Hacks happen, and now they’re happening more often. Consumers and companies alike have become familiar with the typical process: Malicious actors compromise a device, security teams work out a fix and the attackers are sent packing for another day.

But what if it wasn’t possible to remove the infection? What if, once compromised, devices become little more than trash? According to Motherboard, a cybercriminal going by the moniker of BestBuy claimed to have accomplished such a feat by pushing a firmware update to vulnerable routers and keeping them permanently under his control. Is immovable malware the newest iteration of infection?

Turning Routers Into Paperweights

When routers are compromised, users follow a standard response path: Turn off the device and reboot to clear the infection, then update username and password settings. This often does the trick, since software is effectively neutralized once the router goes dark.

BestBuy, however, opted for a different malicious method. The fraudster claimed to have compromised 3.2 million home routers by pushing a new firmware update. This means that even after being reset, the routers still reach out to malicious servers instead of reverting to defaults.

What’s more, BestBuy said the infected routers “will not accept new firmware from … anyone,” according to Motherboard, meaning there’s no way to remove the infection or reclaim the router. In effect, compromised routers become little more than paperweights.

URLs shared by BestBuy seem to show millions of devices already compromised. Security experts agree that his claims are plausible, although researcher Andrew Tierney pointed out that “it is easy to mess up” this kind of firmware update. BestBut doens’t appear to have any larger agenda for his army of retrained routers.

Easy Targets for Firmware

BestBuy’s ability to infect and permanently compromise routers highlights the lack of security in most internet-facing devices. When the BBC presented TalkTalk with data suggesting that its routers had been compromised, the telecommunications company argued that there was “no need” for users to change router settings, despite reliable evidence that 57,000 devices were compromised.

According to a recent article from The Register, meanwhile, users of popular Netgear routers are also at risk. The bug, CVE-2016-582384, enables attackers to take total control if they convince anyone on the local network to open a booby-trapped webpage.

The U.S. Computer Emergency Readiness Team (US-CERT) advised users to hack their own routers using a URL that disables the built-in HTTP servers used to administer devices. Although this temporarily seals the security hole, it also leaves users unable to manage or control the router through the HTTP portal. Netgear is aware of the problem and developing a fix, but no word on how long that will take.

Router breaches aren’t terribly sophisticated, but they’re effective. When administered via firmware, these attacks can permanently infect target devices. So now, the race is on between cybercriminals and security pros. Will routers get the critical corrections they need in the short term, or will it take a major network breach to prompt better default defense?

more from

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory.…