Every bad thing that can happen to a hacked computer can happen to a hacked router.
Coined in 1999, the term “Internet of Things” (IoT) has only recently come into vogue. The term IoT refers to a network of physical objects – devices, vehicles, buildings and/or other items – embedded with electronics, software, sensors and/or network connectivity that enables these objects to collect and exchange data. The objects may be assigned an IP, or internet protocol, address and are able to communicate with one another and with remote things over a network, such as a home network and the internet. The objects may be associated with an environment, e.g., a house, an office, a community, an office park or a municipality.

Consider a household. In a household environment, the objects could be a refrigerator, a milk carton inside the refrigerator, a toaster, a cooking oven/range, an automobile parked in the garage and even a person. All these objects are able to communicate with each other and the internet via the household wired/wireless network. For example, the refrigerator might send a warning to a mobile device if the temperature becomes too high. A milk carton inside the refrigerator might send an alert to the mobile device when the milk’s expiration date is nearing. A person on the way home from work might instruct the oven to preheat. A person’s pacemaker may send data to a doctor’s office about the person’s condition or to signal that the battery is due to be replaced. An automobile might send information about fuel levels and scheduled maintenance. The automobile might also be in communication with a city’s traffic grid so as to guide the vehicle through a less congested route and/or to direct traffic in a manner that minimizes overall congestion.

Inside the household, there will also likely be laptop and desktop computers, video game consoles, smartphones, tablets, etc. that are connected to the network. The objects in this environment may also communicate with servers in the cloud. And so on. The possibilities are endless.

[Figure: Exemplary environment. There are many environments, each with its own specific digital makeup. These are only a few examples: Personal Environment, City Environment, Office Environment, University Environment, Building Environment.]

Because each of these objects is connected to the internet, they are vulnerable to malicious activity, such as a cyberattack. One who gains access to the environment can theoretically control the objects within it, steal valuable and confidential information, spy on the environment, and more.

Commonly, the objects within the environment are part of a local network that is connected to the internet. In the household example, the local computers, refrigerator, oven/range, etc. are part of the local, or home, network. Typically, the interface between the local network and the internet is a modem and a router. The modem connects the local network to an internet service provider (ISP) via a router. The router is connected, either by a wired connection, or wirelessly, to each object. The router’s job is to enable multiple objects in the environment to communicate with each other, and also with the modem, and hence the internet.

Hackers often gain access to a computer within a network by means of viruses, worms, trojans, malicious code, etc.—“malware”—that have been unknowingly loaded onto the computer. Once installed, the malware can take control of the computer and, potentially, anything else on the same network as the infected computer. The risks of these types of attacks may be somewhat mitigated by various software programs, sometimes called anti-malware, that search incoming data and programs for known threats, and/or by a network firewall that helps to block known threats from entering the network. However, since the router sits between the local network and the internet, it can be, and has become, a focal point for an attack to gain entry to the local network and the objects within it and/or to carry out other malicious activity.

The router is a highly specialized computer that operates under control of computer instructions called “firmware.” Thus, like any other computer, a router can be hacked. Every bad thing that can happen to a hacked computer can happen to a hacked router. For example, a hacked router may direct a browser to a disreputable website, even though a legitimate URL was entered into the browser. Usernames and passwords can be hijacked as a result. A router can be hijacked so that it spies on all communications within the local network and/or between the local network and the internet. Once hijacked, the objects connected to the router may be controlled by an unauthorized outsider. A hacked router can even corrupt or disable the automatic update feature of a local computer’s operating system and/or its anti-malware program.

The router represents a particular vulnerability because, unlike other computers, once it is installed, it is usually forgotten, and therefore, not kept updated. In addition, out of the box, routers have a default password that many consumers don’t change after installation. That makes unauthorized access to a router even easier. The chances are good that a typical home router is at least a couple of years old and that its firmware is outdated and vulnerable. Or, there is the real possibility that the router, even though recently purchased, has old firmware, or a newer version of firmware built on an older, vulnerable version that contains the same vulnerabilities as the older version. In fact, the Federal Trade Commission (FTC) recently settled a dispute with a router manufacturer in which the FTC sued the manufacturer for selling routers with security flaws.
The Wall Street Journal has reported on the issue in an article titled “Rarely-patched Software Bugs in Home Routers Cripple Security” and even noted an instance in which recently purchased routers had firmware from 2002.

