NewSky Security has uncovered a security vulnerability across all routers from Singapore’s leading internet service provider, SingTel.
The uncovered vulnerability could potentially give access to all devices connected to the affected routers.
Attacks related to the Internet of things (IoT) have diversified in recent years, using varying methods to gain access to connected devices.
IoT attacks can loosely be classified into three levels: level zero (attacking a device with no authentication), level one (guessing a weak/default password), and level two (using an IoT exploit to gain access).
A level zero attack would not be expected to be of great concern in today’s security-conscious environment. However, this is not what Ankit Anubhav, principal researcher at NewSky Security, who uncovered SingTel’s router vulnerability, has found.
“The IP list for Singtel wi-fi gigabit router devices that have their port 10000 wide open can be easily accessed and controlled by potential attackers,” said Anubhav in a blog post, dated May 28.
Because of the nature of the vulnerability, Anubhav suspected the root cause would be found to be a case of gross negligence from the users.
Alternatively, a backdoor vulnerability was also considered a possibility, allowing an attacker to bypass normal authentication or encryption.
Anubhav informed the Singapore Computer Emergency Response Team (SingCERT) of his findings. However, it was discovered the real reason for the vulnerability was something quite different.
“In simple words, the ISP SingTel initiated this port forwarding due to troubleshooting an issue with these routers,” said Anubhav. “After they fixed the issue, they forgot to close the port forwarding.
“As a result, it became possible for attackers to gain full control of these devices from port 10000. Hence, we coined this as ‘ForgotDoor’.”
Commenting on the finding, Douglas Mun, deputy director in charge of SingCERT at the Cyber Security Agency of Singapore, said, “The ISP SingTel has disabled port forwarding to port 10000 for the affected routers.
“Root cause: Port forwarding was enabled by their customer service staff to troubleshoot Wi-Fi issues for their customers and was not disabled when the issues were resolved.
“ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed.”
Level zero attacks are more common than they should be, with NewSky Security uncovering another such compromise just two weeks ago.
While the responsibility for holes in IoT security is considered the remit of the vendor/ISP, there are some actions end users can take to improve their overall security against such attacks.
“The various levels of IoT attacks can be combated with cautious port forwarding, strong authentication, a trustable firewall / other IoT security mechanism and regular updates,” concluded Anubhav.
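The root cause described above, a forward opened for troubleshooting and never closed, can be caught by reconciling active forwarding rules against the support tickets that justified them. The sketch below is an added example, not code from NewSky Security or SingTel; the record layout, router names, ticket ids and time thresholds are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical schema): active WAN-to-LAN forwards as a
# device-management system might export them, and the tickets they were opened for.
RULES = [
    {"router": "cpe-0001", "wan_port": 10000, "ticket": "T-100", "created": "2018-05-01T09:00:00+00:00"},
    {"router": "cpe-0002", "wan_port": 10000, "ticket": "T-101", "created": "2018-05-27T09:00:00+00:00"},
    {"router": "cpe-0003", "wan_port": 10000, "ticket": None, "created": "2018-04-15T09:00:00+00:00"},
    {"router": "cpe-0004", "wan_port": 10000, "ticket": "T-102", "created": "2018-05-01T09:00:00+00:00"},
    {"router": "cpe-0005", "wan_port": 10000, "ticket": "T-103", "created": "2018-05-27T20:00:00+00:00"},
]
TICKETS = {
    "T-100": {"status": "resolved", "closed": "2018-05-02T10:00:00+00:00"},
    "T-101": {"status": "open", "closed": None},
    "T-102": {"status": "open", "closed": None},
    "T-103": {"status": "resolved", "closed": "2018-05-27T23:30:00+00:00"},
}
GRACE_AFTER_CLOSE = timedelta(hours=1)  # assumed time allowed to remove a forward after closure
MAX_OPEN_AGE = timedelta(days=7)        # assumed longest a troubleshooting forward may stay up


def audit_forwards(rules, tickets, now):
    """Return (router, wan_port, reason) for every forward that should no longer exist."""
    findings = []
    for rule in rules:
        ticket = tickets.get(rule["ticket"])
        created = datetime.fromisoformat(rule["created"])
        if ticket is None:
            reason = "no-ticket"        # nothing on record justifies the exposure
        elif ticket["status"] == "resolved":
            closed = datetime.fromisoformat(ticket["closed"])
            if now - closed <= GRACE_AFTER_CLOSE:
                continue                # closed moments ago, removal may still be pending
            reason = "ticket-resolved"  # the forgotten-forward case from the article
        elif now - created > MAX_OPEN_AGE:
            reason = "open-too-long"    # ticket still open, but exposure has outlived its purpose
        else:
            continue                    # forward is covered by an active, recent ticket
        findings.append((rule["router"], rule["wan_port"], reason))
    return findings


if __name__ == "__main__":
    now = datetime(2018, 5, 28, 0, 0, tzinfo=timezone.utc)
    for router, port, reason in audit_forwards(RULES, TICKETS, now):
        print(f"{router}: WAN port {port} still forwarded ({reason})")
```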