Michael Horowitz
Home => Debunking the New York Times on Router Security
[Formatted for Printing] From the personal web site of  Michael Horowitz
The New York Times on Router Security
The article in question

Debunking the New York Times on Router Security and VPNFilter

June 17, 2018

On June 14th the New York Times ran an article about router security by Brian Chen. The article contained technical mistakes, invented new terminology, and failed to make some very important points, thus depriving non-technical readers of important information.

Who am I to come down on the New York Times?

Google "router security" and my website, RouterSecurity.org is the first hit. Second, is an article about a Router Security presentation I gave back in 2014. I created RouterSecurity.org in late 2015 and have added to it most days since. It's a subject that I am familiar with.

OVERSELLING FEAR

The main source of technical information on VPNFilter comes from the Talos division of Cisco. The published two reports, the first on May 23rd, the second on June 6th. Sophos also published an extremely detailed two-part examination of VPNFilter (Part 1, Part 2).

VPNFilter is bad, of course, but the danger is oversold in one respect. The malware tries to convert secure HTTPS requests to insecure HTTP requests so that it can steal credentials (userids and passwords) in transit. However, the vast majority of passwords are no longer transmitted with HTTP and many websites are exclusively HTTPS.

This very website, for example, always uses HTTPS. Enter   http://michaelhorowitz.com   and the web server running this site will automatically convert the HTTP request into HTTPS. You will never see a page on this site using insecure HTTP. And, of course, if I can do it, so too can large companies. Thus, the passwords available to VPNFilter are few and far between.

So, when the Times article says that VPNFilter "is capable of manipulating your web traffic", it is leaving out the elephant in the room - that it can only manipulate web pages transmitted with HTTP. From the beginning of the web, it has been widely known that HTTP pages can be modified in-flight between from a website to the end user. Before CNN converted to HTTPS, I remember reading about a prankster that would put fake news stories on their home page by modifying the page before the user saw it. Martians landing on the White House lawn and the like. Data manipulation is one of the motivations to moving to secure HTTPS web pages, which can not be modified in transit.

Simply put, HTTPS web pages, such as this one you are reading now, are immune to tampering by VPNFilter. Talos fails to stress this, and the Times article, written by someone unfamiliar with the topic at hand, also fails to point it out. Scaring people is good for business, I guess.

The Times article takes fear mongering to Trumpian heights when it says of VPNFilter:

" ... Attackers could use it to load a fake banking site on your computer browser that looks like the one you normally use and steal your credentials and clean out your bank accounts."

This is not true.

For one thing, Talos said nothing about banking websites.

And, since VPNFilter can only steal passwords from HTTP pages, for this statement to be true, banks would have to use HTTP. None do. I verified that all the large US banks exclusively use HTTPS. Specifically, I tried to load an HTTP version of the home page at chase.com, bankofamerica.com, citi.com, fidelity.com, wellsfargo.com, usbank.com, tdbank.com, capitalone.com and us.hsbc.com. In each case, the sites returned an HTTPS web page. This was not a surprise.

And, then there is the issue of just what is a fake banking website? A bad fake can be done in a million ways, it does not require sophisticated router malware such as VPNFilter. Bad fakes would be CLTL.com (posing at citi.com) or chase-bank-logon.net (posing as Chase bank). A good fake would appear in the browser address bar with the real name of the real site. But, the website would be a scam. This is certainly possible, but requires DNS manipulation, something that VPNFilter does not do. At least, not yet.

Finally, to anyone familiar with VPNFilter, it is clearly a spy thing. Nothing about VPNFilter is profit based. It does no crypto mining or ransomware. Draining bank accounts would be totally out of character for the authors of VPNFilter, whoever they are.

I really have to wonder where the author got this idea from, or, if he just made it up based on not understanding the technology.

The article also says that bad guys could "... load spoof versions of an email site you use to steal your password and gain access to your communications." This seems much like the previous claim, unfounded. Talos said nothing about email, and, like banks, webmail systems are very likely to always use HTTPS when transmitting passwords. In fact, VPNFilter has four exceptions: www.google.com, twitter.com, www.facebook.com and www.youtube.com. It does not bother with its HTTPS to HTTP trickery for these sites, knowing full well they are exclusively HTTPS.

