Reboot your SOHO devices now

Published 3:00 am Friday, June 1, 2018

Last week the U.S. Department of Justice delivered a security bulletin to the public.  The bulletin described a widespread security vulnerability in SOHO devices.  In the notice, they suggested that SOHO device owners reboot their devices.

As I read the bulletin, I noticed that the contents, while very informative and helpful, were not written for the general public.  Many media outlets observed the bulletin and have issued renditions of the contents.

I’ll describe the issue and minimize the use of technical terms as much as possible.

First, what in the world are SOHO devices?  Are they artisanal electronics fashioned in lower Manhattan by engineering artists?  No.  SOHO is an abbreviation for Small Office Home Office.  The acronym is used to describe consumer electronics.  In essence, SOHO devices are products that most consumers purchase from common electronics stores – think BestBuy, WalMart.  The devices could be present in your home or small businesses.  Also, some service providers will use SOHO devices for their customers.

The bulletin stated that hundreds of thousands of SOHO devices were compromised by foreign actors.  Specifically, indications suggest that a group known as Fancy Bear may have been the originators of the attack.  The hacking group is frequently associated with Russia, and some suggest that the group is affiliated with the Russian government.

The attack uses multi-stage, persistent malware named VPNFilter.  Sounds impressive.  It is.

In fact, this malware (malicious software) has three stages.  Stage one of the software builds a connection to a networked device managed by the attackers.  Stage two delivers the collected data, and stage three extends stage two with additional capabilities, such as encryption and specific monitoring tools.

The suggestion from the DOJ is to reboot your home router or NAS device.  The router is the technology that is often provided by your internet service provider, enabling the connection between your home devices and the internet.  Also, many purchase their own routers, typically including wireless networking capabilities.  A NAS device is a network attached storage unit, frequently a piece of equipment used for backup or storage of large files.

However, if your device is infected, a reboot will not resolve the issue.  In fact, a full power cycle will not correct the issue.  Given that the malware is designed to maintain a persistent connection to the bad guys’ remote environment, rebooting or powering off will interrupt the connection and disrupt the first stage of the effort.  In theory, the attackers could reactivate the malware through stages two and three.

So, what do you do to remove the threat completely?

First, change the passwords on your router.  If you don’t have the router, or the device is owned and managed by your internet service provider, contact technical support and ask if they are aware of the bulletin.

After changing the password or contacting support, update your router’s firmware.  Typically, routers will have automatic firmware updates enabled by default.  However, you should check.  Visit your manufacturer’s support site for firmware update procedures.  Lastly, and most dramatically, perform a hard reset on the device.

A hard reset is not a trivial effort.  It resets the device to the manufacturer’s default settings, and the device will have to be configured again.  If your device is managed by the internet service provider (ISP), they should have the ability to manage it remotely without you having to do much.  If you own the device, consult the manufacturer’s website and review the documentation thoroughly before proceeding with the hard reset.

A list of known affected devices has been presented.  However, it is unknown if the list is exhaustive.  Therefore, I suggest everyone be cautious and update the firmware.

The malware is designed to gather intelligence (steal and observe activity) and perhaps participate in future planned efforts.  It’s important to update your gear and avoid being a victim.

William Greg Price is the Chief Technology and Security officer for Troy University and the Director of the Alabama Computer Forensics Institute. He currently represents District 2 on the Pike County Board of Education.