Saturday, December 10

Millions of Home Wi-Fi Routers Attacked by Botnet Malware – What You Need to Know

Updated Aug 11 with a statement from Verizon and a rough guide on how to check for firmware updates on your model.

Millions of home Wi-Fi routers are under attack by botnet malware, just a week after a researcher published a blog post showing how to exploit a vulnerability in the routers' firmware.

The researcher, Evan Grant, is not entirely to blame for this. He found the flaw (catalogued as CVE-2021-20090) in January, after taking apart a Buffalo-brand router sold in Japan. Buffalo released a firmware patch in April, after Tenable, the company Grant works for, reported the flaw to Buffalo.


The problem is that at least 36 other router models distributed by 20 different companies have identical or very similar flaws, and firmware patches may not yet be available for all of them. Few people realize that a router's firmware needs updating in the same way that a computer or phone does.

Many of these routers are rented or leased to customers by Internet Service Providers (ISPs). In that case, the ISP is responsible for firmware updates.

The routers affected include models distributed by Asus, British Telecom, Buffalo, Deutsche Telekom, O2, Orange, SparkNZ, TelMex, Telstra, Telus, Verizon and Vodafone, among other brands, "potentially affecting millions of devices worldwide", according to a Tenable blog post first published in April and a subsequent Tenable whitepaper.

Router models affected by this flaw

Here is the list of known affected models and the firmware versions in which the flaw was found (blank where no version was listed):

Vendor | Device | Found in version
ADB | Wireless ADSL IAD Router | 1.26SR-3P
Arcadyan | ARV7519 |
Arcadyan | VRV9517 | 6.00.17 build04
Arcadyan | VGV7519 | 3.01.116
Arcadyan | VRV9518 | 1.01.00 build44
ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502
ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305
ASUS | DSL-AC3100 | 1.10.05 build503
ASUS | DSL-AC68VG | 5.00.08 build272
Beeline | Smart Box Flash | 1.00.13_beta4
British Telecom | WE410443-SA | 1.02.12 build02
Buffalo | WSR-2533DHPL2 | 1.02
Buffalo | WSR-2533DHP3 | 1.24
Buffalo | BBR-4HG |
Buffalo | BBR-4MG | 2.08 Version 0002
Buffalo | WSR-3200AX4S | 1.1
Buffalo | WSR-1166DHP2 | 1.15
Buffalo | WXR-5700AX7S | 1.11
Deutsche Telekom | Speedport Smart 3 | 010137.
HughesNet | HT2000W | 0.10.10
KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453
KPN | VGV7519 | 3.01.116
O2 | HomeBox 6441 | 1.01.36
Orange | LiveBox Fibra (PRV3399) |
Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01
SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04
Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44
TelMex | PRV33AC |
TelMex | VRV7006 |
Telstra | Gen 2 Smart Modem (LH1000) | 0.13.01r
Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20
Telus | NH20A | 1.00.10debug build06
Verizon | Fios G3100 |
Vodafone | EasyBox 904 | 4.16
Vodafone | EasyBox 903 | 30.05.714
Vodafone | EasyBox 802 | 20.02.226

As you can guess from the number of phone companies among those brands, a good portion of the affected models are all-in-one DSL gateways, combined modems and routers that ISPs lend or lease to customers.

Others use fiber (such as Fios) or cellular data connections to get internet access, but almost all are routers combined with some type of broadband modem, not standalone routers that need a separate modem to get online.

All of these routers were manufactured by Taiwanese technology maker Arcadyan and then distributed under other names as part of "white label" agreements.

The flaw is what is called a "path traversal vulnerability" in the router's web interface: by requesting specially crafted paths, an attacker who can reach the interface over the network can get at pages that should sit behind the login, bypass authentication, and then change the router's configuration to take control of it remotely.
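To make the mechanism concrete, here is an added illustrative model of this bug class (it is not Arcadyan's firmware code, and the folder names, page names and request samples are assumptions constructed for the example). An embedded web server exempts a few static folders from the login check by testing the raw request path, but decodes and normalizes that path later, when it serves the file. The two views disagree, so a request that begins with an allowed folder and then climbs back out with an encoded ".." slips past the check. The hardened variant makes the decision on the same normalized string it serves:

```python
"""Added example: path-traversal authentication bypass in a web UI
that allow-lists static folders before normalizing the request path.
Not Arcadyan's code; names below are assumptions."""
import posixpath
from urllib.parse import unquote

# Assumption: folders an embedded web UI serves without a login session.
PUBLIC_PREFIXES = ("/images/", "/js/", "/css/")


def resolve(raw_path: str) -> str:
    """URL-decode once and collapse '.' / '..' segments, as the file handler would.
    posixpath.normpath cannot climb above '/', so an absolute path stays absolute."""
    return posixpath.normpath(unquote(raw_path))


def vulnerable_dispatch(raw_path: str, logged_in: bool) -> tuple[str, str]:
    """Bug: the allow-list is checked against the RAW path, but the
    decoded/normalized path is what gets served."""
    resolved = resolve(raw_path)
    if raw_path.startswith(PUBLIC_PREFIXES) or logged_in:
        return ("serve", resolved)
    return ("deny", resolved)


def hardened_dispatch(raw_path: str, logged_in: bool) -> tuple[str, str]:
    """Fix: resolve first, then decide on the very string that will be served.
    Anything still percent-encoded (double encoding), any backslash, or any
    '..' segment that survived normalization is refused outright."""
    resolved = resolve(raw_path)
    if "%" in resolved or "\\" in resolved or ".." in resolved.split("/"):
        return ("deny", resolved)
    if logged_in or resolved.startswith(PUBLIC_PREFIXES):
        return ("serve", resolved)
    return ("deny", resolved)


# Constructed requests: the first three are traversal shapes an attacker would try,
# the last is a legitimate static asset. "/info.html" stands in for a protected page.
SAMPLE_REQUESTS = [
    "/images/..%2finfo.html",     # encoded slash hides the traversal from a prefix check
    "/images/%2e%2e/info.html",   # encoded dots, same effect
    "/images/../../info.html",    # plain traversal, normalized away to /info.html
    "/images/logo.png",           # should be served without a login
]


def compare(raw_path: str, logged_in: bool = False) -> dict:
    """Run both dispatchers on one request so the difference is visible."""
    return {
        "vulnerable": vulnerable_dispatch(raw_path, logged_in),
        "hardened": hardened_dispatch(raw_path, logged_in),
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:30} {compare(req)}")
```

Run as is, the vulnerable dispatcher serves "/info.html" to an unauthenticated client for the first three requests, while the hardened one denies them and still serves the logo. The general lesson is the one Grant's write-up turns on: whatever string a server checks for authorization must be the same, fully decoded and normalized string it later acts on.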

What can you do about it?

Unfortunately, your options are limited if you rent or lease your home router or gateway from your ISP. If that is your situation, and your ISP is one of the brands mentioned above, check the model number on the router to see whether it matches one of the models listed.

Even then it is hard to be sure, because some ISPs do not print the actual model number on the unit. The best thing to do is to contact your ISP's customer service and ask them about it.

If you own your router and have some technical skills, go into the administrative interface to check the model number and firmware version. Connecting an Ethernet cable from a laptop to one of the router's LAN ports is the fastest way to do this.

If your router is one of the models on this list and the firmware is out of date, you will need to check for updated firmware. We have a generic guide on how to update your router’s firmware here, but actually the procedure varies from model to model.

Some newer routers will update themselves and others may have a mechanism within the administrative interface to check for firmware updates. Sometimes you will have to go to the support website of the company whose name is on the router and see if you can download an update from there.

While you are in the administrative interface, look for a remote-management setting (administration from the WAN or internet side) and, if it is enabled, disable it. Turning it off protects you from most router attacks carried out over the internet, including this one.

Does the Verizon router have a firmware update? Stay tuned

One of the affected models appears to be the Verizon Fios G3100, a $300 Fios modem/router combo. We could not find any page on the Verizon website offering a firmware update, so we started a conversation with a Verizon support representative.

The support representative sent us to a chat with the technical team, who insisted that "we make sure that our equipment and services are safe at all levels" and that customers whose equipment is affected by any flaw are contacted by text message.

We asked the technician in the chat whether the Verizon Fios G3100 firmware had been updated to fix the CVE-2021-20090 flaw. The technician replied that they did not have the "deep knowledge" to answer and gave us the generic Verizon contact page.

We have sent an email inquiry to Verizon press representatives and will update this story when we receive a response.

Update: A Verizon representative provided us with this statement:

"Our security teams are actively addressing recently reported router authentication bypass issues. Verizon will provide a Fios router software and/or firmware update to address the issue, which affects approximately 2% of our Fios router customers. There will be no action required by the customer to receive this update."

What about the Asus models?

It was a bit easier to find web pages with firmware updates for the four Asus models Tenable lists as potentially vulnerable. Unfortunately, none of the four appears to have received any new update since at least December 2018.

Here are links to the firmware update page for each model, if you want to check back later: DSL-AC88U, DSL-AC87VG, DSL-AC3100 and DSL-AC68VG.

A serious flaw

Grant published his blog post, which contained details of how the flaw could be exploited, on August 3. On August 6, researchers at network hardware maker Juniper Networks reported that a known malware group had incorporated Grant's technique into its arsenal and was using it to attack Arcadyan-based routers.

The group is infecting routers with a variant of the Mirai botnet malware, which was first detected in the summer of 2016 and was behind several widespread attacks that fall. Once infected, a router keeps working normally for its owner, but criminals can quietly use it to send spam or take part in distributed denial-of-service (DDoS) attacks.

One of Buffalo's models, the WSR-2533DHPL2, contains two further firmware flaws, for which Tenable's blog post included proof-of-concept exploits. Buffalo has also released firmware updates for these.

“The vendor selling you the device is not necessarily the one who made it,” Grant said in his blog post. “If you find bugs in the firmware of a consumer router, they could affect many more vendors and devices than the one you are investigating.”