VULNERABLE DEVICES

I also take issue with this statement from the article:

"... base stations from every well-known router brand were a target for this malware, known as VPNFilter..."

VPNFilter does not target every well-known brand of router. Cisco, for example, whose Talos division is the main source of technical information on VPNFilter, said none of their routers were infected. The two mesh routers mentioned in the article, Eero and Google Wifi, are both well-known and have not been infected. Neither have Synology routers or the AmpliFi mesh router. Both Juniper and Peplink said their routers had not been infected. Then too, VPNFilter is not just router malware, it also infects QNAP NAS devices, something the article omitted.

By and large the routers that were targeted were from companies that do not prioritize security. That said, Netgear seems to be taking security much more seriously this year than it had in the past. As a relatively informed observer, the list of manufacturers with vulnerable devices was not a surprise.

The most important point about targeted/vulnerable devices, was left out - the current list is not expected to be the final list. Talos was very clear about this.

VPNFilter uses different infection vectors with different routers. Few router vendors are confident that they know the specific bug that was abused to install VPNFilter on their devices. Thus, any specific router model may be vulnerable with firmware from 2016 but not vulnerable with firmware from 2017. We don't know. As to vulnerable devices we know very little.

One exception is QNAP, which said that their QTS software is vulnerable if it is version 4.2.6 build 20170628 or earlier, or, version 4.3.3 build 20170703 or earlier. They also warn that any QNAP NAS using the default password for the administrator account can be hacked. But, this level of clarity is the exception, not the rule.

IS YOUR ROUTER or NAS INFECTED?

Here my gripe is with what the article left out. It went straight from VPNFilter is bad, to what you should do about it, skipping completely the issue of detecting an infection.

Addressing this subject would have taken some actual reporting.

Neither Talos nor the FBI said anything about what you might experience if connected to an infected router. For example, neither said to watch out for fake banking websites. Nor did they say that you might be taken to a spoofed version of an email site.

The second Talos report said that VPNFilter forwards port 80 to port 8888. Routers that support port forwarding show, in their administrative interface, which ports are currently being forwarded. Can we see the port forwarding on an infected router? Can we detect that port 8888 is open? Don't know.

The first Talos report described how infected routers listen for a trigger packet containing an IP address from which a half-infected router can download the rest of itself and fully infect the host router. Why doesn't the FBI or a technology company offer to test your router by sending a trigger packet with the IP address of a good server? If only some reporter understood the technology.

HOW TO FIX THAT

The article says

"Netgear, D-Link and Linksys said they advised people to install the latest security updates and to choose strong usernames and passwords. TP-Link and Asus did not respond to requests for comment."

This is shameful reporting from a news organization. And brutally lazy.

Both TP-Link and Asus have, in fact, issued responses to VPNFilter. TP-Link issued theirs on May 23, 2018, Asus issued theirs on June 8, 2018. Neither are as impressive as QNAP, but they do exist. And, as noted before, installing the latest firmware is not guaranteed to block VPNFilter since we don't know the infection vector in every case. It's a good thing to do, but not the perfect prevention this article makes it seem to be. And, every vendor said to install the latest firmware, not just the three mentioned in the article.

The instructions for updating router firmware are flawed, but at this point it would seem like nitpicking to go into the details.

ROUTER PASSWORD MISTAKES

The article quotes Dave Fraser, chief executive of Devicescape, saying this about the userid and password used to logon to a router:

"The problem with having a weak username and password is that anybody within range of your router could log in to it and change its settings ... "

This is clearly, obviously not true. Before anyone can try to login to a router, they first have to connect to the router, either via Ethernet or Wi-Fi. A router with a weak password is safe as long as its Wi-Fi security is good. There must be millions of people, literally, that know this.

Then, on the subject of router passwords (not Wi-FI passwords), the article says to

"... change the username and password to something strong and unique. Security experts recommend creating long, complex passwords consisting of nonsensical phrases and added numbers and special characters."

This is not true either.

