Published July 12, 2018
A Netgear router with an easy-to-guess default password may have helped a hacker steal sensitive documents about a US military drone.
On Tuesday, the security firm Recorded Future said it recently noticed an interesting item up for sale in a hacker's forum; last month, a merchant was offering up files regarding the US Air Force's MQ-9 Reaper drone.
The merchant, an English-speaking hacker, claimed he obtained the files by scanning the open internet for vulnerable Netgear routers. Specifically, the hacker abused a known weakness in the routers' File Transfer Protocol (FTP) access, which was protected only by the default login credentials "admin" and "password."
By hijacking the FTP access, an attacker can reach any storage device attached to the router and read the files stored on it. Researchers from Recorded Future held conversations with the hacker, who claimed to have targeted one specific Netgear router to steal files from a captain in an Air Force unit stationed in Nevada.
Among the files initially up for sale were maintenance course books for the Reaper drone and a list of airmen assigned to maintain them. The hacker later offered up an operation manual for an M1 Abrams tank, along with other manuals on tank platoon tactics, but it isn't clear how he obtained this batch of documents.
"He (the hacker) professed that on days he was not hunting for his next victim, he entertained himself by watching sensitive live footage from border surveillance cameras and airplanes," Recorded Future said in its write-up. "The actor was even bragging about accessing footage from a MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico."
Although the documents up for sale were not classified, they were marked as export-controlled, indicating that foreign nationals were not supposed to have access to them. "In unfriendly hands, they (the documents) could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft," Recorded Future said.
The whole incident is a reminder to secure your internet router, especially when a storage device is attached to it: change the factory-default password, and make sure file-sharing services such as FTP are not reachable from the internet. Older router models are often shipped with weak default passwords, which makes them easy targets for hackers.
Recorded Future said it found the Netgear FTP weakness on more than 4,000 routers exposed to the open internet. Affected models include the Netgear Nighthawk series; the manufacturer has published instructions on how to change the FTP access settings on these models.
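The check a router owner or network administrator would want after reading this is simple: does the device's FTP service answer from where you are testing, and does it still accept the factory-default login? The script below is an added example and is not code from the article, from Netgear or from Recorded Future. It uses only the standard-library ftplib client, tries a short list of default credential pairs (the "admin"/"password" pair from the article plus two other common defaults, which are assumptions), and reports which ones the server accepts. The sample address 192.0.2.1 and the FakeRouterFTP class are constructed stand-ins so the code runs offline; point it at a real host only if you own the device or are authorised to test it.

```python
"""Check whether a router's FTP service accepts factory-default logins.

Added example; it is not code from the article, Netgear or Recorded Future.
Use it only against devices you own or are authorised to test. The credential
list, the sample host 192.0.2.1 and the FakeRouterFTP stand-in are assumptions
for illustration.
"""
import ftplib
import sys
from typing import Callable, Iterable, List, Tuple

# Factory-default pairs to try. "admin"/"password" is the pair described in
# the article; the other two are common router defaults (an assumption; extend
# the list for your own inventory). "anonymous" covers servers that need no
# password at all.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "password"),
    ("admin", "admin"),
    ("anonymous", ""),
]


def try_ftp_login(host: str, port: int, user: str, password: str,
                  ftp_factory: Callable[[], "ftplib.FTP"] = ftplib.FTP,
                  timeout: float = 5.0) -> str:
    """Return 'unreachable', 'rejected' or 'accepted' for one credential pair.

    ftp_factory is the stdlib ftplib.FTP client by default; it is injectable so
    the logic can be exercised offline against the constructed stand-in below.
    """
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout)
    except (OSError, ftplib.Error):
        # Refused or timed out: FTP is not exposed from where we are testing,
        # which is the state you want on the WAN side of a router.
        return "unreachable"
    try:
        ftp.login(user, password)
    except ftplib.error_perm:
        return "rejected"          # e.g. "530 Login incorrect."
    except (OSError, ftplib.Error):
        return "unreachable"       # connection dropped mid-login
    else:
        return "accepted"
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            pass


def audit_default_logins(host: str, port: int = 21,
                         credentials: Iterable[Tuple[str, str]] = DEFAULT_CREDENTIALS,
                         ftp_factory: Callable[[], "ftplib.FTP"] = ftplib.FTP) -> dict:
    """Try each default pair and report every one the server accepts."""
    report = {"host": host, "port": port, "reachable": False, "weak_logins": []}
    for user, password in credentials:
        outcome = try_ftp_login(host, port, user, password, ftp_factory)
        if outcome == "unreachable":
            if not report["reachable"]:
                return report      # nothing listening: stop immediately
            continue               # transient drop after an earlier connect
        report["reachable"] = True
        if outcome == "accepted":
            report["weak_logins"].append((user, password))
    return report


class FakeRouterFTP:
    """Constructed stand-in for a router that still ships admin/password.

    Mimics the few ftplib.FTP calls used above so the audit can run (and be
    tested) without a live device. Only port 21 is "listening".
    """
    ACCEPTED = {("admin", "password")}

    def connect(self, host, port=21, timeout=None):
        if port != 21:
            raise ConnectionRefusedError(f"{host}:{port} refused")
        return "220 Welcome"

    def login(self, user="", passwd=""):
        if (user, passwd) not in self.ACCEPTED:
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 Login successful."

    def quit(self):
        return "221 Goodbye."


if __name__ == "__main__":
    # No argument: run against the constructed stand-in. With a host argument:
    # audit a real device you are authorised to test.
    if len(sys.argv) > 1:
        result = audit_default_logins(sys.argv[1])
    else:
        result = audit_default_logins("192.0.2.1", ftp_factory=FakeRouterFTP)
    if result["weak_logins"]:
        print(f"{result['host']}: FTP accepts default login(s) {result['weak_logins']} - change them")
    elif result["reachable"]:
        print(f"{result['host']}: FTP reachable, default logins rejected")
    else:
        print(f"{result['host']}: FTP not reachable")
```

Run it from outside your network (for example from a phone on mobile data) to learn what an internet-wide scanner would see: the desired result is "FTP not reachable". An "accepted" result means the attached storage is readable by anyone who finds the router, which is the condition the article describes; change the credentials and disable remote FTP access before doing anything else.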