It was all over the news. Russian hackers are inside home Internet routers across America, spying on us, stealing our identities, meddling with elections, and who knows what else. But don’t worry – just reboot that little box with all the wires connected to it and it all goes away. And if reboot is too technical a word, then unplug it and plug it back in. Just like your toaster. And to really make sure, press a little teeny tiny button and reset it back to its factory settings (which will probably break your Internet connection, but just call your ISP and they’ll fix you right back up). Here are a couple of links to typical fluff articles:
- From close to where I live: FBI Urges After Russian Hacking: Reboot Your Routers
- From the San Jose Mercury News: FBI: Reboot your router to help defeat malware attack
Sometimes, we dumb things down so much, the information is worse than worthless.
Why is anyone surprised about Russian attacks? The United States and Russia have been adversaries since the end of WWII. If Russian hackers can find a way to use our Internet connections as a weapon, we should spend less energy on outrage and more energy understanding and defending against it.
More importantly, why do we throw away our critical thinking skills when the subject is technology? Does it bother anyone that this problem has been growing since 2016 and nobody noticed it until recently? I understand that not everyone in the United States is a software engineer, but even toddlers use cell phones and computers these days. Isn’t it about time the public acquired some Internet literacy?
Forget the Internet for a minute. If your car acted badly, and the suggested cure from the service department was, turn it off and back on again, would that be acceptable? What if the cure were to disconnect and reconnect the battery cables – the equivalent of a reset? Would you be curious about what went wrong and why? And wouldn’t you want it really fixed? Why do we accept weenie fluff around Internet technology when nobody in their right mind would put up with it anywhere else?
Here is a more substantive article from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please. And a pointer to the original Cisco Talos blog that describes the attack, named VPNFilter, and what Cisco did about it.
And indeed, the Talos short-term recommendation is to reboot, and eventually factory-reset, our SOHO (small office/home office) Internet routers. The recommendation makes sense. But it’s not the whole picture. And the popular media short-changes the public by failing to inform about the broader context.
Here is a summary of what’s going on. Somebody – probably Russian hackers, because the people who analyzed the malicious software noted similarities between what they found on SOHO routers and Russian code from other attacks – planted malicious software in thousands of SOHO routers. The malware has at least two components: one is in the system boot image and phones home for marching orders; the other lives only in memory and contains the downloaded marching orders. These may change every time the router phones home, which explains why the analysts don’t know all the details around this attack.
“Phone home” means contacting a command and control mother ship server over the Internet. Apparently, VPNFilter drones find their mother ship via a DNS name. DNS, the Domain Name System, translates names to IP addresses. Think of DNS as a kind of phonebook for the Internet, which comes in handy when the mother ship moves. When the mother ship moves to a different IP address, its masters update its DNS records, and VPNFilter drones around the world can still find it.
This worked until recently, when the FBI seized that domain name and pointed the name to its own servers. So, when compromised SOHO routers phone home, now they contact the FBI instead of the Russians.
Wonderful. Our tax dollars at work. Factory-reset our routers and make the world safe for democracy again. Except, it doesn’t. Here is the dirty little secret with consumer Internet devices nobody likes to talk about. They all use old kernels with known vulnerabilities and none of the consumer vendors offer credible support. Does anyone seriously believe any consumer router vendor will spend money on software updates for a $50 box, and more money to hold consumers’ hands through an update process? Which means, after consumers factory-reset their routers, sooner or later, the Russians will build a new and smarter mother ship and come find them again. But this time, US law enforcement may not get lucky.
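To make the sinkhole point concrete, here is an added example (my own, not code from the post, Krebs, or Talos) that scans DNS query logs from a home network for lookups of a command and control name and reports whether the answer is the seized-domain sinkhole address. The dnsmasq-style log lines, the C2 name and every address are constructed placeholders, not real VPNFilter indicators; the point is that a device still asking for the seized name is still infected, whichever address it gets back.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log (format as produced with log-queries on).
# The C2 name and all addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
May 25 08:01:12 dnsmasq[1234]: query[A] c2-mothership.invalid from 192.168.1.23
May 25 08:01:12 dnsmasq[1234]: reply c2-mothership.invalid is 203.0.113.7
May 25 08:03:44 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
May 25 08:03:44 dnsmasq[1234]: reply www.example.com is 93.184.216.34
May 25 09:15:02 dnsmasq[1234]: query[A] c2-mothership.invalid from 192.168.1.23
May 25 09:15:02 dnsmasq[1234]: reply c2-mothership.invalid is 198.51.100.5
"""

# Placeholder watchlist of C2 names a defender tracks (assumption).
C2_NAMES = {"c2-mothership.invalid"}
# Placeholder address the seized name now resolves to (assumption).
SINKHOLE_IPS = {"198.51.100.5"}

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)")


def scan_dns_log(log_text, c2_names=C2_NAMES, sinkhole_ips=SINKHOLE_IPS):
    """Return which LAN clients looked up a watchlisted name and how often,
    plus every answer seen for those names tagged 'sinkholed' (the drone is
    neutralized for now) or 'live' (the drone can still reach its masters).
    A client that appears here carries the implant either way."""
    clients = defaultdict(int)
    answers = []
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q and q.group(1) in c2_names:
            clients[q.group(2)] += 1
            continue
        r = REPLY_RE.search(line)
        if r and r.group(1) in c2_names:
            ip = r.group(2)
            answers.append((ip, "sinkholed" if ip in sinkhole_ips else "live"))
    return {"clients": dict(clients), "answers": answers}


if __name__ == "__main__":
    result = scan_dns_log(SAMPLE_LOG)
    for client, count in result["clients"].items():
        print(f"{client}: {count} lookup(s) of a watchlisted C2 name")
    for ip, status in result["answers"]:
        print(f"  answer {ip} ({status})")
```

On a real network you would feed it the resolver log from the router or a LAN DNS forwarder and a watchlist from a published advisory; the sinkholed answers tell you the name was seized, not that the device was cleaned.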
What do we do about it? SOHO router vendors and Internet service providers need to step up their games. Consumers pay a monthly fee for Internet service. And since Internet service providers usually bundle routers with monthly service, part of that fee should include frequent router updates, access to a router update site, and prominent and easy-to-follow update instructions.
Somebody needs to educate the public about what SOHO Internet routers do and how to maintain them. I’m not advocating turning everyone into network engineers. But with cars, everyone knows what the steering wheel, gas, and brake pedals do. How many consumers even know how to identify their Internet routers? This has to change. At minimum, every consumer should know how to log in to their Internet router, install updates, turn off remote management, and change (and record) its password.
We can beat back Russian hackers. And anyone else who wants inside our homes over the Internet. But we need to care enough first to take action. The media is in a position to lead the way. Up to the challenge?