A sneaky new exploit attacks UPnP to create a proxy inside your network and you will never know it’s there until it’s too late.
Most everyone has a Wi-Fi router in their home and their workplace. Wi-Fi is everywhere and it’s how most personal devices connect to the internet: a Wi-Fi router is connected to an internet gateway and your queries and messages zip on through. As detailed in a recent report, however, there’s a good chance someone could hijack that Wi-Fi router, thanks to a new exploit that makes it pretty simple to set up a proxy server inside a protected Wi-Fi network and have it pass internet traffic along from almost any source. In other words, we have an all-new type of botnet to worry about.
How it works
UPnP (Universal Plug and Play) is a protocol that makes it easy for one device to connect and communicate with another. It’s old, and it’s been proven unsafe many times, but because it’s designed to be used inside a protected network, nobody paid much attention to it. The new exploit works where a UPnP socket is exposed on an internet connection to the outside world, so a crafty person with the right script can connect, then inject entries into the router’s Network Address Translation (NAT) table and create a proxy server that any other device can use.
UPnP is not secure and is outdated, but it’s not meant to be used over the internet so nobody really cares.
This works just like any other proxy server, which means it’s almost like a VPN. Traffic sent to the proxy can be forwarded, and when it reaches its destination, the origin is hidden. The injected NAT entries can be modified to send any traffic anywhere, and unless you have the right tools and are actively looking for it, you would never know if this was running on your network.
The worst part of it all is the list of affected consumer routers. It’s huge, with almost every company and its most popular products on it. It’s so long we’re not going to copy it here and instead direct you to Akamai’s wonderfully put together .pdf presentation.
How bad is this?
The sky isn’t falling. It’s bad, but because it needs to query an open internet socket for information several times in different ways, then put the right information into the payload, it isn’t going to spread unchecked. Of course, this would change if someone were able to automate the process. Should it become self-replicating, with one bot able to attack a network and install another bot, things would get really ugly really quickly.
Bots are bad. An army of them can wreck almost anything.
A botnet is a group of small servers installed on separate networks. These small servers are called bots and can be programmed to accept almost any command and try to run it locally or try to run it on a different remote server. Botnets are bad not because of what they do but what they can enable other machines to do. The tiny bit of traffic from a bot connecting to its home is unnoticeable and doesn’t affect your network in any real way, but with the right commands you can have an army of bots doing things like phishing account passwords or credit card numbers, attacking other servers through DDoS flooding, distributing malware, or even brute-force attacking a network to gain access and admin control. A bot can also be commanded to try any or all of these things on your network instead of a remote network. Botnets are bad. Very bad.
What can I do?
If you’re a network engineer or the hacker type, you can audit the NAT tables on your local network and see if anything has been monkeyed with. If you’re not, you’re kind of stuck and can only hope you don’t have a nasty bot changing how traffic is routed through your network to the internet. That kind of advice isn’t very helpful, but there’s really nothing else a consumer can do here.
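For readers who do want to audit, here is one way to check a router's UPnP port-mapping list, written as an added example rather than code from the report. It assumes a listing laid out like the one miniupnpc's `upnpc -l` prints (the sample is constructed, and `audit_mappings` and `known_hosts` are names made up for this sketch), and it relies on the heuristic that a legitimate mapping forwards to a device on your own LAN.

```python
import ipaddress
import re

# Constructed sample, laid out like the mapping list printed by miniupnpc's
# `upnpc -l` (layout assumed here; adjust ENTRY to match your tool's output).
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP 51413->192.168.1.23:51413 'Transmission at 51413' '' 0
 1 TCP  8443->192.168.1.40:443 'nas-web' '' 0
 2 TCP 20053->203.0.113.77:53 'sync' '' 0
 3 TCP 20080->198.51.100.9:80 'sync' '' 0
 4 TCP  5000->192.168.1.99:5000 'cam' '' 0
"""

ENTRY = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext_port>\d+)->"
    r"(?P<addr>[0-9.]+):(?P<int_port>\d+)\s+'(?P<desc>[^']*)'"
)


def audit_mappings(listing, lan_cidr, known_hosts):
    """Return (severity, entry) pairs for mappings that need attention."""
    lan = ipaddress.ip_network(lan_cidr)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    findings = []
    for line in listing.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue  # header or a line in some other layout
        entry = match.groupdict()
        try:
            target = ipaddress.ip_address(entry["addr"])
        except ValueError:
            findings.append(("suspicious", entry))  # not a valid address
            continue
        if target not in lan:
            # A forward that leaves the LAN turns the router into a relay.
            findings.append(("suspicious", entry))
        elif target not in known:
            # Inside the LAN, but not a device you recognise.
            findings.append(("review", entry))
    return findings


if __name__ == "__main__":
    for severity, e in audit_mappings(
        SAMPLE_LISTING, "192.168.1.0/24", ["192.168.1.23", "192.168.1.40"]
    ):
        print(f"{severity:10} {e['proto']} {e['ext_port']} -> "
              f"{e['addr']}:{e['int_port']} ({e['desc']})")
```

Mappings marked suspicious forward to addresses outside the LAN; those marked review point at a local address that is not in the list of devices you supplied.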
You need a router from a company that will patch this quickly and automatically.
Your ISP, on the other hand, can nip this particular exploit in the bud by refusing the type of traffic that is meant for internal network communications. Should this become a serious problem I expect we’ll see that happen. That’s good — your ISP should be filtering out this traffic anyway.
The most likely scenario is that the company that made your router will prepare an update that kills it somehow. If you have a router that automatically updates, you’ll then be good to go, but many routers require you to manually initiate any updates, and there are a lot of people who have no idea how to go about this.
This is why Google Wifi is a great product. It’s not listed as affected by this exploit (though that could change), and if it were, a patch would soon be on its way and would install itself automatically without you ever having to worry about it. Or even know about it. There are people who do nothing but look for exploits like this. Some are paid researchers who do it to make us safer, but others are doing it so they can use them. Network products that come from a company that is proactive when it can be and reacts quickly when it can’t are a must nowadays. Google has your back here.
April 11, 2018 at 02:06AM