Your Home Router May Be Committing Crimes
Why network traffic analysis is so important
A recent flaw in router firmware (software that works with the hardware) affects many routers used by individuals in their homes. These routers may get infected with malware and then added to a botnet by criminals, who then use the infected home networking devices to commit crimes. I posted an article with a list of affected devices on Twitter. Are you following me @teriradichel?
The problem is that often non-technical individuals set up and run home routers. Even if you are somewhat technical, the traffic is on the edge of the network. No one reviewing internal network logs is going to see it. But you can protect your network from attacks that originate from these devices. You can also make sure the software (firmware) on your device is up to date.
Hopefully, ISPs are monitoring their networks for customer modems generating a lot of blocked traffic so they can warn customers that their device may be compromised and help them update it. As I mentioned, it’s hard for end-users to see the traffic since it’s on the edge of the network.
One of the problems the article mentions is that customers may not be able to update or manage routers provided by ISPs. If you’re a bit technical, you can get your own cable modem instead of the one provided by your ISP. You’ll have to pay some money, but you won’t have to pay the monthly rental fee for the equipment they provide.
The other thing you can do is run a cable modem only (not with integrated Wi-Fi) and a security appliance in between the cable modem and your Wi-Fi network device. That way you can inspect traffic from the Internet before it gets to your Wi-Fi router and other home devices. You can set up firewall rules to block known bad traffic.
Read the reviews of cable modems such as those found on Amazon. Personally, this is one item I like to buy from a local store. You can also buy some devices directly from manufacturers or an authorized reseller. The thing you’ll want to avoid is buying this device from an untrusted source, such as an unknown seller on eBay or Amazon who may have inserted malware into the device before you purchase it. That is a challenging problem to solve, but try to buy from trusted sources.
Install a firewall between the cable modem and your Wi-Fi network device. Look at the ratings for firewalls and, if possible, find out where manufacturing and testing of the product occurs. If you want to use a free, open-source firewall, you can use pfSense. You can install it on your own hardware.
Connect the device running pfSense to the cable modem. Connect your Wi-Fi network device to the machine running pfSense. You’ll need to be a bit technical to figure this all out, but you can also get support and training from pfSense or buy pre-configured devices. I don’t know where the pre-configured devices are manufactured and tested, so reach out to pfSense to find out if you want to use that option.
Once you have your firewall set up, start looking at the traffic. I wrote about some traffic analysis I performed on firewall traffic in my post about how scanners lead to scammers. Not all the bad traffic is coming from other countries, either. Block the obviously bad traffic and then learn to dive into the other traffic with Wireshark to figure out what’s getting sent back and forth. I wrote about packet sniffing and Wireshark in a separate blog post.
The other challenge you will have is that you won’t be able to get the internal IP addresses of devices on your Wi-Fi network from your firewall appliance, since your Wi-Fi router’s IP address is what will show up in the firewall logs. To get details about the individual IoT devices on your network sending traffic back and forth to the Internet or to each other internally, you’ll need a Wi-Fi router that also has traffic analysis capabilities, like Ubiquiti.
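As an added example (not from the original post and not pfSense's own code), the script below does a first pass over firewall logs as described above: it lists Internet sources that probed several ports, and it shows that every blocked connection from inside the house appears under the Wi-Fi router's single address. It assumes pfSense's comma-separated filterlog layout for IPv4 TCP/UDP entries, interface names em0 (WAN) and em1 (LAN), and constructed sample lines that use documentation and private addresses.

```python
from collections import Counter, defaultdict

# Constructed sample in pfSense's comma-separated filterlog layout (IPv4 TCP/UDP).
# Addresses are documentation/private ranges; em0 = WAN and em1 = LAN are assumed.
# 192.168.1.2 stands for the Wi-Fi router's address on the firewall's LAN side.
SAMPLE_LOG = """\
Jan  5 10:00:01 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,52,1001,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40001,23,0,S,1,,1024,,
Jan  5 10:00:02 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,52,1002,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40002,2323,0,S,1,,1024,,
Jan  5 10:00:03 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,52,1003,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40003,7547,0,S,1,,1024,,
Jan  5 10:00:04 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,49,1004,0,none,17,udp,78,192.0.2.44,198.51.100.10,5060,5060,58
Jan  5 10:00:05 fw filterlog[411]: 9,,,1700000001,em1,match,block,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.1.2,203.0.113.99,51000,6667,0,S,1,,64240,,
Jan  5 10:00:06 fw filterlog[411]: 7,,,1700000002,em1,match,pass,in,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.1.2,198.51.100.80,51001,443,0,S,1,,64240,,
"""

def parse(line):
    """Return the fields of interest from one filterlog line, or None."""
    f = line.split("]: ", 1)[-1].strip().split(",")  # drop the syslog prefix
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp") or not f[21].isdigit():
        return None  # IPv6, ICMP and malformed lines are skipped in this example
    return {"iface": f[4], "action": f[6], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def summarize(text, wan="em0"):
    """Split blocked traffic into Internet-side probes and inside-out attempts."""
    probes = defaultdict(set)  # Internet source -> distinct ports it tried
    inside = Counter()         # (inside source, destination, port) -> count
    for line in text.splitlines():
        e = parse(line)
        if e is None or e["action"] != "block":
            continue
        if e["iface"] == wan:
            probes[e["src"]].add(e["dport"])
        else:
            inside[(e["src"], e["dst"], e["dport"])] += 1
    return probes, inside

def scanners(probes, min_ports=3):
    """Sources that tried at least min_ports different ports: block candidates."""
    return sorted(s for s, ports in probes.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    probes, inside = summarize(SAMPLE_LOG)
    print("scanner candidates:", scanners(probes))
    for (src, dst, port), n in inside.most_common():
        print(f"blocked from inside: {src} -> {dst}:{port} x{n}")
```

A blocked entry on the LAN interface tells you something behind the Wi-Fi router tried to reach out, but not which device, which is the limitation described above.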
Although I like the traffic analysis capabilities of Ubiquiti, I was not too keen on the fact that the reset switch randomly went out on a fairly pricey device. According to their customer support message board, this happens a lot. The only way to reset is a complicated method using TFTP. Hopefully the newer devices do not have that same problem.
The other issue is that I wasn’t too happy with the functionality and complexity of the cloud key and authentication process. Has anyone else who uses this product tried to set up a zero-trust network to only allow the required traffic on specific ports to specific IP addresses? It’s complicated. Not only for software updates but also on the private network, where you don’t want devices to be able to talk to each other unless they are really supposed to be doing so. I tried to document it and may share it at some point.
Additionally, although I tried to set it up so the product would only run locally, it still somehow switched to sending data to the cloud. I need to get back to it and see if and how I can prevent that. I want nothing from my local network going into the Ubiquiti cloud. I only want to see it on my own controlled devices. Ironic, since I helped another firewall company architect a cloud-based firewall product, I know.
I saw another post about running the Ubiquiti controller in the cloud (your own cloud account). It’s a Java application. Security people don’t love Java applications running on their networks. I may try that option and see how tightly I can lock down the ports and if that is a decent solution or not.
At any rate, you’ll need a way to capture traffic from your Wi-Fi router to tell if your TV is trying to hack your toaster. Also, check out my blog posts above to learn how to start finding noisy traffic and weed that out so you can look at the things that really matter.
Teri Radichel
© 2nd Sight Lab 2021