Home Routers a Big Consumer Cyberthreat?

Home routers and firewalls are supposed to make users easy and safely connect many devices to their Internet connection. Those devices were advertised to make your Internet safer. In many cases they helped, but more and more often they itself be a real security problem. Strange but saddly true.

Home Routers Pose Biggest Consumer Cyberthreat article says that many home routers are almost impossible to secure because there are so many vulnerabilities in them. It doesn’t take much actual hacking to take over most home routers. Typical problems are related to remote management functionality. Most ship with default admin credentials that are easy to guess and sometimes impossible to delete after they’re changed, or a long list of extraneous, often complex, services built into most home routers and the virtual impossibility of either shutting them down or securing them. Also Universal Plug and Play (UPnP) is riddled with security problems.

Many recent news have been on bug that would allow a remote user to access the administrative console of a Linksys router without logging in first, using port 8083, which is left open on many Linksys models. That remote-access management flaw allowed TheMoon worm to thrive on Linksys routers. SANS Institute’s Internet Storm Center (ISC) issued an alert Wednesday about incidents where Linksys E1000 and E1200 routers had been compromised and scanned other devices on network for vulnerabilities. Linksys is aware of the vulnerability in some E-Series routers and is working on a fix.

Just recently there was D-Link Router backdoor vulnerability discovered and Back door found in D-Link routers. The security vulnerability will allow full access into the configuration page of the router without knowing the username and password. All to get through the security checks is to change the user agent string of your web browser tool to a special value to access the router’s Web interface with no authentication. My D-link firewall teardown and vulnerability article has some more information. I also noticed another problem on an old DIR-100 D-link router as My firewall was a security risk that my ISP reported to me.

dlinkfw1

There is an even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. There is also list of Xyxel and Belkin security vulnerabilities at CVE Details. Pick practically any brand and you will most probably find something.

Home Routers Pose Biggest Consumer Cyberthreat article says that it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor.  Nearly every router aimed at homes or small offices is an easy target for attack. It’s that small-office, home office (SOHO) routers are designed to be easy for the non-technical to use, but rich in features that depend on often complex networking protocols. There are series of papers on hacking embedded devices, especially wireless home routers. Routerpwn site is a compilation of exploits and key generators for modems, routers, ONTs and switches.

Why those products are so bad in security? The Internet of Things Is Wildly Insecure — And Often Unpatchable article by well known security expert Bruce Schneier gives a view why there are security problems so often on those cheap routers: Typically, these systems are powered by cheap specialized computer chips, and the profit margins slim. The chip manufacturers try to do as little engineering as possible before shipping. The system manufacturers don’t do a lot of engineering, either. The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. And the software is old, even when the device is new.

Besides programming errors there is one thing that makes me to wonder:  why so many routers hidden back doors in them? Whey the manufacturers all the time put those hard-coded passwords that pass all the checks to their devices that are supposed to be secure. This kind of secrets will be revealed all too often. In this case the the secret was in firmware update packet in plain text inside the code.

Maybe you have to live with your existing router, so you might wonder what to do. How to secure your home router? Start by checking if your router model has a serious problems in it, and update the firmware on it if possible. The first configuration task is to disable the remote administration functionality if you don’t absolutely need it. Routers that are not configured for remote administration are not directly exposed to most attacks. If a router needs to be administered remotely, restricting access to the administrative interface by IP address will help reduce the risk. You will need to live with certain level of risk no matter what you do.

 

94 Comments

  1. cat5e riser says:

    I totally agree with you home routers are not totally reliable

    Reply
  2. Tomi Engdahl says:

    Mobile woes: Modems expose control panels
    http://www.controleng.com/single-article/mobile-woes-modems-expose-control-panels/367d2830d2a1f2159e01fab245af8304.html

    Devices managed via their built-in web servers are vulnerable to cross-site request forgery (CSRF) attacks

    The problems all stem from a lack of consideration for security in the design of cheap consumer communications kit and, more particularly, a lack of testing

    Reply
  3. Tomi Engdahl says:

    London firm at centre of hack redirecting 300,000 routers
    http://www.pcpro.co.uk/news/security/387385/london-firm-at-centre-of-hack-redirecting-300-000-routers

    Florida-based security firm Team Cymru said it was examining a “widespread compromise” of consumer and small office/home office (SOHO) routers in Europe and Asia.

    In January, the firm uncovered a “SOHO pharming” campaign that had overwritten DNS settings on 300,000 routers. That allows attackers to redirect traffic to sites and domains controlled by them, “effectively conducting a man-in-the-middle attack,” the company’s report said.

    “If [your router's] been hijacked and is pointing to someone else’s DNS server, you really have no trust over what you’re actually getting – you could be getting the bad guy’s version of Google, or your bank site,”

    Cymru’s Santorelli stressed that the router attack was serious. “It’s not new as an issue to the InfoSec community but this is one of the biggest we’ve seen recently as it’s quite insidious,” he said.

    The attack affects devices from several manufacturers, the firm said said, adding that “consumer unfamiliarity” with configuring routers and weak default settings makes the devices a “very attractive target”.

    “It’s about the people who write the original firmware… this is ubiquitous firmware,” he said. “It’s on all these very good value, cheap routers – it’s really a firmware vendors’ problem than a hardware manufacturers’ problem.”

    Reply
  4. Tomi Engdahl says:

    A Team Cymru EIS Report: Growing Exploitation of Small OfCice Routers Creating Serious Risks
    https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf

    This report details our recent analysis of a widespread compromise of consumer-grade
    small ofCice / home ofCice (SOHO) routers. Attackers are altering the DNS conCiguration on
    these devices in order to redirect victims DNS requests and subsequently replace the
    intended answers with IP addresses and domains controlled by the attackers, effectively
    conducting a Man-in-the-Middle attack
    .
    As the bar is increasingly raised for compromising endpoint workstations, cyber criminals
    are turning to new methods to achieve their desired goals, without gaining access to
    victims’ machines directly. The campaign detailed in this report is the latest in a growing
    trend Team Cymru has observed of cyber criminals targeting SOHO routers.

    Reply
  5. Tomi Engdahl says:

    EE BrightBox routers can be hacked ‘by simple copy/paste operation’
    WPA keys, ISP creds, MD5 hashes – all in plain view
    http://www.theregister.co.uk/2014/01/20/brightbox_routers_vuln/

    BrightBox routers supplied by UK telco EE as standard kit to its broadband and fibre customers are riddled with security shortcomings that make the devices hackable, a UK security researcher warns.

    A cache of sensitive traffic including ISP user credentials, WiFi SSIDs and WPA2 keys is kept in a file called cgi_status.js that can be accessed without logging into the device.

    “Security appears not to be a factor in the design of the device. it appears to be a case of only making it functional,”

    Reply
  6. Tomi Engdahl says:

    Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute
    http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/

    Win32/Sality is a family of malware that has been using a peer-to-peer botnet since at least 2003. It is a file infector and a trojan downloader, the latter of which is mainly used to send spam, although it has been used for different purposes such as faking advertising network traffic, distributed denial of service or VoIP account cracking.