The security requirements for a router password and a Wi-Fi password are quite different. Encrypted Wi-Fi passwords can be captured while traveling over the air and then be subjected to brute force guessing. No doubt computers can make well over a billion guesses a second by now. This is not true of router passwords. A router password of "TallMapleTrees" is sufficiently secure. A Wi-Fi password, on the other hand, should be at least 15 characters long to resist brute force guessing. Yes, numbers are good, as are upper case letters and special characters. But, complex passwords do nothing to defeat brute force guessing and nonsensical phrases are just that, nonsensical.

TERMINOLOGY

For some reason, the author creates new words out of the blue, which only makes the subject harder for non-techies to understand. For example,

"Network security needs to be high on our list of considerations because a Wi-Fi station is the gateway for devices to get on the internet."

There is no term "Wi-Fi station" in the techie lexicon. The author is referring to a router, so, why not call it a router? The term "station" is sometimes used in techie articles, but it does not refer to a router, it refers to a computer on a network.

The allergy to the word router continues here:

"That means base stations from every well-known router brand were a target for this malware, known as VPNFilter ... "

OK, maybe a router is a base station, but why the new term?

Then, another new term:

"If it is time to update your router, rid yourself of some of these headaches by looking for a smarter router."

Smarter? Routers are not rated based on their intelligence. Dumb vs. smart is not a thing.

Finally, after mentioning the Eero and Google Wifi mesh router systems, the article says:

"For both of these systems, you can also add base stations throughout the home to extend their wireless connections ... "

You do not add base stations. In regard to mesh networks, the term "base station" refers to the device that is Ethernet connected to a modem. There is only one in any consumer mesh network. With Eero, you add Beacons. With Google Wifi you add Wifi points. With AmpliFi you add Mesh Points, and with a Netgear Orbi, you add a Satellite. The generic term for these add-on thingies would be access points. Speaking of which, the article failed to point out the difference between a router, a gateway, a modem and an access point; something that many people do not understand.

HOW DOES THIS HAPPEN?

Imagine a review of a new car that focused solely on the entertainment center and the color of the car. Surely some experts would point out that the engine and the ride should also be considered. But that doesn't seem to happen at the New York Times. Many of the mistakes in this article were surely obvious to techies working for the newspaper. For whatever reason, the paper published an article that many employees knew contained mistakes.

And, this is not the first time. An article on VPNs by the same author back in April of 2017 was, to be kind, amateurish. Clearly the author had no background in the subject matter, tried a few VPNs for the first time and wrote up his experiences. No doubt, many High School newspapers have written more insightful articles on VPNs. Students, no doubt, are motivated to bypass network restrictions.

And, while mistakes are one thing, omissions count too. This article doesn't say anything about disabling router features that can be security problems, Guest Wi-Fi networks, or any of the other security tweaks offered on my RouterSecurity.org site.

Finally, it's a bit ironic that the New York Times links to router recommendations from The Wirecutter which judges routers solely on Wi-Fi seed and range with no regard to security at all. The exact opposite of what this article is about.


Update June 19, 2018. I emailed the paper, pointing them to this blog. Their email auto-reply included this:

"PLEASE NOTE: For security reasons, we do not open email attachments. IF your email included an attachment, please resend your message with all of the information in the body of the email."

Email attachments can be opened safely, it just takes planning. Every email system in the world offers a web interface. A Chromebook running in Guest mode is a safe environment for opening anything. In addition, email messages can be viewed in plain text rather than HTML, which protects from a number of attacks. I do this as a matter of course. If the Chromebook were isolated on their LAN (as I do with VLANs) it would surely be safe enough. Of course, the Chromebook should be re-booted every now and then, just in case. All told, that's five defenses. Not that they should open attachments, the bang for the buck may not be there, but they could open them safely.

 

 

 @defensivecomput TOP Home => Debunking the New York Times on Router Security   
 michael--at--michaelhorowitz.com   Last Updated: June 20, 2018 8 PM  
  License Plate
Copyright 2001-2018
Copyright 2001-2018  
Printed at:   September 24, 2018 7:11pm   ET
Viewed 3,542 times since June 17, 2018 (36/day over 99 days)