Dr. Eric Cole- Reboot Your Router
In recent news, the FBI recommends that you reboot your router. While good advice, a lot of the news articles to do not really address why this is important and more importantly what other long term measures should be taken. The short answer is many routers used by individuals and small business to connect to the Internet, have been infected with malware that runs in memory. Since it runs in memory, turning off your router erases the content of memory and would erase any of the malicious code. When the router is turned back on, a new version of the router’s operating system is loaded (and at the time this is written, the malicious code did not infect or compromise the stored version of the routers code).
There have been a lot of questions around this topic, so let’s break down what this really means and how to be properly protected online.
TYPES OF MALWARE
There are two general types of malware: persistent and non-persistent. Persistent malware will often write itself to a hard drive and infect the stored image of the operating system. Therefore, even if you reboot the system, the malware would run every time. Non-persistent malware infects the memory of the system, which is volatile memory. This means that when you turn off the system, anything in memory disappears including the malicious code.
For laptops and personal computers that are typically turned off on a daily basis. Persistent malware is the most dangerous. If a device that is turned off frequently is infected with non-persistent malware, the impact and overall damage is minimal. However, with devices like routers and servers that are often running 24/7 and not turned off for years, non-persistent malware can be very damaging.
As of the writing of this article, the malware in question is non-persistent and only infected the running memory. This is the reason the FBI recommends turning off your router and turning it back on again. Compromising memory is often easier than compromising the actual image of the operating system that is used to load the router, each time the device is powered on. Typically, routers do not have hard drives, like a computer and even if they do, the operating system is often written into firmware that does not change that often. In order to achieve long term access to a device, attackers will often go through the extra trouble of making sure their malicious code can “survive a reboot”. Since routers are often never turned off and run 24/7, in this case infecting memory gave the same long term access, without the extra work.
The real question is how are the adversaries going to morph in response to the recommendation for everyone to reboot their system. On the one hand, since many people do not listen to security recommendations, many people will probably not reboot their routers, so the adversary will still have long term access. On the other hand, if enough people do, the attackers may work harder to see if there is a way to infect the system in a persistent manner, so even if the router is rebooted, the adversary still has access. Therefore, it is important to read on and be proactive.
LONG TERM PROTECTION
Rebooting the router is a good recommendation and something that is recommended. But, let’s ask some simple questions: How did the adversary get in? and If the adversary got in once, even if you reboot to remove the malicious code from memory, what’s stopping the adversary from breaking in again using the same method? So is the solution to reboot your router every day, just to be safe.
With any cyber-attack, there are typically 2 steps that need to be taken: a short term fix and a long term fix. The short term fix is to reboot the router. If you are infected, this will stop the malicious code, but nothing stops the adversary from breaking back in again, and again, and again. The long term fix is to figure out how they got in and remove the original means of exploitation.
At the writing of this article the exact means of compromise are not known, but by understanding how attacks work, it is pretty easy to narrow down the list of potential areas and remove them. In order to “hack” a system there has to be 3 conditions:
1) visible IP;
2) means of access; and
3) method of access.
Internet routers by default need to be accessible from the Internet so there is not a lot that can be done about being visible from the Internet. However, for a home or business, those routers should not have to be accessible from the Internet because they will not need to be remotely managed. Yes, larger organizations need to be remotely managed but those routers are not the ones that have been compromised. The routers of concern are for homes and small offices. The problem is the routers that have been compromised have remote administration turned on by default. This is a problem because you should not allow access from the Internet, especially when you do not need it; however by itself is not problematic unless there was a way to get access to the device. Since many of these routers have default passwords that are well known, thus creates the epidemic problem that we are facing today with 50,000+ routers being compromised.
Therefore, the long term protection is to turn off the remote administrative access and change the password. Simple but effective.
THE ROAD AHEAD
Every compromise, every exploit, every cyber security breach is an opportunity to learn. The question is will you embrace the moment and implement proactive security or say it is not going to happen to me, ignore it and wait for the next big compromise. While this post was focused on routers, look around your home and office and ask yourself what other electronics do I have that are connected to the Internet that can be compromised and be proactive. Any device that is plugged in, take the time to change the default password and turn off administrative access. These simple things could be the difference between safe and secure or being the next victim. It is your choice, but choose wisely.