    Lately, a new component has now appeared with some novel characteristics: the ability to change a residential broadband gateway router’s primary DNS address

    Win32/RBrute.A tries to find the administration web pages for routers by downloading a list of IP addresses from its C&C server to scan and then reporting back its findings. At the time of our investigation, Win32/RBrute.A targeted the following routers

    If a web page is found, the C&C sends a short list of about ten passwords to the bot and instructs it to perform a brute force password guess attack against the router. If the bot is able to log in to the router, it will then proceed to change the router’s primary DNS server settings.

    Reply
  7. Tomi Engdahl says:

    Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed
    Paper is safe. Clay tablets too
    http://www.theregister.co.uk/2014/04/09/heartbleed_vuln_analysis/

    The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from the servers running vulnerable version of OpenSSL, and this includes email servers and Android smartphones as well as routers.

    Many routers and other forms of networking equipment use OpenSSL to secure mini web servers to run admin interface, leaving networking equipment vulnerable as a result.

    Networking giant Cisco was quick to put out put out an advisory.

    “The ‘Heartbleed’ SSL vulnerability affects widely deployed versions of the OpenSSL library which is used in the majority of software”

    Reply
  8. Tomi Engdahl says:

    Intentional Backdoor In Consumer Routers Found
    http://tech.slashdot.org/story/14/04/22/001239/intentional-backdoor-in-consumer-routers-found

    “Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access.”

    Easter egg: DSL router patch merely hides backdoor instead of closing it
    Researcher finds secret “knock” opens admin for some Linksys, Netgear routers.
    http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides-backdoor-instead-of-closing-it/

    First, DSL router owners got an unwelcome Christmas present. Now, the same gift is back as an Easter egg. The same security researcher who originally discovered a backdoor in 24 models of wireless DSL routers has found that a patch intended to fix that problem doesn’t actually get rid of the backdoor—it just conceals

    Vanderbecken disclosed that the “fixed” code concealed the same communications port he had originally found (port 32764) until a remote user employed a secret “knock”—sending a specially crafted network packet that reactivates the backdoor interface.

    The packet structure used to open the backdoor, Vanderbecken said, is the same used by “an old Sercomm update tool”—a packet also used in code by Wilmer van der Gaast to “rootkit” another Netgear router.

    Just how widely the old, new backdoor has been spread is unknown.

    Reply
  9. Tomi Engdahl says:

    It’s Crazy What Can Be Hacked Thanks to Heartbleed
    http://www.wired.com/2014/04/heartbleed_embedded/

    Western Digital makes a tiny box where you can store all your photos and other digital stuff. It’s called My Cloud, and you’ve probably seen the TV ads hawking the thing. It gives you a way to access your stuff from any machine, across the internet.

    In the ad, while the rest of humanity is camped out atop one big giant cloud, their digital data exposed to prying eyes and sometimes vanishing altogether, one smiling woman sits on her own personal cloud — confident all her data is completely safe. With My Cloud, Western Digital says, you too can have such confidence.

    But My Cloud has a problem that belies this ad campaign. It’s a big problem, and it involves Heartbleed

    But the My Cloud is just one example of an enormous problem that continues to lurk across the net: tens of thousands of devices — including not only My Cloud storage devices but routers, printers storage servers, firewalls, video cameras, and more — remain vulnerable to attack.

    In other words, the Internet of Things needs a patch. “It really is disturbing, the number of devices that are affected by this,” Weaver says.

    On Thursday, researchers at the University of Michigan began a massive internet scan to find how widespread the problem really is. The number of devices still at risk is harrowing: HP printers, Polycom video conferencing systems, WatchGuard firewalls, VMWare systems, and Synology storage servers. Weaver counts tens of thousands of users of the Parallels Plesk Panel web hosting control panel that are vulnerable too — those could become a prime target of hackers looking to take control of websites.

    Although many vulnerable devices such as printers are tucked safe behind corporate firewalls, Nicholas Weaver found vulnerable printers accessible over the internet, including some built by HP. But even three weeks after Heartbleed was first disclosed, HP can’t even say which of its printers have the bug.

    But things could have been much worse. Anything that needs to connect securely over the internet could have a Heartbleed problem. But Weaver and the University of Michigan team found that many devices that used OpenSSL were not vulnerable — either because they used an old version of the software library, or because the buggy OpenSSL feature that contains the flaw wasn’t enabled.

    Reply
  10. Tomi Engdahl says:

    Fifteen zero days found in hacker router comp romp
    Four routers rooted in SOHOpelessly Broken challenge
    http://www.theregister.co.uk/2014/08/13/fifteen_zero_days_found_in_hacker_router_romp/

    DEF CON Researchers have unveiled 15 zero day vulnerabilities in four home and small business routers as part of the SOHOpelessly Broken hacker competition in DEF CON this week.

    Four of the 10 routers offered for attack including the ASUS RT-AC66U; Netgear Centria WNDR4700; Belkin N900, and TRENDnet TEW-812DRU were fully compromised.

    Those devices allowed attackers to execute privileged commands through holes found on updated firmware.

    The Linksys EA6500; Netgear WNR3500U/WNR3500L; TP-Link TL-WR1043ND; D-Link DIR-865L, and the Electronic Frontier Foundation’s Open Wireless Router firmware were either untested or emerged unscathed.

    In January, backdoors were found across routers from manufacturers including Cisco, Netgear and Diamond.

    Reply
  11. Tomi Engdahl says:

    Securobods warn of wide open backdoor in Netis/Netcore routers
    Single, hardcoded password in firmware, claim researchers
    http://www.theregister.co.uk/2014/08/27/netis_routers_have_a_backdoor_say_reserachers/

    Routers sold under the brand Netis by Chinese security vendor Netcore have a hardcoded password that leaves users with a wide-open backdoor that could easily be exploited by attackers, claim researchers.

    The backdoor allows cyber-criminals to easily change settings or run arbitrary code on routers, securobods at Trend Micro warn.

    Reply
  12. Tomi Engdahl says:

    Wi-Fi Router Attack Only Requires a Single PIN Guess
    http://mobile.slashdot.org/story/14/08/30/2150238/wi-fi-router-attack-only-requires-a-single-pin-guess

    New research shows that wireless routers are still quite vulnerable to attack if they don’t use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router’s WPS functionality.

    Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it.

    Reply
  13. Tomi Engdahl says:

    Offline attack shows Wi-Fi routers still vulnerable
    An attack can break into some common Wi-Fi routers, via a configuration feature.
    http://arstechnica.com/security/2014/08/offline-attack-shows-wi-fi-routers-still-vulnerable/

    A researcher has refined an attack on wireless routers with poorly implemented versions of the Wi-Fi Protected Setup that allows someone to quickly gain access to a router’s network.

    The attack exploits weak randomization, or the lack of randomization, in a key used to authenticate hardware PINs on some implementations of Wi-Fi Protected Setup, allowing anyone to quickly collect enough information to guess the PIN using offline calculations.

