Skip to content
Home ยป VPNFilter DD-WRT

VPNFilter DD-WRT

  • by

Introduction

VPNFilter is a sophisticated piece of malware that has had a significant impact on consumer-grade network equipment such as wireless routers. First discovered in 2018, VPNFilter is known to have infected over 500,000 small office/home office (SOHO) routers and network devices globally.

The malware allows attackers to collect communications, launch attacks on other networks, and permanently disable infected devices. One aspect that makes VPNFilter particularly concerning is that it targets popular custom firmware installations like DD-WRT that are used to extend functionality and support on wireless routers beyond what the vendor provides.

It’s crucial for home users and small business owners to understand the scale of vulnerabilities that exist with many SOHO routers, and the elevated risks associated with custom firmware like DD-WRT. Proactively taking measures to secure devices and networks is essential.

Vulnerabilities in SOHO and Industrial Wireless Routers

The discovery of VPNFilter in 2018 shed further light on the insecurity of many consumer wireless routers and other SOHO networking equipment. Researchers have found that a majority of devices in this class have publicly known vulnerabilities that can enable remote takeover even when fully updated.

Specific investigations in recent years have revealed issues in popular hardware from vendors like Asus, DLink, Netgear, TP-Link, and others. Most SOHO routers are found to lack modern security features, have firmware bugs, or have backdoor access methods built-in.

Organizations like Cisco’s Talos Intelligence group have worked actively with vendors to report and help mitigate vulnerabilities. However, the vast scale of the insecure router problem continues to pose major risks for consumers and businesses globally.

Vulnerabilities in DD-WRT Routers

While vendor-supplied firmware on most SOHO routers is itself vulnerable, custom firmware installations like DD-WRT pose even greater risks. Specific flaws allowing remote code execution have existed across multiple versions of DD-WRT – for example, a memory corruption bug was found to impact at least DD-WRT builds 32270 through 48599.

Additionally, DD-WRT inherits and even compounds some of the general Linux and driver-level vulnerabilities associated with underlying router hardware platforms. The complex nature of the custom firmware and addition of numerous packages and services can significantly expand the attack surface.

Researchers posit that DD-WRT routers are prone to vulnerabilities that device owners and even custom firmware developers are not aware exist. Like any complex Linux-based platform, the potential for escalation-of-privilege and remote takeover bugs is high.

Impact of VPNFilter on DD-WRT Routers

With over 500,000 confirmed infections across routers and network devices, VPNFilter has illustrated the immense exposure that consumers and businesses face. Features allowing an infected DD-WRT router to intercept traffic, launch attacks on other networks, corrupt firmware, or fully disable infected devices provide high-impact capabilities.

Even a single infected DD-WRT router on a home or office network represents an elevated threat of data theft and opens the door for lateral movement towards other devices on local networks. Permanent destruction of routers via VPNFilter also causes direct financial harm and significant inconvenience.

Mitigating the existing exposure will require consumers, firmware developers, and router vendors to prioritize security and threat detection.

 

Mitigation Strategies

Rebooting routers – A basic initial step that consumers can take to deactivate VPNFilter on infected routers is simply rebooting devices. This kills the malware and temporarily halts malicious activities, though does not remove the infection.

Firmware updates – DD-WRT developers work to patch known vulnerabilities through firmware updates. Keeping routers updated to the latest security releases helps mitigate known weaknesses being actively exploited in the wild.

Strong passwords – As with all network-connected technology, having strong, unique passwords across both router admin consoles and Wi-Fi networks is crucial to limiting brute force risk. Default passwords continue to be a factor in malware infections and device takeovers.

Access control – Disabling features like remote administration over WAN interfaces helps reduce attack surface. MAC filtering, VPN encryption, firewall rules and port forwarding configurations also limit external access from unknown devices and help prevent lateral movement.

Conclusion

The significant vulnerabilities in consumer-grade routers and network devices underscore the importance of having an awareness of threats like VPNFilter, especially for those using custom firmware installations like DD-WRT. While malware like VPNFilter illustrates risks, a combination of firmware updates, password management, and access controls can help mitigate exposure.

Managing home and small business connectivity remains imperative, and wireless routers are unfortunately prone to evolving threats from well-resourced attackers. Continued education and implementing basic security precautions however can help owners reduce risks as firmware developers and hardware vendors continue working to improve embedded device security.

Tags: