Last week, Symantec discovered a worm that infects routers and takes measures to make them more secure. For lack of anything else to call it, Symantec is calling it malware, and most of the security echo chamber is probably howling over this, but I think I understand why it was created.
The malware consists of a Perl interpreter capable of running on the most common router architectures, plus a script that does things like disable Telnet and replace it with a message urging the user to change default passwords.
I’m well aware of the dangers. You’re running code on a computer that doesn’t belong to you, which is illegal, and since it’s not your device, it’s impossible to predict every possible outcome, and it’s possible that this worm will damage some of the devices it’s trying to improve. That’s why creating a cleaning worm that patches vulnerable devices isn’t an accepted security practice.
But infected routers are turning into a big problem, and the manufacturers aren’t interested in solving it. While I can’t condone what the author of this worm did, far be it from me to condemn the action too.
The problem is that routers are inexpensive commodity devices, and people buy based on price and perhaps past experience, and that’s about it. Security doesn’t sell in this space, so nobody tries very hard. If consumer routers were a high school or college class, the valedictorian would have a D+.
Instead, we get devices that will probably function if you just plug them inline between your modem and your computers and turn them on, and if anything, that’s a selling point. It’s not secure, but it functions.
What we need is devices that update themselves at least occasionally, and that when first plugged in, present the users with a wizard when they open up a web browser that asks a few simple questions, then configures itself in a secure manner. This manner of functioning is generally accepted–it’s what Android devices do, and there’s a billion and a half of those and counting out there–and as long as the router ensures it’s not actually in heavy use when it patches and reboots itself, most users will accept that as well.
But we’re a long way from that right now, so that’s why a vigilante wrote a worm to try to clean up some of the mess.
There is one more thing to keep in mind: This malware goes away when you reboot. Most malware does, though if you don’t fix the vulnerability that got it infected in the first place, it’s only a matter of time before that or another worm comes back. But if you want to improve the security of your router, scheduling it to reboot every so often isn’t a bad idea. Moving its IP address off the standard 192.168.0.1 or 192.168.1.1 is another very simple thing you can do, and it dramatically improves router security.