    While previous attacks require up to 11,000 guesses—a relatively small number—and approximately four hours to find the correct PIN to access the router’s WPS functionality, the new attack only requires a single guess and a series of offline calculations, according to Dominique Bongard, reverse engineer and founder of 0xcite, a Swiss security firm.

    “It takes one second,” he said. “It’s nothing. Bang. Done.”

    The problem affects the implementations provided by two chipset manufacturers, Broadcom and a second vendor whom Bongard asked not to be named until they have had a chance to remediate the problem.

    Reply
  14. Tomi Engdahl says:

    Hackers pop Brazil newspaper to root home routers
    Step One: try default passwords. Step Two: Repeat Step One until success
    http://www.theregister.co.uk/2014/09/15/hackers_pop_brazil_paper_to_root_home_routers/

    A popular Brazilian newspaper has been hacked by attackers who used code that attacked readers’ home routers, says researcher Fioravante Souza of web security outfit Sucuri.

    Attackers implanted iFrames into the website of Politica Estadao, which when loaded began brute force password guessing attacks against users.

    Souza says the attackers aimed to change the DNS settings on hacked routers, writing that ” … the payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords.

    “[The] script is being used to identify the local IP address of your computer. It then starts guessing the router IP by passing it as a variable to another script,”

    “iFrames were trying to change the DNS configuration on the victim’s DSL router by brute forcing the admin credentials”.

    The attack code was manipulated to target Internet Explorer

    The attack could be most easily foiled if users changed the administrative credentials on their routers which left usernames and passwords often set both to admin.

    Reply
  15. Tomi Engdahl says:

    Borked Belkin routers leave many unable to get online
    Many ISPs, models appear affected—with a DNS problem apparently to blame.
    http://arstechnica.com/information-technology/2014/10/borked-belkin-routers-leave-many-unable-to-get-online/

    Owners of Belkin routers around the world are finding themselves unable to get online today. Outages appear to be affecting many different models of Belkin router, and they’re hitting customers on any ISP, with Time Warner Cable and Comcast among those affected. ISPs, inundated with support calls by unhappy users, are directing complaints to Belkin’s support line, which appears to have gone into meltdown in response.

    The reason for the massive outages is currently unknown. Initial speculation was that Belkin pushed a buggy firmware update overnight, but on a reddit thread about the problem, even users who claim to have disabled automatic updates have found their Internet connectivity disrupted.

    Others suggest that there is some kind of DNS problem at work. Although the routers are correctly picking up their DNS settings from DHCP, they’re apparently unable to resolve domain names correctly.

    Reply
  16. Tomi Engdahl says:

    Is your home or office internet gateway one of ’1.2 MILLION’ wide open to hijacking?
    Doublecheck your NAT-PMP settings now
    http://www.theregister.co.uk/2014/10/22/home_router_security_threat_rapid7/

    Hundreds of thousands of routers, firewalls and gateways used by small offices and homes are said to be vulnerable to hijacking due to bungled NAT settings.

    The networking devices are, we’re told, commonly misconfigured to allow remote attackers to reprogram how network traffic flows to PCs, servers, tablets and other machines.

    The at-risk hardware acts as a gateway between a local network and the wider internet, and uses NAT-PMP (Network Address Translation Port Mapping Protocol) to configure how traffic from the outside world reaches machines on the LAN.

    But it turns out these gateways typically accept NAT-PMP commands from the public internet as well, without authentication, due to configuration blunders.

    These findings are according to security biz Rapid7, which says it’s found 1.2 million publicly accessible devices that have insecure NAT-PMP settings. There’s no solid evidence that these are being widely exploited.

    Anyone who has a NAT-PMP-capable device on their network should ensure that all NAT-PMP traffic is “prohibited on untrusted network interfaces/” ISPs also have a responsibility in supplying kit that is free from NAT-PMP flaws, added Rapid7 – which is best known for the Metasploit penetration testing tool.

    Reply
  17. Tomi Engdahl says:

    Is your home or office internet gateway one of ’1.2 MILLION’ wide open to hijacking?
    Doublecheck your NAT-PMP settings now
    http://www.theregister.co.uk/2014/10/22/home_router_security_threat_rapid7/

    Hundreds of thousands of routers, firewalls and gateways used by small offices and homes are said to be vulnerable to hijacking due to bungled NAT settings.

    The networking devices are, we’re told, commonly misconfigured to allow remote attackers to reprogram how network traffic flows to PCs, servers, tablets and other machines.

    The at-risk hardware acts as a gateway between a local network and the wider internet, and uses NAT-PMP (Network Address Translation Port Mapping Protocol) to configure how traffic from the outside world reaches machines on the LAN. For example, a computer on the local network can send a NAT-PMP request to map HTTP traffic from the internet to a web server on the LAN.

    But it turns out these gateways typically accept NAT-PMP commands from the public internet as well, without authentication, due to configuration blunders.

    Reply
  18. Tomi Engdahl says:

    Michael Mimoso / Threatpost:
    Vulnerability in embedded web server software from 2002 leaves about 12M home routers exposed — 12 Million Home Routers Vulnerable to Takeover — More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man …

    12 Million Home Routers Vulnerable to Takeover
    http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970

    More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer.

    Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw they’ve called Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order.

    “The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.” – See more at: http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970#sthash.qay5bYS0.dpuf

    Reply
  19. Tomi Engdahl says:

    Misfortune Cookie: The Hole in Your Internet Gateway
    SUSPECTED – VULNERABLE MODELS
    http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf

    Reply
  20. Tomi Engdahl says:

    ASUS router-popping exploit on the loose
    Local users become mighty admins
    http://www.theregister.co.uk/2015/01/09/asus_router_popping_exploit_on_the_loose/

    ASUS routers contain a vulnerability that turns users into admins, researcher Joshua Drake says.

    The boxes could be exploited by malicious local users, but not those on the wider internet, re-rerouting all users on the network to malicious sites, among other attacks.

    everal popular models were affected including the RT-N66U and RT-AC66U.

    ASUS Router infosvr UDP Broadcast root Command Execution
    https://github.com/jduck/asus-cmd

    Reply
  21. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Lizard Squad’s DDoS attack service “Lizard Stresser” runs mostly on thousands of hacked home routers

    Lizard Stresser Runs on Hacked Home Routers
    http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/

    The online attack service launched late last year by the same criminals who knocked Sony and Microsoft’s gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, KrebsOnSecurity.com has discovered.

    Just days after the attacks on Sony and Microsoft, a group of young hoodlums calling themselves the Lizard Squad took responsibility for the attack and announced the whole thing was merely an elaborate commercial for their new “booter” or “stresser” site — a service designed to help paying customers knock virtually any site or person offline for hours or days at a time. As it turns out, that service draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.

    In the first few days of 2015, KrebsOnSecurity was taken offline by a series of large and sustained denial-of-service attacks apparently orchestrated by the Lizard Squad.

