
Around six months ago, an Internet service provider (ISP) doing business in the Middle East was forced to ask a security researcher for help in order to regain access to over 15,000 routers it had lost control of.

No, this is not the case of another cyber-attack carried out by botnet operators, like the recent incidents against Deutsche Telekom, TalkTalk, and the UK Postal Office. This is one of those cases where ISPs employ antiquated devices that the hardware vendor doesn't support anymore, and the ISP cannot update its routers.

ISP asks security researcher for help

The hardware expert the ISP called for help is Amit Serper, who's currently leading security research at Cybereason's Boston branch.

"I was doing some pro-bono consulting to a large ISP about router security," Serper recounted to Bleeping Computer on how this collaboration started.

"After our engagement ended, I got a call from the CTO of the ISP telling me that one of their CPE vendors stopped working with them," Serper says. "They were stuck with ~15K devices that they were locked out of."

CPE (Customer-Premises Equipment) vendors are hardware manufacturers that provide the millions of routers and modems that ISPs offer for free to their customers.

Most of these vendors kick the bucket out of the blue, but the ones that last don't usually provide support for devices for more than a few years, and this is exactly what happened, as the vendor shifted to producing a new line of products, completely ignoring the older ones.

In this case, the CPE vendor had stopped collaborating with the ISP, which was now in a precarious situation.

ISP asks researcher to create a "good" exploit

"They [the ISP] had asked me to develop an exploit for them in order to return control over those routers," Serper said. "They had to reflash the firmware with new SSL certificates because the ones on the routers were expiring at the end of the year."

"Their problem was pretty serious," the researcher asserted. The routers would still connect to the network, but the ISP couldn't ship new firmware, being effectively locked out of their own devices.

"Once those certificates expired, those routers wouldn't connect [to the ISP's network]," Serper said.

But things were even worse. "Due to the fact that they did not have control over the device, they [the ISP] couldn't even know where EXACTLY the routers were, so they could contact customers and replace them."

As such, convincing the researcher to hack their routers and find a way to deliver a new custom firmware with updated SSL certificates was crucial to their business.
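The failure mode described above, certificates on unmanaged devices running out and silently cutting the fleet off the network, is the kind of thing an operator wants to catch months in advance. The following is an added example, not code from Serper, the ISP or the CPE vendor: a small Go audit that parses each device's PEM certificate, classifies it as fine, expiring soon, expired or unreadable, and lists the devices that need action. The inventory shape (device id to PEM bytes), the 60-day warning window and the self-signed test certificates are all assumptions constructed for the example; a real ISP would pull the certificates from its provisioning or management system.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus classifies one device certificate relative to a warning window.
type CertStatus int

const (
	StatusOK           CertStatus = iota // comfortably inside its validity period
	StatusExpiringSoon                   // still valid, but fewer than warnDays remain
	StatusExpired                        // NotAfter has already passed
	StatusUnreadable                     // PEM or DER could not be parsed
)

func (s CertStatus) String() string {
	return [...]string{"ok", "expiring-soon", "expired", "unreadable"}[s]
}

// checkCertExpiry parses a PEM-encoded X.509 certificate and returns its status
// plus the number of whole days left before NotAfter, measured from now.
func checkCertExpiry(certPEM []byte, now time.Time, warnDays int) (CertStatus, int) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return StatusUnreadable, 0
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return StatusUnreadable, 0
	}
	daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24) // negative once expired
	switch {
	case !now.Before(cert.NotAfter):
		return StatusExpired, daysLeft
	case daysLeft < warnDays:
		return StatusExpiringSoon, daysLeft
	default:
		return StatusOK, daysLeft
	}
}

// auditFleet runs checkCertExpiry over an inventory (device id -> PEM) and
// returns only the devices that need action. The map shape is an assumption
// made for this example.
func auditFleet(inventory map[string][]byte, now time.Time, warnDays int) map[string]CertStatus {
	flagged := make(map[string]CertStatus)
	for id, certPEM := range inventory {
		if status, _ := checkCertExpiry(certPEM, now, warnDays); status != StatusOK {
			flagged[id] = status
		}
	}
	return flagged
}

// makeTestCert builds a self-signed client certificate with the given validity
// window. Constructed sample data standing in for a CPE's certificate.
func makeTestCert(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	must := func(b []byte, err error) []byte {
		if err != nil {
			panic(err)
		}
		return b
	}
	// Pretend it is 1 December 2016, a month before the end-of-year expiry in the article.
	now := time.Date(2016, 12, 1, 0, 0, 0, 0, time.UTC)
	yearEnd := time.Date(2016, 12, 31, 23, 59, 59, 0, time.UTC)
	inventory := map[string][]byte{ // constructed device ids, not real CPE identifiers
		"cpe-000001": must(makeTestCert("cpe-000001", now.AddDate(-1, 0, 0), now.AddDate(2, 0, 0))),
		"cpe-000002": must(makeTestCert("cpe-000002", now.AddDate(-1, 0, 0), yearEnd)),
		"cpe-000003": must(makeTestCert("cpe-000003", now.AddDate(-2, 0, 0), now.AddDate(0, -1, 0))),
		"cpe-000004": []byte("not a certificate"),
	}
	for id, status := range auditFleet(inventory, now, 60) {
		fmt.Printf("%s: %s\n", id, status)
	}
}
```

The unreadable case is reported rather than skipped on purpose: a device whose certificate cannot be read is exactly the device that will drop off the network unnoticed, which is the situation the ISP above found itself in.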

Serper didn't help the ISP hack its own routers

"Crafting the exploit was a rather simple, two hour task, including research and writing the PoC code," Serper said. "Very little to no attention was given to the security of this product."

But Serper says he didn't hand over the exploit to the ISP, as he was moving to the US, and had no time to deal with the subsequent contracts and implementation procedures. So if the ISP hasn't reached out to another security researcher, if your router mysteriously stops working on January 1, 2017, and you live in the Middle East, you're possibly one of the clients of that mysterious ISP, which Serper declined to name.

The researcher, who makes a living from low-level OS security research, has been reverse engineering router and other IoT firmware as a hobby. Just yesterday, Serper published exhaustive research on two zero-days that affect a few hundred thousand IP cameras.

In the past few months, Serper has been cracking routers for fun, and giving security talks on the insecurity surrounding the Internet of Things domain. In fact, the exploit he crafted for the Middle Eastern ISP was a variation on an exploit he put together in December 2015, demoed in a video on Twitter, and included in a presentation named "The internet of $h1t." [The name of the ISP and the router model in the video are not the ones he was supposed to hack over the summer.]

Overall, Serper has been very critical of IoT security in general. But that's what happens when it takes him about ten minutes to discover a trove of vulnerabilities in his new home's (CPE) router.

It's no surprise that small CPE vendors have problems securing their firmware. If big companies such as Sony can't get their firmware right, then we should expect and plan for all sorts of security-related problems when we buy devices made by no-name vendors.
