Emerging threats: Attacks via MIPS devices
First of all, if something has already been invented and has been seen in-the-wild more than once, it’s very likely to occur again and again, especially if the attacks were profitable for the cybercriminals.
As we recall from history, the beginnings of malware for each platform seem to be similar. For example, right now the numbers of malicious files for mobile and 64-bit platforms are still minute compared with x86 malware, but no one can deny that they are growing fast and will probably dominate the malware market once the older architectures fade away.
Prevalence – most people have such a device in their homes, be it an ADSL modem provided by their ISP or a Wi-Fi router which allows them to share their Internet connection between desktops, laptops, tablets and other devices;
Stealth – network devices are an ideal place for malware to lurk as no one gives a second thought to their security. Installing malware on a router instead of on a PC or Mac means that it will not be detected by contemporary desktop antivirus solutions;
Easy access – with lots of vulnerabilities and a lack of awareness among most users, MIPS devices are just what the cybercriminals have been looking for;
Constant access – routers usually run all the time and are rarely rebooted or powered down – ideal for the bad guys!;
Constant control – by taking control of a router, an attacker can transparently monitor all the traffic on a network and search for packets containing sensitive information;
Mass DNS redirections – one of the most lucrative prospects for the cybercriminals: changing the IP addresses of DNS servers results in completely transparent redirection to malicious or phishing sites of all the hosts in the network.
What can be done to reduce the security risk?
Users should ensure that they use strong passwords, check their security settings and update their firmware and any relevant software regularly – at present, these are the only things they can really do.
The rest is squarely in the hands of the vendors – the only people who can change the devices’ designs. The first step should be to implement randomly-generated default passwords, unique for each single device. Some vendors already do this.
Also, some newer devices have many more secured settings than their predecessors – which do not allow remote access with default credentials. However, there is still a lot of work to be done. UPnP implementation needs to be rewritten and SNMP should be used in its secured version only. Greater emphasis should be placed on firmware vulnerabilities and firmware security, so every device should be thoroughly security tested before being released.
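The user- and vendor-side advice above can be turned into a small self-check that a home or small-office administrator can run against their own router's settings. The following is an added example written for this article, not code from Kaspersky Lab or from any router vendor. It covers three of the points made: verifying that the DNS resolvers the router hands out are the expected ones (the mass-DNS-redirection risk described earlier), verifying that the management login is not a factory default, and verifying that SNMP is limited to version 3. All inputs (the resolv.conf text, the resolver allowlist, the default-credential list and the SNMP settings dict) are constructed placeholders; in practice they would be read from the device's configuration or DHCP lease.

```python
"""Router posture self-check (added example; hypothetical helper, not vendor code).

Checks that map to the advice in the article:
  1. DNS resolvers handed out by the router are in a trusted allowlist.
  2. The management login is not a well-known factory default and is not short.
  3. SNMP, if enabled, uses version 3 only and no default community strings.
All sample data below is constructed for illustration.
"""
import ipaddress
import re

# Constructed allowlist of resolvers this network is expected to use
# (addresses from the RFC 5737 documentation range, placeholders only).
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed, illustrative list of factory-default logins to compare against.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root"),
}

# Constructed resolv.conf as a DHCP client might write it; the second
# nameserver is deliberately outside the allowlist to trigger a finding.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.0.2.53
nameserver 198.51.100.7
search home.lan
"""


def parse_nameservers(resolv_conf: str) -> list:
    """Return the valid IP addresses from 'nameserver' lines in resolv.conf text."""
    servers = []
    for line in resolv_conf.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # skip malformed entries rather than failing the whole check
    return servers


def check_resolvers(servers, trusted=TRUSTED_RESOLVERS) -> list:
    """Return resolver addresses that are not in the trusted allowlist."""
    return [s for s in servers if s not in trusted]


def check_credentials(username: str, password: str, defaults=DEFAULT_CREDENTIALS) -> list:
    """Flag factory-default logins and short passwords on the management interface."""
    findings = []
    if (username, password) in defaults:
        findings.append("management login uses a factory-default credential")
    if len(password) < 12:
        findings.append("management password is shorter than 12 characters")
    return findings


def check_snmp(snmp_config: dict) -> list:
    """snmp_config is a constructed dict, e.g. {"enabled": True, "versions": ["2c"], "communities": ["public"]}."""
    findings = []
    if not snmp_config.get("enabled"):
        return findings  # SNMP off: nothing exposed
    insecure = [v for v in snmp_config.get("versions", []) if v != "3"]
    if insecure:
        findings.append("SNMP versions without authentication/encryption enabled: " + ", ".join(insecure))
    if any(c in ("public", "private") for c in snmp_config.get("communities", [])):
        findings.append("SNMP community string left at a well-known default")
    return findings


def audit(resolv_conf: str, username: str, password: str, snmp_config: dict) -> list:
    """Run all checks and return the list of findings (empty list means all checks passed)."""
    findings = []
    rogue = check_resolvers(parse_nameservers(resolv_conf))
    if rogue:
        findings.append("untrusted DNS resolver(s) in use: " + ", ".join(rogue))
    findings += check_credentials(username, password)
    findings += check_snmp(snmp_config)
    return findings


if __name__ == "__main__":
    sample_snmp = {"enabled": True, "versions": ["2c"], "communities": ["public"]}
    for finding in audit(SAMPLE_RESOLV_CONF, "admin", "admin", sample_snmp):
        print("FINDING:", finding)
```

Run against the constructed sample data, the script reports five findings: one rogue resolver, a default credential that is also too short, an SNMP version without authentication, and a default community string. Replacing the placeholders with the real allowlist and the values read from the device turns it into a repeatable check to run after every firmware update or settings change.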
Author: Marta Janus, Kaspersky Lab Expert.