    On Jan. 4, KrebsOnSecurity discovered the location of the malware that powers the botnet. Hard-coded inside of that malware was the location of the LizardStresser botnet controller, which happens to be situated in the same small swath Internet address space occupied by the LizardStresser Web site (217.71.50.x)

    As we can see in that writeup, in addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as “admin/admin,” or “root/12345”. In this way, each infected host is constantly trying to spread the infection to new home routers and other devices accepting incoming connections (via telnet) with default credentials.

    The botnet is not made entirely of home routers; some of the infected hosts appear to commercial routers at universities and companies, and there are undoubtedly other devices involved. The preponderance of routers represented in the botnet probably has to do with the way that the botnet spreads and scans for new potential hosts. But there is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras.

    If you don’t know your router’s default username and password, you can look it up here. Leaving these as-is out-of-the-box is a very bad idea. Most modern routers will let you change both the default user name and password, so do both if you can. But it’s most important to pick a strong password.

    Reply
  22. Tomi Engdahl says:

    It’s 2015 and home routers still leave their config web servers wide open
    ADB Pirelli boxes suffer a pair flats, says researcher
    http://www.theregister.co.uk/2015/01/15/pirelli_router_bugs/

    Broadband routers from ADB Pirelli – used by Movistar in Spain and an ISP in Argentina – are vulnerable to at least two nasty security weaknesses, it’s claimed.

    The ADB Pirelli ADSL2/2+ Wireless Routers can be trivially controlled remotely from across the internet, allowing someone to surreptitiously monitor or disrupt home networks, according to a security researcher.

    “Neither authentication nor any protection to avoid unauthorised extraction of sensitive information”

    This would allow anyone to, say, request an owner’s Wi-Fi network password using a simple plain-text HTTP request

    Reply
  23. Tomi Engdahl says:

    Got a GE industrial Ethernet switch? Get patching
    Hard-coded RSA keys found in firmware
    http://www.theregister.co.uk/2015/01/15/got_a_ge_industrial_ethernet_switch_get_patching/

    GE is the latest industrial kit vendor to send users patching to protect against hard-coded credentials in Ethernet switches.

    IOActive disclosed the vulnerability to ICS-CERT, which issued this advisory (details here CVE-2014-5418 and here CVE-2014-5419).

    The vulnerability occurs in various GE Multilink managed Ethernet switches: the ML800, 1200, 1600 and 2400 versions 4.2.1 and older; and the ML810, 3000 and 3100 versions older than version 5.2.0.

    In these switches, the RSA key used to encrypt SSL traffic is hard-coded in the firmware, which needs to be updated (the company has issued patch instructions here). ICS-CERT reckons the skill level needed to remotely exploit the vulnerability is low.

    Reply
  24. Tomi Engdahl says:

    Universal Plug and Play
    Router Security Check
    http://upnp-check.rapid7.com/

    Recent research from Rapid7 revealed that many of these devices are at risk due to security flaws in the UPnP protocol. These issues potentially expose millions of users to remote attacks that could result in the theft of sensitive information or further assaults on connected machines such as personal computers.

    This service can test your router and determine whether it is vulnerable to attack.

    GRC’s | ShieldsUP! — UPnP Exposure Test
    https://www.grc.com/su/UPnP-Rejected.htm

    There is no question whether hackers are, in fact, currently sweeping the Internet for the presence of exposed and vulnerable consumer Internet routers in order to gain access to the private networks residing behind them. Just such hacking packets are now being detected across the Internet. Scanning is underway and the threat is real.
    Whenever changes are made to your network configuration, whenever you update your router’s firmware, and also from time to time just to be sure, you should consider re-running this quick test to confirm that your Internet-facing equipment is continuing to ignore all attempts at its subversion though the Universal Plug n’Play (UPnP) protocols.

    Reply
  25. Tomi Engdahl says:

    It’s 2015 and default creds can brick SOHO routers
    Remote reboot and takedown tricks detailed by security chap
    http://www.theregister.co.uk/2015/01/21/fun_router_hacks_to_bash_crash_and_mash/

    A hacker has detailed a series of tricks that can silently reboot or brick routers or activate admins functions.

    Many routers including Netgear and Surfboard models look to be affected, with most attacks requiring just victims’ default universal credentials to be applied.

    Applications security bod Joseph Giron detailed how victims could be knocked offline or routers bricked.

    So many routers have been found vulnerable in recent years that the DEF CON security event threw a “SOHOpelessly Broken” competition that saw 15 zero days were dug up by only a handful of hackers.

    Last week, Argentine and Spanish telcos were found deploying ADB Pirelli broadband routers with two dangerous security holes that exposed the internal web server.

    That find paled in comparison to the discovery that an estimate 200 cheap SOHO router models including D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL and used by 12 million people were affected

    Cisco, Netgear and Diamond router models were found vulnerable last year, following the 2012 discovery of security holes in 13 routers from the likes of Linksys and Belkin

    Reply
  26. corporation tax says:

    You could definitely see your enthusiasm within the article you write.
    The arena hopes for even more passionate writers like you who
    aren’t afraid to say how they believe. At all times go after your heart.

    Reply
  27. Tomi Engdahl says:

    D-Link removes fingers from ears, preps mass router patch
    Amnesia strikes as hacker discloses remote code exec flaws
    http://www.theregister.co.uk/2015/03/04/dlink_removes_fingers_from_ears_preps_mass_router_patch/

    Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear.

    The patches follow a round of zero-day disclosures by Canadian researcher Peter Adkins early this week, after D-Link allegedly cut communication while he quietly disclosed the flaws.

    The most severe flaw allowed attackers to hijack the devices including changing DNS settings by creating malicious sites which exploit cross-site request forgeries.

    D-Link issued an advisory in which it warns DIR models 626L; 636L; 808L; 810L; 820L; 826L; 830, and 836L are open to remote code execution.

    Other routers may be affected due to the location of ncc and ncc2 binaries Fellow router hackers Stefan Viehböck and Jeremy Richards found further flaws in five TRENDnet offerings since patched, plus another D-Link mess.

    Reply
  28. Tomi Engdahl says:

    Broadband routers: SOHOpeless and vendors don’t care
    The basic internet access device in hundreds of millions of homes is an insult to IT
    http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

    Feature

    “It is far more common to find routers with critical flaws than without” – Craig Young

    “It’s sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room. – Peter Adkins

    Introduction

    Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities.

    Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate.

    Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when over the Christmas break they crafted a slick paid denial of service stresser service that operated on hacked boxes.

    A year earlier, security boffins at Team Cymru warned that an unknown ganghad popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities.

    Arguably the most infamous hack in recent months was Check Point’s so-called Misfortune Cookie discovered in December 2014. This vulnerability was thought to impact a staggering 12 million routers across 200 models from big names such as Linksys, D-Link, TP-Link, ZTE, and Huawei.

    In October Rapid7 had chipped in with its own research, warning that Network Address Translation Port Mapping Protocol configurations in 1.2 million routers was sufficiently borked that remote attackers could spy on internal traffic.

