Yet another misuse of 126.96.36.199 in the figures.
Actually, it was a mistake NOT reserving more human-friendly IP blocks for documentation/example purpose. The three /24 blocks reserved all fail blatantly because nobody remembers them, and they look as unsuspicious as normal blocks.
188.8.131.52/24 would be a much better choice because people would easily remember them and know it's not "real", just like you would not take a phone number 123-4567 on a filled form as "real" (even though it might be).
Next time you make anything, please remember to design for humans.
I thought my home network was secure. Last week, I turned on my Surface and its lock screen had a "remote session active" screen. Before I could do anything, it turned itself off. When I turned it back on, it showed "low battery" and turned off. I have no idea if this was a bug or somebody remotely accessed it. I had everything updated to the latest software/firmware. Remote desktop itself was disabled on the Surface (though it had "allow remote assistance" enabled). I didn't have router web administration enabled. Router admin password as well as wifi password were unique, 15-20 chars long and I never used them anywhere else. Same thing for my Microsoft account that I use for Windows login. Wifi also had MAC address filtering enabled. There was only one more person using my network, and it's unlikely they would do this because I don't think they know my password. And I don't think they are that technically knowledgeable other than to use a PC for browsing. I also had a Synology NAS with OpenVPN. Router was configured to forward the VPN port, but Synology's firewall was configured to allow connections only from 2 IP ranges that my phone gets when on mobile network. Strangely, after this incident, I turned off the VPN and now my NAS goes to sleep properly. It never used to sleep before. I sit right next to the NAS and I could hear the HDDs reading/writing all the time, although slowly. I always used to think maybe someone was slowly copying files from my NAS.
I had earlier set up a pfSense box purely for ad blocking and to keep out Google/Microsoft creepware. But I had stopped using it because of the learning curve. Now, I am learning how to properly configure it.
It's kind of amusing if you think about it. In olden days, people had to worry about physical attack of their house. Nowadays, I am more worried about these virtual attacks.
To save some googling, as neither this article nor the Akamai report defined “APT”:
Why is UPnP even a thing? I mean, with NAT hole punching you can do P2P, and if you are hosting anything (web server or even bit torrent), manually forwarding a port should be within your reach.
I've been using an OpenBSD based router for years with no UPnP support and never had any issue (like unable to play online games or anything). I'm really curious why it's present on all home routers.
Ok. What specific steps should we be doing to ensure a home router is configured safely?
Please assume a consumer grade router given by the ISP and _maybe_ another one bought off the shelf at a box retailer. Also assume unable or unwilling to flash firmware.
The full Akamai report linked from the article also outlines that this technique (accessing UPnP from the Internet while pretending to come from the LAN) allows exposing the router's LAN services (e.g. web interface) on the Internet. I wouldn't be surprised if it could also be used to scan your LAN and to connect to any local machines, to access unauthenticated resources and to brute-force your passwords.
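A defender-side check for the exposure described in that comment, added here as an example and not taken from the article, the Akamai report or any commenter: it parses the IGD `GetGenericPortMappingEntry` responses a router returns for its NAT table and flags mappings that point at the router itself (a LAN service such as the web interface exposed on the WAN) or at an address outside the LAN (the router being used as a proxy). The sample responses, the LAN prefix `192.168.1.0/24` and the gateway address are all constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET


def _resp(ext_port, proto, client, int_port, desc):
    """Build a constructed WANIPConnection GetGenericPortMappingEntry
    response in the shape an IGD router returns (not captured from a device)."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            '<NewRemoteHost></NewRemoteHost><NewExternalPort>%s</NewExternalPort>'
            '<NewProtocol>%s</NewProtocol><NewInternalPort>%s</NewInternalPort>'
            '<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>'
            '<NewPortMappingDescription>%s</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
            % (ext_port, proto, int_port, client, desc))


# Constructed sample NAT table: a normal mapping to a LAN host, one that
# exposes the router's own web UI, and one whose "internal" client is an
# outside host (203.0.113.7 is an RFC 5737 documentation address).
SAMPLE_RESPONSES = [
    _resp(25565, "TCP", "192.168.1.20", 25565, "game server"),
    _resp(8080, "TCP", "192.168.1.1", 80, ""),
    _resp(47455, "TCP", "203.0.113.7", 443, ""),
]


def parse_mapping(soap_xml):
    """Flatten the New* elements of one response into a dict without the prefix."""
    root = ET.fromstring(soap_xml)
    return {el.tag.split('}')[-1][3:]: (el.text or '').strip()
            for el in root.iter() if el.tag.split('}')[-1].startswith('New')}


def audit_mappings(responses, lan_net, gateway):
    """Return (reason, mapping) pairs for entries that should not exist on a home router."""
    lan = ipaddress.ip_network(lan_net)
    gw = ipaddress.ip_address(gateway)
    findings = []
    for m in map(parse_mapping, responses):
        client = ipaddress.ip_address(m["InternalClient"])
        key = "%s/%s -> %s:%s" % (m["ExternalPort"], m["Protocol"], client, m["InternalPort"])
        if client == gw:
            findings.append(("router-service-exposed", key))   # LAN admin service on the WAN
        elif client not in lan:
            findings.append(("external-proxy-target", key))    # traffic relayed to an outside host
    return findings


if __name__ == "__main__":
    for reason, mapping in audit_mappings(SAMPLE_RESPONSES, "192.168.1.0/24", "192.168.1.1"):
        print(reason, mapping)
```

Against a real router the responses come from walking `NewPortMappingIndex` against the WANIPConnection control URL; any entry flagged here is a reason to delete the mapping and turn UPnP off.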
How do I know if my router is affected? EDIT: nvm, here is the list https://www.akamai.com/us/en/multimedia/documents/white-pape...
Nothing is going to change until this kind of stuff affects the financials of the people using these bad router configs, compromised internet of thing devices, malwared computers, and anything else that creates a bunch of outbound traffic.
It should be impossible to be unaware that your home network's outbound is saturated all month. It's ridiculous.
This Phrack article predates their 2011 reference to successful UPNP exploit by 3 years.
UPNP is a mess and I'm not even sure if there is a way to properly make it secure.
I'm surprised that there are no TP-Link routers on the list of affected manufacturers.
I know I'm a strange fellow, but I am having a hard time understanding why consumer grade routers are such garbage.
I have been using 2x wall-mounted industrial mini PCs running Debian to cover a 2400 sq two-story house. They just work. They have no software that is tricky or unknown. Hell, the one that has a cross connect to the cable modem even runs a firewall. Speeds blow consumer routers out of the water. I even have a guest network so the visitors can access the internet and not see anything else they are not supposed to have access to. Cost? $300 for both.
Had experience with multiple ISPs pushing their own heavily marked-up and broken routers. I assume it's a good money maker.
If only there was a sliver of corporate responsibility and associated punishment, probably a big ask from governments benefiting handsomely from the vulnerabilities despite the loss to the citizens they represent.
Guess it could be considered a new form of taxation? National security only really extends to the physical domain.
We have found a large amount of routers hitting our servers at my current job, routers with poor or no security. It seems as if they tend to be using email password dumps and just going through their lists through these routers trying to log into our site.
One of the reasons I went to using Google WiFi at home was that I did not want to worry about things like this or keeping my network gear up to date.
I sent an Email to Telecom Serbia warning them that ZTE ZXHN H1X8N XDSL modems they've been giving to customers are vulnerable and they should push new settings through CWMP that disable UPnP.
How many home routers are there in the world? 65,000 actually sounds like a shockingly low number to me.
My router is affected but I would never enable UPnP or remote management ...