Threat Alert: Threats to Home and Small Office Routers
TLP:CLEAR
Overview:
The U.S. Department of Commerce (USDoC) is considering a ban on home internet routers manufactured by Chinese firm TP-Link, citing national security concerns. This follows an October report from Microsoft disclosing that, since August 2023, multiple Chinese threat actors have launched password spray attacks using a proxy network consisting primarily of compromised TP-Link routers, a line of products that often contain exploitable vulnerabilities the manufacturers frequently fail to address.
- Widespread Usage in the US: As one of the more cost-effective options on the market, TP-Link routers are widespread throughout the US, making them a large and attractive target.
- Low Presence in Alberta: Scans indicate TP-Link routers are far less common in Canada, and indeed Alberta, than they are in the United States, with less than 100 publicly facing TP-Link routers identified in Alberta using Censys and Shodan searches..
Despite TP-Link not dominating the router market in Canada, these recent developments remind us of the risks of supply chains with geopolitical ties. They also highlight the need for strong passwords policies on network devices, not only in homes, but also in small to medium businesses, enterprise networks, and internet service providers.
What to Communicate to Executives:
- Popular Targets: Home routers are frequently targeted by various threat actors, including nation-states and cybercriminals. These groups often exploit home routers for resource development, integrating them into botnets, or using them as proxies for further attacks.
- Patch: Commercial off-the-shelf (COTs) routers are commonly found to have numerous vulnerabilities. These vulnerabilities are a significant factor in the compromise of such systems. It is imperative that users regularly install patches.
- Credentials: The use of default or weak credentials is another prevalent method by which small office/home office (SOHO) routers are compromised. The infamous Mirai botnet, for example, recruited edge devices by attempting default credentials on common devices.
What Can an Albertan Do?
- Use Secure Web Access: When you go to your router’s settings page, make sure the web address starts with “https://” to keep your login details safe.
- Rename Your Wi-Fi: Change the name of your Wi-Fi network to something unique that does not give away the brand of your router.
- Create a Strong Wi-Fi Password: When you set up your router, change the default username and password to something only you know. Use a password that is hard to guess for your Wi-Fi network.
- Use Strong Wi-Fi Security: Make sure your Wi-Fi is protected with the latest security settings (e.g., WPA3).
- Update Router Regularly: Regularly check for updates for your router and install them as soon as possible to keep it secure.
- Turn Off Remote Access and Easy Connect: Disable any settings that allow people to easily connect to the router, particularly if they are outside of your home or office.
- Set Up a Guest Network: If you have visitors, give them access to a separate network so they do not use your main one.
- Check Connected Devices: Regularly look at which devices are connected to your network and remove any you do not recognize.