    Security is ‘abysmal’

    “Router security remains abysmal, especially among the cheapest brands,” says John Matherly, founder of the popular Shodan search engine which crawls for internet-connected devices. “Backdoors, no automated patching and default usernames and passwords are just a few of the problems that many SOHO routers continue to face.”

    Reply
  29. Tomi Engdahl says:

    D-Link Routers Face Multiple Vulnerabilities
    http://www.infosecurity-magazine.com/news/dlink-routers-face-multiple/

    Vulnerabilities that leave some D-Link routers open to remote attacks has been discovered. An exploit could give an attacker root access, allow DNS hijacking and more.

    D-Link said that it is looking into the problems, and noted in an advisory that there are three reported flaws. The first vulnerability relates to a malicious user who might be connected to the LAN-side of the device to use the device’s upload utility to load malicious code without authentication. A second vulnerability relates to the device’s ping utility that might permit command injection without authentication. And a third vulnerability may exploit certain chipset utilities in firmware to potentially permit a malicious user an attack that discloses information about the devices configuration.

    “The D-Link DIR636L (possibly others) incorrectly filters input on the ‘ping’ tool which allows to inject arbitrary commands into the router,” said Tiago Caetano Henriques of Swisscom, who discovered the main issue back in November. “Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/NAT rules on this router.”

    DIR-626L/DIR-636L/DIR-808L/DIR-810L/DIR-820L/DIR-826L/DIR-830L/DIR-836L – Remote code execution – Information disclosure – DNS hijacking
    http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052

    Reply
  30. Tomi Engdahl says:

    D-Link home routers affected by remote command injection flaw
    http://securityaffairs.co/wordpress/34349/hacking/d-link-home-routers-flaw.html

    Adkins explained that other versions of D-Link routers and one router from TRENDnet are affected by the same vulnerability. The flawed version of D-Link routers are:

    D-Link DIR-820L (Rev A) – v1.02B10
    D-Link DIR-820L (Rev A) – v1.05B03
    D-Link DIR-820L (Rev B) – v2.01b02
    TRENDnet TEW-731BR (Rev 2) – v2.01b01

    There are no patches available for the vulnerability right now. A

    Reply
  31. Tomi Engdahl says:

    Pub O’clock probe finds thousands of repeated 512-bit RSA keys
    FREAK-finding expedition finds one key on 28,000 hosts … who sells this rubbish?
    http://www.theregister.co.uk/2015/03/17/freakscan_turns_up_thousands_of_repeated_512bit_rsa_keys/

    Four researchers, a zmap scan and a Friday afternoon have shown that while sys admins are cleaning the FREAK bug out of their Web servers, broadband routers remain a perpetual feast.

    The boffins from Royal Holloway at the University of London – Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco – started with a scan of the IPv4 address space using zmap, to see how many TLS-supporting servers could still be asked to dip back to 512-bit ciphers.

    “Of 22,730,626 hosts supporting TLS that we discovered, 2,215,504 offered export-grade RSA keys (all at 512 bits) when probed”, their paper states – a vulnerability rate which is lower than that reported when FREAK was first discovered.

    That’s a good thing, since it suggests that sysadmins have been turning off support for “export-grade” encryption since FREAK was first discovered.

    That’s also where the good news from the study ends, though, because the researchers made the stunning discovery that there are “large clusters of repeated moduli” – in other words, that some 512-bit RSA keys out there are repeated.

    In the case of the key that turned up more than 28,000 times, the researchers say it was associated with an unnamed broadband router with an SSL VPN module – in other words, Vulture South guesses, we’re talking about the persistent stupidity among vendors of generating a single key and hard-coding it into the device.

    Such vulnerabilities are not surprising to anyone familiar with the security of home-grade equipment – merely depressing.

    Broadband routers: SOHOpeless and vendors don’t care
    Basic net access device in millions of homes is an insult to IT
    http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

    Reply
  32. Tomi Engdahl says:

    Researchers find same RSA encryption key used 28,000 timer
    http://www.itworld.com/article/2897775/researchers-find-same-rsa-encryption-key-used-28000-times.html

    What if the key to your house was shared with 28,000 other homes?

    That’s essentially what researchers with Royal Holloway of the University of London discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”

    They found that 9.7 percent of nearly 23 million hosts, or around 2.2 million, are still accepting 512-bit keys, a surprising number considering the seriousness of FREAK and that more than two weeks has passed since it was made public.

    In one egregious example, 28,394 routers running a SSL VPN module all use the same 512-bit public RSA key.

    That never should have happened.

    The process for generating good, random prime numbers for public keys takes some effort, however. Software in devices such as routers need to have a good source of random bits in order to generate unique primes, which they often don’t, Paterson said.

    What likely happened is that a manufacturer generated one key and then installed it on many, many devices.

    “That’s just laziness on the part of a manufacturer,” Paterson said in a phone interview. “This is cardinal sin. This is just not how cryptography should be done.”

    The danger is that an attacker could factor just one, 512-bit key and then potentially decrypt traffic exchanged by more than 28,000 devices that use the same key.

    Reply
  33. Tomi Engdahl says:

    D-Link patches yet more vulns
    Consumers rise up to ignore firmware update en masse
    http://www.theregister.co.uk/2015/03/18/dlink_patches_yet_more_vulns/

    D-Link is moving to patch a bunch of vulnerabilities in consumer products, which almost certainly means that most users either won’t know the patch is happening or won’t run the update.

    The first CERT advisory, here, covers DCS-93 series network cameras (models 930L, 931L, 932L and 933L using version 1.04 2014-04-21 of the company’s firmware). Vulnerable devices allow remote attackers to upload arbitrary files to locations of their own choice on the device, as well as remotely executing arbitrary code.

    DAP-1320 wireless range extenders are subject to an ancient vulnerability, CWE-78

    Earlier this month, the company rolled out a mass-patch for a bunch of networking boxen.

    D-Link removes fingers from ears, preps mass router patch
    Amnesia strikes as hacker discloses remote code exec flaws
    http://www.theregister.co.uk/2015/03/04/dlink_removes_fingers_from_ears_preps_mass_router_patch/

    Reply
  34. Tomi Engdahl says:

    F Secure : How You Can Protect Yourself from Evil DNS
    http://www.4-traders.com/F-SECURE-OYJ-1412460/news/F-Secure–How-You-Can-Protect-Yourself-from-Evil-DNS-20081575/

    How You Can Protect Yourself from Evil DNS

    New one-button tool from online security leader F-Secure helps people keep their Internet traffic heading in the right direction.

    Helsinki, Finland – March 25, 2015: The Internet works in mysterious ways for many people, and that’s something that attackers can use to their advantage. But Internet users now have an easy-to-use tool to help prevent themselves from becoming part of an online scam. The one-button Router Checker, developed by F-Secure, checks people’s Internet set-ups to help protect them from having their web traffic misdirected to websites that can spread malware or steal their personal information.

