Routers prove weak point in remote-work strategy

Home and SOHO routers are often insecure, but companies can protect themselves from attacks through remote workers’ home routers.

From a cybersecurity perspective, the worst aspect of the mass move to remote work has been the loss of control over workstations’ local network environments. Particularly dangerous in this regard are employees’ home routers, which have essentially replaced the network infrastructure normally under IT specialists’ control. At RSA Conference 2021, researchers Charl van der Walt and Wicus Ross reported on ways cybercriminals can attack work computers through routers, in “All your LAN are belong to us. Managing the real threats to remote workers.”

Why employee home routers are a major problem

Even if corporate security policies could cover updating every work computer’s operating system and all other relevant settings, home routers would still lie beyond corporate system administrators’ control. In a remote-work environment, IT can’t know what other devices are connected to the home network, whether the router’s firmware is up to date, or whether the password protecting its administration interface is strong (or whether the user even changed it from the factory default).

That lack of control is only part of the issue. A huge number of home and SOHO routers have known vulnerabilities that cybercriminals can exploit to gain complete control over the device, leading to huge IoT botnets such as Mirai that combine tens and sometimes even hundreds of thousands of hijacked routers for a variety of purposes.

In this regard it is worth remembering that most home routers are essentially small computers running an embedded Linux distribution. Cybercriminals can accomplish many things using a hijacked router. The following are a few examples from the researchers’ report.

Hijacking a VPN connection

The main tool companies use to compensate for remote workers’ unreliable network environments is a VPN (virtual private network). VPNs offer an encrypted channel through which data travels between the computer and the corporate infrastructure.

Many companies use VPNs in split-tunneling mode: traffic to the company’s servers, such as an RDP (Remote Desktop Protocol) connection, goes through the VPN, and all other traffic goes straight out over the unencrypted public network, which is usually fine. However, a cybercriminal in control of the router also controls its DHCP (Dynamic Host Configuration Protocol) server, and can use it to push the workstation a static route (the DHCP classless static route option) for the address of the company’s RDP server that points at the attacker’s own machine. Because a more specific route wins over the VPN’s route for the corporate range, the RDP traffic never enters the tunnel. That gets the attacker no closer to decrypting the VPN, but a fake login screen on their server is enough to intercept the RDP credentials. Ransomware operators love using RDP.

Loading an external operating system

Another clever hijacked-router attack scenario exploits the PXE (Preboot Execution Environment) feature. Modern network adapters support PXE, which lets a computer boot an operating system image over the network. The feature is typically disabled, but some companies use it, for example, to remotely reinstall an employee’s operating system after a failure.

A cybercriminal with control over the router’s DHCP server can answer the workstation’s PXE request with a boot server address and boot file name that point to an operating system image the attackers have modified for remote control. Employees are unlikely to notice, let alone understand what is really going on (especially if they are distracted by what look like update-installation notifications). In the meantime, the cybercriminals have full access to the file system, unless the disk is encrypted.
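To make both DHCP tricks concrete, here is an added example (my own code, not code from the talk or from this article) that parses the options field of a DHCPOFFER or DHCPACK the way a host-side check or a network sensor would. It decodes RFC 3442 classless static routes (option 121) and flags any route that is as specific as, or more specific than, a corporate prefix the VPN is supposed to carry, since such a route wins longest-prefix matching and silently diverts, for example, RDP to the router; it also reports PXE boot parameters (options 66 and 67). The corporate range in `CORPORATE_NETS`, the function names and the sample offer bytes are assumptions constructed for this example; a real check would read the offer from the DHCP client or from a packet capture.

```python
"""Audit the options field of a DHCPOFFER/DHCPACK for two things a hijacked home
router can push at a remote worker's PC: RFC 3442 classless static routes
(option 121) that pull traffic for corporate hosts out of a split-tunnel VPN,
and PXE boot parameters (options 66/67) that point the machine at a foreign
boot image. The sample payload at the bottom is constructed for this example."""

import ipaddress
from typing import Dict, List, Tuple

# Assumed corporate prefixes that must only be reached through the VPN.
CORPORATE_NETS = [ipaddress.IPv4Network("10.0.0.0/8")]

OPT_TFTP_SERVER = 66
OPT_BOOTFILE = 67
OPT_CLASSLESS_ROUTES = 121

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_options(payload: bytes) -> Dict[int, List[bytes]]:
    """Split the DHCP options field (the bytes after the 0x63825363 magic cookie)
    into {option_code: [raw_value, ...]}. Code 0 is padding, 255 ends the list."""
    opts: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        opts.setdefault(code, []).append(value)
        i += 2 + length
    return opts


def decode_classless_routes(value: bytes) -> List[Route]:
    """Decode RFC 3442 option 121. Each entry is
    [prefix_len][significant destination octets][4-octet router]; the destination
    carries only ceil(prefix_len / 8) octets, so a default route is one 0x00 byte."""
    routes: List[Route] = []
    i = 0
    while i < len(value):
        plen = value[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        n = (plen + 7) // 8
        dest = value[i + 1 : i + 1 + n]
        router = value[i + 1 + n : i + 5 + n]
        if len(dest) != n or len(router) != 4:
            raise ValueError("truncated route entry")
        # strict=False: a hostile server may leave host bits set in the last octet.
        net = ipaddress.IPv4Network((dest + b"\x00" * (4 - n), plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def audit_offer(payload: bytes, corporate_nets=CORPORATE_NETS) -> dict:
    """Return all decoded routes, the routes that sit inside a corporate prefix
    (equal or more specific, so they beat the VPN's route), and PXE parameters."""
    opts = parse_options(payload)
    routes: List[Route] = []
    for raw in opts.get(OPT_CLASSLESS_ROUTES, []):
        routes.extend(decode_classless_routes(raw))
    hijacking = [
        (net, gw) for net, gw in routes
        if any(net.subnet_of(corp) for corp in corporate_nets)
    ]
    pxe = {}
    if OPT_TFTP_SERVER in opts:
        pxe["tftp_server"] = opts[OPT_TFTP_SERVER][0].decode("ascii", "replace")
    if OPT_BOOTFILE in opts:
        pxe["boot_file"] = opts[OPT_BOOTFILE][0].decode("ascii", "replace")
    return {"routes": routes, "hijacking_routes": hijacking, "pxe": pxe}


# Constructed DHCPOFFER options: a /32 route for the (assumed) corporate RDP
# host 10.20.30.40 via the home router, a normal default route, and PXE options.
SAMPLE_OFFER = (
    b"\x35\x01\x02"                             # 53: message type = DHCPOFFER
    b"\x01\x04\xff\xff\xff\x00"                 # 1: subnet mask 255.255.255.0
    b"\x03\x04\xc0\xa8\x01\x01"                 # 3: router 192.168.1.1
    b"\x79\x0e"                                 # 121: classless routes, 14 bytes
    b"\x20\x0a\x14\x1e\x28\xc0\xa8\x01\x01"     #   10.20.30.40/32 via 192.168.1.1
    b"\x00\xc0\xa8\x01\x01"                     #   0.0.0.0/0 via 192.168.1.1
    b"\x42\x0b" b"192.168.1.1"                  # 66: TFTP server name
    b"\x43\x0a" b"pxelinux.0"                   # 67: boot file name
    b"\xff"                                     # end
)

if __name__ == "__main__":
    report = audit_offer(SAMPLE_OFFER)
    for net, gw in report["hijacking_routes"]:
        print(f"DHCP route {net} via {gw} overrides the VPN route for that host")
    if report["pxe"]:
        print(f"PXE boot offered: {report['pxe']}")
```

Under split tunneling only routes inside the corporate ranges matter, because a less specific DHCP route (such as the default route every home router hands out) loses to the VPN’s own route; under forced tunneling any option 121 route at all deserves a look, since the whole point of forcing is that nothing bypasses the tunnel. PXE parameters can also arrive in the `siaddr` and `file` fields of the DHCP header rather than in options 66 and 67, which this options-only parser does not see.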

How to stay safe

To protect employees’ computers from the above and similar attack options, take the following steps:

  • Opt for forced tunneling instead of split tunneling. Many corporate VPN solutions allow forced tunneling with exceptions (by default passing all traffic through the encrypted channel, with specific resources allowed to bypass the VPN);
  • Disable Preboot Execution Environment (network boot) in the BIOS/UEFI settings, and protect those settings with a firmware password so it cannot simply be switched back on;
  • Encrypt the computer’s entire drive (with BitLocker in Windows, for example), so that an operating system booted over the network cannot read the files on it.

Focusing on the security of workers’ routers is vital to raising the security level of any corporate infrastructure that includes remote or hybrid work. In some companies, technical support staff advise employees on the optimal settings for their home router. Other companies issue preconfigured routers to remote workers and allow employees to connect to corporate resources only through those routers. In addition, training employees to recognize and counter modern threats is fundamental to network security.