The Hidden Danger of SOHO Routers
November 10, 2014
The folks at Threat Brief tweeted a note yesterday about a serious security flaw in the Belkin N750 router. It seems that the router opens a public web interface by default. To complicate matters, an exploit exists that can allow an external user to gain root access. An external user with root access to a router has access to virtually anything on the inside.
To quote Threat Brief: "The good news is that the bug has already been patched by Belkin. The bad news is that approximately nobody installs router firmware updates." This opens a can of worms for SMBs (and home users). A huge number of SOHO routers and access points are in use in the US. It is not uncommon for vulnerabilities to be found in these products. Since in some cases they use open source or purchased code for some of their functionality, one bug can impact a variety of products. One such vulnerability is the infamous Heartbleed bug. While the security vendor Tripwire found that this particular vulnerability is not generally an issue for SOHO products due to the inability of an outside user to exploit it, their follow-up comment is chilling: "critical security flaws are endemic to small office/home office (SOHO) routers."
SOHO vendors are generally very good about identifying threats, and issuing firmware updates to resolve them, but as Threat Brief pointed out, almost nobody ever installs them. The typical approach to SMB router installation is:
Do minimal configuration to make it work
Ignore it until it breaks
The logical conclusion is that there are potentially millions of routers in use by SMBs that have significant vulnerabilities. Because these organizations typically fly below the radar, they do not tend to be targets, and if they have a breach, it is often not discovered or announced. Case in point: another tweet by Threat Brief about a dermatologist office in NC that had a breach two years ago that they just now discovered.
If you are an SMB, I would like to tell you there is a simple solution. Unfortunately, as in most other areas, there is no free ride. There are some actions that should be taken, however:
Start with a good quality, well supported product. Avoid cheap off brands that may not be supported properly.
Spend some time configuring the router. Make sure that the management interface is not open to a public network. Use a strong password, and keep any unneeded ports closed.
Turn on logging for your router, and check the logs periodically.
Check frequently for vendor firmware updates for your router. Set a calendar reminder to do this. There are a few models available that can automatically notify you about appropriate firmware updates. One example is the Cisco RV215W.
If your vendor officially stops supporting the device, meaning no further firmware updates will be issued, replace it.
Consider buying an enterprise-class device, instead of a SOHO device. You will pay more up front, but you will get a more secure product that will be supported much longer.
Have external network penetration tests (known as a Pentest) performed periodically. This will help to identify ports open to the Internet that could be exploited. Vulnerabilities are useless to an outside hacker if he/she cannot get to the device in the first place. A good Pentest will also identify any known vulnerabilities.
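To illustrate the logging and management-interface items above, here is an added example (not part of the original post) that scans router log text for admin-interface logins coming from outside the LAN. The log format, sample lines and function names are assumptions constructed for illustration; real router log formats vary by vendor.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed syslog-like format (not from a real
# device). External sources use documentation-range addresses.
SAMPLE_LOG = """\
Nov  9 02:14:07 router httpd: admin login failed from 203.0.113.45
Nov  9 02:14:09 router httpd: admin login failed from 203.0.113.45
Nov  9 02:14:12 router httpd: admin login success from 203.0.113.45
Nov  9 08:30:51 router httpd: admin login success from 192.168.1.20
Nov  9 09:02:13 router httpd: admin login failed from 192.168.1.20
Nov  9 11:47:30 router httpd: admin login failed from 198.51.100.7
Nov  9 11:50:02 router dhcpd: lease 192.168.1.31 to 00:11:22:33:44:55
"""

# Assumed message layout; adjust this pattern to match your router's logs.
LINE_RE = re.compile(r"httpd: admin login (?P<result>failed|success) from (?P<src>\S+)")

# IPv4 ranges treated as "inside": RFC 1918, loopback and link-local.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def wan_admin_events(log_text):
    """Return {source_ip: Counter(result)} for admin logins from outside the LAN."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an admin-interface login line
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if any(src in net for net in LAN_NETS):
            continue  # login came from the inside network
        events.setdefault(str(src), Counter())[m["result"]] += 1
    return events

def report(log_text):
    """Rows of (ip, failed, success); sources with a successful login sort first."""
    rows = [(ip, c["failed"], c["success"]) for ip, c in wan_admin_events(log_text).items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for ip, failed, ok in report(SAMPLE_LOG):
        flag = "SUCCESSFUL LOGIN" if ok else "attempts only"
        print(f"{ip}: {failed} failed, {ok} success ({flag})")
```

Any row in the report means the management interface answered a request from a public address, which is the misconfiguration the second item above says to close.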
As I said, the above steps are not exactly easy or quick; however, they are necessary and essential. If you are not convinced, I suggest you contact a certain dermatologist in NC.