CyberWire Daily - Bugs and working from home. [Research Saturday]
Episode Date: October 29, 2022

Fede Kirschbaum from Faraday Security sits down with Dave to discuss their research on "A vulnerability in Realtek's SDK for eCos OS: pwning thousands of routers." The team at Faraday found a vulnerability that made it to DEFCON 30, labeling it high severity. With more and more people working from home for their companies, the research team went looking for where there may be vulnerabilities as employees are working from home. The research states that the team was "seeking and reporting security vulnerabilities in IoT devices, which led to the finding of an exploitable bug in a consumer-grade router popular in Argentina." They also stated in the research that it was escalating quickly, and Fede shares why protecting home networks is important while working remotely. The research can be found here: A vulnerability in Realtek's SDK for eCos OS: pwning thousands of routers
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Our research team was eager to know what the most common routers were actually running. And when we're talking about routers, we're talking about the Wi-Fi router you have currently in your home.

That's Federico Kirschbaum, CEO and co-founder at Faraday. The research we're discussing today is titled "A Vulnerability in Realtek's SDK for eCos OS: Pwning Thousands of Routers."

And that kind of kicked off because, specifically in cybersecurity, we know that IoT devices, sometimes they're built without security in mind. But we never thought it would be this bad. And the idea of researching just a random device actually turned out with this question: who makes your home router? Because we found out that your vendors are using a lot of vendors to build that. And sometimes that's unclear. That's not really easy to find out. And that affects a lot of brands that you didn't even know they could have a vulnerability. So yeah, it became a weekend project.
So I guess a lot of the routers that you could buy are OEMed from a central source. They make this hardware available for other folks to put their brands on. Can you walk us through how exactly you all centered on this particular provider here and how you got to this high severity vulnerability?
So when we decided to do this research, our team decided to go to... we are based in Argentina, and in Latin America our Amazon, it's called Mercado Libre. And Mercado Libre basically provides a list of the most-selling devices in the region. And we found out that there were three brands, different brands, that were the most-selling ones. And by the way, they were the cheapest. And we bought them, all three. Little did we know, these three different brands were actually the same device. They were actually using the same hardware and they were using the same SDK. That means that when we found something and said, okay, this is an interesting finding, and we jumped to the next device, the device was almost the same. And that was kind of the moment we realized, if we find something here, we might be affecting thousands of brands. And the process basically involved opening up, understanding how it works, understanding the supply chain on how this specific vendor distributed their hardware and software to other vendors. And then I think besides the problem we found and how we were able to take advantage of that flaw, I think it all took us by surprise, the amount of hardware that's been sold under different brands, and it's actually the same exact hardware and almost exact same software. So I think that's one of the key things of the research, of understanding the supply chain effect that has this idea of having hundreds of thousands
of routers on the shelves.

Well, let's talk about the vulnerability itself. Can you walk us through that? What exactly are we talking about here?

