Router reboots and related VPNware issues

Discussion in 'General Discussion' started by Fell, May 29, 2018.

  1. Fell

    Fell Guild Admin Staff Member

    I haven’t seen a thread pop here yet on this, so I thought I’d ask since we have a number of security experts: “What’s the deal with this alleged router hacking story out there and the FBI asking for router reboots? What are you doing, if anything, in response to the issue? Any good articles you’ve seen that break it down in mere mortal terms?”
  2. Fell

    Fell Guild Admin Staff Member

    https://blog.talosintelligence.com/2018/05/VPNFilter.html

    So I read the above article, and I feel I can get the 80/20 gist of what's happening. Still would love anyone's expert or semi-expert opinions. I have a Linksys router, so in theory I could be affected, but I'm honestly not savvy as to whether my setup has auto updates or not. So, tonight I plan to "check/update my shit", which is advice often given around here...
  3. HittingSmoke

    HittingSmoke AoA Emeritus

    There are still a lot of unknowns about VPNFilter. You'll see a lot of people blaming default login credentials, but in truth it's unknown how wide in scope the initially exploited vulnerabilities are. Default login creds don't explain an infection this widespread when the router models mentioned don't expose the admin interface to the WAN and have shell access disabled by default. Your best bet for making sure you aren't infected is resetting your router completely back to defaults (not just a reboot), then flashing a freshly downloaded firmware image from the website. If you're running a Linksys you most definitely do not have automatic updates.

    As for my thoughts on exploits like this in general, I've said it here before. Throw out that consumer-grade Best Buy garbage. It's not foolproof. MikroTik makes good routers and they were reported to be infected. BUT consumer routers rarely if ever get firmware updates and when they do they're very small fixes. They don't comprehensively update the packages used on the router to address all security vulnerabilities or even performance bugs. Most consumer routers are just micro Linux distros running the same software that you can install on any old Debian or RHEL server. Except that software is always grossly out of date and riddled with very well known vulnerabilities.

    I usually install Ubiquiti gear. The Edgerouters are popular but can't do automatic updates. A Unifi Security Gateway, AP LITE, and a Controller are a fantastic combination and support automatic updates through the central management interface on the controller. It's a steep initial investment (especially if you need a switch for more LAN ports) at around $250 for the router, AP, and Controller cloud key. Here's how it's broken down:

    Unifi Controller - $75/free: This is a server. Instead of your router interface living on the router itself, it's controlled by a remote server that you can host in your house. The interface is very clean and easy to use despite having some advanced features you won't find on a consumer-grade router. You can buy the Cloud Key for $75, which just hosts your controller on Ubiquiti's servers; you can host your own by downloading it for free to any old computer you have lying around, including a Raspberry Pi; or you can just forget the controller and use the Unifi app. The mobile app works well for home users who don't need advanced capabilities of the server like logging, captive wifi portal, etc. However, you'll only be able to control your network equipment with your phone, not your PC. So I usually recommend the one-time initial investment of getting the Controller software set up or buying a Cloud Key.

    Unifi Security Gateway (USG) - $100: This is the router. It's like the super popular Edgerouter, but instead of having its own web interface with advanced command line access, it opts for a more approachable interface with the Unifi Controller software. The dumbed-down options are enough for home users and even small offices. It also has intrusion prevention, though that feature targets higher end devices, so it will bottleneck your connection if you enable it on the base model. You can still use passive intrusion detection though. This router is nice because it brings your wifi and router configuration under one roof instead of two, which is what you usually get with a separate router and access point.

    Unifi AP LITE - $80: This is an access point that will kick the shit out of any off-the-shelf router's wifi. The UI for configuring the access point in the controller gives you an extreme amount of feedback and control for optimizing your environment. It will optimize your channels not just for other competing wifi, but for non-wifi interference, which your off-the-shelf crap won't do. It also does band steering to keep your devices on the best wifi band for the signal strength, using a single SSID for 2.4 and 5 GHz. They also handle multiple APs per site, so you can bathe your property in a single hotspot without dealing with repeaters or any of that shit. For $130 you can get the Pro model with even better MIMO tech, if your devices support it, for more speed.

    Unifi Switches - >=$100: Since each piece of the network is specialized gear, you're not going to get a lot of ethernet ports on your router. You get one port for your modem and two LAN ports. Generally a switch is plugged into one for more ethernet ports, and an access point is plugged into the other for wifi. You don't actually need a Unifi switch. You can buy any old TP-Link switch for $30 from Amazon if you want. The Unifi Switch could come in handy if you have a ton of LAN traffic and need full gigabit throughput on every port simultaneously. In reality you don't need a managed switch this nice, so just use a cheap TP-Link.

    This not only provides better security, but the up-front cost pays off in the long run when a new wifi standard comes out and instead of throwing out your whole router, you just replace your access point and everything else on the network still works. The USG is gigabit capable so technology-wise as long as they keep updating the firmware and the controller software it will last until you feel the need to go beyond gigabit internet. This gear will last you a very, VERY long time.

    This probably sounds like a sales pitch but every chance I get I try to convince people to ditch their shitty Linksys and Belkin routers. I'd post screenshots of mine but I don't use a USG at home so all non-wireless-related options are disabled. You can explore the Unifi Controller software to see how nice and clean it is here: https://demo.ubnt.com. The nav buttons in the top left are statistics and client management. The settings icon in the bottom left will take you to the network settings where you can see how the firewall and other router features are configured.
    Fell likes this.
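    The "flash a freshly downloaded firmware image" step above has one check worth doing before you write anything to the router: confirm the file you downloaded is the one the vendor published. The shell function below is an added example, not code from this thread or from Ubiquiti or Linksys. It assumes the vendor publishes a SHA-256 next to the download and that coreutils `sha256sum` is available; every file name in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded router firmware
# image against the vendor-published SHA-256 before flashing it.
# Assumptions: the vendor lists a SHA-256 beside the download; `sha256sum`
# (coreutils) is installed. File names here are placeholders.

# verify_firmware IMAGE EXPECTED_SHA256
# Returns 0 only if IMAGE exists, does not look like an HTML page that the
# browser saved in place of the image, and its SHA-256 matches EXPECTED_SHA256
# (compared case-insensitively, since vendors print hex either way).
verify_firmware() {
    image="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"

    [ -f "$image" ] || { echo "no such file: $image" >&2; return 1; }

    # Common failure: the "download" is really a login or error page.
    if head -c 512 "$image" | grep -qi '<html'; then
        echo "$image looks like an HTML page, not a firmware image" >&2
        return 1
    fi

    actual="$(sha256sum "$image" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $image" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    echo "$image verified OK"
    return 0
}

# Usage (placeholder names; paste the hash from the vendor's download page):
#   verify_firmware FW_IMAGE.bin <vendor SHA-256> && echo "safe to flash"
```

    If the function fails, re-download from the vendor's site rather than flashing; a mismatched or HTML-shaped file is exactly the case where a "fresh" image would not clean anything up.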
  4. Fell

    Fell Guild Admin Staff Member

    Holy fballs dude that’s a lot to digest, but I will. After reading that article I posted I actually follow what you’ve said here, at least at first scan. Linksys is claiming certain routers do update, but to your point, the claims they make are likely overblown.

    Sounds like these guys can brick infected boxes so it’s not like a wait and see approach and act only if your shit starts throwing up will work. Your first notice might be a dead router if they choose to burn the network as a defensive move. Or just out of malice.
    HittingSmoke likes this.
  5. Fell

    Fell Guild Admin Staff Member

    This setup doesn’t sound a whole lot more expensive than what I put into my MIMO setup with Linksys. I think I paid somewhere between $200-300 for my router. Eliminate the switch, since I only need one downstream port for my smarthome router, and it’s really close in $ outlay. I’m gonna fix what I got for now and really consider the modular solution you suggest. I’m particularly interested in having more tools to monitor what’s happening inside what is now a black box, and in having some sense of security that vulnerabilities are being addressed both actively and, where appropriate, passively. Really good info.
    HittingSmoke likes this.
  6. HittingSmoke

    HittingSmoke AoA Emeritus

    Fell likes this.
  7. Fell

    Fell Guild Admin Staff Member

    I couldn't tell from the article if the antenna would be a stage 1 or stage 2/3 installation, meaning, would the software on the antenna survive a router reboot? Maybe I'm not asking the right question; the Ars article went just a tad beyond my ability to fully comprehend. As I understood it the router was the primary beachhead. Maybe that's the point of the article, that there are other devices that can act as a beachhead?
