Researchers at VPN Mentor have found two vulnerabilities in GPON home routers that, when combined, could allow attackers complete control of the device and therefore the network. Ashley Stephenson, CEO at Corero Network Security commented below.
Ashley Stephenson, CEO at Corero Network Security:
“If verified, these home gateways join the escalating category of botnet-vulnerable IoT devices, and they underscore the growing risk of very large botnet-based DDoS attacks. This class of routers typically are directly connected to high speed broadband Internet connections. Once compromised the devices could be covertly “herded” by a bot master to form a botnet large enough to generate high-impact DDoS attacks against victims around the world. This is not the first example of vulnerable IoT devices, and it will not be the last.”
Sean Newman, director of product management at Corero Network Security, has also offered some thoughts of what organisations can do while waiting for a fix to be issued, “If no fix for these routers is forthcoming the best action is for organisations to ensure they are properly protected from the types of attacks which could ensue. The obvious example being large-scale DDoS attacks, from which the best way to protect is using the latest generation of always-on, automatic, real-time DDoS protection solutions.
“Currently, it has been shown that access can be gained to the routers, via these vulnerabilities, and the owners privacy can be violated. There’s no current demonstration that they can have code added which could result in them being recruited into a botnet, for example, to launch an attack, but this shouldn’t be discounted. However, with 1 million plus of these vulnerable routers accessible on the internet, the potential scale of a possible DDoS attack is unthinkable, especially when you consider that Mirai and its variants have been launching attacks with tens of thousands of compromised devices.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.