Chances are you have a wifi router in your home that broadcasts an internet signal so your devices (laptops, smartphones, tablets, video game consoles, and whatever else) can use it. If you work in an office, chances are you have a router there too. And if you go to your local coffee shop to surf the web on your own device, chances are you’re using the public wifi router belonging to that business. Wireless routers are everywhere, and we use them all the time, wherever we go.
Dangers of wireless routers are real.
Did you know a cyber attacker can utilize one of those many routers you use every day to further their agenda? Hackers could easily be using your router to conduct many types of malicious attacks, like sending harmful spam to unsuspecting victims or using phishing websites to steal passwords. A phishing website is a cyber attacker’s website which pretends to belong to a legitimate company in order to acquire a user’s trust. It feels safe to enter your Netflix password on Netflix’s website, but an attacker can create a phony Netflix website that looks just like the real thing, even using a domain that looks a lot like “netflix.com”—that is, until you look more closely. Once you do, you’ll see the domain name is actually “ṉetflɨx.com” instead. “ṉ” and “ɨ” are characters which look deceptively like “n” and “i” until you squint. That’s one of the ways a cyber attacker can fool you.
Another thing these hackers can do with someone else’s router is conduct DDoS attacks. DDoS stands for “distributed denial of service”: a large number of computing devices are taken over and used in concert to send massive amounts of data to a server or an internet access point, more than it can handle. That overwhelming flood of junk traffic causes the DDoS target to go “out of service” until an administrator puts the device back to right.
Cyber attackers like the idea of using someone else’s router for these spam, phishing, and DDoS attacks, mostly because someone else’s router has a different IP address. For example, an attacker’s own IP address could be blocked by their target’s firewall, which makes borrowing someone else’s a much better idea. Or, in some cases, the router they are exploiting may be blocked by their target’s firewall after their first attack, and this technique means they only need to find a fresh IP address to launch a new exploit.
Cyber attackers can use UPnP.
In March of this year, security researchers found an exploit of the UPnP feature in many home routers, including possibly yours. They wrote:
Universal Plug and Play (UPnP) is a widely used protocol with a decade-long history of flawed implementations across a wide range of consumer devices. In this paper, we will cover how these flaws are still present on devices, how these vulnerabilities are actively being abused, and how a feature/vulnerability set that seems to be mostly forgotten could lead to continued problems in the future with DDoS, account takeover, and malware distribution. Readers must be aware that this is an active vector currently in use to conceal the traffic of attackers. The location of the origin of the traffic is effectively hidden by using vulnerable devices as proxies. Carriers and ISPs need to be aware of the vulnerability, as end users and customers may appear to be hosting content or the source of attacks when the responsible party is actually behind one or several layers of compromised routers. Law enforcement officers should be advised that, similar to other types of proxies, UPnProxy has the potential to make their jobs harder by adding another layer of obfuscation to traffic from criminal actors.
So, what that means is this: UPnP is a technology in many routers that enables “ease of device and service discovery and configuration of consumer devices and networks.” It’s found in video game consoles and media-playing devices too. In a nutshell, it makes it easy for you to set up a new router in your home, or connect a new video game device to your home network, without having to mess around with the technically complicated settings necessary to get everything working properly. It is designed to make life easier for non-technical folks.
It is also possible for many routers, video game consoles, and media-playing devices to act as an internet server! Did you know that? So, UPnProxy is all about exploiting vulnerabilities in UPnP’s implementation so that a cyber attacker can use your device as their own proxy server for their harmful missions.
When researchers discovered UPnProxy, many home routers were patched to block the attack. That’s why it’s important to set up your router so it automatically installs security patches from Linksys, Netgear, or whichever company produced your router. These are security patches for your network device, not for your Windows or Mac computer.
The new UPnP exploit is EternalSilence.
But UPnProxy is back with a vengeance! In November, researchers discovered a new security exploit. They wrote:
On November 7, while working on a project related to the original UPnProxy discoveries, researchers at Akamai discovered a new family of injections, which they’ve dubbed EternalSilence. The name EternalSilence comes from port mapping descriptions left by the attackers. In addition, these new attacks are believed to be leveraging the Eternal family of exploits… Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits.
Remember WannaCry ransomware from 2017? That was malware that infected Windows computers using a Windows exploit called EternalBlue. Microsoft patched EternalBlue after it was discovered. EternalRed is like EternalBlue, but for Linux computers.
Basically, cyber attackers are now using UPnProxy—but instead of using it to hijack a router for their own cyber attacks, they are going through the router to attack the Windows computer or Linux computer that’s connected to it. They are using the Windows and Linux computers as their proxy server for their own cyber attacks, rather than the router itself. This new exploit which combines UPnProxy, EternalBlue, and EternalRed is called EternalSilence.
What you can do.
If you can, disable UPnP on your router—then update its firmware by installing the latest security patches. This can all probably be done from your router’s settings. Also, make sure all your Windows computers have the latest Windows update—and don’t forget to install the security patches on your Linux computers and your Android devices, which both run the Linux kernel.
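As an added example (not part of the original article or of Akamai’s research), here is a small Python script that reads your own router’s UPnP port-mapping table and flags the two patterns described above: a mapping that forwards traffic to a host outside your LAN (the UPnProxy pattern) and a mapping that exposes a LAN machine’s SMB port to the internet (what the EternalBlue and EternalRed exploits behind EternalSilence target). The LAN ranges, the control URL you pass in (it comes from your router’s UPnP device description) and the sample response are assumptions.

```python
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {"139", "445"}   # EternalBlue and EternalRed both target SMB

def parse_mapping(soap_xml):
    """Pull the New* fields out of one GetGenericPortMappingEntry response."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.split("}")[-1]            # strip the XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def classify(mapping):
    """'proxy': the router forwards to a host outside the private LAN (UPnProxy);
    'smb-exposed': a LAN host's SMB port faces the Internet (EternalSilence); else 'ok'."""
    client = ipaddress.ip_address(mapping["InternalClient"])
    if not any(client in net for net in LAN_NETS):
        return "proxy"
    if mapping["InternalPort"] in SMB_PORTS:
        return "smb-exposed"
    return "ok"

def fetch_mappings(control_url, limit=256):
    """Walk the router's table index by index; the router answers HTTP 500
    (SpecifiedArrayIndexInvalid) once the index runs past the last entry."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % SERVICE}
    for idx in range(limit):
        req = urllib.request.Request(control_url, data=(body % (SERVICE, idx)).encode(), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                yield parse_mapping(resp.read())
        except urllib.error.HTTPError:
            return
# Constructed sample of one table entry, in the shape a router returns it.
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>47913</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>445</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>constructed sample</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
```

To audit a real router, loop over `fetch_mappings(control_url)` and print `classify(m)` next to each entry; anything other than `ok` deserves a look, and a mapping you did not create is a reason to clear the table and disable UPnP.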
This is all a matter of router manufacturers and operating system developers keeping on top of the latest security vulnerability discoveries, making security patches—and then you, as the consumer, installing those security patches. It’s a good idea for you to make sure that all of your computers, phones, video game consoles, Internet of Things stuff, and networking devices install the latest security patches automatically.