More malware threats loom for routers and IoT devices
Routers have been described as digital “windows to the world” for good reason. They can connect us to just about anybody or anything, anywhere. And others can connect to us.
Which is all good if those are connections we want. But if windows, digital or otherwise, aren’t protected they can be broken. That leaves us vulnerable to connections we don’t want, since criminals who break in can damage us in multiple ways — theft, privacy invasion, identity theft, physical harm, and more.
Those risks were on display again earlier this month when AT&T’s Alien Labs announced that its researchers had discovered malware written in Google’s Golang (also known as Go) open source programming language. It can be used to exploit more than 30 different vulnerabilities in routers and Internet of Things (IoT) devices, potentially giving it access to millions of users. They named it BotenaGo.
According to Ofer Caspi, the researcher with Alien Labs who wrote the blog post detailing the findings, the malware “creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.”
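The one network-level indicator the report gives is that port: the backdoor sits on TCP/19412 waiting for an operator to hand it a target. The following is an added example, not code from Alien Labs or from the article, showing how a defender could sweep firewall flow logs for inside hosts being reached on that port. The log line format and the addresses in the sample are constructed for the example; the assumption that RFC 1918 space is "inside" is also the example's, and both would need to be mapped to a real firewall's export.

```python
"""Flag traffic to the BotenaGo command port (TCP/19412) in firewall flow logs.

Added example; not code from the Alien Labs report or the article. The log
line format below is constructed for this example (assumption): map the fields
to whatever your own firewall or NetFlow collector exports.
"""
import ipaddress
import re
from collections import defaultdict

# Port named in the Alien Labs write-up as the channel on which the backdoor
# waits to receive a target from a remote operator.
BOTENAGO_PORT = 19412

# Assumption for this example: RFC 1918 space counts as "inside".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed log format: <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_botenago_indicators(lines):
    """Return {internal_host: [(signal, peer, firewall_action), ...]}.

    Two signals are kept, both on TCP only:
      inbound-c2-port  - an outside address reaching an inside host on 19412
                         (operator -> backdoor, the pattern the report describes)
      outbound-c2-port - an inside host connecting out to 19412 (not described
                         by the report, but cheap to surface for a look)
    The firewall's own verdict (allow/deny) is carried through so that allowed
    flows can be prioritised over ones the perimeter already blocked.
    """
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] != BOTENAGO_PORT:
            continue
        src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
        if dst_in and not src_in:
            findings[rec["dst"]].append(("inbound-c2-port", rec["src"], rec["action"]))
        elif src_in and not dst_in:
            findings[rec["src"]].append(("outbound-c2-port", rec["dst"], rec["action"]))
    return dict(findings)


def hosts_with_allowed_inbound(findings):
    """Inside hosts that an outside peer actually reached on 19412 (allowed)."""
    return sorted(
        host for host, hits in findings.items()
        if any(sig == "inbound-c2-port" and act == "allow" for sig, _, act in hits)
    )


# Constructed sample log (documentation ranges 203.0.113.0/24 and 198.51.100.0/24
# stand in for outside addresses; nothing here is a real observation).
SAMPLE_LOG = """\
2021-11-20T10:00:01Z 203.0.113.7:51234 -> 192.168.1.20:19412 tcp allow
2021-11-20T10:00:05Z 192.168.1.55:40112 -> 198.51.100.9:443 tcp allow
2021-11-20T10:01:10Z 198.51.100.23:19412 -> 192.168.1.20:55000 tcp allow
2021-11-20T10:02:00Z 203.0.113.7:51240 -> 192.168.1.30:19412 tcp deny
2021-11-20T10:02:30Z 203.0.113.9:60001 -> 192.168.1.40:19412 udp allow
this line is not a flow record
"""

if __name__ == "__main__":
    hits = find_botenago_indicators(SAMPLE_LOG.splitlines())
    for host, events in sorted(hits.items()):
        for signal, peer, action in events:
            print(f"{host}\t{signal}\t{peer}\t{action}")
    print("reached on 19412 (allowed):", hosts_with_allowed_inbound(hits))
```

The script deliberately ignores flows where 19412 is only the source port (the third sample line) and UDP traffic, so that ephemeral-port collisions do not produce noise; the hosts it returns are a starting point for checking the device's firmware against the CVE list in the report, not a verdict on their own.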
He said SHODAN, a search engine for internet-connected devices, located close to 2 million of those devices that could be vulnerable to an attack through a single vulnerability on the list.
At least 20 of those vulnerabilities (Alien Labs listed all of them in its report) have been assigned Common Vulnerabilities and Exposures (CVE) numbers and severity ratings by the National Vulnerability Database. Half of those that BotenaGo can exploit are four years old or more, going back to 2013.
They affect multiple router brands including DrayTek, Netgear, D-Link, XiongMai, TotoLink, Tenda, ZyXel, and ZTE. And criminals who can exploit them can launch attacks such as gaining access to internal networks, extortion, denial-of-service attacks, and hosting/spreading malware using a victim’s internet connection.
Caspi said the team doesn’t yet know which threat actor is behind the malware, but he said it is still in the beta version and was accidentally leaked.
Backdoors are always bad
That doesn’t make it harmless, however. Tuomo Untinen, software engineer within the Synopsys Software Integrity Group, said “a backdoor is always a bad thing even if the original attacker is not using it. Nothing prevents someone else from using it.”
Caspi also wrote that organizations should expect to see more malware written in Go, in part because of its appeal to programmers, which also makes it appealing to hackers.
“Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems,” he wrote.
He noted that Intezer, which offers a platform for analyzing malware, recently estimated that there has been a 2,000% increase in malware code written in Go found in the wild.
But that doesn’t mean the popularity of a programming language is to blame for an increase in malware. “I don’t think anyone credible or serious would make that claim,” said Travis Biehn, principal consultant within the Synopsys Software Security Group.
Jim Gettys, a network systems and software designer who recently retired as CTO of Muinin, agreed. “Go is just a computer language and a fine one at that,” he said, adding that “starting from a low number, a 2,000% increase is a scare number and not interesting at all, even if it’s correct.”
Untinen added that “if Golang didn’t exist some other language would be used for writing that malware.”
BotenaGo is indeed a problem. But the cause is not the language hackers choose to write their malware. It’s the notorious and ongoing insecurity of most routers and IoT devices.
Rotten on arrival
“Most IoT gear doesn’t have a proper update stream or anyone maintaining the code,” Gettys said. “Once such gear ships, most of it just rots in the house. And in my exploration, even brand-new hardware typically ships with firmware based on four-year-old source code. So it’s rotten on arrival to stink up your environment.”
He said there are exceptions — he has seen updates pushed to both the smart thermostat and the router he uses.
“But installing updates isn’t something most consumers could figure out,” he said. “Most IoT gear will never see an update, or it will require manual intervention by users who won’t even know that they should do anything. The idea of your grandmother downloading a new image and installing it on some of this gear is complete insanity. That has nothing to do with the Go language.”
Untinen said the lack of security in routers and IoT devices “is a known issue with almost every vendor. If you download firmware from almost any home router and upload it into a binary scanner, it almost certainly will find a bunch of known vulnerabilities that haven’t been fixed.”
“Another thing is that vendors probably think the product life for home routers is a couple of years and expect consumers to buy a new one after that to gain faster transfer speed,” he said.
Biehn agreed, saying that the failure to issue security updates and the failure of users to install updates when they are available “are both on the vendor.”
“Software has grown up from big, hard-to-apply, manual patches to incremental, just-in-time, and ambient-in-application. IoT device vendors need to copy Google Chrome’s homework here,” he said.
Given that Go is an open source programming language, is there anything the open source community can do to minimize the risks of this type of malware?
Biehn said there is, but it can be tricky. He said there’s an ongoing debate about “the ethics of writing a counter-worm that simply disables vulnerable devices using the same exploits as other circulating worms,” which would protect users but also render those devices useless, at least temporarily.
Painful incentives
“A couple rounds of disabled devices and maybe consumers will want to ask about their upgradeability,” he said. “This isn’t likely to play out in the open, but we’ve seen ‘defensive’ worms in general purpose and IoT software domains before that follow this rough philosophy.”
But obviously, what Biehn describes would go well beyond something like a router requiring users to change the default password before it will work. “Disabling or disrupting networking hardware carries the risk of significant physical harms, like if you hit some budget-strapped hospital,” he said. “So there are lots of design decisions to be made for the community.”
And what about government playing a role? It’s illegal to sell vehicles without physical safety features like seatbelts, antilock brakes, and airbags. Why not require comparable digital safety features for routers and IoT devices? Or make it easier to sue vendors that sell products that don’t meet basic security standards?
Gettys said something like that is overdue. “It should not be legal to sell devices that will not be maintained for something like a reasonable lifetime,” he said. “And that won’t happen unless vendors have some liability for what they’ve sold. This is a market failure, and looking elsewhere for the fundamental problem is futile. Yes, [better security] will increase their price. But it puts the burden into the right place and puts money into an ecosystem to encourage maintenance. Right now we’re suffering from pollution of the commons.”
So where does that leave the millions of organizations and individual users who are the potential targets of BotenaGo malware?
“Users and organizations can limit what devices have access to public internet,” Untinen said. “For example, NAS [Network Attached Storage] devices don’t need to be publicly visible. One possibility is to build a secondary network for your IoT devices and keep that totally isolated from the internet.”
He acknowledged that “these are probably too complex for regular consumers. But one thing they can do is not buy the cheapest home router. I recommend buying enterprise-level routers — they’re going to get updates more often than consumer devices.”
Biehn said the options for individual users aren’t great. “Consumers can’t do anything except buy routers that are maintained and automatically kept up-to-date,” he said. “Unfortunately, you essentially need a degree to assess whether or not some vendor will do a good job at device stewardship.”
He said if a router ships with a default password, don’t buy it. Or, if you already have one with a default password, change it. “But that’s a bit like painting the Titanic — better to throw it out,” he said.