With increased home working seemingly here to stay it’s more important than ever that companies mandate strict guidelines to their employees, especially those that have private remote access to critical company assets.
Default Passwords are still everywhere!
Phishing emails are still the number one attack vector for cyber criminals but incidents resulting from router hijacking have seen a massive increase in recent times. Research by the American Consumer Institute last year found that 83 per cent of home and office routers have vulnerabilities that could be exploited by attackers, including popular brands such as Linksys, NETGEAR and D-Link.
One of the biggest issues is that people simply never change their default admin password on their home router. 10 years ago almost all routers shipped with very simple default IP addresses and login credentials as seen in the table below.
|Linksys Default Login||http://192.168.1.1||admin||admin|
|Belkin Default Login||http://192.168.2.1||admin||admin|
|Asus Default Login||http://192.168.1.1||admin||admin|
|Netgear Default Login||http://192.168.0.1||admin||password|
|Synology Default Login||http://192.168.1.1||admin||admin|
While this problem is being addressed by most manufacturers now, researchers at comparitech found that 6.4 percent of the most popular home wi-fi routers sold on Amazon today still use the manufacturer’s default administrator credentials.
Manufacturers like AsusRT and MikroTik do not allow access to the internet via their routers unless the default password is changed to a strong password, but Netgear and XFinity are happy leaving network security up to the user with nearly 1 in 6 of their routers sold in 2021 still having default password access.
The Product Security and Telecommunications Infrastructure (PSTI) Bill
Currently at 2nd reading in the House of Commons the PSTI Bill aims to regulate cyber security for home networks and IoT devices.
Amongst other things the bill will mandate that:
- Easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default.
- Customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn’t get either, that must also be disclosed.
- Security researchers will be given a public point of contact to point out flaws and bugs.
Manufacturers found in breach of this new legislation will face fines of up to £10m or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions.
Does forcing users to change the default password to a user defined one solve this problem?
Yes and no. Clearly, not having your password as admin or password is going to make life more difficult for hackers, it doesn’t necessarily mean your home network is secure.
Israeli security researcher Ido Hoorvitch spent a few days walking the streets of Tel Aviv with a laptop, a network card and a basic antenna. His goal was to ‘sniff out’ as many WiFi networks as possible and then see if he could crack the password. Astonishingly he was successful in over two thirds of the 5,000 cases with a simple open source brute force program.
Firstly, he used 8 digit numbers as many people in Israel use their mobile phone number as their password. This means trying 100 million combinations for each WiFi network which sounds a lot, but for a modern PC this is fairly simple. He was able to access 2,200 networks or 44% of the routers he attempted.
Once he had finished with this method he then followed the same technique but using the freely available RockYou list which contains 14 million commonly used passwords, starting with:
This list unlocked a further 1,350 (26%) networks, leaving only 30% that he wasn’t able to access.
How can you protect against this type of threat?
The router password is the simplest place to start. All companies should have a corporate password policy and this should be expanded to include all device passwords on home networks where home working is allowed.
In the example above, the 8 digit numeric password generated 100 million combinations which can be cracked by a dedicated machine in under 1 second.
By switching to a random alphanumeric password with both upper and lower case characters that same 8 digit password will contain 6 quadrillion permutations which would take nearly 35 days of dedicated brute force without detection to be broken.
Increasing by just one extra character to 9 alphanumeric and the time to break jumps to over 9 years!
|Type||Combinations||Time to Decrypt|
|8 Character, Numeric Only||100,000,000||0.5 Seconds|
|8 Character, Alpha Only, Upper OR Lower case||208,827,064,576||1 Minute 45 Seconds|
|8 Character, Alpha Only, Upper AND Lower case||53,459,728,531,456||7.4 Hours|
|8 Character Alphanumeric, Upper OR Lower case, plus Special Characters||457,163,239,653,376||2.6 Days|
|8 Character Alphanumeric, Upper AND Lower case, plus Special Characters||6,095,689,385,410,816||35.3 Days|
|9 Character Alphanumeric, Upper AND Lower case, plus Special Characters||572,994,802,228,616,704||9.1 Years|
What are the risks to a corporate network?
Sophisticated hackers aren’t generally interested in accessing an individual home network or employee’s computer. The big prize comes from lateral and vertical movement within a company network with a view of causing either major disruption or large financial gain.
By gaining control of a legitimate user’s machine and credentials it’s very simple to access a corporate network and then use a variety of tools to escalate privileges until the payload goal is reached. This process can take minutes, or might be delayed for months for maximum impact and can be very difficult to detect and contain even with sophisticated tools.
It’s not all about the passwords
There is clearly a big problem all around the world with home networks being protected by weak passwords, but that isn’t the only problem facing employers of home workers. Outdated routers that no longer receive security updates and modern routers running old firmware are both very commonplace and are exploited regularly by cyber criminals.
A recent example saw a firmware vulnerability CVE-2021-20090 being exploited which can lead to an authentication bypass and ultimately to device takeover. This is used in the Arcadyan OEM firmware which powers DSL routers from some of the worlds largest telecoms companies including Asus, Verizon, Vodafone, British Telecom, O2 (Telefonica), Orange, Hughesnet, Deutsche Telekom, Telstra and Telus.
It is essential that home routers are kept as up to date as other software systems and operating systems within the corporate network.
For enhanced protection from attacks via home worker machines Kaspersky suggest that you should:
- Opt for forced tunnelling instead of split. Many corporate VPN solutions allow forced tunnelling with exceptions (by default passing all traffic through an encrypted channel, with specific resources allowed to bypass the VPN);
- Disable Preboot Execution Environment in the BIOS settings;
- Fully encrypt the computer’s hard drive using full disk encryption (with BitLocker in Windows, for example).
If you would like some help with your home worker policies, or if you’d like to find out about how our EDR and SIEM solutions can help detect and remediate these types of attacks please get in touch.