The sharing economy enables people to unlock the latent value in their time and property. Renting your apartment to someone for a weekend is good for the wallet. Letting someone stay in it for free as part of a worldwide peer-to-peer hospitality network is good for the soul. Underneath all of the warm fuzzies, though, there’s a spiky security problem with sharp edges, and Jeremy Galloway just found it. He’ll be explaining it all in person to the audience at SecTor this October. His talk, ‘AirBnBeware: Short-Term Rentals, Long-Term Pwnage’, should send shivers down your spine.
Galloway started out like any good tech enthusiast, teaching himself at home, and scouring the Internet for information. He spent a lot of time pouring over the old hacking text files from the 80s and 90s, and was well-prepared when he finally pursued cybersecurity certification. He worked his way into the profession via sysadmin jobs, finally getting into operational security engineering before managing security intelligence at Atlassian. He also likes to snowboard, which is more relevant than it might at first seem.
Galloway uses Airbnb whenever he goes snowboarding with friends. Recently, coming back to an Airbnb apartment early from the piste, he thought he’d play around on the host’s network. “I assumed it might take a couple of hours of poking and prodding,” he says. “Then, I realized that I could walk straight up to the router which was just sitting there totally unprotected, and within five minutes flat I owned the network.”
Good security pros know that physical access to a system is one of the best ways to compromise it. A router usually has its admin username and password printed right on it, and you can reset most of them with a paperclip (Galloway calls this the other type of APT: the Average Paperclip Threat).
Physical access isn’t always easy to get, but it made Galloway realize that apartments rented or loaned as part of the sharing economy were a perfect attack vector. There are two million AirBnB listings in 34,00 cities worldwide, across 191 countries. That’s a pretty big attack surface.
“There’s no CVE. There’s no patch to fix this. There’s no one-click solution for having a piece of hardware exposed,” said Galloway. “If I’m a good guy realizing this, then it means the bad guys probably realized it a while ago.”
What can an attacker do with a compromised router? The first thing is to enable remote administration so that they can access the device whenever they want, which enables them to compromise other devices connected to it far into the future.
Routers let an administrator manipulate the routes that its users take to get to the broader Internet. Spinning up a virtual private server and pointing the router’s first hop at lets a malicious admin broker all of the user’s inbound and outbound traffic, effectively mounting a man in the middle attack.
This attack can be passive, simply dumping the user’s traffic to a file, or more active, which opens up other possibilities. The attacker could make the user type their computer’s username and password into a fake access portal before permitting their web session. A malicious admin could add their own DNS server to their VPS, directing the user to fraudulent web sites and gathering their login information for banking sites, say.
Is the user too tech savvy to fall for any of that? Maybe the malicious VPS could deliver something nasty to the their computer in the form of drive-by malware. An even more subtle approach would be to simply wait for the machine to request software updates from vendors with known vulnerabilities in their update clients.
There are plenty of those, and there are plenty of vulnerable routers, too, because everything is broken. Routers as a category are generally so vulnerable that there are even contests dedicated to pwning them.
“It’s largely the responsibility of the manufacturers to make secure defaults, but in the home router space we see the exact opposite,” Galloway said. “We see terrible buggy code, no automatic updates, insecure defaults.”
But if you’re standing right next to one of them, you probably don’t even to exploit those flaws. And if you’re routinely renting out your home to others, then there could be someone with dishonest intentions groping your router right now.
Airbnb is the biggest name in the homesharing space, but it’s far from the only one. Owners making their property available via other home rental services and free couchsurfing sites could all be vulnerable. And that means that all of their short-term tenants could be vulnerable, too. Because once a router is pwned, it generally stays pwned.
That’s a worrying thought, isn’t it? Perhaps we should rename it the scaring economy.
If you want to hear more detail on this threat, then come and see Galloway talk at the SecTor security conference this October 18-19 (with a day’s training on 17th). It’s at Toronto’s Metro Convention Centre, and you can register here.