In the news has been yet another router botnet. [Hui Wang] and [RootKiter] of 360Netlab announced their discovery of what they call the “BCMUPnP_Hunter” rootkit. They estimate this botnet to be running on over 100,000 routers worldwide.
There are two elements of this story that I found particularly baffling. First, this botnet infects routers using a vulnerability that was first reported by Defensecode over five years ago, in 2013! The second oddity is the wide range of devices that are vulnerable and are now part of the botnet. Dozens of brands and at least 116 models have been found to be infected.
One of the details of this story hasn’t been reported entirely accurately. The bug is not built into the Broadcom chipset. Unlike Spectre and Meltdown, it’s not actually a hardware fault. Broadcom distributes a Software Development Kit (SDK) that enables device manufacturers like D-Link, TP-Link, and Linksys to quickly develop firmware for routers using Broadcom chips. The vulnerability lies in this code, rather than part of the hardware itself.
UPnP Strikes Again!
The attack vector is the Universal Plug’n’Play (UPnP) protocol. This protocol was first developed by Microsoft for Windows ME. The use case for UPnP is to allow a program on the local network to request an open port for incoming traffic, essentially automating the port forwarding process. Peer to peer traffic like bittorrent, online gaming, and even teleconference applications like Skype require connecting directly to other users. As ISPs began handing out only a single IP address, and NAT routers became more popular, solutions like UPnP were needed to enable these peer to peer applications.
While the idea is a valid one, UPnP has had a storied history full of exploits. In 2013, Rapid7 released a whitepaper looking at UPnP accessible over the internet. They identified over 80 million unique IP addresses that responded to UPnP discovery packets from the internet, and around 20% of those IPs exposed the control port. UPnP is intended for internal network use only, and by definition should not be publicly discoverable. This means that in 2013, 80 million devices were using a broken implementation of UPnP.
After Years in Hibernation
As to why a botnet is only recently capitalizing on this specific vulnerability, DefenseCode realized how large of an issue this could be, particularly in 2013 when the vulnerability was first announced. At that time, there were estimated to be 15 million vulnerable devices across the internet. DefenseCode delayed releasing the full details of the attack until 2017, when they finally opted to publish the full vulnerability details. Once the proof of concept code was available, it was only a matter of time until someone built the self-propagating worm we’re now seeing.
It’s not too hard to find a copy of Broadcom’s SDK that contained this vulnerable code. That SDK was dated 2007, but based on the Linux kernel from 2003, release 2.4.20. This is one of the outstanding problems in the industry. Rather than working to upstream support for a chipset into the kernel, manufacturers release an SDK based on an old fork of Linux. Because this “works”, there is very little rush to use more recent software, even when there are known vulnerabilities in the old code. This widespread sharing of low quality and dated code leads to situations like this one, where over 100 devices are vulnerable to an attack.
Where To From Here?
Some progress has been made on this front, as chip manufacturers have started working more closely with the upstream kernel developers. Qualcomm Atheros, for example, is working directly with OpenWrt to provide higher quality SDKs. Chipset manufacturers are only part of the solution, as device manufacturers must also release timely firmware updates for their devices.
We do have an alternative to relying on vendor firmware updates, in the form of third-party firmware. OpenWrt is the distribution I’m most familiar with, and seems to be the best of the open source firmware replacements.
Even when an updated firmware is released, many users simply aren’t interested in updating their routers when everything is working. While some manufacturers have tried implementing automatic firmware updates, that process isn’t without problems, either. Notable are the devices that have automatically updated to a “cloud enabled” firmware, which introduces an entirely new class of vulnerabilities.
The problem of software vulnerabilities will probably never fully go away. We can insist that vendors like Broadcom do better with their code, but as users, we have some responsibility for our own security. Occasionally checking for firmware updates, being aware of opened ports, and replacing devices when they no longer maintained are squarely our responsibilities. While this botnet is the result of a badly broken UPnP implementation, it’s ultimately up to you to maintain your own network.
“As ISPs began handing out only a single IP address, and NAT routers became more popular, solutions like UPnP were needed to enable these peer to peer applications.”
IPv6 should eliminate the need for all this.
With every host on the network automagically exposed to the internet?! Please do ;) dont think iot is ready for that..
There are still ways to control that with firewalls.
The selling feature is that everything ‘could’ be connected to the internet within a single common addressing scheme…
…no-one in their right mind should want that though as literally everything connected to the internet will get a vulnerability somehow. There is too much code for it to be perfect, and too much hardware for it to run flawlessly everywhere.
so instead of UPNP controlling the NAT, it would control the firewall. How is that going to be any more secure?
Yes, it should, as soon as the entire internet completely adopts it and stops using ipv4 and variations of nat/nat64 and like.
Most of the backbone of the internet is already running ipv6-or-compatible, and things like cellphones and mobile IOT are getting IPV6 natively, so there is less of a need to force the change as there was before.
As long as there continues to be perceived difficulties of adopting v6 whether they be the translation layers, security differences, cost differences, etc there will be inertia keeping providers and end users on ipv4 because it is “known” and “easy”.
I would add that part of the problem is the lack of a clear, useful explanation of how it works and how it can be configured. Here we have some providers that started using ipv6, but it is not a full ipv6, it is a somewhat routed ipv6 , not-exactly ipv6, so one can imagine the confusion in the heads of people that just want to watch youtube or connect to their surveillance cameras at home.
Most of the time, it’s IPv6-via-teredo.
Mapping the correct ports to the correct addresses in the router would solve it without the need for Upnp. It was all a matter of convenience, not necessity.
Exactly. UPnP is just a small convenience that can cost you too much. I generally don’t like idea that any program can create port forwarding without my knowledge. Especially those IOT things that are generally horrible when it comes to security.
