February 19, 2014, 9:38 AM — If you're using network-attached storage, video surveillance equipment, or remote router management software, beware of dodgy firmware--it's become ground zero for hacker exploits, as recent debacles with Asus and Linksys routers emphatically illustrate. The message is clear: In 2014, vulnerable routers, NAS boxes, and other connected devices are leaving our home networks wide open to attack.
Worst-case scenario? Strangers from anywhere in the world can access your files, slip malware into your network, or use your own security cameras to spy on you--all without ever laying a finger on your hardware.
Some older Linksys E-Series routers and Wireless-N routers and access points are vulnerable to a malware infection--dubbed TheMoon--that leaves a self-replicating worm behind. On Tuesday, Ars Technica reported a story of people finding disturbing letters on USB storage devices attached to their Asus routers, left there by apparently non-malevolent but unquestionably uninvited guests. The letters serve as dire warnings of how insecure their networks are. PCWorld Norway raised a red flag about this weakness nearly two weeks earlier.
Using the Shodan search engine, Clas Mehus--an editor at our sister site--discovered a shocking number of routers, NAS boxes, security cameras, and other network devices left wide open due to buggy firmware and/or poorly designed user interfaces. I've replicated Mehus's findings and can report that these vulnerabilities aren't limited to Asus and Linksys hardware.
If you're running an Asus router with a USB storage drive attached, download and install the latest firmware from Asus's website (do not simply use the router's web interface to check for a new version, as it might not download the most recent version).
As for Linksys, company spokesperson Karen Sohl told us Linksys is aware of the issue. "Customers who have not enabled the Remote Management Access feature [on these devices] are not susceptible to this specific malware," Sohl wrote in an email. "Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."
Asus and Linksys are hardly alone when it comes to security vulnerabilities. Netgear's ReadyNAS product line suffered something similar just a few months ago. Weak industry password-setup practices have made it a virtual certainty that there will always be IP devices unintentionally exposed to the Internet.
How it happens
You might not realize you have an Internet address that's as well-defined as your street address. To see your own public IP address, surf to whatismyip.com. Your address will be displayed in big bold letters and will look something like this: 18.104.22.168. In most cases, this public address leads straight to your router, which as its name implies, routes all data traffic between your networked computers, tablets, smartphones, webcams, and to and from the outside world.
If someone gains control of your router, you're in for a rough time. They can open and redirect any sort of traffic anywhere they want. The havoc they wreak can also ruin a whole lot of other people's days with what's relayed through your equipment.
Securing your router with a complex password to prevent anyone from logging on is only a good first step. You must also secure its configuration firmware and the services that run on it. A router directs different types of traffic in and out of thousands of numbered ports.
Picture the router as an apartment building, and its ports the doors to individual apartments. Port 80 is used for HTTP traffic (that's how you access the web). Port 21 is used for sending and receiving files using FTP (file-transfer protocol). Port 443 is used for HTTPS (encrypted web traffic, such as banking or shopping transactions), and port 3369 is used for Remote Desktop.
If a port is open, and they normally all are, the router simply shuffles data back and forth to whatever IP device that the port is directed to. So every device you own that communicates with the Web needs to be password-protected to prevent others from being able to access it via these ports.
The default dilemma
Most routers and many NAS devices come with well-documented default login IDs and passwords ("admin" and "password," for instance). These devices typically have installation wizards that prompt the user to change them before the device is connected to the Internet. But for one reason or another, that step is sometimes skipped and the password is never changed. Other times, the password is updated, but at some point down the line, the user performs a hard reset. This common troubleshooting step often restores the old, weak password without the user's knowledge.
Enabling UPnP on older firmware--a step that most router manufacturers recommend, because doing so simplifies configuration--can expose connectivity to FTP and SMB servers running on the router, enabling any Internet snoop to access every file on an attached storage device. An anonymous group recently posted a list of several hundred IP addresses assigned to vulnerable Asus routers.
You can't afford to wait for the industry to wake up. Take action now to lock down your router, your NAS device, your IP cameras, and every other device on your network that's exposed to the Internet. Unless you want people stealing your bandwidth; your private photos, documents, and movies; and watching whatever your cameras are focused on.
Want to know which of your ports are open? Browse to www.whatismyip.com. On the main page you'll see your IP address, and to the left an option for port scanners. Select that and run the port tests. Unfortunately, some Internet gateways--such as the Motorola NVG510 that AT&T provided me--won't let you do this locally. You'll have to note your public IP address and try it from the coffee shop or from a friend's house.
Your action plan
One thing you can check immediately is whether your FTP service on your router or NAS box is enabled, and whether it allows anonymous access. Anonymous access doesn't require a password, so unless you're sharing files with the world, you don't want it enabled. FTP can be found in your router's HTML configuration pages, which may be accessed from your browser at 192.168.1.1, or 192.168.1.254, for instance. You can find the default address for your router in its user manual.
This Wikipedia entry lists all available ports, but the critical ones are those that allow remote access to your files or remote control of your network devices. These include HTTP, FTP, and RDP.
Checking to see if you're password-protected is easy enough. Simply open a browser and then type in your public IP address preceded by the proper header: FTP://, HTTP://, and so on. If you connect, you should be asked for a password. If you're immediately taken to the router, NAS, or IP camera's homepage, you aren't protected--anyone else with a connection to the Internet can access those resources just as easily as you just did.
For maximum security, you can put your router or router/modem into pin-hole mode, where every port is blocked by default and you open only those services you need. It takes a bit of work, but it's very secure.
The good news is that it's relatively easy to protect yourself: Simply password-protect any device that connects to the outside world, even if it's a refrigerator. If you're using older hardware, check periodically to ensure the device hasn't been reset and its default password reinstated. Make a habit of checking manufacturers' websites to ensure you always have the most up-to-date firmware (don't rely on the device's user interface to check for firmware updates--those tools don't always work the way they should).