Drone aircraft are some of the U.S. Air Force’s deadliest weapons. Information on how to operate them can be very dangerous if it falls into the wrong hands. If that sort of data was breached and exfiltrated, you’d expect the attack vector would be an obscure zero-day vulnerability being exploited by a masterful cyberwarfare group, right? What if I told you that sort of data was breached by someone who desperately needed $200, through a home router exploit that’s been known for years?
Never, ever leave the default settings unmodified on your networking appliances!
Recorded Future’s Insikt Group made an interesting discovery as they were monitoring a Dark Web forum for cyber attackers. Someone was trying to sell manuals for the M1 Abrams tank, improvised explosive devices, and the MQ-9A Reaper drone. The seller was looking for $150 or $200, and they needed the money badly. Further investigation determined that the documents for sale were authentic.
The seller bragged that the manuals contained classified information taken from the Pentagon. While the exfiltrated data is considered highly sensitive, it’s not officially classified. “Highly sensitive” data is forbidden to be “released to another nation without specific authority.” And the data wasn’t taken from the Pentagon, it was acquired through a home router on the Creech Air Force Base in Nevada.
Recorded Future’s Andrei Barysevich was surprised by what they found:
“I’ve been personally investigating the Dark Web for almost fifteen years, and this is the first time I’ve uncovered documents of this nature. This type of document would typically be stolen by nation-state hackers. They wouldn’t be offering it on the Dark Web, and certainly not for $150.”
Insikt Group members built rapport with the seller. They determined that the seller was from an impoverished South American country (which hasn’t been specified), and had exploited a home router vulnerability known for years to obtain the documents. The modest cyber attacker was also able to view (unencrypted) live footage from an MQ-1 Predator, from NASA, and from cameras at the U.S.-Mexico border. All made possible because a U.S. Air Force service member had connected their poorly secured router to the Creech base network.
The exploited vulnerability is very similar to a Netgear router vulnerability, known and patched since 2016. SFGATE reported on the vulnerability in February of that year:
“It’s a potentially dangerous issue — and one that Netgear says its users are responsible for preventing.
The problem stems from a lax authentication process for accessing data on USB peripherals (printers and disk drives, mostly). When users attempt to remotely access data on an attached drive, they are prompted to enter a user name and password. If those users have not established unique log-ins, the router firmware grants access without requiring a password at all…
Netgear, a publicly traded networking equipment provider (NEP) in San Jose, CA, acknowledges the risk. But the company said customers must take steps to guarantee the security of their devices.
‘A simple change of the password will protect against this potential vulnerability,’ the company said in a statement. ‘Netgear advises to change the default password in the user manual in the section on Personal FTP (file transfer protocol) servers.’
The password intended to protect personal file sharing isn’t the same as the one used for WiFi access. Users can connect their computers to their routers to change the router’s password. Further details are in the router documentation, available on the Netgear website.”
The particular Netgear model of the home router that the US Air Force Captain from the Creech Base used hasn’t been disclosed (the SFGate article calls out the Nighthawk AC1900 Smart Wi-Fi Router R7000). But Errata Security’s Rob Graham believes that vendors have a responsibility to disclose the risk of using home routers as FTP servers in their manuals:
“It should be in the manual: ‘Hey, there are (people who are looking) for this thing. So access to whatever you put on this FTP server, they will find it, and they will download those files.”
DataGravity’s Andrew Hay also thinks that vendors should do a better job of educating their consumer customers:
“Suggesting that users change a password to protect themselves says nothing to the fact that any user account tested during our validation of the issue… would allow for full access to the files associated with the device.”
Interestingly, the U.S. Air Force Captain whose router was hacked had completed a cybersecurity awareness course in February. Either they were insufficiently trained, they didn’t properly apply what they learned, or perhaps a bit of both.
Barysevich recognizes the potential danger of the breached manuals:
“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”
Thousands of home routers on the internet remain vulnerable to the same sort of exploit, which is easily avoidable. Cyber attackers like the person who illegally acquired the sensitive manuals often use Dark Web services like Shodan to discover vulnerable routers.
As Recorded Future wrote in their report:
“Sadly, very few understand the importance of properly securing wireless access points, and even fewer use strong passwords and understand how to spot phishing emails.
The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.”
I think this discovery should be embarrassing to both the vendor and to the U.S. Air Force. Will a lesson be learned? If you have a Netgear router or any other sort of networking devices, go and make sure you’re using secure passwords everywhere, download and apply the latest patches, and avoid leaving factory default settings in place!