Since the inception of Mirai, IoT attacks have diversified, using varying types of attack vectors to gain access to connected devices. Despite the differences, IoT attacks can be loosely classified into three levels: Level 0 (attacking a device with no authentication), Level 1 (guessing a weak/default password), and Level 2 (using an IoT exploit to gain access). While one might expect that level 0 attacks can be easily prevented and should no longer be happening given the rising awareness of IoT security, our findings do not suggest the same.

The IP list of Singtel Wi-Fi gigabit routers with port 10000 wide open shows devices that can be easily accessed and controlled by potential attackers, as we describe below:

The login feature of these devices was set to be disabled, as shown below:

(Screenshot: login feature disabled)

When potential attackers access Advanced settings -> Administration, they can enable the “login feature” and then get the opportunity to change the router’s login password. Once a new password is set, the original owner of the device may be locked out of it.

We also noticed that most of the affected routers had multiple devices connected to them. As a result, the impact is not limited to those 975 routers but extends to every device behind them. The total number of affected devices is 975*x, where x = average number of devices connected per router.

Example: information on connected devices, as listed on the “connected_devices.htm” page.

Root Cause Analysis: ForgotDoor

Unauthenticated access through the routers’ port 10000 made us suspect that this was either a case of mass gross negligence by the users or a backdoor. We informed CERT Singapore of our findings, and CERT Singapore then brought the issue up with SingTel. Interestingly, the root cause proved to be something different from what we anticipated. In simple words, the ISP SingTel had set up this port forwarding while troubleshooting an issue with these routers. After they fixed the issue, they forgot to remove the port forwarding. As a result, it became possible for attackers to gain full control of these devices through port 10000. Hence, we coined the name “ForgotDoor” for this case.

Quoting Douglas Mun, Deputy Director in charge of SingCERT at the Cyber Security Agency of Singapore:

The ISP SingTel has disabled port forwarding to port 10000 for the affected routers. Root cause: Port forwarding was enabled by their customer service staff to troubleshoot Wi-Fi issues for their customers and was not disabled when the issues were resolved. ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed.

The Importance of Router Security

IoT devices are not rated equally when it comes to the impact of a breach. While devices like IP cameras are usually abused for DDoS attacks, the scope for abusing a compromised router is much wider.

A hacked router allows an attacker to reconfigure it to re-route traffic, monitor data packets, or even plant malware. Earlier, in May 2018, attackers were observed exploiting several Draytek routers and changing their DNS settings to point to a suspicious IP. Such a malicious DNS change can send every connected device to phishing/malicious/adware-related websites and has the potential to harm the victim far beyond the usual IoT DDoS attacks (for example, an attacker-controlled DNS server could resolve banking domains to similar-looking phishing sites). In April 2018, hackers had already been found hijacking DNS settings on vulnerable and poorly secured routers.

Conclusion

This case of routers left at the mercy of attackers with no authentication does not seem to be rare. Just two weeks ago, NewSky Security observed another level 0 compromise involving thousands of routers with no telnet authentication.

Letting your IoT devices connect via non-standard ports can be useful in some cases. For example, running SSH on an unusual port spares the device from many brute-force attacks that target the default SSH port. However, this practice should never be considered a replacement for basic IoT security. With easily available crawling scripts and services like Shodan, it is easy for attackers to discover which unusual ports are in use.

While vendors/ISPs are often held responsible for holes in IoT security, end users can also take actions to avoid most of these threats. The various levels of IoT attacks can be combated with cautious port forwarding, strong authentication, a trusted firewall or other IoT security mechanism, and regular updates.
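The root cause above (a troubleshooting port forward that was never removed) and the “cautious port forwarding” advice both come down to reviewing the forwarding table on a schedule. The following is an added example, not NewSky Security’s or Singtel’s code: a small audit over a constructed rule table that flags forwards reaching the router’s own management ports, forwards with no expiry, and forwards whose expiry has passed but which are still enabled. The rule format, the management-port set and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Ports that expose a router's own management plane. A WAN forward that lands
# on one of these hands the admin UI to the Internet (assumed set; the Singtel
# case exposed the UI via WAN port 10000).
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080, 10000}


@dataclass
class ForwardRule:
    """One port-forwarding entry (constructed format, not a vendor's)."""
    name: str
    wan_port: int
    lan_ip: str
    lan_port: int
    enabled: bool
    expires: Optional[date] = None  # troubleshooting forwards should carry one


def audit_forwards(rules: List[ForwardRule], router_lan_ip: str,
                   today: date) -> List[Tuple[str, str]]:
    """Return (rule name, reason) pairs for every enabled rule worth reviewing."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue  # disabled rules expose nothing
        if r.lan_ip == router_lan_ip and r.lan_port in MANAGEMENT_PORTS:
            findings.append((r.name, "forwards WAN traffic to the router's own management port"))
        if r.expires is None:
            findings.append((r.name, "no expiry: a forgotten rule looks identical to a permanent one"))
        elif r.expires < today:
            findings.append((r.name, f"expired on {r.expires.isoformat()} but still enabled"))
    return findings


# Constructed sample table and audit date (not taken from any real device).
ROUTER_LAN_IP = "192.168.1.1"
SAMPLE_TODAY = date(2018, 6, 15)
SAMPLE_RULES = [
    ForwardRule("support-remote-admin", 10000, "192.168.1.1", 80, True, date(2018, 5, 1)),
    ForwardRule("nas-ssh", 2222, "192.168.1.20", 22, True, None),
    ForwardRule("old-cam", 8080, "192.168.1.30", 80, False, date(2017, 1, 1)),
]

if __name__ == "__main__":
    for name, reason in audit_forwards(SAMPLE_RULES, ROUTER_LAN_IP, SAMPLE_TODAY):
        print(f"{name}: {reason}")
```

Running the audit against the sample table reports the support forward twice (management port and expired) and the NAS forward once (no expiry), while the disabled camera rule is ignored.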

NewSky Security is committed to making the IoT threat landscape safer by contacting ISP/CERTs as soon as we encounter an issue with IoT security.