Orange Cyberdefense will be attending RSA Conference 2021, demonstrating their cutting-edge research around the risks posed by secure remote access. We interviewed Wicus Ross from the Orange Cyberdefense Security Research Centre, to get a sneak peek on the recent findings concerning issues with home routers and Wi-Fi connections.
Not really. The tactics, techniques, and procedures used by attackers remained fundamentally unchanged during the examined period. Our research shows that the lockdown, because of governments' response to managing the COVID-19 pandemic, had a marginal impact on the volume and intensity of attacks. In the article titled 'Hidden impact of COVID', published in our Security Navigator 2021 report, we note that attackers pivoted quickly to use COVID-19 as a lure, but this lasted only a short while before moving on to other themes.
We found that attacks targeting people (e.g. phishing, water holing and scams) have been featuring more often than in the year preceding the pandemic, but did not make the news more often during, or because of, the COVID-19 lockdown period. We saw that COVID-19-related social engineering attacks spiked in Q2 of 2020 and then dropped off in Q3, while other significant security events involving ‘the human’ remained constant for that period.
For us, the most relevant is to focus on the impact of the crisis on the systemic factors and the first that comes to my mind is of course the massive adoption of remote working, secured by remote access technologies.
What we see is that there are some security issues with home routers and Wi-Fi connections. Even if they integrate a part of security by design, they still need to be patched and configured correctly, which is, unfortunately not always the case.
Our research shows that a compromised home router changes the threat model. A home router, for example a Wi-Fi Access Point (AP), or any other IoT device for that matter, is typically a powerful, fully functional Linux computer that is connected to the same LAN as the user’s endpoint and is being ‘trusted’ by the endpoint in several ways. For example, the home router controls or influences network configuration (IP address, routes, DNS settings, network boot settings), web content, connectivity, and more. This puts a malicious or untrusted router in a very powerful position.
Much of our research has to do with reframing concepts that seem obvious through the lens of the attacker. For example, because the AP controls DNS lookups, it can influence where connections from the endpoints go. Because the AP controls routing, it can influence how traffic flows to the enterprise network, and even whether it goes through the remote access tunnel or not. Because the AP controls access to the internet, it can prevent the remote access tunnel from being established or convince the endpoint it is behind a captive portal. Under the right circumstances, an AP could even convince an endpoint to boot up an entirely different operating system, defined and controlled by an attacker. And those are only the elements we’ve been able to think up thus far.
We created the following three examples:
I must add that those are rare attack scenarios, but still real. Surely all these problems are mitigated when the user uses a remote access technology to establish a secure connection to the enterprise network.
In our research, we ran a set of six threat scenarios against six different remote access technologies in different configurations. The results demonstrate that in a scenario where the attacker has all the power of a compromised AP, only the most rigorously configured secure remote access makes any difference. The learning is simple: the configuration is key and the “standard” mode, like most cases with most technologies, is not enough.
It is important to emphasize that secure remote access technologies do work and are indispensable to protect a network. But these technologies have limits, and good practices also need to be implemented.
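The points above about the AP controlling DNS and routing suggest a simple endpoint-side check: does traffic to the corporate network, and to the DNS resolver the endpoint actually uses, leave via the remote access tunnel or via the home router? The following is an added example (not code from Orange Cyberdefense or their research) that performs that check offline on constructed `ip route` style output; the interface names `tun0`/`wlan0`, the addresses and the prefixes are assumptions chosen for illustration.

```python
"""Audit whether enterprise hosts and the in-use DNS resolver egress through the
remote access tunnel (assumed: tun0) or through the untrusted home router (wlan0).
Route tables below are constructed samples, not captured from a real endpoint."""
import ipaddress
import re

# Matches the start of an `ip route` line: destination, optional gateway, device.
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

# Constructed: split tunnel, only 10.0.0.0/8 goes through the VPN.
SPLIT_TUNNEL = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 scope link src 192.168.1.50"""

# Constructed: "full tunnel" via the two /1 routes that outrank the default.
FULL_TUNNEL = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 scope link src 192.168.1.50"""

def parse_routes(text):
    """Parse route lines into (network, gateway, device) tuples; skip unparseable lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False), m["gw"], m["dev"]))
    return routes

def egress_device(routes, address):
    """Longest-prefix match: return the interface that would carry traffic to `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, _gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def audit(routes, tunnel_dev, addresses):
    """Map each address to True if it egresses via the tunnel, False if it bypasses it."""
    return {a: egress_device(routes, a) == tunnel_dev for a in addresses}

if __name__ == "__main__":
    # The DHCP-assigned resolver is the AP itself (192.168.1.1); 10.1.2.3 is a corporate host.
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, audit(parse_routes(table), "tun0", ["192.168.1.1", "10.1.2.3", "8.8.8.8"]))
```

Note that even with the "full tunnel" table, queries to the resolver handed out by the AP (192.168.1.1) still match the directly connected /24 and never enter the tunnel, which is exactly the DNS-control problem described above unless the client also forces its resolver onto the tunnel.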