Most IT devices have some form of remote access, whether via web browser or app. As long as devices are accessed by an authorized user from within an internal network, this isn’t a problem. Unfortunately, many devices, especially routers and smart home gateways are also accessible from the internet. And that’s where the problems begin. In fact, they have never stopped. Open remote access is among the greatest yet unfortunately inevitable threats of IT devices. Anybody who can access the management interface can control the device and usually the owner will not notice. Devices that are connected to the internet are constantly scanned and scrutinized for vulnerabilities. Open remote management interfaces should be treated as the digital equivalent of a loaded gun. It can be used but you need to know exactly what you are doing and take every possible precaution. It does not matter whether the router or gateway connects nothing more important to the internet than an old laptop and an inkjet printer. Even these devices can be used for DDoS and ransomware attacks. Manufacturers often cannot know where their devices will be used. Devices designed for the home may equally be used by a small company, an attorney’s office, a medical practice or for connecting a home office to the Internet.
All of this information is nothing new and it’s hard to see why such vulnerabilities still exist:
These are just reported vulnerabilities from the last four weeks and the list is far from complete. The fact that most routers for the consumer or small office market are not even supplied with the most rudimentary security features for remote access is even worse. Default passwords for the admin account are often identical on all devices and not even at least linked to the MAC address. Online brute force attacks are possible because access is not blocked after three attempts. Support access is frequently already configured and provided with well-known passwords. The list could go on for quite a while and its far from surprising that most security analysts have called home office router security “hopeless”. John Matherly, developer of the Shodan search engine which tracks vulnerabilities in Internet devices, says only half in jest that the number of vulnerabilities in routers is limited only by the time security analysts have to look for them.
Why such vulnerabilities are still on the agenda and why basic security measures are still not installed is simply incomprehensible. Probably the situation will only improve when manufacturers are held accountable for damages caused by such poor security. A mandatory VPN for remote access would easily help to minimize the problems. Is this really too complicated? Hardly, considering the target audience. Inexperienced users are not likely to use remote access with or without VPN. And anyone who is capable of configuring the remote management interface of their router is likely to be able to configure a VPN. Of course software fixes and regular security updates also need to made available and built-in remote access should be removed from the firmware. But this can’t be so hard, considering that cars can now calculate safe distances automatically, reverse park and recognize traffic signs.