Security Firm Detects 57M Attempts to Exploit 2-Year-Old Router Firmware Backdoor


The case of the Netis router firmware backdoor shows you that even if a company puts out a patch to resolve security issues, the problem lingers on for years, as users fail to update their devices, or the patch itself fails to properly fix the issue.

In 2014, Trend Micro researchers announced they found a hidden user account in the firmware of Netis routers.

The backdoor was an always-open UDP port (listening on port 53413) that allowed an attacker to reach the internal network via the router’s WAN interface.

Patch didn’t fix the issue

The Chinese company that sold that particular router put out a patch to mitigate exploitation attempts, but didn’t remove the account completely.

Hackers found ways around the patch, and many devices were left unpatched, mainly because the firmware update procedure involved a complex series of operations that many users didn’t have the technical skills to follow through.

Exploits that leveraged the backdoor soon appeared and spread like wildfire, including this one on PasteBin.

There are millions of exploitation attempts each month

Trend Micro, the company that discovered the flaw, added specific rules in its security systems to detect exploitation attempts for this backdoor, back in August 2016.

In only three months, the company said that telemetry data picked up 2.9 million exploitation attempts on around 5% of its customer base. Extrapolating this number to its entire clientele, Trend Micro estimates that there must have been over 57 million attempts to exploit the backdoor in the last three months alone, which is a massive number.

Most of these incidents are recursive attempts to find vulnerable devices. These attacks are carried out by automated scanners that look for the vulnerable port and try to authenticate with the backdoor’s credentials. Because of this, the Trend Micro numbers do not accurately reflect the number of vulnerable routers.

A more accurate statistic for the number of compromised Netis routers is provided by The Shadowserver Foundation, which claims to have identified over 15,000 hacked Netis routers, which is more than enough to build powerful DDoS botnets and bring down websites.
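The gap between attempt counts and affected devices can be seen in a defender's own flow logs. The following is an added example, not code from Trend Micro or Shadowserver: it separates inbound probe volume on UDP 53413 from the hosts that actually answered. The CSV layout, the addresses and the `scan_threshold` parameter are assumptions, and a reply only shows that the port is reachable, not that the device was compromised.

```python
import csv
import io
import ipaddress
from collections import defaultdict

BACKDOOR_PORT = 53413  # UDP port named in the article

# Constructed sample flow records (hypothetical CSV layout, documentation IP ranges).
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port
2016-11-01T10:00:01,udp,198.51.100.7,40112,203.0.113.10,53413
2016-11-01T10:00:01,udp,198.51.100.7,40113,203.0.113.11,53413
2016-11-01T10:00:02,udp,198.51.100.7,40114,203.0.113.12,53413
2016-11-01T10:00:02,udp,203.0.113.11,53413,198.51.100.7,40113
2016-11-01T10:05:40,udp,192.0.2.99,51000,203.0.113.10,53413
2016-11-01T10:05:41,tcp,192.0.2.99,51001,203.0.113.10,53413
2016-11-01T10:06:00,udp,203.0.113.10,53,192.0.2.50,53413
"""

def summarize(flow_csv, our_net="203.0.113.0/24", scan_threshold=3):
    """Separate probe volume from hosts that actually answered on UDP 53413."""
    net = ipaddress.ip_network(our_net)
    attempts, pending = 0, set()
    targets_by_source = defaultdict(set)  # external source -> our hosts it probed
    responders = set()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue  # the article describes a UDP listener
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        sport, dport = int(row["src_port"]), int(row["dst_port"])
        if dst in net and src not in net and dport == BACKDOOR_PORT:
            attempts += 1
            targets_by_source[str(src)].add(str(dst))
            pending.add((src, sport, dst))
        elif src in net and sport == BACKDOOR_PORT and (dst, dport, src) in pending:
            responders.add(str(src))  # our host replied to an earlier probe
    probed = set().union(*targets_by_source.values())
    scanners = sorted(s for s, t in targets_by_source.items() if len(t) >= scan_threshold)
    return {"attempts": attempts, "hosts_probed": len(probed),
            "responders": sorted(responders), "scanners": scanners}

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

Hosts listed under `responders` are the ones to patch or to shield with a WAN-side filter on UDP 53413 first; the attempt count alone mostly measures scanner activity.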


The problem with today’s router and IoT vendors

Today’s Internet is full of unsecured IoT devices and unpatched networking equipment. Because these devices are often very hard to patch and update, it is of great importance that vendors ship secure and thoroughly tested firmware out of the box.

A recent experiment carried out by Errata Security researcher Rob Graham revealed that unknown attackers had scanned and compromised an out-of-the-box surveillance camera 98 seconds after it had been plugged in.

Unfortunately, good firmware often implies more R&D, more investments, and sometimes more powerful technical specs, which many vendors aren’t willing to accept.

Today, most vendors gripe about the costs of a screw, let alone the costs needed to develop and run thousands of pen tests. As such, there are very few companies that provide solid products out of the box, and without laws and consumer protection regulation in place, most vendors won’t bother to fix their devices after the fact, let alone deliver solid firmware out of the box.