Sam Stelfox

Smart home cybersecurity news roundup [June 2019 edition]

According to the 2019 Symantec Internet Security Threat Report (ISTR), there are an average of 5,200 attacks on IoT devices per month. To help keep you informed, we're starting a smart home cybersecurity series that discusses what we believe to be the top threats and vulnerabilities discovered in the past month. This first issue discusses two recent cybersecurity findings: the Linksys Smart WiFi router vulnerability and the Android pre-installed backdoor.

>25,000 Linksys Smart WiFi routers leaking troves of sensitive data

On May 13, 2019, Bad Packets security researcher Troy Mursch released a report detailing his findings on a vulnerability found in several models of Linksys Smart WiFi routers.

The vulnerability (CVE-2014-8244) essentially allows an attacker to gain unauthenticated remote access to sensitive information by simply locating the router's public IP address, navigating to the developer console, and running the JNAP command.

Bad Packets' scans indicate that 25,617 Linksys routers are affected and are thus leaking sensitive information. What's unique about the information leaked is that it includes historic information and not just what's happening in real time. Therefore, attackers who gain access are gathering information on any device that's ever been connected to the router, including its:

  • MAC Address
  • Device Name
  • Operating System

As if this isn't enough, Bad Packets further states that in some cases, more information was found to be leaked, such as: device type, manufacturer, model, and the router's WAN settings, firewall status, firmware and DDNS settings.

Bad Packets provides a full list of vulnerable models and firmware versions, and also shares that nearly half of the vulnerable routers are located in the United States, with most of the remainder found in Chile, Singapore, and Canada.

[Image: Linksys Smart WiFi router website screenshot. Screenshot taken June 10, 2019 from Linksys website.]

In response to Bad Packets' vulnerability submission, Linksys released a security advisory the next day stating that they tested the vulnerable routers using the technique described above and were unable to reproduce CVE-2014-8244.

"We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled."

While this conclusion doesn't exactly help those who own one of the Linksys models listed in Bad Packets' research, it still makes Linksys aware that such a vulnerability may still exist in their routers (CVE-2014-8244 was said to have been patched back in 2014).

In the meantime, owners of Linksys Smart WiFi routers (and of any router, for that matter) can improve their network's security posture by ensuring their router's firmware is up to date, disabling the router's remote access feature, and using strong device credentials.

Google confirms pre-installed backdoor on Android smartphones

On June 6, 2019, Google Android Security & Privacy Team member Lukasz Siewierski released a detailed blog post about Triada, a trojan that made its first appearance back in 2016.


"Back then, it was a rooting trojan that tried to exploit the device and after getting elevated privileges, it performed a host of different actions. To hide these actions from analysts, Triada used a combination of dynamic code loading and additional app installs."

Siewierski explains that as Google Play Protect got better at defending against root exploits, Triada eventually evolved into a system image backdoor. As a result, OEMs were made aware and cooperated by including security updates in their system images that prevented Triada from infecting devices.

The following year, on July 27, 2017, anti-virus developer Dr. Web released a report stating that, in the course of their security research, they had discovered the Triada malware pre-installed in the firmware of several Android smartphones. These smartphones (Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20, as stated by Dr. Web) become vulnerable as the Triada malware embeds itself into the processes of all their running applications and discreetly runs malicious modules.

Now in June 2019, Siewierski's analysis of Triada includes confirmation of Dr. Web's report and that "Triada infects device system images through a third-party during the production process," as depicted below:

[Diagram: Third-party production process with exploit (Source).]

This is an example of a supply chain attack, a type of attack that is becoming more common. Referring back to Symantec's 2019 ISTR, we see that supply chain attacks increased a whopping 78% between 2017 and 2018.

Siewierski explains that Google has worked with the affected OEMs to remove traces of Triada, and provides OEMs with advice to prevent supply chain attacks from occurring:

"OEMs should ensure that all third-party code is reviewed and can be tracked to its source. Additionally, any functionality added to the system image should only support requested features. It’s a good practice to perform a security review of a system image after adding third-party code."

If anything, Triada's evolution over the years shows how malware creators can quickly adjust and find new attack vectors.