The evolution of risk to corporate infrastructure has been augmented by the COVID-19 pandemic over the last week. Previous exposures to low value targets have grown into a risk that should be accounted for as people begin to transition into their homes to work remotely. Pressure applied to Internet Service Providers to fix these vulnerabilities is now becoming the responsibilities of the corporations that own the risk. Employees that are continuing to protect revenue streams as they work from the homefront are entitled to better protection.
Cable Haunt is a vulnerability in Broadcom chip spectrum analyzers that allows for DNS rebinding attacks and uses a default credential. A whitepaper published by researchers is available outlining the details and this is accompanied by the site cablehaunt.com. This is one exposure in a series of flaws that consumer equipment faces. To increase this liability, there is an aging WPA2 standard that has multiple problems.
More than a billion devices are susceptible to Kr00K, and this is an entrypoint for the execution of attacks similar to Cable Haunt. In layman’s terms, Kr00k is the door that can be used to allow access to the network that Cable Haunt causes susceptibility for. These attacks are not complicated, as can be seen when applying the MITRE ATT&CK framework as you would for any other corporate network. That is what your home network has become if you have begun to use company resources at home.
The threat to information at home is imminent. With low-hanging fruit available, the risk to both the worker and the company has increased as a result of measures to counter COVID-19. While the targets of each may not typically fall under the same style of attacker, the resultant opportunity will be an opportunistic approach allowing for the compromise of both corporate and personal data. Managing risks to our workforce is a necessary step in defending our enterprises.
CPA Journal has neatly bundled information on how to deal with the risk that organizations face. The recommendations found on this site are staples for the cybersecurity diet and should be followed by those in charge of securing corporate networks. Industry standard courses are available from companies such as SANS as well as formal institutions. These typically require significant resources, and it would be prudent to outsource any of the risk management changes you are considering. As with all business needs, establishing a relationship with a security professional should be accompanied by a sufficient level of insurance, experience, and aptitude.
After a recent conversation, it was brought to my attention that these vulnerabilities do not necessarily qualify for remediation on their own. Home networks are compromised of many devices these days including jailbroken phones, IoT devices, unpatched systems, Smart TV’s, and the list goes on. If you are going to still work from home without pushing for the security of your cable modem and WiFi appliances, you can still segregate your network with different subnets and even VLAN tagging. Working at home from standard networks is irresponsible (10.0.0.0/24, 172.16.0.0/24, 192.168.0.0/24, 192.168.1.1/24). While security through obscurity is not the best practice, using non-standard network subnetting and VLAN while you come up with a RAP solution is better than nothing.