Security vulnerability 101: everything you need to know about the misfortune cookie

The wrath of cyber attacks

Security vulnerabilities have long been a problem in software, with wide ranging impact to both consumers and the vendors affected. These bugs can potentially enable cyber criminals to exploit internet accessible devices and expose sensitive information on computers and machines connected to the breached network. Fraud, financial, data and identity theft, and denial-of-service attacks are often the result, leaving companies and persons with serious losses or, at the very least, damage to their reputation.

In 2016, the number of software vulnerabilities had increased by more than 85% since 2011. This influx of vulnerabilities, many of which are still widespread, creates major exposures that are nearly impossible to manage on an ongoing basis.

Nothing lucky about a Misfortune Cookie

One such example is the Misfortune Cookie; a critical security vulnerability originally discovered by the security experts from Check Point’s Malware and Vulnerability Research Group in 2014. This security vulnerability has affected well over 12 million homes and business internet routers across nearly 200 countries — making the Misfortune Cookie one of the most widespread vulnerabilities in years.

The Misfortune Cookie is a byproduct of an error within the HTTP cookie management mechanism (hence the name) present in affected software. This vulnerability allows intruders to remotely take over WiFi routers and gateways, gain access to administrative privileges, and use it to attack home and business networks.

When first identified, the reach of home networks was somewhat limited to a few computers connected to a router. However, in today’s world of the Internet of Things (IoT) and the huge rise of smart home devices, the potential security threat a vulnerability like the Misfortune Cookie can have is enormous. What makes the Misfortune Cookie especially dangerous is the ease of which someone can exploit it. It doesn’t require any specialized skillsets or tools. All you need is an internet browser like Safari or Google Chrome.

Consider your home today and the myriad of devices connected to your network – computers, smartphones, tablets, and a host of smart devices such as thermostats, smart locks, security, and even appliances. By hacking into your network, an attacker can easily tap into these devices, some of which may store sensitive information such as emails and files, to steal personal identify information like your social security number, birth dates, and passwords; financial information like banking and credit card accounts; browsing history; and more.

Steps to protect your home network

So what can you do to ensure you’re protected and your privacy remains intact?

  1. The first step to protecting yourself against any type of bug, worm, or security flaw is to ensure all your network routers and devices have the latest firmware and patches. If your devices and computers don’t have automatic patching, it will take a bit of legwork to search for and install the latest and greatest patches to ensure you’re protected.
  2. Install additional security on your computers. Installing antivirus software acts as an additional layer of protection if a hacker tries to infect your devices with managing viruses. 
  3. Another way to help protect against Misfortune Cookie and any other type of malware is to ensure any sensitive data is password protected to add an additional hurdle for hackers to clear.
  4. The key to a cyber criminal’s happiness is your data. So purchase devices that offer data encryption that encodes the data transmitted between your computer and your router. The best protection is either WPA (Wireless Protected Access) or WPA2, which are both very difficult to bypass.
  5. And finally, don’t be shy about upgrading your router every few years. Newer models tend to offer the latest security features right out of the box, as well as automatic software updates to ensure you always have the latest patches and bug fixes.

eero enterprise grade security for the home

eero home WiFi systems offer modern day security features such as WPA2 personal wireless encryption, DHCP, NAT, VPN pass-through, UPnP, Static IP, and Port Forwarding — which work to keep your network safe and sound. Core to our security framework is our own operating system (eero OS), which gives our engineering team freedom to incorporate fixes that happen in the open-sourced community. Read this blog post to learn more about eero’s security capabilities.

And since eero’s infrastructure resides in the cloud, customers get the benefit of continuous monitoring and improvements to all eero networks, as well as automatic security updates to ensure you’re always on the cutting edge of security for your home network.

Lessons learned

It’s virtually impossible to completely protect yourself from all the security vulnerabilities and malware out there. Take Misfortune Cookie as an example of a vulnerability that was introduced several years ago and continues to exist. All you can do is stay diligent in following best practices, or upgrade to eero so you’ll never have to lift a finger and can rest easy knowing your network is protected.