So we're diving once again into VPNFilter and just some of the problems with it. Now, I've covered the initial video, which was the release and discussion of VPNFilter, and the second one, when we discovered it does more than we thought and it's injecting content and hijacking traffic, which of course is devastating. That means it's an even bigger threat than we thought, because first we thought it was just being used as an attack botnet to attack other websites, but it turns out it goes a step further: it can also attack you and tries to exfiltrate data from you if you have an infected router. But a lot of people didn't understand, or keep asking me, "How did I get infected? How is it infected? How do I protect against this?" Well, let's dive in a little bit to that, and I'm going to cover this part from the Juniper threat research group. The initial list of targeted routers included MikroTik, Linksys, Netgear, QNAP and TP-Link; it has now expanded to include devices from ASUS, D-Link, Huawei, Ubiquiti, Upvel and ZTE. We still do not believe the list is complete; more infected devices are being discovered. There is still no sign of any zero-day vulnerability being exploited, so it's likely that known vulnerabilities and weak passwords are the main vector of infection. Now, this is the problem with a lot of these inexpensive, cheapy routers, and I grabbed one because I have a box full of these that we've pulled out of businesses that we've taken over IT for. This is a DIR-601, probably sold for less than $29.95 or something stupid. I didn't look up the prices, but trust me, lots of these inexpensive consumer routers are what's on this list, and the reason why is because people install them, they never change a password, they plug them into the cable modem, they work, they move on, and unless there's something to stop them from working, no one ever checks them again. So let's start talking about how these exploits work and give you kind of a bigger scope of how these get infected.
One of the problems you're going to first face with these, especially those little devices like this: there's no logging in here. So if this happens to have an infected copy of firmware, then I don't know how we'd know. If you just hold the reset button and it goes away, there's not any logging in here; there's not enough resources, or at least no one's writing it for this particular model, or an anti-virus scanner to load inside of here to determine what was changed on here. It's hard to figure these things out because they just weren't made with the extensive logging capabilities you get from a commercial router or even a software firewall such as, you know, pfSense or many of the other ones, where they have entire logging facilities: you can look for file changes, you can look for that. Now, you can look for file changes on these, but then, because most of these only have compiled firmwares, you need the differential between the two running, and a lot of these don't offer much in the way of, like, SSHing in and doing that. They don't have a lot of facilities to really dig into how they're infected, how it got on here, or even a logging system to track, like, the moment they were infected. We know they're infected based on the signal they're sending out and the attacks we're seeing from them; that's where this research is coming from, but it's also making the research very challenging, because without that extra logging information it's really hard to determine. These are also the reason, and I mentioned the reason, like, the FBI said reboot your router: a big piece of this only lives in memory, therefore just by rebooting them it goes away, and this is actually one of the huge security challenges that's coming up; I have friends who work in this industry.
We have all kinds of tools now like Tripwire or OSSEC that can do file-level monitoring to make sure, on a server in general, no files were changed or anything, but the malware people are aware of this too, so they look for exploits that allow them to run in memory, based on the fact that these don't get rebooted very often. And rebooting them, if the infection was not closed and there was no firmware update, they just reinfect as soon as it reboots, so there's not really any way to log in and easily tell; you have to find the running process that said what it was. So those are all the difficulties in there. Now let's talk about scope and scale of the problems. So if you're not familiar with the Common Vulnerabilities and Exposures, or CVE: CVE numbers are identifiers given to understand a security vulnerability. So if we find a vulnerability in a certain model device, there is a proper process generally that is followed in the security industry where we contact the vendor. So if you find a, "Hey, look, there's a gaping security hole here," the vendor is contacted, a CVE is registered but it is not publicly disclosed, and a date is set, let's say 90 days from now, when we release the security vulnerability, and that is how long that vendor has, unless they ask for some other extra grace period, to close those holes. CVEs are the common way we track it in the security industry for what the flaws are. So let's take a couple of those boxes that are on there. This is from the VPNFilter Wikipedia entry, because they keep expanding the list of known devices, but the reality is, because there are probably common exploits, or multiple versions of the exploits, if you find one device on this list you can assume there's a whole lot more. And what they're doing is they're being cautious; they're only reporting on the ones they found, but trust me, there's going to be more, and this is why. So, vulnerability details on CVE-2017-15636, CVE score of nine. Now, these are graded based on how easy they are to exploit, whether
or not they need to be, like, a complicated exploit. So you can have a security hole, but if it's an edge case it can get a very low score, because it's not a very severe score of, yeah, you could exploit it, but it takes, like, the perfect scenario to do so, and it goes up from there, especially when you're talking about a remote vulnerability, and when it requires no user interaction, no phishing attack on the user's part, and they can simply infect the machine by sending some type of command to it, that gives it a really high nine and ten score, which means just massively vulnerable. That being said, this is a nine because it's in red, and when you look at this, the actual details are not as relevant, but what I want you to notice is: here's a TP-Link one, here's a list of the 38 devices and firmware versions affected by this one particular CVE, and it also, you know, wasn't patched and closed and disclosed until 2018, so some of these devices have been sitting around for years, probably been infected for a while, and no one, because they haven't stopped working, is going to ever update them. And that's where this comes in: unless there's something that stops this device from working, it sits in the back room and works, and the fact that these can be infected and continue to function means no one's really checking that. And let's look at another one over here. I pulled up just a couple. Here's, like, the ASUS, because these were popular for a little while. The ASUS ones: there are 51 devices, the N66U-series ASUS, and the N56 is a similar kind of cool-looking black box, um, you know, all-in-one router firmware. I think they were a little bit more expensive, but they've been around for a number of years, they were really popular, I've seen a lot of people have them, and once again this vulnerability affects 51 of their devices. And you start digging into a lot of these and you're just like, yeah, there's potentially a lot more infected than there are. And we go over here, here's one that has a
complete 10, the highest CVE score, for the D-Link; this is a DIR-615 model. And we'll go over here, here's a 7.8 for, who makes this one, D-Link and Netgear, so apparently some shared firmware information here. And then here's MikroTik; this has a complete 10 out of 10 as well. This was fixed in March of 319 here, as when updated in April is probably when they have the new firmware, so they did patch it, but once again, if it does not affect the end user and it's not under a managed contract where someone is actively monitoring security, these devices will never get updated unless there is a reason to update them. That being said, how many of them are just left at the default username and password? So there is no CVE vulnerability, but someone got on a network. Now, we've run into this ourselves, and it was not a malicious actor as much as it was a kid goofing around. Uh, they called us because they're in a panic, they didn't know what to do. It was a small business that had an open Wi-Fi, and they just wanted to give Wi-Fi to their customers, but they also left admin/admin on their cheap Linksys that they named "guest network," and someone logged in and changed it to something not nice. And these happen, these happen every single day, and that's part of the problem: no one's monitoring this, everyone's just leaving these things wide open. So finding the exact level of infection is hard to do. Finding out whether you're infected: hold in the reset button, update the firmware; if you're on the list at all, there's a very high chance you're infected. The problem is, there's not like one thing I can tell you to do to tell if you're infected with these. The other side of it is take it and wipe and load, and buy a newer router that's not on the list, you know, and I've recommended before these UniFi ones and things like that. And yes, I know Ubiquiti was on this list, but that being said, it's kind of weird, because the Ubiquiti devices on the list aren't routers; they're site-to-site units, which, like I
said, someone probably left publicly exposed. I don't, I've never used these in a routing fashion. I generally, because they're wireless bridges, use them for their primary function, which is a bridge, but that doesn't mean there's not someone who publicly exposed them and left the default ubnt/ubnt on there. Matter of fact, we just did a job, we took over a client, I'm like, "Hey, cool, they installed UniFi equipment, um, but I'm going to need the passwords from the old IT guy," and the old IT guy, well, they called us because he's MIA and doesn't return phone calls. But a quick login was ubnt/ubnt. So, to the other IT guy, thank you for just completely leaving the default passwords wide open on the network. So we joined the network, um, and logged in with the default passwords, which is handy, thank you, um, but this happens a lot. Even, you know, even when you see nicely installed equipment, if it's not secured or set up properly, it's not necessarily the equipment's fault. I mean, same with MikroTik: they have updates, they have, and I may be saying MikroTik wrong, um, they have updates, but you have to update them. So this is something that is important for these: even if you do have a commercial one, please update it, please make sure it's managed. So if you want to avoid any of these problems, you know, getting a better router, I guess, I'm still a fan of some of the Edge switches; they're nice. UniFi does make some, uh, home equipment, which I've heard good things about, though I've never used it myself, which is the AmpliFi equipment. So if you're completely non-technical but want something, you know, better, there is that. But just generally, update the firmware, see if it's out there, and I'm hoping, and I think we're going to start seeing a trend, uh, where we see a lot of these companies, um, start having auto-updating firmware, that way it's no longer an option. But when you're talking about a race to who can make the cheapest thing for the mass consumer market, uh, security is something they're skimping on quite a bit.
The other thing too, I noticed, and that I didn't see in the list or see in any of the readings I've done, is your standard cable modems given to you by companies, let's say Comcast. I didn't see any of them in the list, and for example, you know, Comcast gives a lot of consumers a pretty basic router. These do have some limited functionality as well, uh, even though they do have a default username and password on most all of them, so there is that as a risk. But they're stricter on firmware updates, because the firmware updates are pushed through by the cable companies, and because the cable companies can see inside them, because there is a hidden management interface on there, it seems less likely, and the cable companies purposely don't want their networks being, uh, used for other things, so they probably would, uh, do that. I know, for example, uh, dealing with both Comcast and wide open s area, they're able to easily push firmware updates, and we've had to work with them to get bridging enabled, and the solution a lot of times is they just push down a firmware update. So they actually are taking care of some of that, to the extent that they feel they need to. That doesn't mean I would blindly trust them, but oddly, you are actually adding risk: so the people who took their Comcast and bridged into this, uh, D-Link opened up a risk that the Comcast didn't have previously. So those are a couple things, that gives you a couple things to think about. So there's no, you know, turnkey, snap-my-fingers easy solution. Um, the nice thing is, though, if you have one of these devices or anything, is just go ahead and factory reset it, make sure you have the latest firmware, and don't leave it at the default password. Those are your basic protections. Your router protection, of course, is getting a better, higher-quality device, um, that hopefully isn't on this list or won't soon be on that list. So hopefully this is helpful in explaining a little bit more about how these got infected and how to deal with it, um,
and my final thoughts on what the future holds. Well, until these viruses actually stop the units from functioning, there's no solution for this; this will continue to go on, because, well, that's just how this works. So that's kind of my thoughts for the future, unless BrickerBot makes a comeback. And if you, uh, want some fun history, I think I did a video on it, but just read about BrickerBot: uh, somebody who created a bot that was not for the, uh, purpose of infecting these for nefarious reasons, but it would go around infecting IoT devices and bricking them, which I think, uh, the person called himself "the chemotherapy of the internet," and he realized if he infects and bricks them, that will force people to replace them and also stop them from potentially being used to destroy the internet, like VPNFilter's being used for attacks and botnets. So, um, I'm not suggesting that vigilante come back, but those are the only things that really seem to stop this and, you know, cause actual change to happen, and people to run out and go, "Oh man, I really should replace this horribly broken thing." Thanks for watching. If you like this video, go ahead and click the thumbs up, leave us some feedback below to let us know any details, what you liked and didn't like as well, because we love hearing the feedback, or if you just want to say thanks, leave a comment. If you want to be notified of new videos as they come out, go ahead and subscribe, and the bell icon, that lets YouTube know that you're interested in notifications; hopefully they send them, as we've learned with YouTube. Anyways, if you want to contract us for consulting services, go ahead and hit laurencesystems.com and you can reach out to us for all the projects that we can do to help you. We work with a lot of, uh, small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you want to help the channel in other ways, we have a
Patreon, we have affiliate links, you'll find them in the description. You'll also find recommendations to other affiliate links and things you can sign up for on laurencesystems.com. Once again, thanks for watching, and I'll see you in the next video.
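The video mentions Tripwire and OSSEC-style file-level monitoring as the way a defender would normally spot a changed file on a device, and also why that is not enough against an implant whose main stage lives only in memory. The following is an added example, not code from the video or from Tripwire or OSSEC: a minimal baseline-and-compare file integrity check written in Python. The fake firmware tree, its file names and the "trojanized" contents are all constructed inline for the demonstration and are not taken from any real device.

```python
"""Minimal Tripwire-style file integrity check (constructed example).

build_baseline() records a SHA-256 for every regular file under a root;
compare() reports what was added, removed or modified between two baselines.
demo() runs the whole flow on a constructed fake firmware tree.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large firmware images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (as a POSIX relative path) to its SHA-256."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, set[str]]:
    """Diff two baselines: files that appeared, disappeared, or changed contents."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": new_paths - old_paths,
        "removed": old_paths - new_paths,
        "modified": {p for p in old_paths & new_paths if old[p] != new[p]},
    }


def demo() -> dict[str, set[str]]:
    """Constructed scenario: baseline a fake firmware tree, then tamper with it.

    The file names and contents here are invented for the example; they are not
    artifacts of any real router firmware or of VPNFilter itself.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"original web server binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("admin:x:0:0::/:/bin/sh\n")
        before = build_baseline(root)

        # Simulate a persistent on-disk change plus a dropped file; a purely
        # in-memory stage would leave this baseline untouched and go unseen.
        (root / "bin" / "httpd").write_bytes(b"trojanized web server binary")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * /bin/httpd\n")
        after = build_baseline(root)

        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

The check only sees what is on flash or disk: a baseline taken from a clean image and compared against a later snapshot will flag a replaced binary or a new persistence file, but, exactly as the video says, a stage that is resident only in memory leaves the baseline unchanged, so a clean comparison is not proof that a device is clean. On a consumer router without SSH access the practical way to obtain the "after" snapshot is usually a firmware dump rather than an in-place scan.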