Millions of fibre broadband routers open to remote control by hackers
Millions of fibre broadband routers open to remote control by hackers
Security researchers have found flaws in fibre-optic broadband routers that enable hackers to bypass security and takeover devices.

In a blog post, researchers at VPN Mentor found that many routers used to connect users to fibre-optic broadband or Gigabyte Passive Optical Networks (GPON), contains a vulnerability (CVE-2018-10561), that allows attackers to bypass all authentication on the device. With this authentication bypass, researchers were also able to unveil another command injection vulnerability (CVE-2018-10562) and execute commands on the device.

The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication. The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick, according to researchers.

They added that by appending ?images/ to the URL, the attacker can bypass the endpoint.
This works on both HTML pages and GponForm/.

“While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn't take much to figure out that the commands can be injected by the host parameter. Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output with the authentication bypass vulnerability,” they added.

According to an accompanying video, around 1,054,692 GPON devices can be found on IoT search engine Shodan. Every router tested by the researchers contained the same flaws. Around half of the flawed routers are located in Mexico with a sizable proportion found in Kazakhstan and Vietnam. The impacted devices are made by a Korean company by the name of Dasan Networks.

VpnMonitor said it had contacted Dasan before making the information public but had not had a response.

“Because so many people use these types of routers, this vulnerability can result in an entire network compromise,” said researchers. The flaws could allow hackers to spy on the user or any connected device. Criminals may also be able to route their activities through a compromised device.

Researchers recommended that users should check if your router uses the GPON network, be aware that GPON routers can be hacked and exploited and contact their ISP to see what they can do to fix the bug.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SC Media UK that unfortunately, many network devices, from security cameras to routers are prone to critical vulnerabilities in their web interfaces. 

“Many manufacturers totally ignore admin interface security, creating huge risks for their users. Worse, some of the devices don't even have any update mechanism making them almost unusable once a high-risk vulnerability is discovered,” he said.

“Others have quite complicated update processes for common users, and unsurprisingly very few customers have their firmware up2date. Users should ascertain that their home routers and other connected devices are inaccessible from the outside and keep their firmware up2date whenever possible.”

Sean Newman, director of product management at Corero Network Security, told SC Media UK that it's possible that a new release of firmware will be issued to address these vulnerabilities, but not guaranteed, as the manufacturers often have short lifecycles on these types of products and quickly move on to developing new models.
 
“If a fix is released, there is still the issue of how many of those 1 million plus routers will actually be upgraded to the new release – experience says, not many!” he said.
 
“Even if they are aware of this issue, the owners of the routers may not even be able to do the software upgrade, as the service providers which provide them often lock down that part of the user interface, so it would then be reliant on the service provider themselves to do it, which would be a massive undertaking.”