May 10, 2016

Inviting Hackers Inside: The Risks in Routers

How secure is your home router?

Last year, dozens of organizations were hit with distributed denial of service (DDoS) attacks. The culprit? Home routers infected with malware. Hackers marshaled tens of thousands of home routers into a potent botnet to stage the attacks. Researchers discovered that these routers had been set up with gaping security holes. Among them: the routers’ management interfaces were exposed to the internet and still used default credentials. Once a router is infected, the malware often runs scripts that scan the internet for other routers with similar vulnerabilities, compounding the potency of the botnet.

As computer security improves, hackers constantly search for alternative pathways into networks. Routers are a virtual welcome wagon. Security is lax and, once hackers are in control, they have easy access to virtually anything—including encrypted information. This can put organizations at risk if employees connect to home networks to conduct enterprise business.

Hacker Paradise in a Box

Call it the soft underbelly of the Internet of Things. Dozens of home devices, from security cameras and televisions to refrigerators and thermostats, communicate with each other through Wi-Fi connections. The hub of these connections is the home router. Yet the typical router is a minefield of security gaps.

Chief among them: firmware, the low-level software that controls the router’s features. Router component makers often don’t update firmware that has well-known security flaws. That means these devices are often sold new with vulnerabilities for which fixes have already existed, in many cases for years. And many router manufacturers don’t have systems that easily allow users to check for and install firmware updates.

The Wall Street Journal reports that router makers are cutting costs by skipping product security checks and efforts to keep customers informed of updates. Routers are often purchased solely on price and manufacturers have little incentive to make security a priority. Few users scan manufacturer websites to check for firmware updates, and they often keep the devices for years—long after router makers have ceased issuing updates.

That means critical security vulnerabilities that were identified and fixed years or even a decade ago are still present in thousands of routers. Add to this that few users change the default admin passwords, and most manufacturers don’t require users to change them during setup. It’s a serious hole in security.

Attacks from the Edge

Yet it’s not only routers that can wreak havoc. The Wall Street Journal also reported that testers were able to hijack email accounts through a refrigerator by attacking the link it used to display the user’s Google calendar on the unit’s touchscreen.

The solution? Enterprises can start by making their employees aware of the critical security vulnerabilities of their home routers. Advise them to change their default router login credentials immediately, replacing them with a complex password string. They should also frequently check for firmware updates for routers as well as devices linked to their network. If their router is more than a few years old, suggest they purchase a new one, preferably from a manufacturer with a solid security track record.

Without diligence, the Internet of Things can easily be transformed into a web of cyber-anarchy. Making sure your employees understand the risks can mean the difference between security and a breach.
