December 2, 2016

Routers behaving badly

Thumbnail image for zyxel-router-cropped.jpgLate on Saturday night, a small laptop started having trouble connecting. This particular laptop sometimes has these issues, which I put down to the peculiarities of running wired ethernet into it via a USB converter. But the next day I realized that the desktop was timing out on some connections, and one of the other laptops was refusing to connect to the internet at all. An unhappy switch somewhere in the middle? Or perhaps a damaged cable? The wireless part of the network, which I turned on as a test, worked much better, which lent credence to the cable idea.

By Monday morning, I had concluded the thing to do was to restart the main router. Things were fine after that. On Tuesday morning, some bounced emails from my server alerted me to the fact that my IP address had been placed on one of the three blacklists Spamhaus consults. It was only then that I realized my router was one of the ones affected by the 7547 bug. If my network had been spewing botnet messages, the router was infected.

I found the patched firmware on the Zyxel site, read several sets of incomplete instructions (the ones you need are now here, and patched the router. GRC informed me the port, which had previously tested as open, was now closed. But did that mean, as the SANS instructions suggested it might, that the router was still infected, or not?

And now, a new problem: I couldn't log into the router to change its password (a consequence of not having the right instructions. Another symptom of infection, or a bungle in the vendor's patch? This was going to mean more effort than I had time for: a factory reset and complete reconfig. Fortunately, I had a spare, already-configured router to swap in, which is what I did.

Yes, I made a mistake: I should have tested the port, reset it, tested it again so I'd know whether it was infected, disconnected it, changed the password, and *then* patched it and tested it a third time. I plead that good, step-by-step instructions were hard to come by. The assumption is that the only people who are doing this kind of thing are those who already know how to do it.

The proximate cause of this particular bug is that the manufacturer of my router - Zyxel made the bizarre assumption that these routers would mostly be installed by ISPs and that therefore they should contain a facility for remote management so the ISP could push out updates as needed. There are, of course, many ways Zyxel could have done this. Especially, they could have left the port closed by default. They didn't.

They have now, of course.

Worse, on the manual page for the remote management functions, the instructions clearly say you can disable them by clicking on a radio button labeled "disable". That button is not present on any of my remote management screens. So I can't tell whether those functions are still listening on standard interfaces like www, telnet, ftp, and so on.

Thumbnail image for Thumbnail image for Hello-Barbie.jpgThis is the future we're facing. I bought the router in good faith from my ISP, which is a small, knowledgeable network consultancy run by two people I actually know personally to be smart and hard-working. They recommended it as a good, reliable router when I was switching to fiber. I did the right things: I configured the firewall to block all unnecessary ports, and changed its admin password. Reliable it has been, but neither they nor I could have guessed at its future as a security hole. So the problem, soon to be exacerbated by the Internet of Things, is not just that ignorant people buy poor-quality devices that prove to be a danger to themselves and others, but that knowledgeable people who take care to lock things down are being actively prevented from doing any better.

kieren-mccarthy-smiling-square-300px.jpgIn the world the Investigatory Powers Act made legal this week, GCHQ has the power to discover a hole like that, exploit it for their own purposes, and keep it secret. They could even, as Kieren McCarthy writes at The Register, order Zyxel to create the vulnerability and, again, keep it secret.

As we've seen, secrets like these get out. Time was when the enterprising would-be hacker had to dive into dumpsters to locate admin passwords and equipment manuals. Today, we all know all this information is easily findable on the internet.

Meanwhile, I still don't know what to do about my Zyxel router, which I'd like to put back into place because the other router is less reliable. Factory reset, full reconfig, sure. But then what? How do I know whether I can trust it? What other flaws are lurking in the gap between what its manual says and what its interface actually enables? It's easy enough to avoid most aspects of the Internet of Things. Just. Don't. Buy. Stupid. Gadgets. But the only way for me not to have a router is to choose isolation and sign off the internet.

And then what would I write net.wars about?

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.