How does a compromised home router change the threat model?
A sneak peek into our RSAC talk.
Orange Cyberdefense will be attending RSA Conference 2021, demonstrating their cutting-edge research around the risks posed by secure remote access. We interviewed Wicus Ross from the Orange Cyberdefense Security Research Centre, to get a sneak peek on the recent findings concerning issues with home routers and Wi-Fi connections.
Has the threat landscape changed due to the COVID-19 crisis?
Not really. The tactics, techniques, and procedures used by attackers remained fundamentally unchanged during the examined period. Our research shows that the lockdown, because of governments' response to managing the COVID-19 pandemic, had a marginal impact on the volume and intensity of attacks. In the article titled ‘Hidden impact of COVID’, published in our Security Navigator 2021 report, we note that attackers pivoted quickly to use COVID-19 as a lure, but this lasted only a short while before moving on to other themes.
We found that attacks targeting people (e.g. phishing, water holing and scams) have been featuring more often than the year preceding the pandemic, but did not make the news more often during, or because of, the COVID-19 lockdown period. We saw that COVID-19-related social engineering attacks spiked in Q2 of 2020 and then dropped off in Q3, while other significant security events involving ‘the human’ remained constant for that period.
For us, the most relevant thing is to focus on the impact of the crisis on the systemic factors, and the first that comes to my mind is of course the massive adoption of remote working, secured by remote access technologies.
What we see is that there are some security issues with home routers and Wi-Fi connections. Even if they integrate a part of security by design, they still need to be patched and configured correctly, which is, unfortunately, not always the case.
Our research shows that a compromised home router changes the threat model. A home router, for example a Wi-Fi Access Point (AP), or any other IoT device for that matter, is typically a powerful, fully functional Linux computer that is connected to the same LAN as the user’s endpoint and is being ‘trusted’ by the endpoint in several ways. For example, the home router controls or influences network configuration (IP address, routes, DNS settings, network boot settings), web content, connectivity, and more. This puts a malicious or untrusted router in a very powerful position.
How does this control over settings translate into a change in the threat model?
Much of our research has to do with reframing concepts that seem obvious through the lens of the attacker. For example, because the AP controls DNS lookups, it can influence where connections from the endpoints go. Because the AP controls routing, it can influence how traffic flows to the enterprise network, and even whether it goes through the remote access tunnel or not. Because the AP controls access to the internet, it can prevent the remote access tunnel from being established or convince the endpoint it is behind a captive portal. Under the right circumstances, an AP could even convince an endpoint to boot up an entirely different operating system, defined and controlled by an attacker. And those are only the elements we’ve been able to think up thus far.
Would you have some concrete examples to share?
We created the following three examples:
- We can use routing configuration, supplied by the AP's Dynamic Host Configuration Protocol (DHCP) service, to overwrite the IP routes that determine what traffic goes where (e.g. what is supposed to go over the remote access technology). We use this technique to steal credentials from a user’s Microsoft Remote Desktop session.
- We use the control that an AP has over DNS to execute a so-called ‘responder’ attack to steal Windows login hashes when the user tries to access a Windows resource, like a mapped drive or printer.
- We use the AP to act like a ‘captive portal’ (like the kind you encounter when you access the internet from the airport, for example). This causes the remote access technology to pop up a proprietary ‘browser’ window. It locks out all other traffic but is supposed to allow the user to interact with the captive portal. Instead of requesting login details, however, we ask the user to update their VPN and then use a series of tricks to download and execute a remote shell.
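The first example above relies on the AP's DHCP service pushing routes that the endpoint then prefers over the tunnel's routes. As an added defender-side illustration (not code from the Orange Cyberdefense research), the following decodes the DHCP classless static route option (RFC 3442, option 121) and flags any pushed route that would win longest-prefix match over a tunnel-only corporate prefix; the corporate prefix 10.0.0.0/8, the tunnel next hop 10.255.255.1, and the AP's option bytes are constructed assumptions, and route metrics are ignored.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

def parse_classless_routes(opt: bytes) -> List[Route]:
    """Decode DHCP option 121 (RFC 3442 classless static routes).
    Each entry: prefix length (1 byte), the significant destination octets
    (ceil(prefix/8) bytes), then a 4-byte router address."""
    routes: List[Route] = []
    i = 0
    while i < len(opt):
        plen = opt[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        n = (plen + 7) // 8
        sig = opt[i + 1:i + 1 + n]
        router = opt[i + 1 + n:i + 5 + n]
        if len(sig) != n or len(router) != 4:
            raise ValueError(f"truncated route entry at offset {i}")
        dest = sig + b"\x00" * (4 - n)            # pad back to 4 octets
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes

def shadowed_routes(routes: List[Route], protected: ipaddress.IPv4Network,
                    tunnel_gw: ipaddress.IPv4Address) -> List[Route]:
    """Routes that would win longest-prefix match against the tunnel's route
    for `protected` and send that traffic to a next hop other than the tunnel.
    Route metrics are ignored (simplification)."""
    return [(net, gw) for net, gw in routes
            if net.overlaps(protected) and net.prefixlen >= protected.prefixlen
            and gw != tunnel_gw]

# Constructed sample: an AP at 192.168.1.1 hands out four routes, two of which
# cover the corporate 10.0.0.0/8 that should only be reachable via the tunnel.
SAMPLE_OPTION_121 = (
    b"\x00" + b"\xc0\xa8\x01\x01"                # 0.0.0.0/0     via 192.168.1.1
    + b"\x08\x0a" + b"\xc0\xa8\x01\x01"          # 10.0.0.0/8    via 192.168.1.1
    + b"\x10\x0a\x14" + b"\xc0\xa8\x01\x01"      # 10.20.0.0/16  via 192.168.1.1
    + b"\x18\xac\x10\x05" + b"\xc0\xa8\x01\xfe"  # 172.16.5.0/24 via 192.168.1.254
)
CORP_PREFIX = ipaddress.IPv4Network("10.0.0.0/8")   # assumed tunnel-only prefix
TUNNEL_GW = ipaddress.IPv4Address("10.255.255.1")   # assumed tunnel next hop

def audit_sample() -> List[Route]:
    return shadowed_routes(parse_classless_routes(SAMPLE_OPTION_121), CORP_PREFIX, TUNNEL_GW)

if __name__ == "__main__":
    for net, gw in audit_sample():
        print(f"ALERT: DHCP route {net} via {gw} shadows the tunnel route for {CORP_PREFIX}")
```

On a real endpoint the option bytes would come from a DHCP lease capture or the client's lease file, and the alert would be raised before the tunnel is trusted for that prefix.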
I must add that those are rare attack scenarios, but still real. Surely all these problems are mitigated when the user uses a remote access technology to establish a secure connection to the enterprise network.
In our research, we run a set of six threat scenarios against six different remote access technologies in different configurations. The results demonstrate that in a scenario where the attacker has all the power of a compromised AP, only the most rigorously configured secure remote access makes any difference. The learning is simple: the configuration is key and the “standard” mode, like most cases with most technologies, is not enough.
It is important to emphasize that secure remote access technologies do work and are indispensable to protect a network. But these technologies have limits, and good practices also need to be implemented.
To turn this into actionable priorities, don’t miss our talk at RSA Conference 2021 on 19th May. Unfortunately, we are not able to give away the details of the research beforehand. During the conference we will release a solution-focused guide including risk scenarios and recommendations to help you prioritize your immediate actions.