Your Home Internet Router May Have Caused the Xbox-Playstation Outage On Christmas Day

I have been meaning to write about this for a week now, but a conversation I had last night with a security-geek friend (thanks, Tim!) allows me to combine two posts.  Happy Friday!

First, the subject line.  Lizard Squad, the group that claimed responsibility for shutting down the Microsoft xBox and Sony Playstation networks on Christmas Day said that the shutdown was an advertisement for their web site stressing service (called a Stresser or Botter).  For literally a few bucks, you can subscribe to their service and “stress test” your web site.  Of course, if you “accidentally” point the stresser to someone else’s web site you get to say “gee, my bad!”.

Of course the cops might not be very happy with you, but they have to find you.  If you use anonymisers and TOR and pay for the service with bitcoins, etc., etc. and you do all that right, you might be hard to find.  Of course, the stresser service, located in Bosnia, is not going to help the police, so you don’t have to worry about them outing you.  Anyway, you get the idea.

So how did the Lizard Squad group generate enough traffic to take down both Sony and Microsoft – two companies that probably have pretty robust networks and data centers?  Now I am back to the subject line of this post.  They hacked your home internet router!  Really, no kidding.  I wrote several weeks ago about Rompager, the bug in the web interface in millions small office/home office routers that allows an attacker to take over the router.  In addition to that, many people don’t bother to change the default userid and password of their SoHo router and voila, Lizard Squad has millions of routers to do their bidding.  According to Brian Krebs, Lizard Squad hacked into bunches (that is a technical term) of vulnerable routers and added some code that allows them to command your router to attack whomever they want.  Even though this malware is pretty crude, it does not give itself away if you log in to the web interface of the router, so you have no easy way to tell if your router has been hacked.

To add insult to that, they are sucking up your bandwidth, reducing the performance of your internet connection and contributing to your bandwidth cap if you have one.

Nice, huh?

Brian and others have several suggestions like making sure that you patch your router, change the default password and turn off WPS, if you can.  What the heck is WPS you ask?  Well, let me tell you.  It gets a bit technical and this post is getting long, so here is a link if you want more details.

The second part is that the router manufacturers thought that all this password stuff was too complicated for users, so they said that instead of remembering that password, we will print an 8 digit pin on the bottom of the router and if you have that, you can just ignore that pesky password and connect to the router.

To make matters worse, the way they implemented it, they did it as two 4 digit passwords and many routers just allow you to try all 10,000 combinations to complete the first part and then another 10,000 combinations to get the second part and you are in.  Any idea how long it takes a computer to try 20,000 4 digit numbers?  Not very long.  Seconds to minutes and the attacker is now in your router.  Combine that with the fact that the router doesn’t lock you out if you try, say, 1,000 bad PINs (that would be inconvenient for the user, of course) and you have a hacker’s paradise.

An alternative that some router makers have come up with is a red button on the router that you push when you want to connect.  This is more secure because it is only active for a couple of minutes after you push the button and you have to have physical access to the router.  BUT, in order to get the WPS logo, you MUST implement the totally unsecure PIN mechanism.

Some routers do not allow you to disable WPS (the PIN approach).  Other routers, like some Cisco and Linksys routers, allow you to disable WPS, but don’t ACTUALLY disable it – in order words, they just make you think WPS is disabled.  Some routers do actually let you disable either the PIN portion of WPS or all of it.  Some routers don’t have WPS.  Those are probably the most secure.  Bottom line is that you have to be way too much of a geek if you want to protect yourself.

This post is already way too long – especially for a Friday.  Feel free to contact me if you have questions.