Wireless attack backdoor discovered in DSL modems

French researcher drives a London bus through wireless modem security. And you don't need to reset the modem's configuration to have a root shell. And some router are vulnerable from the internet, not only from the LAN.

Whilst several vulnerable backdoors in various DSL (broadband) modems were revealed by security researchers last year, would-be hackers required relatively unfettered direct IP access to the device to carry out an attack. Now a French researcher has discovered a series of wireless flaws on DSL modems from Linksys, Netgear and other vendors.

According to Eloi Vanderbeken, the wireless backdoor effectively gives attackers administration level access by simply resetting the modem's configuration settings, so bypassing the firewall settings of the unit.

The vulnerability particularly affects public access WiFi services, SCMagazineUK.com notes, since these units are designed to allow password-less access to the unit across wireless channels, prior to logging in. This raises the spectre of a complete takeover of a public access WiFi hotspot and covert monitoring of all user IP traffic as a result.

Loopholes identified

Vanderbeken has been developing his research strategy for some time but made a major breakthrough over the Christmas period in which he identified a series of common loopholes across several DSL modems.

In his analysis the French researcher revealed that he was attempting to code-limit the bandwidth of individual users of his family's Linksys WAS200G DSL modem, but had locked himself out of the wireless admin console.

This is where it gets interesting, as the researcher discovered he could manage the router via an unusual TCP port (32764) - something that other users, he later found, had also realised. After analysing the firmware of the modem (downloaded from the Web), he created a simple interface to send admin commands to the router without being logged in as an administrator, resetting the unit to its default settings.

Switching to a shell command, he then coded a script to gain access to admin mode - without the admin password - and published the script on to the Github software development service, at which stage other Linksys and Netgear users reported the script worked on their modems.

Linksys and Netgear say they are investigating the claims.

Home-use vulnerable

Nigel Stanley, CEO and analyst of Incoming Thought, the information security consultancy, said that, with the proliferation of broadband technology, many homes and small businesses will be relying on these modems to provide access to the Web.

"But how on earth can an average user ensure their modem is fully patched and secure from these exploits?" he asked SCMagazineUK.com, adding that, whilst in this case the exploit requires the attacker to be on the local network, he and his team have seen other security flaws that appear to be easier to exploit.

"Whilst in isolation this may not seem a big problem, imagine if a vulnerable modem was being used by a small supplier to a larger defence or aerospace company? We then start to have interesting conversations about supply chain risk," he noted.

Peter Wood, CEO of pen testing specialist First Base Technologies, meanwhile, said he has seen this type of security loophole many times when conducting penetration testing at major companies, many of whom rely on these types of modems for users to log into the corporate network from home or remote locations.

"The problem here is that, even though the corporate may have locked down its own access systems, these remote modems effectively give attackers access to the system using weird and wonderful port addresses," he said, adding that, even if VPNs and other security mechanisms are used, this does not rule out a remote attack using Vanderbeken's methodology.

"All it does is to reduce the risk of a remote attack. I'm not entirely surprised by this researcher's findings, as in a corporate environment with 2,000 or more network nodes, we tend to see dozens of these port issues, any one of which can let a hacker or a cybercriminal in via the back door," he explained.

Sign up to our newsletters