    Router Checker makes it easy to identify altered Internet settings that can let attackers manipulate what people see and do online. Attacks that change router or Internet settings are popular amongst hackers because it allows them to reach large numbers of people without being noticed. According to F-Secure’s Labs, over 300,000 home or office routers were discovered to have altered settings in 2014, with each router potentially serving multiple computers, mobile phones and other devices.

    Attacks like these are difficult to notice because they can manipulate people in very subtle ways. “Attacks that target Internet settings often go unnoticed because they don’t really have obvious symptoms for people to pick up on. People will suddenly see more ads, or they’ll be misdirected to a dangerous website that looks and feels safe”,

    https://campaigns.f-secure.com/router-checker/

    Reply
  35. Tomi Engdahl says:

    Ad-Fraud Malware Hijacks Router DNS – Injects Ads Via Google Analytics
    http://aralabs.com/blog/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/

    Malware that hijacks router DNS settings is not new. However, exploits developed in recent years that enable hijacking through the use of Javascript alone are making this a widespread problem. Ara Labs has uncovered a new ad-fraud scheme where fraudsters are using hijacked router DNS settings to intercept Google Analytics tags and replace them with pornography and other ads. For victims whose router has been compromised this has the effect of injecting ads and pornography into every site that they browse that uses Google Analytics. In this article, we will expose the fraud scheme and explain how you can protect yourself.

    Malware that changes router DNS settings has been around for a while. In 2013 Team-Cymru published an excellent paper detailing some of these attacks. In 2014 other attacks were documented that used Javascript to guess default router authentication credentials and change the router’s DNS.

    If an attacker controls the DNS server that you are using to lookup an IP they can substitute the correct IP for the IP of a server that is under their control. Then you might connect to this IP thinking that you are connecting to a certain domain when in fact you are connecting to a server controlled by the attacker.

    Google Analytics is a service that provides the ability to track and analyze website traffic. Webmasters enable Google Analytics by embedding the analytics tag on their website.

    When a viewer loads the webpage the Google Analytics tag downloads and runs some Javascript which reports the view. The webmaster can then log into their Google Analytics account and get reports on their site’s traffic.

    Google Analytics is currently the most widely used traffic analytics service. Since this tag is embedded on the majority of websites who are tracking traffic it is a perfect target for the fraudsters to inject into.

    In this case, the fraudsters are using the hijacked DNS to intercept requests to the google-analytics.com domain, then directing the victim to a fake Google Analytics site. When the victim requests the Google Analytics javascript from the fake site they are served malicious Javascript that injects ads into the site they are browsing. This is not a vulnerability with Google Analytics itself, the service was simply targeted due to its widespread use.

    In the fraud scheme investigated by Ara Labs the criminals are using a rogue DNS server located at 91.194.254.105. During a successful router hijacking this DNS server is configured as the router’s primary DNS while Google’s DNS sever (8.8.8.8) is configured as the secondary.

    Reply
  36. Tomi Engdahl says:

    Anonabox Recalls 350 ‘Privacy’ Routers for Security Flaws
    http://www.wired.com/2015/04/anonabox-recall/

    The project to build a tiny, anonymity-focused router known as Anonabox has overcome plenty of hurdles to get to market: critics who pointed to gaping flaws in its promised security, others who argued that it was a mere repackaging of stock Chinese hardware, and eventually Kickstarter’s decision to freeze its $600,000 fundraising campaign. But even after a second, more successful fundraiser, its acquisition by a larger tech firm, and the milestone of shipping the first batches of routers to customers, it turns out that Anonabox should have listened more closely to its detractors.

    Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge.

    the company has confirmed to WIRED that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range.

    The two flaws combined make the effected devices “downright dangerous to use,” says the security researcher and consultant who uncovered them, Lars Thomsen. “This is worse than not using any privacy device at all. Anyone in range can listen to your traffic without you noticing,” Thomsen says. “Anyone can gain access to the device and install a sniffer to capture all that traffic.”

    Reply
  37. Tomi Engdahl says:

    D-Link Fails at Strings
    http://hackaday.com/2015/04/14/d-link-fails-at-strings/

    Small Office and Home Office (SOHO) wireless routers have terrible security. That’s nothing new. But it is somewhat sad that manufacturers just keep repurposing the same broken firmware. Case in point: D-Link’s new DIR-890L, which looks like a turtled hexapod. [Craig] looked behind the odd case and grabbed the latest firmware for this device from D-Link’s website. Then he found a serious vulnerability.

    The usual process was applied to the firmware image. Extract it, run binwalk to find the various contents of the firmware image, and then extract the root filesystem. This contains all the code that runs the router’s various services.

    The CGI scripts are an obvious place to poke for issues. [Colin] disassembled the single executable that handles all CGI requests and started looking at the code that handles Home Network Administration Protocol (HNAP) requests. The first find was that system commands were being built using HNAP data. The data wasn’t being sanitized, so all that was needed was a way to bypass authentication.

    Hacking the D-Link DIR-890L
    http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/

    Reply
  38. Tomi Engdahl says:

    Troubleshooting feature on Cisco routers is open to data-slurp abuse
    Mad skillz + $10k = DIY NSA
    http://www.theregister.co.uk/2015/04/15/cisco_routers_easily_abused/

    Infiltrate A default feature of Cisco routers can readily be abused to collect data, security researchers warn.

    Embedded Packet Capture (EPC) was designed by Cisco as a troubleshooting and tracing tool. The feature allows network administrators to capture data packets flowing through a Cisco router.

    Brazilian security researchers Joaquim Espinhara and Rafael Silva were able to abuse the feature and build a system to hoover up massive volumes of data.

    Silva told El Reg that the hack was possible by exploiting the EPC feature rather than taking advantage of a vulnerability as such. Both Cisco and the researchers agree that abuse of the feature would need privileged user access (ie admin control), a hurdle that would-be abusers would need to overcome, through some other attack or social engineering ruse.

    Nonetheless, because the troubleshooting feature is enabled by default it presents a risk, according to Silva.

    “There is no disable mode for this feature. Because this feature is commonly used for troubleshooting network problems,” Silva explained. “Cisco have to implement some features that would stop OR [make] difficult this approach to abusing EPC.”

    Reply
  39. Tomi Engdahl says:

    D-Link router patch creates NEW SOHOpeless vuln
    You keep using that word ‘security’. I do not think it means what you think it means
    http://www.theregister.co.uk/2015/04/16/slow_clap_dlink_ac3200_patch_only_creates_more_vulns/

    Hacker Craig Heffner says D-Link has not only failed in its bid to patch its DIR-890L router but has managed to introduce a new vulnerability instead.

    The Tactical Network Solutions router wrecker says D-Link’s quadcopter-esque AC3200, reviewed elsewhere as ” the most insane router in the history of mankind”, is open to authentication bypass.

    Heffner disclosed the vulnerabilities earlier this month badging it as a product with the same buggy firmware “crammed” into routers for years.

    D-Link has been contacted for comment.

