NEWS FROM THE 2009 BLACK HAT BRIEFINGS
Exploiting routers can be a high value, and a high effort, activity
- By William Jackson
- Jul 29, 2009
LAS VEGAS — It seems counterintuitive, but routers, which handle so much network traffic, have proved a tough nut for remote attackers to crack.
“It’s a high value target, but we’re not seeing large scale advanced exploits so far,” Felix Lindner, a researcher with Recurity Labs of Germany, said today at the Black Hat Briefings security conference.
The reason is partly in the nature of routers and partly due to the quirks of the most widely deployed router operating system: Cisco’s IOS.
“Routers don’t expose that much functionality to the attacker,” Lindner said. Routing protocols are run internally. In addition, “vulnerabilities in networking equipment often get fixed as functionality issues,” because they require high availability. “They are not even noted as vulnerabilities, as such.”
The current emphasis on client side vulnerabilities also protects routers, because they are seldom, if ever, run as clients.
Cisco’s IOS also makes attacks difficult because of some of its apparent weaknesses, Lindner said.
“Cisco can’t recover from any fault within the software,” he said. Its only option in response to a fault is to crash, making it unavailable to an attacker.
There also is no standard image for any version of IOS, he said. Each image is built from scratch, so the layout of each depends not only on the version but also on who compiled it. This can be a problem for interoperability, which encourages wholesale upgrades of equipment, but it also makes attacks difficult. Finding the right address for a process being attacked is difficult if not impossible, given the 272,722 different known IOS images.
As a result, most reported router exploits have been configuration issues and inside attacks. However, that could change as more research is done on practical router exploits. Analysis of similarities in different images of IOS can identify patterns that could make it easier to find target addresses within the operating system. But it is difficult to do, and keeping a router running to execute an exploit still is not easy.
“This is still not perfect,” Lindner said after outlining some promising avenues of attack against Cisco routers. “This is a work in process.”
Also promising — or troubling, depending on your point of view — is the addition of new services such as voice over IP (VoIP), which can create more client-like attack surface on routers, and the federally mandated Lawful Intercept Functionality, which enables wiretapping and can create vulnerabilities in service provider equipment.
Fortunately, “network engineers are an old school bunch, and they don’t really like to run that crap on their routers,” Lindner said.
The best protection for routers is to keep such services off of networking equipment and in a separate infrastructure, and to make sure that only administrators can talk to the routers, he said.