“Embedded devices like home routers are an obvious choice [as new targets for attackers],” Eiram said via email. “They’re used by ‘everyone,’ the code maturity from a security perspective is usually terrible, and they have no real security mechanisms in place, making exploitation easier.”
Device manufacturers are far behind when it comes to secure programming, he said. “The vulnerabilities being found are often very basic issues straight out of the 1990s like buffer overflows and OS command injection. We’ve even seen reports of blatantly obvious back-door-like ‘features’.”
Many vendors are also unprepared to deal with security issues and don’t seem to have any real security program in place, either for the development process or for handling vulnerabilities reported to them, Eiram said.
The standard networking equipment provided by ISPs to their customers can increase the threat of large-scale attacks because any critical vulnerability discovered in such devices can result in millions of potential targets with uniform configurations that are easy to attack.
These vulnerabilities are not uncommon. On Tuesday, a researcher released details about vulnerabilities found in the standard ADSL/Fiber Box devices supplied by French ISP SFR to its customers, and in January a different researcher found critical vulnerabilities in the standard EE BrightBox router supplied by U.K. ISP EE. SFR has a broadband customer base of 5.2 million, according to its website, and EE, a joint venture between Deutsche Telekom and Orange, claims that its fiber broadband service reaches 15 million U.K. households.
Ilia Kolochenko, the CEO of Geneva-based security firm High-Tech Bridge, believes it’s not only manufacturers that are to blame for the poor security of routers. Many users are often the bigger problem because they don’t even change the default admin password on their devices, leaving the door wide open for attackers, he said via email.
However, Kolochenko agreed that updating and configuring routers can prove difficult for non-technical people and thinks that ISPs should educate their customers about the importance of configuring their routers in a secure way, just like they advise them on securing their PCs.
“Right now, it would be good if people at least realized that their home routers should also be secured, as they are not just ‘devices to plug-in and forget about’,” he said. “Then they can hire IT consultants from their ISPs — many offer telephone consulting and guidance for free — or ask IT-savvy friends to check if their router is secure.”
“The majority of installed embedded devices — not just routers, but TVs, storage devices and anything else you place in that ‘Internet of Things’ bucket — do not automatically update,” Ford said. “This means they do not automatically install important security fixes that address issues like these.”
Eiram believes that the absence of automatic updates is exactly the reason why embedded devices should have better code maturity and secure configurations from the beginning.