Learn From the U.S. Military’s Mistake: Update Your Router Password

The conflict between convenience and security has claimed its latest victim: the U.S. military. Security company Recorded Future reported this week that a hacker stole sensitive documents from the U.S. Air Force and put them up for sale on the deep and dark web. How were those documents stolen? It didn’t take a feat of technical genius–all it required was a quick Shodan search and the exploitation of a security vulnerability in Netgear routers.

Shodan is billed as the world’s first search engine for the Internet of Things. It’s often used by researchers and hackers alike to look for vulnerable devices, almost like they were using Google to search for people who could easily be hacked, except by targeting hardware instead of humans. In this case, Recorded Future said the hacker used Shodan to find vulnerable Netgear routers. That search led to the U.S. Air Force.

Once the device was found, accessing it was trivial. That’s because of a vulnerability in Netgear routers originally revealed in February 2016. The flaw lies with Netgear’s default settings related to File Transfer Protocol (FTP) servers connected to its routers. If the router’s owner doesn’t set a password to access these FTP servers–and they absolutely should–Netgear opens the door to anyone who comes knocking.

None of this is technically sophisticated. It would be easy for Netgear to force customers to use passwords. It’s already easy for those people to set their own passwords, and it’s even easier for someone to find an unsecured Netgear router just waiting to offer up access to an FTP server. In this case, Netgear merely wanted to make it as easy as possible for people to access their data. It just happened to put everyone at risk by doing so.

Recorded Future said the hacker it discovered and contacted was initially selling documents related to the MQ-9 Reaper drone used by the U.S. Air Force, Navy, CIA and other members of the military and intelligence community. Reaper drones have become nigh ubiquitous in areas where the U.S. operates; they’re used for everything from gathering data to conducting missile strikes. Defending their specs is pretty important.

Another recent error involved an electrical engineer for LBI, a defense contractor that according to the Justice Department “designed and built unmanned underwater vehicles for the U.S. Navy’s Office of Naval Research and deployable ice buoys used to gather weather data for the National Oceanic and Atmospheric Administration (NOAA).” This engineer was found guilty of planning to convert trade secrets belonging to LBI.

You’d think those secrets would’ve been stolen a little carefully, right? Nope. The Justice Department said the engineer “surreptitiously uploaded thousands of LBI files to his personal account with Dropbox.” At that point you might as well plot an assassination attempt via Gmail and sell weapons on Instagram. (OK, fine, it’s not that bad. But it still seems like a questionable way to steal from a defense contractor.)

Neither of these incidents demonstrated technical prowess. It would’ve been easy to secure the documents stolen from the U.S. Air Force–all it required was setting a password. Stealing trade secrets probably would’ve also been made easier if they were smuggled out via physical drives, for example, instead of uploaded to Dropbox. The lesson here is hackers don’t need to rely on sophisticated attacks for success; they just have to prey on apathy.