More than 700,000 routers provided to customers by their ISPs harbour serious vulnerabilities that could enable hackers to take control of them, according to a security researcher.
The devices are usually low-cost models sent out to customers as part of their broadband contract with the ISP. These routers contain several flaws that would allow a hacker to sniff internet traffic or hijack computers.
The vulnerabilities, discovered by security researcher Kyle Lovett, allow “directory traversal” and appear in the router firmware component called webproc.cgi. A file in the router's configuration settings, known as config.xml, contains the administrator's password hashes and can easily be extracted by criminals. These hashes can be cracked easily because weak hashing algorithms are used.
The file also contains ISP connection username and password, Wi-Fi passwords, and client and server credentials for the TR-069 remote management protocol. The flaws could allow hackers to break into a router and change DNS settings, directing traffic to rogue servers while users think they are accessing legitimate websites.
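As an added, defender-side example (not code from the article, from Kyle Lovett, or from any router vendor), the script below audits a router configuration export of the kind the article describes: it flags credentials stored as unsalted hashes or readable plaintext, and flags DNS resolvers that do not match the ISP's expected servers. The XML layout, field names and every value in it are constructed for illustration; real config.xml files use vendor-specific layouts, so the element and attribute names would need adjusting.

```python
"""Audit a router config export for weak credential storage and DNS tampering.

Added example, not the article's or any vendor's code. The XML layout and
all values below are CONSTRUCTED; adapt the tag/attribute names to the
real config.xml layout of the device being reviewed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the field types the article says the file
# exposes: admin hash, ISP (PPPoE) login, Wi-Fi key, TR-069 credentials, DNS.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <admin user="admin" password="3c1f0e9ab7d2c4e5f60718293a4b5c6d"/>
  <wan user="isp-user@example.net" password="PlainTextPppoeSecret"/>
  <wifi ssid="HomeNet" key="wifipassphrase123"/>
  <tr069 url="https://acs.example.net/" user="cpe" password="cpe-secret"/>
  <support user="support" password="$6$saltsalt$CONSTRUCTEDsha512cryptDIGEST"/>
  <dns primary="203.0.113.53" secondary="198.51.100.7"/>
</config>
"""

# Bare hex digests of these lengths are unsalted MD5 / SHA-1: cheap to crack.
WEAK_HEX = {32: "unsalted MD5", 40: "unsalted SHA-1"}
# Modular-crypt prefixes; only md5crypt ($1$) is treated as weak here.
CRYPT_PREFIX = {
    "$1$": "md5crypt (weak)",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$y$": "yescrypt",
}
# Attribute names the sample uses for secrets (assumption for this layout).
SECRET_ATTRS = ("password", "key")


def classify_secret(value):
    """Return (label, is_weak) describing how a stored secret is protected.

    Anything that is neither a bare hex digest nor a modular-crypt string is
    treated as plaintext. Wi-Fi keys, PPPoE and TR-069 passwords must be
    recoverable by the device, so for them the finding means "readable in
    the export", which is exactly why the export must not be reachable.
    """
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in WEAK_HEX:
        return WEAK_HEX[len(value)], True
    for prefix, name in CRYPT_PREFIX.items():
        if value.startswith(prefix):
            return name, prefix == "$1$"
    return "plaintext", True


def audit_config(xml_text, expected_dns):
    """Return a list of (element, attribute, finding) tuples.

    expected_dns: set of resolver addresses the ISP is known to configure;
    anything else is reported as a possible DNS hijack.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr in SECRET_ATTRS:
            if attr in elem.attrib:
                label, weak = classify_secret(elem.attrib[attr])
                if weak:
                    findings.append((elem.tag, attr, label))
    dns = root.find("dns")
    if dns is not None:
        for attr in ("primary", "secondary"):
            server = dns.get(attr)
            if server and server not in expected_dns:
                findings.append(("dns", attr, f"unexpected resolver {server}"))
    return findings


if __name__ == "__main__":
    # 203.0.113.53 plays the ISP's legitimate resolver in this constructed sample.
    for tag, attr, finding in audit_config(SAMPLE_CONFIG, {"203.0.113.53"}):
        print(f"{tag}.{attr}: {finding}")
```

Run against the sample, the audit reports the admin hash as unsalted MD5, the ISP, Wi-Fi and TR-069 secrets as readable plaintext, and the secondary resolver as unexpected, while the sha512-crypt support password passes. The useful lesson for a reviewer is the split between the two finding types: weak hashing is a vendor defect that cracking makes exploitable, whereas recoverable secrets are unavoidable on the device and become a problem only when the file itself is exposed, which is the directory-traversal flaw the article describes.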
Lovett told delegates at a presentation at the CrestCon & IISP Congress 2015 in London that poor security on routers represented a threat not only to consumers but also to enterprises that have remote workers connecting into their networks from these flawed routers.
He said that most of these vulnerabilities are already widely known and yet ISPs and the OEMs that provide the faulty routers have done little to secure these devices.
Other flaws the devices possess include easy-to-guess hard-coded support passwords that could allow backdoor access. Other routers can have their memory dumps remotely recorded and scanned for sensitive information. Lovett said routers were already being probed from IP addresses based in China.
Ken Munro, senior partner at Pen Test Partners, told SCMagazineUK.com that the vulnerabilities highlight that “manufacturers still have things to learn about security and secure coding practices”.
“There seems to be the assumption that hardware is harmless (one need only look at the USB issue) but in reality attackers are quick to exploit any potential doorway,” he said. “Consumer devices like these have been seen turning up in botnets and bitcoin mining teams, so they do have some value to an attacker.”
Munro added that these routers are rarely patched, making it difficult to determine if they have been compromised.
“The addresses of common devices are going to be easily guessable, and whilst you will need access to the victim's internal LAN to take advantage of most of these vulnerabilities, it's a great way to maintain persistence if you own the gateway device,” said Munro.
Tom Landesman, security researcher at Cloudmark, said that it is possible that these routers were already being compromised by attackers who found this out on their own.
“Current botnets of compromised routers could be leveraged to find and send off hashes to be cracked, thus allowing the attacker to add even more resources to their botnet which in turn allows them to compromise even more routers more quickly,” he told SC.
Landesman said that avoiding and preventing these types of issues is a “multifaceted problem that requires better scrutiny of the device manufacturers, the router vendors, and ISPs delivering these devices to households.”
“The list of flaws stems from each of the various points in this chain, making the solution less than straightforward,” he added.
Wolfgang Kandek, CTO at Qualys, said that in the absence of official regulation, and associated government fines, the only solution is to make the customers aware of these companies, and the problems in their equipment.
“We need to show them what they can do to prevent security issues: complain to their service provider and install alternative equipment, with an open-source implementation of the routing software. These types of router software (dd-wrt, openwrt, etc) tend to be stable and typically get very favourable reviews by security professionals,” he said.