Home routers with little to no security are far too common. They’re dangerous from a number of perspectives: as peeping holes for spying on people’s daily web use, for filtering stolen files and for launching distributed denial of service (DDoS) attacks, where the power of combined compromised machines is used to flood target websites with traffic, thereby knocking them offline.
Such rank insecurity has allowed the likes of the infamous Lizard Squad, responsible for numerous Microsoft Xbox Live and Sony PlayStation Network outages, to build up sizeable botnets consisting of hundreds of thousands of routers.
With vendors failing to act and users either unbothered or unaware of their home’s part in huge web attacks, vigilante hackers the White Team, who emerged from the shadows last year, decided to take action. The anonymous hackers built their own peer-to-peer botnet (where the network shares resources without a single point of control) that infects routers to close off vulnerabilities, such as weak default passwords for administrator access to devices. Their malware, which continues to be updated, removes other malicious software already on the system.
Last year, initial analysis indicated the White Team had 10,000 routers under its control. But the crew told FORBES it now has access to between 50,000 and 70,000. Mario Ballano, a Symantec researcher who is watching over the botnet, said that looking at his stats, “it’s very plausible that 70,000 devices were infected at some stage”.
The White Team not only has some detractors in the security world due to the illegality of their work, but in the criminal world too. Lizard Squad even sent a mocking email to the vigilantes from one of its main admin accounts, which the account’s owner confirmed to be genuine. That mail from last year read: “You wasting your time, bot count wasnt affect [sic] by your dumb shit. Still 150-200k strong. Being a whitehat you get a shit salary (no more than $200k), always behind the game. I never work day in life [sic].”
A spokesperson for Lizard Squad told FORBES its botnet contained somewhere between 120,000 and 150,000 bots. They claimed to include not just PCs and routers, but fridges and other smart home devices too (this could not be independently verified and Lizard Squad has told fibs before — but security company Proofpoint claimed in 2014 that fridges, televisions and other connected home devices had been used in a spam botnet, not a DDoS botnet).
White Team’s plan to remove Lizards from your home
The White Team said it believed it would be able to hack and protect 150,000-200,000 devices from Lizard Squad attacks, removing the reprobate crew from its digital hiding places in people’s homes. That’s one heck of a technical task, especially when working with malware, known as Wifatch, that is often too big to install on smaller routers. “The goal is to use (most) of the 60,000 nodes we have to connect to the hundreds of thousands of boxes that are too small for our normal disinfector and disinfect them remotely,” the collective told FORBES over encrypted email.
The crew is comparing the files it finds on routers to a full library of malware samples taking up a whopping 40GB of storage, which is too big to lump on routers it has hacked, White Team said. “On the other hand, imagine 400,000 nodes requiring database accesses every hour: this will overwhelm any of the boxes we control.” The hacker said they didn’t want to rent a server to host their files, as it would be too difficult to remain anonymous.
As law enforcement flounders and White Team builds up its operation, Lizard Squad continues to profit from its control of all those hacked machines. The Lizard Squad spokesperson told FORBES it was about to launch a “booter” service on top of its Lizard Stresser, which grants buyers control over the botnet to launch attacks against whomever they wish. The booter is cheaper at a $10 monthly subscription and can be paid either in Bitcoin or by post.
With the recent increase in extortion via DDoS attacks, where criminals hold businesses to ransom by knocking them offline and demand money to cease the bombardment, these products become an even greater menace, drastically lowering the bar for wannabe digital criminals.
Vulnerable devices everywhere
Both White Team and Lizard Squad have only been able to access so many machines thanks to hundreds of thousands of unsecure devices that can be hacked with little to no effort. Reports of more vulnerable routers pour in every week. On Friday, researcher Zach Wikholm, from San Diego-based hosting provider CARI.net, issued one of what will be many warnings on devices with either weak default passwords or no authentication whatsoever.
He discovered the Cambium ePMP 1000 hotspot used a default username of ‘admin’ and the same word for the password to access the router via Secure Shell (SSH), a protocol for secure remote login. Wikholm discovered three additional web access accounts on the device with default usernames and passwords of “installer”, “home” and “read-only”, the latter granting limited access, but the others permitting administrator-level control over the router.
Cambium told FORBES it shipped its networking goods to ISPs and it advised them to change the default settings as soon as they received devices. It also noted SSH access was limited to tools that improved the operation of the router, whilst other accounts with default passwords could either be given stronger credentials or removed entirely.
Wikholm discovered problems in AirOS and EdgeMax devices from Ubiquiti too, claiming all current products had the default username and password of “ubnt/ubnt”. Such is the level of access possible to an outsider that an attacker could “create additional users, change system settings and reset the device to factory default”, he wrote. “Ubiquiti devices make for a great target.”
Ubiquiti had not responded to a request for comment. Its devices have been used in DDoS attacks in the past, as anti-DDoS provider Incapsula noted last year. The firm found tens of thousands of Ubiquiti machines running on ARM processors were infected with ‘MrBlack’ malware to launch sizeable attacks.
Over the last year, Wikholm found that more than half of the attacks his company saw originated from network providers primarily comprised of residential customers. The message was clear: people’s home technologies were being compromised en masse for further criminal use.
More vigilantes vying for a safer web
Wikholm doesn’t believe vigilantes are the answer to the widespread vulnerability. They help downplay the issue, he told me.
But the White Team aren’t the only vigilante hackers trying to secure the Internet. Just last week, anti-virus company Avira discovered one of the most active financial malware types, Dridex, was delivering the firm’s security software rather than the bank login pilfering kit.
Avira believes the most likely explanation is that a distribution channel of the Dridex botnet was taken over by a do-gooder hacker. “There is a possibility that a white hat has hacked into infected web servers using the same vulnerabilities the malware authors used in the first place and has replaced the bad stuff with the Avira installer,” said Kroll.
“While what they are doing is fundamentally helpful, it is also technically illegal in most countries, so they probably don’t want to be known or identifiable.”
At least in the US and the UK, vigilante hackers are still deemed criminals. But the White Team, which hasn’t responded to requests for comment in the last week, said it hadn’t had any trouble with law enforcement. “We are not aware of anything, which either means they haven’t found us yet, or more likely, nobody bothered because, after all, it’s hard to accuse us of actual evildoing so far,” White Team added.
Even if some vigilantes are taken down, hacker wars will continue to be fought in people’s homes as long as there are vulnerable devices ripe for exploitation.