Several models of popular Linksys-brand routers may impacted by a self-replicating worm that can exploit a security flaw in the router’s programming. The exploit allows attackers to install a worm in the firmware which can lead to further security breaches on any device connected to that router’s network. According to Linksys, this exploit requires that the routers have the “Remote Management” feature enabled on the device, a setting that is disabled by default on Linksys routers. Depending on who set up your router, this setting may have been enabled expressly for remote management purposes, and as such your device is vulnerable to the worm, dubbed “TheMoon”.
What this means for you:
Linksys routers are a popular choice for home and small businesses. Unless you know for certain your router is not a Linksys device, I would put an eyeball on your router and check the make and model against the list below. Your network router is a critical point in your network’s overall security, and a compromised router can lead to a variety of problems and significant invasions of your privacy and safety. Even if your Linksys model is not named below, it’s important to check whether or not “Remote Management” is enabled on your device.
As of now, the following model routers are affected: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. Linksys hasn’t confirmed whether this list will grow, as it does not want to reveal other models and make them targets for attacks. Until Linksys can patch the loopholes and issue firmware updates the only workaround is to disable the Remote Management feature, install the latest version of the firmware available, and reboot the router to clear any possible worms.
You’ve seen it in movies and television probably dozens of times: video surveillance systems being hacked into by both heroes and villains and being fooled into showing looped footage allowing said hero/villain to proceed undetected. This time around, life is imitating art as a security researcher demonstrated at the Black Hat security conference held this past weekend. In his presentation, dubbed “Exploiting Surveillance Cameras Like a Hollywood Hacker”, former NSA worker Craig Heffner demonstrated how he was able to research and exploit readily available internet-enabled video cameras commonly used for security surveillance in homes and businesses around the world. Given the well-honed skeptical nature of Black Hat attendees, Mr. Heffner provided a live demonstration wherein he focused a compromised camera on a bottle placed on stage. While the audience watched via the security console, Heffner hacked the camera to display a spoofed image of the bottle (the “Hollywood” part), and then proceeded to “steal” the bottle while the security camera continued to display an unmolested bottle.
What this means for you:
Unfortunately, Heffner was able to exploit cameras from many manufacturers primarily because the device firmwares contained hard-wired passwords and other backdoor mechanisms. Thanks to the internet, Heffner was able to download copies of many camera firmwares and research the vulnerabilities without even owning the actual device. Heffner contends that he has yet to come across a model of internet security camera that he cannot hack, primarily because the manufacturers have been careless in removing the backdoors and weakness, and that the basic operating system varied in only minor ways from model to model. If you are actively using any of the cameras listed in Heffner’s presentation, you may want to consider disconnecting them from the network (which essentially defeats the “Internet-enabled” part), or disabling them completely until the manufacturers patch the obvious security weaknesses.
Image courtesy of Renjith Krishnan / FreeDigitalPhotos.net