5000/rootDesc.xml

      Note that I added the space above in the URL to prevent slashdot from mangling it.

      I am running an Arris modem with 2013 firmware, but there is nothing from my manufacturer on Akamai's list.
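
An added example, not part of the thread and not Akamai's script: one way to do the NAT-table audit that the Akamai advice quoted above describes, applied to the port-mapping list printed by `upnpc -l`. The sample listing is constructed, the line layout is assumed to match the miniupnpc client's output, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample; layout assumed to match `upnpc -l`:
#   index  protocol  exPort->inAddr:inPort  'description'  'remoteHost'  lease
SAMPLE_UPNPC_OUTPUT = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  6881->192.168.0.23:6881  'bittorrent' '' 0
 1 TCP   445->192.168.0.40:445   'constructed entry' '' 0
 2 TCP 18080->203.0.113.7:80     'constructed entry' '' 0
 3 UDP  3074->192.168.0.31:3074  'console' '' 0
 4 TCP 20139->192.168.0.40:139   'constructed entry' '' 0
"""

WATCHED_PORTS = {139, 445}  # the two ports named in the article
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENTRY_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<addr>[0-9.]+):(?P<int>\d+)\s+'(?P<desc>[^']*)'")

def parse_mappings(text):
    """Yield one dict per mapping line; the header and other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield {"proto": m["proto"], "ext_port": int(m["ext"]),
                   "addr": m["addr"], "int_port": int(m["int"]),
                   "desc": m["desc"]}

def audit(text):
    """Return (entry, reasons) for every mapping that deserves a closer look."""
    findings = []
    for e in parse_mappings(text):
        reasons = []
        if {e["ext_port"], e["int_port"]} & WATCHED_PORTS:
            reasons.append("exposes port 139 or 445")
        try:
            addr = ipaddress.ip_address(e["addr"])
            if not any(addr in net for net in LAN_NETS):
                reasons.append("internal client is not an RFC 1918 LAN address")
        except ValueError:
            reasons.append("unparseable internal client address")
        if reasons:
            findings.append((e, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_UPNPC_OUTPUT):
        print(entry["proto"], entry["ext_port"], "->",
              f'{entry["addr"]}:{entry["int_port"]}', "|", "; ".join(reasons))
```

A mapping whose internal client lies outside the LAN ranges means the router is forwarding traffic back out to another host, which is the proxy behaviour the summary attributes to UPnProxy.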

    6. Re:Is there a list? by ewhac · · Score: 1

      Basically UPnP should be removed from every single router firmware ASAP, it was a security nightmare from the get go.

      This is why I long ago started referring to UPnP as Universal Penetrate and Pwn. UPnP support is one of the first things I shut off when configuring a new router/firewall.

    7. Re:Is there a list? by pope1 · · Score: 1

      I redid the test script Akamai wrote so it executes without error under macOS: http://rkdn.app/upnp.sh

      Combined that with the home brew build of upnpc and rooted out one ASUS Wifi router at work that needed a firmware update.

      It would be interesting to see what others are finding on their own LANs.

      Those of us who can manage our own tech are a rounding error compared to the number of vulnerable devices out there,
      but at least we can protect ourselves from this mess.

      Universal Plug and Play was the penultimate example of trading security for compatibility,
      and it should have died a long time ago..

      --
      /* * pope1 */
    8. Re:Is there a list? by TheFakeTimCook · · Score: 1

      Yes, Akamai published the list of manufacturers and models in their whitepaper: https://www.akamai.com/us/en/m...

      Another reason to bemoan the discontinuance of Apple Routers: They are NOT on that list!!!

    9. Re: Is there a list? by emil · · Score: 1

      I like upnpc, as it is an easy way to get the router's external IP address without going outside my internal network. I wonder if registering the two exploit ports to a nonexistent internal IP would prevent any firmware flaws from being exploited. It might actually be useful to register them all with a nightly cron job.

    10. Re: Is there a list? by pope1 · · Score: 1

      Forward the ports to 0.0.0.0 and you don't have to worry about someone allocating that internal IP for a future project years from now.

      --
      /* * pope1 */
  6. But you said crossing the streams was bad... by the_skywise · · Score: 1

    My understanding is that uPnP is necessary to open up dynamic ports to the outside world from other devices on the network like Xbox or for chat programs, running bittorrent, etc., which is the only reason I've left it on on my router.
    Is this no longer the case?

    1. Re: But you said crossing the streams was bad... by Anonymous Coward · · Score: 1

      What you say is true, although there are other ways a router can be signalled to open ports.

      However, if you know what your devices inside of your network are doing you can just only manually forward specific ips and ports. It really depends how much you have going on in your network.

    2. Re:But you said crossing the streams was bad... by jeff4747 · · Score: 1

      you can manually do that for known port ranges like Xbox or most things

      If you only have one on your network.

  7. Read the ULA by AndyKron · · Score: 1

    Will the NSA be paying for this? Thought not.

  8. isnt eternal blue g8zw4r3? by yfeefy · · Score: 1

    Why would anyone be running billy bathgates on a ROUTER?? article seems to make no sense

  9. It would not be hard by jd · · Score: 1

    To make a router that couldn't suffer such security failings. There would be a few disadvantages - first, it would be bulkier, second it would be more complex to administer, thirdly you'd face massive opposition because nobody really wants security. If they did, such devices would be the norm.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:It would not be hard by sremick · · Score: 2

      Like pfSense?

      https://www.pfsense.org/

      I wouldn't say it's "bulkier"... you can run it on pretty tiny hardware, like I do (mine is a tiny Jetway box, smaller than most peoples' routers, chassis is metal and functions as the heatsink). Definitely "more complex to administer" but it's right up my alley.

    2. Re:It would not be hard by sad_ · · Score: 1

      I doubt it would be the norm.
      It's still cheaper to ignore security, and in the end money wins.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.