The Internet of Problems

by RG

Recently I received a new LTE router in hopes of boosting Internet speed at home.  If you aren't familiar with LTE routers, they are effectively a combination of a traditional home router and a cellular hotspot device.  The Internet is provided via cellular towers and then served to end users as an Ethernet or Wi-Fi connection.  These devices have become more common for users in industries such as construction and for rural Americans who don't have access to many Internet service options.

Curious as always, I wondered if the device had any obvious security flaws.  Many home routers are not secure by default and require additional configuration to minimize vulnerabilities.  To work, the device utilizes a SIM card and is given a public IP on the carrier network.  This is standard for cellular devices.  However, the device also served up a configuration interface over port 80 on its public IP address by default.  To make matters worse, the default username and password combination for the device was "admin:admin".

According to a survey by Broadband Genie, only 14 percent of the 2,205 survey respondents have updated their router's firmware and only 18 percent have changed the device's default admin account password.  This survey was taken in 2018 and has since been widely referenced.  While the education provided to many users working from home during the COVID-19 pandemic may have lowered these numbers, it is likely that many routers are still vulnerable.  For instance, the previously mentioned survey also cited many users being confused by their router settings.  Anecdotally, I've known plenty of people who are unable to distinguish between their wireless password and the administrative console password.

Knowing that this device was by default unsecured, open to the web, and came with no documentation, I wanted to see how many similar devices were out on the open Internet.  To do this, I first went to shodan.io and logged into my account.  There are several options for web scanning, but Shodan is my preferred tool.  I then performed the following steps:

1.)  Since I already knew my IP, I simply searched for it.  This returned useful information about my device.  Specifically, it grabbed the HTTP banner and then hashed it.  Additional information on pivoting with property hashes can be found here: help.shodan.io/mastery/property-hashes.

2.)  I took the banner hash for my device and searched for it.  This search returned all devices similar to mine.  In total, there were 31 devices.  Based on our numbers from before, we can assume potentially 25 of these devices are accessible with default credentials.

3.)  31 seemed low for the number of LTE routers on the open Internet, so I tried a few different scans.  One particular scan for: "Server: GoAhead-Webs port:80 country:"US"" returned roughly 30,000 results.  GoAhead is a simple web server used for devices without much memory and appears to be heavily used by lightweight LTE routers.
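Seen from the owner's side, the properties that made this device easy to find (a web interface answering on a public address, port 80, a GoAhead server banner) can be checked against an inventory of your own equipment.  The following is an added example, not part of the original article; the function names, finding labels, and sample inventory are hypothetical and constructed for illustration.

```python
import ipaddress

# Ranges treated as not reachable from the Internet (RFC 1918, CGNAT, loopback,
# link-local). Explicit list so results do not depend on ipaddress.is_private.
LAN_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample inventory: documentation-range addresses stand in for
# carrier-assigned public IPs; banners are made up for this example.
SAMPLE_INVENTORY = [
    {"ip": "203.0.113.10", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: GoAhead-Webs\r\n\r\n<html>"},
    {"ip": "100.64.12.5", "port": 80,
     "banner": "HTTP/1.0 200 OK\r\nserver: GoAhead-Webs\r\n\r\n"},
    {"ip": "198.51.100.7", "port": 443,
     "banner": "HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\n\r\n"},
]

def parse_banner(banner):
    """Split a raw HTTP response head into (status_code, lowercase headers)."""
    lines = banner.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    ok = parts[0].startswith("HTTP/") and len(parts) > 1 and parts[1].isdigit()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (int(parts[1]) if ok else None), headers

def audit(entry):
    """Return exposure findings for one device entry (IPv4 only)."""
    status, headers = parse_banner(entry["banner"])
    if status is None:          # not an HTTP service, nothing to report
        return []
    findings = []
    addr = ipaddress.ip_address(entry["ip"])
    if not any(addr in net for net in LAN_ONLY):
        findings.append("WAN_REACHABLE")
        if entry["port"] == 80:  # assumption: port 80 means no TLS
            findings.append("PLAINTEXT_HTTP")
    if headers.get("server", "").lower().startswith("goahead"):
        findings.append("GOAHEAD_BANNER")
    return findings

if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        print(device["ip"], device["port"], audit(device) or "no findings")
```

A device reporting WAN_REACHABLE is the case described above: its management interface should be restricted to the LAN side and its default admin password changed.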

What can be done with this type of access?  Look no further than Duran's article in Vol 38, No. 4 of 2600 where they describe methods for finding and manipulating routers.  It would be easy to lock users out of their devices, potentially upload tainted firmware, or even in some cases gain direct access to their network.  This is not an invitation or encouragement to break the law, of course; rather, the intent is to show the severity of the situation.

As previously discussed, many users do not understand how to properly configure their devices and manufacturers often do not provide sufficient security documentation.  This combination of unsecured-by-default devices and no documentation puts the onus of security on the end user.  In this case, manufacturers are passing off the cost of security.  Currently, it's difficult to know which manufacturers are providing a better product when it comes to secure devices.  Due to this lack of visibility, companies often are not incentivized to take this cost on as they see no competitive advantage in doing so.  This is a major problem plaguing IoT devices.  I've asked questions about this issue in a few webinars with security professionals and additionally have done research on the policy angle.  The consensus seems to be something along the lines of an Energy Star rating equivalent for IoT devices.  Executive Order 14028, "Improving the Nation's Cybersecurity," has required NIST to create a pilot program to do just this.  NIST is currently in the process of defining the criteria of this program.  While this may or may not be the best long-term solution, it's important that this topic is discussed and that the problem is continuously worked.