Ipv6 aka the Devil’s bargain… “we promise to manage everything if you just let us tag it for you.” Not a fucking chance in hell.
I wonder why (more?) ISPs don’t filter UPnP traffic to mitigate exactly this type of scenario. They sure don’t mind snooping for torrent traffic if blocking email ports. At least in this context there is no legitimate use case for internet bound UPnP that I am aware of.
Maybe simply because setting up their firewalls costs money?
Sunk cost both in hardware and person already setting up firewall.
I seems that “both” options of ISP here in america could do it but that would require proficiency with the services they peddle. Stuffing users with static IP addresses for over 5 years is also pretty lax as is having your offered streaming services easily eclipsed in terms of reliability by gray hat websites. It is pretty pathetic and I totally agree with you.
“replacing devices when they no longer maintained are squarely our responsibilities”
That is practically the inverse of the problem, it’s their wet dream that you run out and buy another one the instant they stop supporting it, which is 12 months after release most of the time. So they go on churning out landfill bait they don’t intend to support for a reasonable time, and point the finger at the customer for not wanting to replace hardware incessantly. I mean, helluva lot of people only have “ordinary” internet speeds of 10 to 20 Mbit and the hardware from 2005 is perfectly capable of dealing with that. They practically lie to get the new stuff shifted, promising the AC 3×2 MIMO kit will “make your internet faster”, and even the dimmest bulbs are noticing that after 2 or 3 router replacements they’re still getting the same old 15Mbit, which is actually seeming slower now they’re streaming 4K over it. So we’ve had a rather thorough mis-marketing of landfill bait hardware that wasn’t really necessary for most users, only the less buggy software gave benefits.
I think openwrt and the like is the answer there.
openwrt is too complex for many end users. I’d happily pay extra for a basic wired router with only basic functionality *if* it had a guarantee of quick security updates for a number of years.
Google Wifi is a promising such turnkey home router but I’d like to see a less expensive wired connections only version of it.
Ubiquiti Edgerouter X is my pick for a ready-out-of-box wired router.
Ubiquity seconded. Little harder to set up, but by far the best hardware short of multi thousand dollar Cisco stuff.
Edgerouter X is inexpensive, small and wired only – I like that. Some reviews claim it is complicated to set up, though for my not very feature demanding use case the setup guides on the official page seem ok.
Decisive question: what about update policy/lifecycle? A quick search gave no definitive results. I’d ideally want to purchase a product that in advance guarantees prompt security updates for a preset period of time. Similar to the model Android is (finally) getting to with the Android One rules.
Vendors can roll a simpler UI on top of OpenWrt. Some routers are even sold in “OpenWrt” versions
But those are costlier. And people don´t want to pay for that. After the vendor makes a lot of customizations in openwrt, the UI, etc, then updates need to be released by the manufacturer, and we know that they lag in this aspect.
Problem is that people want cheap first, with security being added as a very late third aspect. Then when you offer a good router, with powerful hardware and good processor and software, people balk at the price.
Oh yeah. I recently had to run OpenWRT on a device because it’s not Tomato supported, and I’m so lost. I think of myself as fairly technical but I’m more of the inch-deep-and-a-mile-wide sort, and this thing is greek to me.
OpenWRT is not a reasonable answer for a reasonably broad set of users, not in its current state, anyway.
There used to be a nice one called Tomato that I ran for many years on my Linksys WRT54GL, which was exactly as you describe: stable, maintained, streamlined and easy to configure. Unfortunately over time it was endlessly forked and maintainers came and went, so it is now difficult to track the latest “official” version. I wish some BDFL would come along and adopt it and codify everything into one Github account or something.
You are getting hung up on the word “Replaced”, when you SHOULD be seeing “Maintained”.
It is LITERALLY the responsibility of a user to understand the device they are operating.
If you aren’t going to do proper maintenance on your device, you don’t get to have it. Or at the VERY least you need to replace it as often as maintenance WOULD be necessary.
Is it possible that this exploit exists in pfSense?
> The use case for UPnP is to allow a program on the local network to request an open port for incoming traffic (…)
No, it’s not *the* use case, just one of many.
Do enlighten us, what else does UPnP do?
Is this a serious question? Read the first paragraph of Wikipedia page on UPnP. It describes what UPnP does, yet somehow it doesn’t mention punching holes in routers ;-)
I’ve read it. I just haven’t seen a concrete example of UPnP being useful, aside from opening ports on a router for NAT transversal. I see that it theoretically can do more, but is it actually used anywhere?
Media streaming via DLNA. Networked devices discovery (e.g. WiFi printers). Heck, there was even an article on HaD about controlling smart outlets with Amazon Echo using UPnP.
Gibson Research has a link to see if your router is vulnerable to this issue. https://www.grc.com/x/ne.dll?bh0bkyd2
Nice try, I nearly clicked on that link. :)
Ummm… Why wouldn’t you? GR is legit.
Pfsense 2.4.4 will pass the grc test
Open Source router firmware for the win!
as long as I can either path or disable the service, works for me!
BRCM is not exactly known for the quality of router SDKS, ala their 2.6 series kernels, not exactly top-of-the-line work.
Maybe this is the exploit used by Phineas Fischer to broke into the Hacking Team’s network.
In the story, the hacker says he used an undisclosed exploit in some common piece of hardware.
I don’t know about you guys but I use penetration testing tools on my own wifi. because when I was like 15 (about 9 years ago) I went to my brother’s with a boot-able flash drive with backtrack 3 (a linux distro for hacking) l didn’t even know how to boot it he looked it up got it and got it running on a tower with a wifi card and opened the first program we thought was interesting a wifi cracker and it took all of 30 seconds from opening the program to crack his wifi without a clue in what we were doing so just think about that and I’ll tip my white hat to you and bid you a good day