    The Home Network Administration Protocol (HNAP) bug affects the DIR-645 and DIR-890L and centres on the incorrect use of strstr for validation which he says D-Link attempted but failed to patch.

    Heffner says the router rooter failed to remove the sprintf stack overflow, the call to system, and did not as they should have used strcmp instead of strstr to validate the SOAPAction header.

    “[The patch] does at least prevent users from supplying arbitrary data to sprintf and system,” Heffner says in an advisory.

    Experts agree that small home and office routers are almost universally terrible, often as a result of the focus on cost competition between feature and function-obsessed vendors.

    Reply
  40. Tomi Engdahl says:

    D-Link: sorry we’re SOHOpeless
    PS. Most products don’t have a fix yet
    http://www.theregister.co.uk/2015/04/21/dlink_sorry_were_sohopeless/

    D-Link’s SOHOpeless HNAP vulnerability hasn’t been fixed, but readers will be pleased to know that the company is very, very, very sorry that it exists.

    The company issued a patch on April 10 for its design-over-substance AC3200 series routers, but that “fix” blew a hole in the device’s authentication routines.

    Tactical Network Solutions’ Craig Heffner called out the error, saying that “this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid”.

    After briefly hiding under the blanket, the vendor has now told users it’s sorry for the “inconvenience”.

    The company has told BetaNews it’s got the patch working right for two products, the DIR-880L and DIR-890L, and promises that between 21 April and 24 April, all the patches will be issued.

    Reply
  41. Tomi Engdahl says:

    SOHOpeless Realtek driver vuln hits Wi-Fi routers
    SOAP scum dirties D-Link, TRENDnet and maybe more
    http://www.theregister.co.uk/2015/04/29/sohopeless_realtek_driver_vuln_hits_wifi_routers/

    Twenty months of optimism has come to nought, so the Zero Day Initiative has gone public with a vulnerability in the Realtek SDK that’s inherited by at least two broadband router vendors.

    The vulnerability that the HP-owned TippingPoint initiative discovered, here, is in the SDK’s SOAP implementation.

    The minigd SOAP service doesn’t sanitise user data in NewInternalClient requests, before executing a system call – and that gives remote attackers the chance to execute arbitrary code as root.

    It’s specific to 802.11 a/b/g and 802.11b controllers from Realtek –

    Zero Day says in the absence of a patch, the only viable mitigation strategy is to make sure only trusted systems can communicate with the SOAP service (for example, via firewall rules).

    Reply
  42. Tomi Engdahl says:

    RealTek SDK Introduces Vulnerability In Some Routers
    http://mobile.slashdot.org/story/15/04/28/2254246/realtek-sdk-introduces-vulnerability-in-some-routers

    SOHO routers from manufacturers including at least Trendnet and D-Link allow attackers anywhere in the world to execute malicious code on the devices, according to a security advisory issued over the weekend.

    (0Day) Realtek SDK miniigd AddPortMapping SOAP Action Command Injection Remote Code Execution Vulnerability
    http://www.zerodayinitiative.com/advisories/ZDI-15-155/

    Reply
  43. Tomi Engdahl says:

    Millions of Routers Vulnerable to Attacks Due to NetUSB Bug
    http://www.securityweek.com/millions-routers-vulnerable-attacks-due-netusb-bug

    A serious vulnerability affecting the NetUSB kernel driver developed by Taiwan-based tech company KCodes exposes millions of routers to hack attacks, researchers have warned.

    According to its website, KCodes is one of the leading developers and suppliers of USB over IP solutions. The company says over 20% of world’s networking devices include KCodes technology.

    The NetUSB (USB over IP) kernel driver developed by the company is designed to allow users to connect over their network to USB devices plugged into a router, access point, or other Linux-based embedded system. Users can access speakers, printers, hard drives, webcams and other USB devices by connecting to a NetUSB server via the Windows or OS X client.

    Researchers at SEC Consult discovered that the NetUSB driver is plagued by a kernel stack buffer overflow vulnerability (CVE-2015-3036) that can be exploited by an unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. The flaw, caused by insufficient input validation, can be triggered by specifying a computer name that is longer than 64 characters when the client connects to the server.

    KCodes’ NetUSB driver is integrated into products from several vendors, including Netgear, TP-Link, ZyXEL, and TRENDnet. The feature is advertised with various names, such as “print sharing,” “USB share port” and “ReadySHARE.”

    The vulnerability can be exploited by an attacker on the local network, but in some cases exploitation over the Internet might also be possible through TCP port 20005, the port used by the server for client connections.

    Reply
  44. Tomi Engdahl says:

    Blackhat hack trick wallops popular routers
    Sneaky DNS change doesn’t need remote management.
    http://www.theregister.co.uk/2015/05/26/new_dns_router_attack/

    A cybercrime vigilante known as Kafeine says criminals are hitting thousands of victims with a hacking tool that targets more than 40 router models.

    The well-known hacker says the novel attacks use cross-site request forgery and exploits against new and old bugs to change router DNS settings.

    This bypasses the need to target only routers with vulnerable remote services. Kafeine says the most popular routers can be targeted including Netgear, D-Link, and Asus to name a few.

    The hacker says the attackers’ have set up a dodgy DNS service that doesn’t direct traffic faithfully. Instead, Kafeine says victims are pointed to phishing sites whenever, for example, they attempt to log into internet banking portals.

    One such dodgy DNS server received up to a million unique hits on 9 May, he says.

    “Knowing that CVE-2015-1187 has been released on 2 March I guess this attack is pretty effective since the percentage of routers updated in the past two months is probably really low,” he says

    Users should apply router firmware patches when released, and consider hardened firmware alternatives where possible.
    https://openwrt.org/

    Reply
  45. Tomi Engdahl says:

    Linux/Moose Worm Targets Routers, Modems, and Embedded Systems
    http://linux.slashdot.org/story/15/05/26/1854207/linuxmoose-worm-targets-routers-modems-and-embedded-systems

    Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It’s also capable of hijacking DNS settings. The people controlling the system use it for selling “follows,” “likes,” and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.

    The Moose is loose: Linux-based worm turns routers into social network bots
    Malware can infect IoT devices—including medical devices—with weak authentication.
    http://arstechnica.com/security/2015/05/the-moose-is-loose-linux-based-worm-turns-routers-into-social-network-bots/

    A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers’ DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add “follows” to fraudulent accounts. This allows the worm to spread itself to embedded systems on the local network that use Linux-based operating systems.

    The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.

    The worm begins to scan both other Internet addresses within the same ISP network, other random IP addresses, and local network addresses for other vulnerable devices. Infected devices advertise themselves on port 10073; the worm attempts to connect to this port first before launching Telnet attacks, and it moves on if it gets a successful connection. The malware also attempts to use shell commands on the infected router to change DNS settings, replacing existing domain name servers with malicious ones that could route Web requests by the router’s users to lookalike sites—or sites laden with exploit malware.

    The main purpose of Moose, however, appears to be to create a network of covert HTTP proxies that can be used by the worm’s command and control (C&C) servers to communicate with social networks.

