MikroTik is a Latvia-based company that produces networking equipment and maintains a proprietary Linux distribution for networking devices called RouterOS. RouterOS is a ripe target for hackers both because there are obvious reasons why nefarious actors would want to exploit vulnerabilities in networking devices and because many people, businesses, and internet service providers are less than diligent about installing updates. I use a MikroTik router (the Hap ac3 as of the publication of this article) and keep it up to date with the aid of an RSS feed. Below, I will offer a cautionary 2018 story about why you should keep your routers up to date before explaining how to use RSS to help you make sure your RouterOS devices have the latest security patches (skip to the RSS section if you are just looking for the feed tips).
(If you do not know what feeds or feed readers are, see my general introduction and be sure to follow The New Leaf Journal’s feeds.)
A 2018 Gray-Hat Hacker Story
On October 12, 2018, ZDNet reported the story of “[a] Russian speaking grey-hat hacker is breaking into people’s MikroTik routers and patching devices so they can’t be abused by cryptojackers, botnet herders, or other cyber-criminals…” The hacker, who went by Alexey, told ZDNet that he had patched 100,000 MikroTik routers. Mr. Alexey explained what he did:
“I added firewall rules that blocked access to the router from outside the local network,” Alexey said. “In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”
What was Mr. Alexey protecting people from (by his own account, of course)?
At the time, the vulnerability (known as CVE-2018-14847) was a zero-day, but MikroTik rolled out a fix in record time … CVE-2018-14847 is a very convenient vulnerability because it allows an attacker to bypass authentication and download the user database file. Attackers decrypt this file and then use one of the username & password combos to log into a remote device and make OS settings and run various scripts.
That is sub-optimal to say the least.
As ZDNet noted, MikroTik put out a fix very quickly once it caught the issue. However, as I noted at the top, many router owners are either unaware of the need to install router updates or too lazy and complacent to do so. One advantage of using MikroTik is that it seems to have a reputation for responding to issues quickly. But this does end-users little good if end-users do not install the fixes promptly.
Now one may think that this is leading into an ethics debate about whether Mr. Alexey was in the right when he hacked into vulnerable MikroTik routers to fix them. However, I am not going to cover that subject. Instead, I am going to offer my tip on how to make sure that enterprising grey-hat hackers like Mr. Alexey do not have to hack into your router to patch it after it was hijacked by weird crypto people.
Using RSS to stay abreast of MikroTik updates
I use a graphical application called Winbox to manage my MikroTik router (I have discussed Winbox’s very retro UI). Winbox is technically a Windows-only application, but it runs perfectly on top of WINE on Linux (MikroTik itself supports using WINE). I could also access the router via SSH or through my web browser, but Winbox works for me. Note that there is a MikroTik mobile app as well, but I never installed it.
I seldom have much to do in my router’s settings (note to self: I should spend a few hours learning RouterOS better). Thus, I tend to only open Winbox when I need to install RouterOS updates. Updates sometimes come in quick succession. Other times they are separated by a few weeks. I once made it a habit to try to remember to start Winbox once a day to check for updates, but that proved to be unwieldy.
There must be a better way.
I went onto MikroTik’s website and checked its software releases page (see page). Now take a look at the following screenshot:
You can see RSS symbols next to “RouterOS v7” and “RouterOS v6” – this is precisely what I was looking for. MikroTik, which is aimed at technical users, offers RSS feeds for RouterOS releases. If you add one of the two feeds to your favorite feed reader, the feed will update every time MikroTik makes a new release. RouterOS v7 and v6 are the two currently-maintained versions. Although it looks like MikroTik has separate feeds, there is only a single feed which has updates for RouterOS v7 and v6. My Hap ac3 is on RouterOS v7, so I only go into Winbox with the intention of updating my router software when I see a v7 release in my MikroTik feed. You should take note of which version of RouterOS your device is on.
RouterOS versions feed URL (recommended by me): https://mikrotik.com/download.rss
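The same check a feed reader does by eye can be scripted: because the single download feed mixes v6 and v7 releases, the script below keeps only items on the installed major version and reports those newer than what the router runs. This is an added example, not MikroTik's code; the item title format and the version numbers in the sample feed are constructed assumptions, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in RSS 2.0 shape; titles and versions are made up and
# the real feed's item titles may be formatted differently.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed sample feed</title>
<item><title>RouterOS 7.99.2 [stable]</title><link>https://example.invalid/a</link></item>
<item><title>RouterOS 6.99.1 [long-term]</title><link>https://example.invalid/b</link></item>
<item><title>RouterOS 7.100rc1 [testing]</title><link>https://example.invalid/c</link></item>
<item><title>RouterOS 7.99 [stable]</title><link>https://example.invalid/d</link></item>
</channel></rss>"""

# major.minor[.patch] optionally followed by a beta/rc marker
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?(beta|rc)?")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if no version."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), pre is not None

def newer_releases(feed_xml, installed, include_prerelease=False):
    """List (version, title) for feed items on the installed major version
    that are newer than `installed`, newest first."""
    parsed = parse_version(installed)
    if parsed is None:
        raise ValueError("installed version not recognised: %r" % installed)
    current = parsed[0]
    found = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = (item.findtext("title") or "").strip()
        parsed = parse_version(title)
        if parsed is None:
            continue  # title carries no recognisable version
        version, prerelease = parsed
        if version[0] != current[0]:
            continue  # the one feed covers v6 and v7; keep our branch only
        if prerelease and not include_prerelease:
            continue  # ignore beta/rc builds on the stable branch
        if version > current:
            found.append((version, title))
    return sorted(found, reverse=True)

if __name__ == "__main__":
    # For the live feed, pass the body fetched from the URL above instead.
    for version, title in newer_releases(SAMPLE_FEED, "7.99"):
        print("update available:", title)
```
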
I use a free and open source Firefox extension called mPage for my software update feeds instead of using my primary feed article reader (Handy Reading on my LineageOS phone). I would recommend separating these sorts of software feeds from article feeds, but use whichever feed reading solution works best for you.
MikroTik also offers changelog feeds for different RouterOS versions. I prefer the download feeds because I see the changelogs in Winbox whenever I apply a RouterOS update, but some may prefer having the full changelog in their reader. The feeds combine RouterOS v6 and v7 and the changelog section has separate feeds for stable and testing versions of RouterOS (this may be the best choice for people using something other than the stable branch). You can also opt for the stable and long-term release feed, but I think that the regular download feeds for RouterOS v7 and v6 will be the best choice for most RouterOS users on the regular update branches.
Missing MikroTik feeds
I was disappointed to see that MikroTik does not offer a feed for Winbox updates. Winbox downloads are available on the same software download page wherein one can find the RouterOS version downloads, but there are only links for the current 64- and 32-bit WinBox versions. I make a habit of checking for a new WinBox release every time a RouterOS update pops up. I hope that MikroTik creates an additional RSS feed for WinBox updates.
MikroTik does not offer feeds for cloud hosted router, SwitchOS, or SwitchOS Lite updates. However, I do not know much about this software, so I have no view on whether they should have feeds.
Conclusion
Although the MikroTik grey-hat hacker story is dated, there is a valuable lesson. Routers tend to sit in a corner and work. It is easy to forget that they need to be updated, especially if you are not using a mobile app or other tool that provides notifications. In the case of MikroTik, RSS feeds make it very easy to stay on top of updates without having to use Winbox, an app, or a similar tool to check every day for something which may only be updated once every few weeks. I encourage fellow RouterOS users to try using an RSS feed for updates. If you are using and managing a different router, I strongly encourage you to look into how to keep it up to date and make sure that you have a convenient way of receiving update notices. I would not be surprised if other router operating system manufacturers also offer RSS feeds or if it is otherwise possible to convert an update list into a feed (see e.g., the excellent Morss.it tool).
(If you are using a free and open source router operating system such as OpenWrt or pfSense, I commend you. I considered setting up my own router – but ultimately decided against it for the time being. Someday. But make sure you are keeping your router up to date in any event.)