More than 1,000 owners of Wi-Fi routers were left exposed to potential cyber-attacks after Singapore Telecommunications Limited forgot to secure port 10000 in its Wi-Fi gigabit router devices after opening them up to troubleshoot some Wi-Fi issues.
The oversight not only exposed over 1,000 routers to potential access by cyber-criminals, but also exposed hundreds of IoT devices that were connected to the routers. The ports would have eventually been exploited by hackers had they not been discovered by alert security researchers and reported to CERT Singapore.
According to researchers at NewSky Security who discovered the exposed ports, potential attackers could exploit them to access administrator settings in affected routers and change their passwords, thereby denying original users of such routers from accessing them.
"The ISP SingTel initiated this port forwarding due to troubleshooting an issue with these routers. After they fixed the issue, they forgot to close the port forwarding. As a result, it became possible for attackers to gain full control of these devices from port 10000. Hence, we coined this as 'ForgotDoor'," said Ankit Anubhav, principal researcher at NewSky Security.
He added that a hacked router allows an attacker to reconfigure itself to re-route traffic, monitor data packets, or even plant a malware. At the same time, hackers can also change DNS settings in routers to make all connected devices to visit phishing/malicious/adware related websites.
"The ISP SingTel has disabled port forwarding to port 10000 for the affected routers. Root cause: Port forwarding was enabled by their customer service staff to troubleshoot Wi-Fi issues for their customers and was not disabled when the issues were resolved. ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed," said Douglas Mun, deputy director in charge of SingCERT at the Cyber Security Agency of Singapore.
To protect their routers from potential attacks that exploit exposed ports, he suggests that owners of such routers can consider setting up SSH on an unusual port to evade attacks that target default SSH ports. However, since hackers can identify unusual ports through easily available crawling scripts and services like Shodan, owners of routers need to implement basic IoT security measures such as cautious port forwarding, strong authentication, a trustable firewall / other IoT security mechanism and regular updates.
Commenting on the discovery of exposed port 100000 in SingTel routers, Natan Bandler, CEO and co-Founder of Cy-oT, told SC Magazine UK that this is a daily occurrence and since routers are among the most sensitive assets in organisations, hacking groups are looking for the easiest way to access these assets in order to make money.
"In this case, it seems that there was a misconfiguration of the router which caused the vulnerability. This will always happen- human error will always happen. There's no way to stop it, so it's not simply a matter of making sure that the software is tightly secured, tested and patched. In order to be completely secure, you cannot trust the infrastructure itself. Security should be separate from the infrastructure, and therefore you need an external mechanism.
"You can't trust that a device is secure and protected by design. People assume they are protected all the time, but things happen. Yes, there are patches and this can solve one security issue, but they can also bring in another security issue. There are human mistakes, configuration mistakes - it will always happen.
"We need to take into account that risks and vulnerabilities are around us all the time, so to be protected, organisations need a mechanism that is monitoring all the activity and detects when something is broken. You need to be able to detect when someone is trying to utilise the vulnerability or the risk will always be there," he added.