To put it lightly, it's basically a memory corruption. So that memory corruption allows somebody from the outside, from the internet, without credentials, without any knowledge about how to access the device, to manipulate device memory and execute arbitrary commands or insert a backdoor or reroute traffic. So basically it's the worst type of vulnerability you can have, because you have no control on limiting the impact of that, and you don't have an option that you can turn off so you are not affected. And this vulnerability came by default. To be more precise, the vulnerability was happening in how the router creates mappings when you're using voice over IP. So the device, it's basically listening all the time for specific SIP packages. And when the device detects a SIP package, it's going to trigger a specific configuration to create that mapping between the outside call and the computers that are within the network. The main problem is that their implementation on how to process that specific package is not really well done. And by just sending one package, it would allow us to, first of all, crash the device, but that's not interesting; our routers crash all the time by default. But it allowed us to start thinking on, once you get into a router, what would be the next step for an attacker? And mainly in these days where we're working from home and you're accessing corporate from here, the idea of having no interaction, one packet, exploit. It was kind of what got us going. And that was kind of the first thing that we found on these Realtek devices.
So explain to me, if I'm the person who's trying to infiltrate this router, to take it over, what exactly would I have to do here? And once I do those things, what kind of access do I have?
So normally when we talk about routers and vulnerabilities, normally they are affected by services they expose. So the vast majority of these devices, when you buy them, when you connect them to the internet, they are not exposing anything. They are not exposing an admin interface. They're not exposing any other services, because normally their customers or their clients are on the other side of the network. They're on the LAN side. And if you are able to find a bug in these routers, you normally cannot attack them through the internet. And that's the key difference from our finding. These routers were listening to all packages, but basically processing a specific type of package. So if you're an attacker and you're able to send a malformed VoIP package to a router, that router, when it processes the package, is going to be executing the attacker's code. And that specific piece of code will, first of all, allow the attacker to turn on a remote admin device, for example, Telnet, which is disabled by default. So first of all, he's able to access the device where there were no services. And that gives them admin access to the device. And that's quite an accomplishment, because you can change DNS, so you can reroute the client's traffic to somewhere else, and you can start thinking. But having a shell, it's just one of the first steps. And our research team found that the device itself had the ability to write an arbitrary piece of data in the flash, and they were able to write a specific command that allowed us to create tunnels. So basically create a mapping between an internal host and an external port, but also to port scan. Just the idea of showcasing the ability of an attacker, of what happens when they have control. And when they have control, they can modify any option, they can create new options or new tools, and they are able to find more targets to attack. So this would be kind of arriving to a beach and just trying to invade the most part of the network. So these are awesome ways to get in. And to be more precise, this specific type of vulnerability was not easy to find and to detect, because the service is embedded in the networking stack of the device. So the only way to know if that device was vulnerable was actually attacking it. And since it's UDP, you could, if you're somebody who wants to have a lot of access, can easily spoof that UDP package and basically mass scan the internet. And in the beginning, we thought it was just an issue for a couple of routers. Yes, it was an OEM. Yes, it was Realtek. But when we started digging more deeply before our lecture at DEF CON, we found out that some devices in some countries, they were configured differently and they were exposing some versions. So we were able to understand how much and how many they were on the internet. And just on a non-default setup was around 70,000 devices from all over the planet. And we're talking about the most different configuration we saw from all the routers that we tested. So if you're an attacker and you're thinking on how to attack next, you're always looking for the easy way in. And having access to the most important device on your network that can alter how your computer behaves, it's something quite rewarding from the attacker perspective, and can give the attacker a perspective that it's difficult to detect. It's easy to gain access to other computers once you're in. And you get a perfect scenario for them. Listening, sniffing, or just modifying traffic.
Now, how has Realtek responded to this? Is there a patch available?
Yes. So when we discovered this finding, at that time, we didn't understand how bad it was. We actually submitted like four CVEs. And the team at Realtek was quite responsive. We had the classic conversation between a vendor and security researchers. For them, it was not severe. For us, it was. The only way to prove it is by exploiting it and showcasing how bad it was. And with a little back and forth, they were able to submit a patch. And this is, I would say, one of the interesting things. If they supply the patch, also the vendors who are using that SDK need to apply that patch. And when we're talking about other vendors, we're talking about the customers of Realtek. Because at the end of the day, they are the ones who purchase the hardware and the accompanying SDK to make their own router. And that small difference, it's, I think, the main problem we would have with IoT. Once you build it, no one will maintain it or have that in mind. That was one of the things. So yes, they supplied the patch. Many vendors applied it. But I think many others will never do it. And Realtek was kind enough to provide us with a bug bounty. Do you want to know how much was the bug bounty?

Yes.

So we were honored, and they paid us a thousand Taiwanese dollars. And in the beginning, like, okay, that ain't bad, unless you do the conversion rate and you go to $34 for this bug. The good thing is that we could pay 75% of the router we bought for the research.
Huh.
So, I mean, just to be clear here, I mean, so Realtek is an OEM supplier. You inform them of this issue, they come up with a patch for it. But then, as you mentioned, I mean, it's up to the folks that they provide this hardware to, the other people who put their names on this OEM product, to have that, to apply that patch. But I suppose the bigger issue is that there are tens of thousands of these out there that are likely never going to be patched. The users probably aren't aware that they have an issue, and there's no way to automatically push a patch to them, right?
Exactly, because the patch that Realtek provided, it's not exact in fashion for their framework that other vendors are using. And again, we are using the most cheap router you can find. It's something that when you see it, it's like, I wouldn't buy that. But that's the problem. If you or myself would buy a router, we wouldn't buy those. But what we found out is it doesn't matter. It's the same pricing for several brands. It could be double, triple the price, but actually the hardware and what's running inside, it's the same. So we're talking about people who may have the option of buying a router and they decided to buy the cheapest router. Or we're talking about ISPs that bought routers by the thousand and they apply their branding on top. So for example, Brazil, it's a country that got pretty affected by this vulnerability. And the differences between the original firmware and theirs, normally it's customization around specific config on their provider or just branding logos. And I'm not sure those devices are available to apply the patch directly. They need an overview from the vendor who customized that SDK. Because at the end of the day, Realtek is providing the hardware, most of the connectivity around their system on a chip, and they are giving you the code so you don't have to rewrite the web server, the WPA2 config. But there is another part of that. It's made by the vendor. And I think as a security researcher, it gives me a lot of interest in understanding how supply chain works and how Realtek is going to take care of their customers on their behalf. And I think that's the most challenging thing this problem has.
Yeah.
So suppose that I'm the person at an organization who's responsible for security, and I have a whole lot of my employees who are working from home. Maybe they're using their own devices here or going through, as you say, their ISP. Is there a way that I can scan or have them check to see if they're using this hardware?

Yes, there is a way. And I'll put two scenarios for everyone's taste. The first scenario, which I think is the most friendly one, would be sending a piece of code to your employees' computers and test what router is running at their home. That could be basically found out through their MAC address or just capturing the admin interface from the router. That could be the easiest way, but you would need collaboration or you would need some sort of admin access to their computers so you can execute a piece of code that can give you an answer. That would be a great idea to understand how many of my employees are running a router that might have this vulnerability or maybe others. If we go to the specifics of the vulnerability that our research team found, we have GitHub where we supply all the information on the OS that is running this specific Realtek device. And we also provide a piece of code that is a proof of concept that, unless you're using a specific device that is the one that we use, it's just going to crash that device. And that would be a test as well. Basically getting all your users from the VPN concentrator IP addresses and start one by one, just crashing the routers. If they lost internet, they're vulnerable. That would be the easiest way. I wouldn't say it's the most political one.
Right, right.
But it works.
It works, exactly.

And if you're in a hurry, that's a problem. But to be honest, the main problem happens afterwards. If an employee is vulnerable, you have two options. You can patch, or you can try patching, or you need to submit a new router. And that's kind of the difference. The companies that we try to protect end up taking more responsibilities on the hardware that the employee has in their home, what type of setup, what kind of investment. And sometimes that's a little bit overseen.
It's a really good point. I mean, you know, we spend hundreds or thousands of dollars on setting up our employees with laptops or computers and so on and so forth. And here, there's a high possibility of compromise through an inexpensive router that is sitting there doing its job and not drawing attention to itself, but could be the real problem here.
Indeed. And I think there is a second takeaway from our research. The type of vulnerability that was found was not interesting. And when I mean it was not interesting, I mean this is the exposure of a big failure. They were using insecure C functions. They were using just a string copy in the wrong place in the wrong time. The problem is not that. The problem is that it's 2022, and this problem has been there since the 90s. We have the tooling, we have things that you can detect on the pipeline when you're building. It's like having a misspelling on the front cover of a major newspaper. There are things in control that are there that, A, they're not being respected, or B, they're being ignored, which is even worse. So that's the second takeaway that I'd like to share with you, Dave. This idea of the problems that we face from the security are not new. And that's the main problem. It still affects millions of devices. And it's because somebody decided to ignore a warning from their static security analysis tool. And that's what worries me. I wish problems were a little bit more complicated sometimes. And having this scenario creates a lot of doubts on all the devices that I currently own.
Our thanks to Federico Kirschbaum from Faraday Security for joining us. The research is titled "A Vulnerability in Realtek's SDK for eCos OS: Pwning Thousands of Routers." We'll have a link in the show notes.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.