ubiquitiairrouter01100662255orig
Security

Worm infects unpatched Ubiquiti wireless devices

Routers and other wireless devices made by Ubiquiti Networks have recently been infected by a worm that exploits a year-old remote unauthorized access vulnerability.

The attack highlights one of the major issues with router security: the fact that the vast majority of them do not have an auto update mechanism and that their owners hardly ever update them manually.

The worm creates a backdoor administrator account on vulnerable devices and then uses them to scan for and infect other devices on the same and other networks.

"This is an HTTP/HTTPS exploit that doesn't require authentication," Ubiquiti said in an advisory. "Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected."

The company has observed attacks against airMAX M Series devices, but AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber devices running outdated firmware are also affected.

The vulnerability was reported privately to Ubiquiti last year through a bug bounty program and was patched in airMAX v5.6.2, airMAX AC v7.1.3, airOS 802.11G v4.0.4, TOUGHSwitch v1.3.2, airGateway v1.1.5, airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1 and AF5 2.2.1. Devices running firmware newer than those versions should be protected.

For airMAX M devices, the company recommends upgrading to the latest 5.6.5 version. However, this version removes support for rc.scripts, so users relying on that functionality should stick with 5.6.4 for the time being.

Using firewall filtering to restrict remote access to the management interface is also highly recommended.

According to researchers from Symantec, after the worm exploits the flaw to create a backdoor account, it adds a firewall rule in order to block legitimate administrators from accessing the Web-based management interface. It also copies itself to the rc.poststart script in order to ensure that it persists across device reboots.

"So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers," the Symantec researchers said in a blog post Thursday. "It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation."

Ubiquiti Networks has also created a Java-based application that can automatically remove the infection from affected devices. It can be used on Windows, Linux and OS X.

Router security is particularly bad in the consumer market, where large numbers of routers can remain vulnerable to known vulnerabilities for years and can be compromised en masse to create distributed denial-of-service (DDoS) botnets or to launch man-in-the-middle attacks against their users.

In the past, attackers have managed to hijack hundreds of thousands of home routers by simply trying out default or common usernames and passwords. Users should always change the default administrator password when installing their router and should disable remote access to its management interface unless this functionality is needed.

IDG Insider

PREVIOUS ARTICLE

« Older Chromebooks won't get the Play Store, even if they're able to run Android apps

NEXT ARTICLE

The Project Tango smartphone is coming and it's more useful than you think »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Poll

Do you think your smartphone is making you a workaholic?