The Dragon who sold his Camaro: Analyzing custom router implant

OVERKILL

In May of last year Check Point, a name most should be familiar with as a firewall and security company, released the following report:
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant - Check Point Research

By monitoring targeted attack traffic, Check Point traced it back to Chinese nationals, a hacking group called "APT" that Check Point tracks as "Camaro Dragon".

The source? A malicious firmware implant for routers from TP-Link (a Chinese company) that creates a persistent back door and allows access to an extensive portfolio of features that enable movement into the device's now-compromised host network. Beyond the basic shell functionality, other features, such as being able to tunnel through this device to obfuscate traffic, are also present. They can also upload/download files, which means additional applications, and thus functions, could be added to the device over time.

While this discovery was restricted to TP-Link devices, the implant itself has platform-agnostic code, so it could be modified to work on other vendors' firmware, assuming the same vulnerability that allows for the implant is present.

While the modified full firmware images they were able to acquire were for old (2014) devices, the implant is not limited to these; they are just the samples obtained. Check Point has not yet determined how devices are being infected, but assumes, quite reasonably, that it's through an existing vulnerability:

Check Point said:
We are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication. The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest.

It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks. Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.

While this exploit is specific to TP-Link devices, it is important to keep in mind that it could be easily ported to others, provided a similar means of injection exists. This underscores the ongoing challenges with consumer network gear, where the placement on the perimeter of a device designed to be manufactured as cheaply as possible, with few resources allocated not only to software R&D but to staying on top of the security of that software after the fact, presents what amounts to a considerable attack surface. With "cloud-tied" services now also being (poorly) implemented on these products, it is likely that we will see the list of ongoing vulnerabilities and exploits grow, rather than shrink.
 
That makes me want to rush out and buy some TP-LINK HARDWARE ASAP! /sarcasm.

Or you could take your toiletpaper link router and repurpose it as a WAP behind a new unifi cloud gateway ultra ($129)
 
I have 2 Gigabit fiber, so I built my own security box:
- 4 core Alder Lake CPU
- 32GB LPDDR5
- 2 x 1 TB PCI-E 4 SSDs - RAID 1
- 4 x 2.5 Gigabit Ethernet ports
- Proxmox 8.1, KVM virtualization, two dedicated ports with passthrough for pfSense, Pi-hole, WireGuard VPN, the works.




Not me... 🤣

 
Personally I have felt TP-Link is a vastly overrated company. Great reviews because of price; however, early failures, lockups and trouble trying to get their "highly rated" routers working correctly were enough. All in the trash, about $500 worth. Spending hours chasing a problem is not worth it.

Bought a Google WiFi mesh and never happier. It just works although it seems dated as top speed is about 400 Mbps on network with wired backhaul. The speed test on app shows it actually gets 600 Mbps from ISP.
 
They probably have paid reviewers.

Sites doing "reviews" of consumer-grade network gear, you generally aren't having a network engineer or somebody in infosec doing this, it's a tech journalist with some very basic networking knowledge rating it based on paper specs and "features". It's pretty easy to hit it out of the park when those are the criteria, and that's before considering if there's some money involved.

And, I mean, that's not surprising, the audience isn't the infosec crowd or people that do networking for a living, so there's that. Problem is of course that there are some considerable infosec concerns with these devices, lol.

Reminds me a bit of the "Initial Quality" rankings by JD Power, it's not telling you that the H/K 2.4L DI engine was hot garbage guaranteed to fail, or that the rest of the car was going to age just as poorly. This stuff isn't being evaluated by engineers.

LG fridges were the top ranked in the New York Times, while there's simultaneously a class action lawsuit over them 🤷‍♂️
 
Next go around will buy a more small office grade network setup. Google WiFi has been flawless/no brainer install except it seems to under deliver my ISP speed increase now but I believe is older tech.
 
I'm using a similar setup, but not so elaborate.
Older Intel NUC i3-3120 with 8 GB RAM and a 60 GB NVMe I purchased on epay for $45. Plenty of HP for FreeBSD and pfSense. Looks like the same case as yours.
Managed 5-port TP-Link switch: 3 ports for LAN and 1 port for an isolated TP-Link access point/router for WiFi.
Just the wife and me so very small network!
 
Have you monitored that TP-Link gear for any "phone home" activity?
 
How does one do that?
Wireshark. @terry274 did some monitoring of his, which is behind his OPNsense box and the PCAP shows some considerable "phone home" traffic to TP-Link domains that are hosted in AWS. Unfortunately, since the communication is encrypted, you can't see what is actually being transmitted. Some of it is to their "cloud" domain, which I assume is verifying its connectivity to the "TP Cloud", but that doesn't make up the bulk of it.

It also makes connections to LinkedIn, Reddit, Google, Microsoft (Bing) and some other domains, I assume to determine that it is "online", as no real traffic was sent to those. This is above and beyond the NTP requests it makes.
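The triage terry274's PCAP implies can be scripted. The following is an added example, not code from the thread or from Check Point: it takes a passive capture (a mirror port or the firewall's LAN interface, so the device itself cannot suppress it the way it could suppress its own logs), builds a per-device inventory of outbound destinations, resolves IPs to names from the DNS answers and TLS SNI seen in the same capture, and labels each destination as NTP, vendor cloud, a small "am I online?" probe to a big-name site, or unexplained. Assumptions, all labelled in the code: the vendor cloud domain `vendor.example`, the probe byte budget, the RFC 1918 LAN ranges, and the input layout, which mimics the tab-separated output of `tshark -r lan.pcap -T fields -e frame.time_epoch -e eth.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport -e frame.len -e dns.qry.name -e dns.a -e tls.handshake.extensions_server_name` (those are Wireshark display-filter field names; the sample rows, MACs and documentation-range IPs are constructed, not captured).

```python
import ipaddress

# Assumptions for this example: the router maker's cloud domain, the third-party
# hosts the thread says the device touches as a reachability test, the byte budget
# below which such a touch counts as a probe, and the LAN ranges to ignore.
VENDOR_DOMAINS = ("vendor.example",)
CANARY_DOMAINS = ("linkedin.com", "reddit.com", "google.com", "bing.com")
PROBE_MAX_BYTES = 4096
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DEV, GW = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"   # constructed MACs: device under test, LAN gateway
# Constructed sample, tshark "-T fields" layout: time, eth.src, ip.dst, ip.proto,
# tcp.dstport, udp.dstport, frame.len, dns.qry.name, dns.a, TLS SNI. IPs are RFC 5737 stand-ins.
SAMPLE = "\n".join("\t".join(r) for r in [
    ("1710525000.10", DEV, "192.168.1.1",  "17", "",    "53",    "82",   "cloud.vendor.example", "", ""),
    ("1710525000.12", GW,  "192.168.1.50", "17", "",    "41234", "98",   "cloud.vendor.example", "192.0.2.20", ""),
    ("1710525000.30", DEV, "192.0.2.20",   "6",  "443", "",      "583",  "", "", "cloud.vendor.example"),
    ("1710525000.35", DEV, "192.0.2.20",   "6",  "443", "",      "1514", "", "", ""),
    ("1710525005.00", DEV, "203.0.113.5",  "17", "",    "123",   "90",   "", "", ""),
    ("1710525010.00", DEV, "192.168.1.1",  "17", "",    "53",    "80",   "www.linkedin.com", "", ""),
    ("1710525010.02", GW,  "192.168.1.50", "17", "",    "41235", "112",  "www.linkedin.com", "203.0.113.10,203.0.113.12", ""),
    ("1710525010.10", DEV, "203.0.113.10", "6",  "443", "",      "74",   "", "", ""),
    ("1710525010.15", DEV, "203.0.113.10", "6",  "443", "",      "517",  "", "", "www.linkedin.com"),
    ("1710525020.00", DEV, "198.51.100.7", "6",  "8443", "",     "74",   "", "", ""),
    ("1710525020.05", DEV, "198.51.100.7", "6",  "8443", "",     "1514", "", "", ""),
    ("1710525020.10", DEV, "198.51.100.7", "6",  "8443", "",     "1514", "", "", ""),
    ("1710525030.00", DEV, "192.168.1.1",  "17", "",    "53",    "92",   "telemetry.third-party.example", "", ""),
    ("1710525030.02", GW,  "192.168.1.50", "17", "",    "41236", "108",  "telemetry.third-party.example", "198.51.100.8", ""),
    ("1710525030.10", DEV, "198.51.100.8", "6",  "443", "",      "583",  "", "", "telemetry.third-party.example"),
    ("1710525030.15", DEV, "198.51.100.8", "6",  "443", "",      "1514", "", "", ""),
    ("1710525030.20", DEV, "198.51.100.8", "6",  "443", "",      "1514", "", "", ""),
])


def parse_rows(text):
    """Parse tab-separated tshark field output; empty fields stay empty, dns.a may list several IPs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        if len(f) != 10:
            raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
        ts, mac, dst, proto, tport, uport, length, qname, answers, sni = f
        rows.append({"ts": float(ts), "mac": mac.lower(), "dst": dst,
                     "proto": int(proto) if proto else None,
                     "port": int(tport or uport) if (tport or uport) else None,
                     "bytes": int(length), "qname": qname.lower(),
                     "answers": [a for a in answers.split(",") if a], "sni": sni.lower()})
    return rows


def _is_external(ipstr):
    try:
        ip = ipaddress.ip_address(ipstr)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_multicast or ip.is_link_local or any(ip in n for n in LAN_NETS))


def _under(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(name, proto, port, nbytes):
    """Label one destination. Well-known ports first, then whatever hostname the capture revealed."""
    if port == 53:
        return "dns"
    if proto == 17 and port == 123:
        return "ntp"
    if not name:
        return "unresolved"            # neither a DNS answer nor an SNI explains this IP
    if _under(name, VENDOR_DOMAINS):
        return "vendor-cloud"
    if _under(name, CANARY_DOMAINS) and nbytes <= PROBE_MAX_BYTES:
        return "connectivity-probe"     # a handshake's worth of bytes to a big-name site
    return "unexplained"


def build_inventory(rows):
    """Return (inventory, lookups): per MAC, external destinations with totals and a label,
    and the set of names each MAC queried. DNS answers are learned from any packet."""
    ip_to_name = {ip: r["qname"] for r in rows for ip in r["answers"]}
    lookups, flows = {}, {}
    for r in rows:
        if r["qname"] and not r["answers"]:             # a query (no answers) is the device's own lookup
            lookups.setdefault(r["mac"], set()).add(r["qname"])
        if not _is_external(r["dst"]):
            continue
        e = flows.setdefault(r["mac"], {}).setdefault(
            (r["dst"], r["proto"], r["port"]), {"bytes": 0, "packets": 0, "name": ""})
        e["bytes"] += r["bytes"]
        e["packets"] += 1
        if r["sni"]:                                    # SNI beats the DNS guess: it is what the device asked for
            e["name"] = r["sni"]
        elif not e["name"]:
            e["name"] = ip_to_name.get(r["dst"], "")
    inventory = {}
    for mac, dests in flows.items():
        inventory[mac] = sorted(
            ({"dst": d, "proto": p, "port": port, **e, "class": classify(e["name"], p, port, e["bytes"])}
             for (d, p, port), e in dests.items()), key=lambda e: -e["bytes"])
    return inventory, lookups


def flag_unexplained(inventory, mac):
    """Destinations that NTP, the vendor cloud and small reachability probes do not account for."""
    return [e for e in inventory.get(mac, []) if e["class"] in ("unexplained", "unresolved")]


if __name__ == "__main__":
    inv, seen = build_inventory(parse_rows(SAMPLE))
    for mac, entries in inv.items():
        print(mac, "queried:", sorted(seen.get(mac, ())))
        for e in entries:
            print(f"  {e['class']:<18} {e['name'] or e['dst']:<32} :{e['port']} {e['bytes']} B/{e['packets']} pkts")
```

On the constructed sample the script puts the vendor cloud and the NTP server in their expected buckets, treats the 591-byte LinkedIn exchange as a reachability probe, and leaves two destinations flagged: a TLS session named by SNI to a telemetry host, and a session on port 8443 that no DNS answer in the capture explains (a hard-coded IP, which is itself worth a second look). Encryption still hides the payload, as the post says; what this recovers is who the device talks to, how much, and whether the capture contains a name for it.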
 
Normally I just check the firewall activity on a daily basis. Tonight I looked at the traffic logs and didn't see anything from them.
If I wrote malware, I'd have some mechanism that prevented that traffic from entering the logs. Wireshark would really be about the only way.

Sadly, most of the impacted users will have no idea. Maybe ISPs could get on board blocking this behavior, but I have my doubts about their concern, many deploy equipment to residential installations with default passwords and not enough emphasis to change those.
 
That's troubling. I have TP-Link 2.4 GHz antennas and a powerline Ethernet. It's just to broadcast to my other building, like 300 ft away, to get a camera and streaming music over there.

But still, it's in my router, so I guess it can see all traffic and let the CCP do bad things, or at least observe.
 
So now Google is selling your data to advertisers instead of TP-Link to the CCP? Not sure what's worse. If they want it, the CCP will buy it from Google, I'm sure. Scary stuff!
 
Google does not sell or consume any data related to their WiFi except performance. Other places they do, if you use their search or email or app suite.

I use them as a login mostly.
 
Maybe? Google is all about knowing, and monetizing everything.
 

I've actually had great luck with TP-Link stuff. I've installed multiple TP-Link Deco systems. The price to performance ratio is good compared to "bigger" brands.
 
The problem isn't the "bang for buck" but more as to the nature of this thread. You may be getting more than you bargained for with their products.
 
Right, I totally got you... I was simply responding to the commenter who was sharing his negative experience and sharing a positive one. There is no TP-Link equipment in my home because they make nothing I would find useful, but for clients, friends, family, they are generally a solid choice. Moving forward I may have to reevaluate that equipment choice based on these findings but I want more information and research before I write off the brand as a whole.
 