    While not intended to target Internet of Things devices specifically, Bilodeau and Dupuy found that Moose could infect a number of such devices, including medical ones. “Based on recent security research, we have evidence to state that even medical devices like the Hospira Drug Infusion Pump could be infected with Linux/Moose,” the pair wrote. While these infections were essentially just “collateral damage,” the worm could have an impact on the safe operation of these devices.

    Fortunately, Linux/Moose apparently has no persistence on a router or other embedded computing device. Once the router is powered off, it restarts without the worm present. But if left poorly configured, routers that are reset could quickly be re-infected by other routers or devices on the local network that have been compromised.

    Reply
  46. Tomi Engdahl says:

    New SOHO Router Security Audit Uncovers Over 60 Flaws In 22 Models
    http://it.slashdot.org/story/15/06/02/2235254/new-soho-router-security-audit-uncovers-over-60-flaws-in-22-models

    Home and small-office routers have become a hotbed for security research lately, with vulnerabilities and poor security practices becoming the rule, rather than the exception. A new security audit by researchers from Universidad Europea de Madrid only adds to that list, finding 60 distinct flaws in 22 different device models.

    New SOHO router security audit uncovers over 60 flaws in 22 models
    http://www.itworld.com/article/2930295/new-soho-router-security-audit-uncovers-over-60-flaws-in-22-models.html

    In yet another testament of the awful state of home router security, a group of security researchers uncovered more than 60 vulnerabilities in 22 router models from different vendors, most of which were distributed by ISPs to customers.

    The flaws, most of which affect more than one router model, could allow attackers to bypass authentication on the devices; inject rogue code into their Web-based management interfaces; trick users into executing rogue actions on their routers when visiting compromised websites; read and write information on USB storage devices attached to the affected routers; reboot the devices, and more.

    The vulnerable models listed by the researchers were: Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; Sagem LiveBox Pro 2 SP and Fast 1201; Huawei HG553 and HG556a; Amper Xavi 7968, 7968+ and ASL-26555; D-Link DSL-2750B and DIR-600; Belkin F5D7632-4; Linksys WRT54GL; Astoria ARV7510; Netgear CG3100D and Zyxel P 660HW-B1A.

    Past research has shown that the security of ISP-provided routers is often worse than that of off-the-shelf ones. Many such devices are configured for remote administration to allow ISPs to remotely update their settings or troubleshoot connection problems. This exposes the routers’ management interfaces along with any vulnerabilities in them to the Internet, increasing the risk of exploitation.

    Even though ISPs have the ability to remotely update the firmware on the routers they distribute to customers, they often don’t and in some cases the users can’t do it either because they only have restricted access on the devices.

    More than 60 undisclosed vulnerabilities affect 22 SOHO routers
    http://seclists.org/fulldisclosure/2015/May/129

    Reply
  47. Tomi Engdahl says:

    SOHOpeless: Belkin router redirection zero-day
    DNS response fondling confounds security
    http://www.theregister.co.uk/2015/09/02/sohopeless_belkin_router_redirection_zero_day/

    Security bod Joel Land has reported zero-day holes in a popular model of Belkin router allowing attackers to yank cleartext credentials, spoof DNS responses, and pop admin interfaces.

    The Belkin N600 DB Wireless Dual Band N+ box released in 2012 and selling for around AUD$150 contains five vulnerabilities from slack randomness (CVE-2015-5987) to cleartext violations and cross-site request forgery (CVE-2015-5990).

    Reply
  48. Tomi Engdahl says:

    Vulnerability Note VU#201168
    Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities
    http://www.kb.cert.org/vuls/id/201168

    Reply
  49. Tomi Engdahl says:

    Your dual-band Belkin router is a threat at the heart of your communications
    We thought money was the router of all evil …
    http://www.theinquirer.net/inquirer/news/2424491/your-dual-band-belkin-router-is-a-threat-at-the-heart-of-your-communications

    STEP AWAY FROM YOUR INTERNET. If you are using a dual-band Belkin router you could be at risk from multiple vulnerabilities.

    We know. It’s an alert that could be applied to the internet in general. The thing is, you really don’t want anything that you buy as part of your online accessing system to be part of that threat network.

    We aren’t making this up. We have a real security heavyweight as the source. It is the Computer Emergency Response Team (CERT) that provides the guidance, and it warned that the vulnerabilities can combine to wrest control from a user and give it to a hacker.

    The hardware at issue is the N600 Wireless Dual-Band N+ Router. CERT’s advisory said that various problems can be exploited, including the use of HTTP in the transmittance of updates, and plain text information. It warned that an attacker with man-in-the-middle skills could make the best of their worst of this.

    Reply
  50. Tomi Engdahl says:

    Jai Vijayan / darkREADING:
    Researchers find curious Linux.WiFatch malware on tens of thousands of routers and IoT devices that appears to be securing infected systems

    And Now A Malware Tool That Has Your Back
    http://www.darkreading.com/vulnerabilities—threats/and-now-a-malware-tool-that-has-your-back/d/d-id/1322451

    In an unusual development, white hat malware is being used to secure thousands of infected systems, not to attack them, Symantec says.
    Security researchers at Symantec have been tracking a malware tool that, for a change, most victims wouldn’t actually mind have infecting their systems–or almost, anyway.

    The threat dubbed Linux.Wifatch compromises home routers and other Internet-connected consumer devices. But unlike other malware, this one does not steal data, snoop silently on victims, or engage in other similar malicious activity.

    Instead, the author or authors of the malware appear to be using it to actually secure infected devices. Symanetc believes the malware has infected tens of thousands of routers and other IoT systems around the world. Yet, in the two months that the security vendor has been tracking Linux.Wifatch it has not seen the malware tool being used maliciously even once.

    Wifatch has one module that attempts to detect and remediate any other malware infections that might be present on a device that it has infected. “Some of the threats it tries to remove are well known families of malware targeting embedded devices,” Ballano wrote.

    Another module appears designed specifically to protect Dahua DVR and CCTV systems. The module allows Wifatch to set the configuration of the device so as to cause it to reboot every week, presumably as a way to get rid of any malware that might be present or running on the system.

    Most Wifatch infections that Symantec has observed have been over Telnet connections to IoT devices with weak credentials, according to the vendor.

    In keeping with its vigilante role, once Wifatch infects a device it tries to prevent other malicious attackers from doing the same by shutting down the Telnet service. It also connects to a peer-to-peer network to receive periodic updates.

    Wifatch is mostly written in Perl and targets IoT devices based on ARM, MIPS and SH4 architectures. The hitherto white hat malware tool ships with a separate static Perl interpreter for each targeted architecture.

    “Whether the author’s intentions are to use their creation for the good of other IoT users—vigilante style—or whether their intentions are more malicious remains to be seen,” the researcher said.

    Router infections can be hard for end users to detect. However, it is possible to get rid of Wifatch on an infected device simply by rebooting it. Users should also consider updating their device software and changing default passwords on home routers and IoT devices, Ballano said.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*