Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Technology

Mass Router Hack Exposes Millions of Devices To Potent NSA Exploit (arstechnica.com) 73

More than 45,000 Internet routers have been compromised by a newly discovered campaign that's designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers say. From a report: The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don't reveal precisely what happens to the connected devices once they're exposed, Akamai said the ports --which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed -- provide a strong hint of the attackers' intentions.

The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play -- often abbreviated as UPnP -- to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets.

This discussion has been archived. No new comments can be posted.

Mass Router Hack Exposes Millions of Devices To Potent NSA Exploit

Comments Filter:
  • by Anonymous Coward

    I'm not an American but I thought in a democracy everyone can vote to just abolish the NSA, for example. With how shitty the NSA has been the last two decades, what's the deal on that?

    • by Anonymous Coward
      It's supposed to be a representative democracy. We elect the people (congress) that have the power to abolish the NSA. Once they get elected, they no longer have the desire to abolish the NSA... hmmm...
    • Re: (Score:3, Interesting)

      by pgmrdlm ( 1642279 )
      Why would I want to abolish an agency that is part of my national defense. And able to intercept attacks before they happen by monitoring communications? Look at any war that has occurred. Interception of communications has always been a national defense strategy by all nations?
    • Comment removed based on user account deletion
    • by shoor ( 33382 )

      As others have pointed out, it's a representative democracy. When the USA was started, neither the telegraph nor the railroad had been invented yet. Counties would elect representatives to go off to State Capitals, and States would elect representatives to go off to Washington, D.C. because that was the only practical way to get things done. We still have that system which was put in place with the adoption of our Constitution.

      However, the real problem is with human nature itself. You've probably heard

  • by ripvlan ( 2609033 ) on Thursday November 29, 2018 @01:59PM (#57721544)

    We need the government to request and be granted access to Back Doors !!!! Because we know that they will keep it secret and none of us will ever be affected by rogue hackers figuring them out. Better yet - the No Such Agency can be in charge of keeping the secrets.

    Government secrets !! yay team !

  • UPnP (Score:5, Insightful)

    by JBMcB ( 73720 ) on Thursday November 29, 2018 @01:59PM (#57721546)

    The first five or six wave of horrendous uPnP vulnerabilities weren't enough to convince people that uPnP on your router is a bad idea?

  • Thanks, NSA

  • Is there a list? (Score:5, Insightful)

    by Anonymous Coward on Thursday November 29, 2018 @02:02PM (#57721556)

    I don't care about badly written vague explanations of how the exploit works. Is there a list of routers affects so I can search for mine?

    • Re: (Score:3, Informative)

      by msmash ( 4491995 ) Works for Slashdot
      There isn't one. Here's what Akamai advises: "The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit it's NAT table entries. There are a handful of frameworks and libraries available in multiple languages to aid in this process. Below is a simple bash script used during this research. It is capable of testing a suspected vulnerable endpoint by attempting to dump the first 10,000 UPnP NAT entries from the devices exposed TCP daemon."
    • Re:Is there a list? (Score:5, Informative)

      by SEMLogistics ( 1114137 ) on Thursday November 29, 2018 @02:25PM (#57721680)
      Yes, Akamai published the list of manufacturers and models in their whitepaper: https://www.akamai.com/us/en/m... [akamai.com]
      • by emil ( 695 )

        The examples at the end of Akamai's (rather old) document use curl, and require a URL to the uPnP server.

        I have loaded the upnpc binary on my copy of Raspbian, and it will probe the local network for the server. I think this is how you can obtain the URL:

        # upnpc -l | awk '$1=="desc:"'
        desc: h ttp://192.168.0.1:5000/rootDesc.xml

        Note that I added the space above in the URL to prevent slashdot from mangling it.

        I am running an Arris modem with 2013 firmware, but there is nothing from my manufacturer on Akama

        • by pope1 ( 40057 )

          I redid the test script Akamai wrote so it executes without error under macOS: http://rkdn.app/upnp.sh

          Combined that with the home brew build of upnpc and rooted out one ASUS Wifi router at work that needed a firmware update.

          It would be interesting to see what others are finding on their own LANs.

          Those of us who can manage our own tech are a rounding error compared to the number of vulnerable devices out there,
          but at least we can protect ourselves from this mess.

          Universal Plug and Play was the penultimate ex

          • I like upnpc, as it is an easy way to get the router's external IP address without going outside my internal network. I wonder if registering the two exploit ports to a nonexistent internal IP would prevent any firmware flaws from being exploited. It might actually be useful to register them all with a nightly crown job.
            • by pope1 ( 40057 )

              Forward the ports to 0.0.0.0 and you don't have to worry about someone allocating that internal IP for a future project years from now.

      • Yes, Akamai published the list of manufacturers and models in their whitepaper: https://www.akamai.com/us/en/m... [akamai.com]

        Another reason to bemoan the discontinuance of Apple Routers: They are NOT on that list!!!

    • by Anonymous Coward

      Probably every single router with UPnP enabled. That's the whole point of UPnP, to allow applications a universal way to request an open port forward from the router. There is absolutely no way to authenticate that the application that requested the port to be opened is the application that is actually listening to that port on the client deivce, and likely there is no way to even authenticate that the device that requested the open port is even the device that the port forward is pointing to, seeing as it

      • by ewhac ( 5844 )

        Basically UPnP should be removed from every single router firmware ASAP, it was a security nightmare from the get go.

        This is why I long ago started referring to UPnP as Universal Penetrate and Pwn. UPnP support is one of the first things I shut off when configuring a new router/firewall.

    • Good old "Shields Up" has a UPnP exposure test.

      Gibson Research --> https://www.grc.com/x/ne.dll?b... [grc.com]

  • My understanding is that uPnP is necessary to open up dynamic ports to the outside world from other devices on the network like Xbox or for chat programs, running bittorrent, etc; Which is the only reason I've left it on on my router.
    Is this no longer the case?
    • What you say is true, although there are other ways a router can be signalled to open ports.

      However, if you know what your devices inside of your network are doing you can just only manually forward specific ips and ports. It really depends how much you have going on in your network.

  • Will the NSA be paying for this? Thought not.
  • Why would anyone be running billy bathgates on a ROUTER?? article seems to makes no sense
  • To make a router that couldn't suffer such security failings. There would be a few disadvantages - first, it would be bulkier, second it would be more complex to administer, thirdly you'd face massive opposition because nobody really wants security. If they did, such devices would be the norm.

    • by sremick ( 91371 )

      Like pfSense?

      https://www.pfsense.org/ [pfsense.org]

      I wouldn't say it's "bulkier"... you can run it on pretty tiny hardware, like I do (mine is a tiny Jetway box, smaller than most peoples' routers, chassis is metal and functions as the heatsink). Definitely "more complex to administer" but it's right up my alley.

    • by sad_ ( 7868 )

      i doubt it would be the norm.
      it's still cheaper to ignore security, and in the end money wins.

Genius is ten percent inspiration and fifty percent capital gains.

Working...