
Misfortune Cookie

Started by DebAmstutz, December 19, 2014, 07:01:12 AM


DebAmstutz

Deb Amstutz
Back in the TAM saddle again

Mark

Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

In addition to Misfortune Cookie, there is also this from earlier this year:

http://arstechnica.com/security/2014/02/bizarre-attack-infects-linksys-routers-with-self-replicating-malware/
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: DebAmstutz on December 19, 2014, 07:01:12 AM
I wasn't really sure where to put this, but since it affects routers and such, it ended up here:

http://www.msn.com/en-us/money/technology/misfortune-cookie-flaw-puts-12-million-routers-at-risk/ar-BBgYuXd

I haven't checked out Mark's link, but thought I would post this link that includes a list of suspected vulnerable routers.

http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

My link was not exactly related to Misfortune Cookie, but was an additional vulnerability to home routers.

Also, I think Linksys was just added to the Misfortune Cookie list yesterday.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Joshua Conner

I wonder if custom firmware is affected? I have an Asus, but it has custom Tomato firmware on it.
Joshua Conner
Conner Insurance
Tam 2014 R2
Epic online with CSR24 and Salesforce Integration
39 Employees
Former Vice President Indiana Applied User Group
Webmaster http://www.appliedusergroup.com
Blog http://mylifewithtam.blogspot.com

Jeff Zylstra

Silly question here, but it never ceases to amaze me what ill-advised things computers and routers will allow. In the case of the routers, apparently they are either able to write code to the router or make it pass through the router somehow. Probably by this one, faulty chip. I know that some hard drives require that you either slide a switch or insert a jumper to allow data to be written to them. It would seem like some physical safeguard like that would be possible to insert somehow downstream from other chips or programming that would stop this kind of stuff. If you need to flash your ROM or something, you just insert a jumper and then flash it.

And computers and browsers allow executable code to be downloaded to the temp folder as a "drive by" download. Why? If I want to download something other than HTML code (webpages), I wouldn't mind using another browser or software. It seems like things are too wide open for the sake of relatively little convenience. Or am I over-simplifying things?
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

As far as the router, if data could not be written to it (read: saved), how would you configure it?

As far as browsing, it's a little more complicated than that in my opinion.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Mark on December 22, 2014, 08:29:26 AM
As far as the router, if data could not be written to it (read: saved), how would you configure it?

As far as browsing, it's a little more complicated than that in my opinion.

I was thinking of a physical method, such as a "jumper" pin that would need to be inserted in order to program the router. Maybe you could reset the router if it froze by power cycling it, but not remotely programming or configuring it. It might be a pain, but if you were really concerned with these kinds of attacks, it might prove invaluable.

If I remember correctly, Ironkey did something like this years ago with their USB drives. The drive was read-only until you slid a switch, then you could write to it. I think its purpose was for disinfecting computers with malware without allowing it to spread.

Not sure if VMs/"sandboxes" or proxy servers would have helped this or not, but I think it would have made it at least more difficult. I'm interested to hear any analysis of Sony's corporate IT defenses, but I'm sure that won't ever happen.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Interesting concept, for sure.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Billy Welsh

Quote from: Jeff Zylstra on December 22, 2014, 09:34:10 AM
Quote from: Mark on December 22, 2014, 08:29:26 AM
As far as the router, if data could not be written to it (read: saved), how would you configure it?

As far as browsing, it's a little more complicated than that in my opinion.

I was thinking of a physical method, such as a "jumper" pin that would need to be inserted in order to program the router. Maybe you could reset the router if it froze by power cycling it, but not remotely programming or configuring it. It might be a pain, but if you were really concerned with these kinds of attacks, it might prove invaluable.

If I remember correctly, Ironkey did something like this years ago with their USB drives. The drive was read-only until you slid a switch, then you could write to it. I think its purpose was for disinfecting computers with malware without allowing it to spread.

Not sure if VMs/"sandboxes" or proxy servers would have helped this or not, but I think it would have made it at least more difficult. I'm interested to hear any analysis of Sony's corporate IT defenses, but I'm sure that won't ever happen.

That is an awesome solution, IMHO. No changes, no updates/firmware without the jumper. Just make it a larger-than-standard jumper for the old fogies like me, and easily accessible from the outside. An easy "analog" type solution that requires physical access to the device, so there is nothing that can be "hacked."

A bit of a pain, yes, but I'd gladly put up with that over always worrying that I cannot keep up with the latest greatest digital defenses.
Billy Welsh
VP of Accounting
CableSouth Media, LLC dba SwyftConnect

Mark

"Hacking" doesn't always require anything to be written to the device though. I think more often it is "tricking" it. Not saying this idea is impossible, just don't think it's fool-proof.

Also, in order to keep a DHCP table, it would need to write to the device. Same for logging, if any.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Joshua Conner

I am amazed my home internet is DSL, which has a modem. The company I am with hands out private IPs, so we are all on a NAT. I called and requested a public IP, to which they said OK. I had to log into my modem, which has default passwords, and set it to get off the NAT. I was shocked that it was all defaults and how easy it would be to log into everyone's modems and make changes crippling everyone.
Joshua Conner
Conner Insurance
Tam 2014 R2
Epic online with CSR24 and Salesforce Integration
39 Employees
Former Vice President Indiana Applied User Group
Webmaster http://www.appliedusergroup.com
Blog http://mylifewithtam.blogspot.com

Jeff Zylstra

Quote from: Mark on December 22, 2014, 10:23:22 AM
"Hacking" doesn't always require anything to be written to the device though. I think more often it is "tricking" it. Not saying this idea is impossible, just don't think it's fool-proof.

Also, in order to keep a DHCP table, it would need to write to the device. Same for logging, if any.

Yes, I think that the DHCP table could be an issue and could lead to a kind of "DNS poisoning" of sorts where traffic is rerouted to malicious sites. Not sure whether the firewall could separate those functions adequately or not. And I think that you are correct in that this would not be a foolproof thing, but it may need to be one of many different counter-measures that might include proxies, VMs and other things as well.

I don't remember if it was Jimmy V or someone else who turned their router off at night using a light timer, but I thought its simplicity was brilliant. If you need to transmit or receive, turn it on for 20 minutes or something, then turn it off. Kind of like a "burst transmission". And if you really need to turn on remote access, just call it on the "secret line" using an old-fashioned modem to activate the router. I like those kinds of "low tech" counter-measures.

"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop