Why it matters: As long as people continue to ignore critical security patches and do not change the default passwords on their devices, high-profile hacks like this one will remain common and could have lasting consequences.
A computer hacker was able to infiltrate the computer network of a Nevada Air Force base because nobody changed the default password of a Netgear router on its network. The hacker then made off with sensitive documents about the Air Force's MQ-9 Reaper drone and put them up for sale on a dark web marketplace.
The documents were discovered online by security research firm Recorded Future, which spoke with the hacker to confirm their validity. The firm determined the breach took place as a result of a well-known Netgear router vulnerability and a default FTP password on that router.
The stolen documents themselves are not classified, but could still pose a security threat if they fell into the wrong hands.
To find the vulnerable router, the hacker used a service called Shodan, which is essentially a search engine for internet-connected devices around the world. There are still thousands of routers online that remain vulnerable to this type of attack.
Once the attacker found the device, it was trivial to compromise it since the IT department at the Air Force base had not patched the router. From here, the attacker gained access to the router's root directory and the ability to remotely execute commands. This gave the hacker access to the computer of the Officer in Charge at the base and all the documents on it. Ironically, one of the documents the hacker exfiltrated showed that the Officer had recently completed a "Cyber Awareness Challenge."
Upon further questioning, the hacker also offered up documents on IED defenses, M1 Abrams tank operation, tank tactics, and more. It's not clear where these documents came from, but based on the information they contain, it's likely they were stolen from the Pentagon or a US Army official.
The government is aware of the leak and is investigating. Although officials believe they have the hacker's name and country of origin, they haven't made that information public.
Update: Netgear has released the following statement to us in response to the issue:
NETGEAR has previously released a firmware that fixes this issue. We ensure that remote services are disabled by default, and passwords are required to be configured during device setup.
Details can be found in the firmware release notes articles #29959, #29461, and #27635. Customers can be notified of the new firmware by checking the Router Update page, desktop, and mobile genie app. NETGEAR has also proactively notified our registered customers via email.
1. Secure by default – we don’t enable services unless configured by the consumer.
2. Easier security updates – making it very easy for customers to keep their system up to date with auto updates or single button upgrades.
3. Email notifications to registered customers urging them to update to latest software including security fixes.