Safeguarding Routers: Mitigating IoT Security Risks
While routers are critical to any digitally transformed business, they often remain out of sight, which can leave them out of mind. Routers do exactly what their name suggests: route network requests and responses between connected devices and resources. Between routers’ importance in digital communications and the data they transmit, malicious actors increasingly seek to gain unauthorized access to them. Whether attackers want to gain control of the device to engage in a Denial of Service (DoS) attack or compromise sensitive data traversing the network, they have recognized that routers are a lucrative attack vector.
Simultaneously, routers are difficult to secure. Unlike traditional business devices, they often run on proprietary firmware and low-level programming embedded in the hardware. As organizations seek to mitigate cybersecurity, privacy, and business interruption risks, they should understand router vulnerabilities and how to implement appropriate controls and monitoring.
How Are Routers Vulnerable?
Since they maintain internet connectivity and direct traffic between networks, routers are attractive targets for malicious actors. Since the devices are pervasive across all businesses and industries, attackers increasingly seek to leverage router vulnerabilities as part of supply chain attacks so they can gain unauthorized access to the large wired and wireless network attack surface.
At Black Hat Europe, security researchers reported finding various security vulnerabilities in routers, many arising from open-source components. These vulnerabilities included issues like:
- Hardcoded credentials
- Denial of Service (DoS) issues
- Stored cross-site scripting (XSS)
- Multiple remote code/command execution (RCE) issues
What Are Some Known Router Vulnerabilities?
While attackers may attempt to exploit previously unknown vulnerabilities (zero-day attacks), these attacks require time, skill, and financial investment. More often, malicious actors will seek to use known vulnerabilities listed on the Common Vulnerabilities and Exposures (CVE) list.
For example, some newer CVEs considered to be Critical or High severity include:
- CVE-2024-30407: Hardcoded SSH host keys on the container enable attackers to perform Man-in-the-Middle (MitM) attacks against Juniper Networks Juniper Cloud Native Router (JCNR).
- CVE-2023-47618: A post-authentication command execution vulnerability enables attackers to craft HTTP requests that could lead to arbitrary command execution on Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591.
- CVE-2024-22773: Exposed passwords in cookies enable attackers to bypass login for Intelbras Action RF 1200 routers 1.2.2 and earlier and Action RG 1200 routers 2.1.7 and earlier.
- CVE-2023-51743: Insufficient validation of user-supplied inputs means remote attackers could perform a DoS attack against Skyworth Router CM5100 version 4.1.1.24.
- CVE-2023-7211: Vulnerability affecting the Administrative Web Interface on the Uniway Router 2.0 enables attackers to initiate remote attacks based on the ability to authenticate using an IP address.
Additionally, according to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the total number of matches for the search “router” has increased as follows:
- 2020: 18,349
- 2021: 20,155
- 2022: 25,042
- 2023: 28,823
The continued increase in references to routers in the NVD corresponds to the increased identification of vulnerabilities in these devices.
Problematically, when researching router vulnerabilities, the NVD CVE details page often indicates that the vulnerability is currently awaiting analysis. For example, in May 2024, an issue was discovered in routers running the open-source, Linux-based OpenWrt (open wireless router) 18.06, 19.07, 21.02, 22.03, and beyond that malicious actors could use to hijack TCP sessions as part of a DoS attack.
Organizations using the devices containing these unanalyzed vulnerabilities have no insight into severity, making it difficult to prioritize the next steps. In late May of 2024, NVD committed to putting more resources into this issue to eliminate the backlog.
Why Should You Care About Router Firmware Vulnerabilities?
While routers often seem like black box devices that simply direct network traffic, the reality is that these devices contain sensitive data, making them increasingly attractive to attackers who seek to exploit vulnerabilities.
When considering the potential risk these devices pose to data, networks, and operations, organizations should consider that:
- Routers often contain secrets that attackers can use, like VPN credentials, hashed root passwords, customer information, and IP security data.
- Attackers continue to deploy malware attacks against routers, especially nation-state actors.
- Exploiting network vulnerabilities allows advanced persistent threat (APT) groups to compromise routers so they can evade detection and make root cause investigation more difficult.
- Attackers can use router vulnerabilities to disrupt traffic or cause packet loss.
Why Is Securing Routers Challenging?
Despite their importance to business operations, many companies struggle to secure routers. Organizations have technologies that enable them to monitor traditional devices, like workstations that run well-known operating systems. However, routers typically use firmware, code embedded into the hardware that directs the device’s operations.
The differences in how routers work and their functions in the IT environment create security challenges like:
- Inability to install software, like an antivirus, on the device
- Manufacturers do not always automatically update their proprietary firmware, unlike operating system and software vendors
- Inability to identify vulnerabilities hidden in the firmware, especially those arising from open-source components
- The high volumes of data routers transmit make traffic analysis for threat detection difficult
- Custom firmware builds, like OpenWrt, require the organization to identify vulnerabilities outside of manufacturer updates
3 Best Practices For Securing Routers
To mitigate risks from vulnerable routers, organizations need to implement security technologies that enable them to gain visibility into all devices connected to and managing networks.
1. Identify and Inventory Devices
Asset identification, inventory, and management are critical to ensuring that all devices have the appropriate security coverage. With passive network scanners, organizations can identify their routers without having to install an agent. Passive scanners can detect and fingerprint devices, providing information like:
- Hardware: manufacturer, model, serial number
- Software: operating system, version, firmware revisions
- Device type and function
- Security assessment: vulnerabilities and risks
2. Scan for Vulnerabilities
With visibility into the routers on the network, organizations can mature their security program by identifying vulnerabilities, even those embedded in firmware. With a passive scanning solution, companies can:
- Identify exploitable vulnerabilities for each device within the environment
- Leverage threat intelligence to prioritize remediation activities based on real-time exploitability
- Use actionable remediation recommendations that may include applying security updates or implementing compensating controls to minimize risk
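To make steps 1 and 2 concrete, here is an added example (not Asimily’s code or product logic) that turns passively observed banner strings into an inventory and then matches each device against a small advisory table. Everything in it is constructed for illustration: the banner strings imitate what a passive sensor might see in an SNMP sysDescr or HTTP Server header, the advisory table is a hand-written subset that reuses only the CVE IDs and affected versions quoted above, and the `score` values are placeholders standing in for an exploitability signal such as EPSS rather than real scores.

```python
"""Passive fingerprinting, inventory, and CVE matching (added example; not
Asimily's code). All banners, scores, and fingerprint rules are constructed;
the CVE IDs and affected versions are the ones quoted in the article."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    ip: str
    vendor: str
    model: str
    firmware: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    model: str
    affected: Callable[[tuple], bool]  # predicate over a parsed version tuple
    score: float                        # placeholder exploitability score (not real EPSS)


def parse_version(v: str) -> tuple:
    """'4.1.1.24' -> (4, 1, 1, 24); tuples compare lexicographically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


# Constructed fingerprint rules: regex -> (vendor, model); the 'fw' group captures firmware.
FINGERPRINTS = [
    (re.compile(r"Intelbras Action RF 1200 firmware (?P<fw>[\d.]+)"), ("Intelbras", "Action RF 1200")),
    (re.compile(r"Skyworth Router CM5100 version (?P<fw>[\d.]+)"), ("Skyworth", "CM5100")),
]

# Advisory subset: CVE-2024-22773 affects Action RF 1200 1.2.2 and earlier,
# CVE-2023-51743 affects CM5100 4.1.1.24 (versions as stated in the article).
ADVISORIES = [
    Advisory("CVE-2024-22773", "Intelbras", "Action RF 1200",
             lambda v: v <= parse_version("1.2.2"), score=0.45),
    Advisory("CVE-2023-51743", "Skyworth", "CM5100",
             lambda v: v == parse_version("4.1.1.24"), score=0.12),
]

# Constructed passive observations: (ip, banner seen on the wire).
OBSERVATIONS = [
    ("10.0.1.1", "Intelbras Action RF 1200 firmware 1.2.1"),
    ("10.0.1.2", "Skyworth Router CM5100 version 4.1.1.24"),
    ("10.0.1.3", "Intelbras Action RF 1200 firmware 1.3.0"),   # patched build
    ("10.0.1.4", "Acme Router X1 fw 9.9.9"),                   # no fingerprint rule
]


def fingerprint(ip: str, banner: str) -> Optional[Device]:
    """Return a Device if any fingerprint rule matches the banner, else None."""
    for pattern, (vendor, model) in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return Device(ip, vendor, model, m["fw"])
    return None


def build_inventory(observations) -> List[Device]:
    """Devices whose banner we could fingerprint; unknown banners are dropped here."""
    return [d for d in (fingerprint(ip, b) for ip, b in observations) if d]


def match_advisories(inventory: List[Device], advisories=ADVISORIES) -> List[Tuple[str, str, float]]:
    """(ip, cve, score) for every affected device, highest score first."""
    findings = []
    for dev in inventory:
        ver = parse_version(dev.firmware)
        for adv in advisories:
            if (adv.vendor, adv.model) == (dev.vendor, dev.model) and adv.affected(ver):
                findings.append((dev.ip, adv.cve, adv.score))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for ip, cve, score in match_advisories(build_inventory(OBSERVATIONS)):
        print(f"{ip}  {cve}  priority={score:.2f}")
```

The unfingerprinted device at 10.0.1.4 is silently dropped to keep the example short; in practice an unknown banner on the network is itself a finding worth surfacing, since it is exactly the device nobody is patching.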
3. Monitor for Anomalies and Collect Forensic Data
A router’s primary purpose is transmitting data between internet-connected devices. Given the number of connections they make between different servers all day long, identifying risky or abnormal activity is challenging.
By collecting and analyzing the technical forensic data routers generate, organizations can establish what normal device activity looks like and then identify abnormal connections to locations that might be an attacker’s command and control (C2) server. Feeding this data into security monitoring tools, like a security information and event management (SIEM) platform, lets organizations build high-fidelity alerts that include routers. For example, tracking this information might help identify APT groups connecting from risky geographic areas.
When a solution captures network packet data, organizations enhance their incident response capabilities using forensic data like:
- Dropped packets
- Command outputs or network configuration from outside sources, like through TFTP
- SNMP queries
- Queries of unknown origin
- Unexpected configuration changes to GRE tunnels
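As an added example of what those forensic signals look like once they reach a SIEM (this is illustrative code, not Asimily’s detection logic), the rules below run over a handful of router log lines and flag configuration changes from outside the management subnet, configuration transfers over TFTP to an external host, SNMP queries from a host that is not the known poller, and changes to a GRE tunnel destination. The log lines are constructed in a generic syslog-like format, and the management network and SNMP poller address are assumed baselines that a real deployment would take from its own inventory.

```python
"""Router log anomaly rules (added example; not Asimily's code).
Log lines, the management subnet, and the SNMP poller are all constructed."""
import ipaddress
import re
from typing import List, Optional

MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]      # assumed admin subnet
SNMP_POLLERS = {ipaddress.ip_address("10.0.5.50")}     # assumed network-management host

# Constructed log lines in a generic "<ts> <host> <FACILITY>: <msg>" form.
LOG_LINES = [
    "Jun  3 10:15:02 edge-rtr-1 CONFIG: configured by admin from 10.0.5.20",
    "Jun  3 10:16:40 edge-rtr-1 LINK: interface Gi0/1 changed state to up",
    "Jun  3 10:21:11 edge-rtr-1 CONFIG: configured by admin from 203.0.113.7",
    "Jun  3 10:22:05 edge-rtr-1 COPY: running-config to tftp://198.51.100.9/rtr1.cfg",
    "Jun  3 10:25:30 edge-rtr-1 SNMP: GET from 10.0.5.50 community public",
    "Jun  3 10:26:02 edge-rtr-1 SNMP: GET from 10.0.9.4 community public",
    "Jun  3 10:31:45 edge-rtr-1 CONFIG: interface Tunnel0 tunnel destination 203.0.113.55",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def in_mgmt(ip: str) -> bool:
    """True if the address falls inside an approved management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def alert(host: str, rule: str, detail: str) -> dict:
    return {"host": host, "rule": rule, "detail": detail}


def check(line: str) -> Optional[dict]:
    """Apply the rules to one log line; return an alert dict or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, fac, msg = m["host"], m["facility"], m["msg"]
    ips = IP_RE.findall(msg)
    src = ips[0] if ips else None
    # Any change to a GRE tunnel endpoint is reviewed regardless of who made it.
    if fac == "CONFIG" and "tunnel destination" in msg:
        return alert(host, "gre_tunnel_change", msg)
    # Configuration sessions should originate from the management subnet.
    if fac == "CONFIG" and src and not in_mgmt(src):
        return alert(host, "config_change_unexpected_source", msg)
    # Config pushed/pulled via TFTP to a non-management host.
    if fac == "COPY" and "tftp://" in msg and src and not in_mgmt(src):
        return alert(host, "tftp_config_transfer_external", msg)
    # SNMP queries from anything other than the known poller.
    if fac == "SNMP" and src and ipaddress.ip_address(src) not in SNMP_POLLERS:
        return alert(host, "snmp_query_unknown_origin", msg)
    return None


def analyze(lines: List[str]) -> List[dict]:
    """Run every line through the rules and keep the hits, in log order."""
    return [a for a in (check(l) for l in lines) if a]


if __name__ == "__main__":
    for a in analyze(LOG_LINES):
        print(f"{a['host']}  {a['rule']}: {a['detail']}")
```

Of the seven constructed lines, four produce alerts; the console configuration from the management subnet, the link-state change, and the poll from the known SNMP host are left alone. The point of baselining first is that these rules are only as good as the allowlists behind them, which is why the inventory from step 1 has to exist before the alerting in step 3 is trustworthy.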
Asimily Enables Router Vulnerability Detection and Security Monitoring
The Asimily platform is designed expressly with IoT devices in mind. It’s built to monitor traffic to and from IoT equipment, such as HVAC systems, and surface anomalous behavior that might indicate an attack in progress.
Asimily also provides vulnerability information on high-risk weaknesses with our proprietary algorithm that leverages vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. This insight empowers security teams to make efficient prioritization decisions and resolve the riskiest vulnerabilities quickly.
Customers also receive peace of mind from knowing what systems are attached to their networks and which ones need the most mitigations. With this insight, as well as improved monitoring, Asimily customers can better defend their IoT systems and critical information from threat actors.
To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.