18Feb 14 Time to Harden Your Hardware? Most Internet users are familiar with the concept of updating software that resides on their computers. But this past week has seen alerts about an unusual number of vulnerabilities and attacks against some important and ubiquitous hardware devices, from consumer-grade Internet routers, data storage and home automation products to enterprise-class security solutions. Last week, the began publishing data about an ongoing attack from self-propagating malware that infects some home and small-office wireless routers from Linksys. The firewall built into routers can be a useful and hearty first line of protection against online attacks, because its job is to filter out incoming traffic that the user behind the firewall did not initiate. But things get dicier when users enable remote administration capability on these powerful devices, which is where this malware comes in. The worm — dubbed “The Moon” — bypasses the username and password prompt onaffected devices. According to Ars Technica’s Dan Goodin, The Moon has infected close to 1,000 Linksys E1000, E1200 and E2400 routers, although the actual number of hijacked devices worldwide could be higher and is likely to climb. In response, Linksys said the worm affects only those devices that have the Remote Management Access feature enabled, and that Linksys ships these products with that feature turned off by default. The Ars Technica includes more information about how to tell whether your router may be impacted. Linksys says it’s working on an official fix for the problem, and in the meantime users can block this attack by disabling the router’s remote management feature. Similarly, it appears that some ASUS routers — and any storage devices attached to them — may be exposed to anyone online without the need of login credentials if users have taken advantage of remote access features built into the routers, according to from Feb. 17. The danger in this case is with Asus routermodels including RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Enabling any of the (by-default disabled) “AiCloud” options on the devices — such as “Cloud Disk” and “Smart Access” — opens up a potentially messy can of worms. More details on this vulnerability are available at . ASUS y released firmware updates last week to address these bugs. Affected users can find the latest firmware updates and instructions for updating their devices by entering the model name/number of the device . Alternatively, consider dumping the stock router firmware in favor of something more flexible, less buggy amd most likely more secure (see at the end of this post for more details). YOUR LIGHTSWITCH DOES WHAT? Belkin WeMo Switch Outfitting a home or office with home automation tools that let you control and remotely monitor electronics can quickly turn into a fun and addictive (if expensive) hobby. But things get somewhat more interesting when the wholesetup is completely exposed to anyone on the Internet. That’s basically what experts at IOActive found is the case with Belkin‘s . According to research released today, multiple vulnerabilities in these WeMo Home Automation tools give malicious hackers the ability to remotely control the devices over the Internet, perform malicious firmware updates, and access an internal home network. From IOActive’s (PDF): The Belkin WeMo firmware images that are used to update the devices are signed with public key encryption to protect against unauthorised modifications. However, the signing key and password are leaked on the firmware that is already installed on the devices. This allows attackers to use the same signing key and password to sign their own malicious firmware and bypass security checks during the firmware update process. Additionally, Belkin WeMo devices do not validate Secure Socket Layer (SSL) certificates preventing them from validating communications with Belkin’s cloud serviceincluding the firmware update RSS feed. This allows attackers to use any SSL certificate to impersonate Belkin’s cloud services and push malicious firmware updates and capture credentials at the same time. Due to the cloud integration, the firmware update is pushed to the victim’s home regardless of which paired device receives the update notification or its physical location. The Internet communication infrastructure used to communicate Belkin WeMo devices is based on an abused protocol that was designed for use by Voice over Internet Protocol (VoIP) services to bypass firewall or NAT restrictions. It does this in a way that compromises all WeMo devices security by creating a virtual WeMo darknet where all WeMo devices can be connected to directly; and, with some limited guessing of a ‘secret number’, controlled even without the firmware update attack. There does not appear to be anyone or anything attacking these vulnerabilities — yet. But from where I sit, the scariest part of theseflaws is Belkin’s apparent silence and inaction in response to IOActive’s research. Indeed, according to a released today by Carnegie Mellon University’s Software Engineering Institute, Belkin has not responded with any type of solution or workaround for the identified flaws, even though it was first notified about them back in October 2013. So be forewarned: Belkin’s WeMo products may allow you to control your home electronics from afar, but you may not be the only one in control of them. Update, 10:24 p.m. ET: Belkin has responded with a statement saying that it was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Belkin notes that users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices. Belkinurges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app. Original story: NETWORK ATTACKED STORAGE As evidenced by the above-mentioned ASUS and Linksys vulnerabilities, an increasing number of Internet users are taking advantage of the remote access features of routers and network-attached storage (NAS) devices to remotely access their files, photos and music. But poking a hole in your network to accommodate remote access to NAS systems can endanger your internal network and data if and when new vulnerabilities are discovered in these devices. One popular vendor of NAS devices — Synology — recently alerted users to a security update that fixes a vulnerability for which there has been since December that allows attackers to remotely compromise the machines. A number of Synology users recently that the CPUs on their devices were consistently maxing out at 100 percent usage.