Were this a desktop or laptop computer, the fix might be simple. You might receive a notice on your computer screen that an update is available for download, or the update might be downloaded and installed automatically. However, the router is a separate component that is not part of the computer itself, and notice of the availability of an update is not ordinarily displayed on the computer screen. The availability of updates must be determined by logging into the router and checking via the router’s interface. For example, many modern routers have a feature that will check the manufacturer’s website for firmware updates when the user clicks on a “Check for Updates” button. Older routers may not have this feature, and may require the user to go to the manufacturer website to check for the latest firmware and then manually install it.

The problem is that most home users rarely interact with the router once they have installed it and/or don’t know how to check, or don’t think of checking, their router for the availability of firmware updates. Moreover, many users may be loath to attempt a firmware update for fear of permanently disabling, or “bricking,” their router and losing all network and internet access. To complicate matters, routers are sold “off the shelf” and router manufacturers don’t know who purchased their routers, much less which model was purchased or the date of purchase, unless the purchaser registers the product with the manufacturer. Thus, unlike automobile recalls, for example, the router manufacturer may have no way of notifying customers of the availability of an update by more conventional means such as mail, e-mail, etc.
All of these problems, and more, were highlighted when the FTC took action against a well-known router manufacturer, referred to in this article simply by the name “RM.” Click here to see the FTC press release. The FTC noted that in RM’s routers, even when a user clicked on the “Check for Updates” button, the latest firmware was not detected or installed because RM had not updated the list of available firmware or because the availability of the latest firmware was not recognized by the router. Additional users reported that the router’s firmware upgrade tool had inaccurately notified them that the router’s current firmware was the latest version when, in fact, newer firmware with critical security updates was available.

The FTC asserted that RM could have prevented or mitigated these risks through simple, low-cost measures, e.g., by: informing consumers about security risks; advising consumers to disable or update vulnerable software; implementing well-known and low-cost protections; and preventing consumers from using weak default login credentials. For the more technically inclined, a fuller explanation of the risks can be found here, and a router security checklist, along with preventative measures that can be taken, can be found here.

RM is not the only company to have been called out for vulnerabilities in its routers, and the types of devices containing security-related vulnerabilities are not limited to routers. For example, certain modems, VoIP phones and IP cameras have been identified as having potential security flaws. See, for example, this article. Thus, any object in the IoT may be vulnerable.
Lest there be any doubt about the FTC’s authority to pursue manufacturers for failing to take proactive measures to secure their routers and other devices, a federal appeals court has held that the FTC has the legal right to sue companies that fail to protect their customers’

1. Don’t rush to get a product to market at the expense of security. Take time to design security into the router at the outset.
2. Design the router through the consumer’s eyes. Make the router easy to use and make the interface simple and intuitive. Build in a self-automated firmware update feature.
3. Make it easy for the consumer to select safe security options. Don’t overwhelm the user with a maze of screens and setup procedures. Consider the security implications of the default password and the router’s default settings.
4. Pay attention to consumer feedback, the market, the press and known or foreseeable vulnerabilities. Be proactive in addressing security issues. Don’t wait for a malicious attack or to hear from the FTC.
5. Consider how to alert consumers about firmware updates and fixes. A security patch is no good unless consumers are aware of it and told how to install it.
6. Learn from other FTC cases. For example, the RM case identifies some specific things to avoid, to wit: weak default login credentials; insecure protocols, especially when safer ones are readily available; disregarding industry-accepted testing measures; and failing to implement even low-cost protections against well-known vulnerabilities.

Contact: Steven J. Rocci, T 215.564.8364

Celebrating the 100th anniversary of its founding this year, BakerHostetler is a leading national law firm that helps clients around the world to address their most complex and critical business and regulatory issues. With five core national practice groups – Business, Employment, Intellectual Property, Litigation, and Tax – the firm has more than 940 lawyers located in 14 offices coast to coast. For more information, visit bakerlaw.com.

Baker & Hostetler LLP publications inform our clients and friends of the firm about recent legal developments. This publication is for informational purposes only and does not constitute an opinion of Baker & Hostetler LLP. Do not rely on this publication without seeking legal counsel. © 2016