One million routers may have been compromised by redirect attack

Users of SOHO routers are being urged to update their firmware as soon as possible following the discovery of a new exploit that has caused in excess of one million redirects in a week.

Devices such as routers are vulnerable to the Unix worm

According to a researcher called Kafeine, the exploit is based on CVE-2015-1187, which was released on 2 March 2015. He said it is a cross-site request forgery (CSRF) pharming attack that has grown more sophisticated in the time that he has been studying it.

A list of routers taken from the source code indicates that more than 40 popular router models are being targeted as vulnerable to the attack.

Although it's targeting a known vulnerability that's been patched by most manufacturers, router firmware is rarely if ever updated by users, leading Kafeine to comment in his blog, “i [sic] guess this attack is pretty effective ( the % of routers updated  in the past two months is probably really low).”

He also notes evidence that the attacker is exploiting even older vulnerabilities including CVE-2008-1244. “Routers are not updated automatically, so while we hardly see some >3 years old CVE in Browser Exploit Pack, for routers this might still be relevant,” he wrote.

The CSRF exploit lets the attacker change the router's DNS settings, and it means the attack is not limited to routers with vulnerable remote services.

Once in control of the router, the attacker can launch banking man-in-the-middle attacks, phishing, ad fraud and so on.
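The sketch below shows one way a router's web configuration interface could refuse the cross-site DNS change described above. It is an added example, not code from the article, from Kafeine or from any vendor's firmware; the paths, the trusted origin and the token handling are assumptions chosen for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumptions for illustration (not from any vendor's firmware): the admin
# interface's own origin and the paths that change configuration.
TRUSTED_ORIGINS = {"http://192.168.0.1"}
STATE_CHANGING_PATHS = {"/apply/dns", "/apply/password"}


def origin_of(url):
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None  # absent, malformed, or the literal "null" origin
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, path, headers, session_token, submitted_token):
    """Return (allowed, reason) for a request to the admin interface."""
    if path not in STATE_CHANGING_PATHS:
        return True, "read-only path"
    # Settings must never change on GET, which any web page can trigger
    # against a well-known router address.
    if method != "POST":
        return False, "state change requires POST"
    # Browsers attach Origin to cross-site POSTs; fall back to Referer.
    source = origin_of(headers.get("Origin")) or origin_of(headers.get("Referer"))
    if source not in TRUSTED_ORIGINS:
        return False, "request did not come from the admin interface"
    # Per-session token that a page on another site cannot read.
    expected = (session_token or "").encode()
    supplied = (submitted_token or "").encode()
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample requests: (method, path, headers, session, submitted).
SAMPLES = [
    ("POST", "/apply/dns", {"Origin": "http://news.example"}, "t0k3n", None),
    ("GET", "/apply/dns", {}, "t0k3n", None),
    ("POST", "/apply/dns", {"Referer": "http://192.168.0.1/dns.html"}, "t0k3n", "t0k3n"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], "->", check_request(*sample))
```

Only the third constructed request, which comes from the interface's own page and carries the session's token, is allowed to change the DNS settings.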

Cesar Cerrudo, CTO for IOActive Labs at IOActive, said he wasn't surprised at the news, given that SOHO routers are notoriously insecure.

“Basically, vendors think that because they are used on internal networks (ie the web interface is not exposed to internet commonly) they are safe. The configuration interface – usually a web application – is really weak, has default/hardcoded/weak passwords, XSS vulnerabilities, CSRF vulnerabilities, no firmware signing mechanism, etc,” he said.

“Vulnerabilities in SOHO routers are serious because most of them allow a remote attacker to take over your router. This is not difficult since usually SOHO routers are configured at well known IP addresses such as 192.168.0.1, etc, allowing attackers to guess an IP address and launch attacks when target users are browsing a website.”

He said hardware manufacturers need to take a cue from software developers. “Router manufacturers should implement some automatic update mechanism that doesn't interfere with network usage, alerting the user to update router software once in a while, etc, just like any widely used software currently does such as Windows, Adobe Reader, etc.

“Vendors should make it user-friendly and remind users of the importance of updating router software to protect against security problems,” Cerrudo said.