It’s becoming cliché to say it’s trivial to pop a small office or home router. Vendors are making it easy, since most are interested in cramming features such as print, file and media servers into these boxes and less so on basic security measures. Therefore, it sometimes helps to illustrate the triviality of popping a home router.
Take Tripwire security researcher Craig Young, the big winner at last week’s SOHOpelessly Broken contest at DEF CON, for instance. With a presentation to prepare, and under the illusion that others would find bugs as relatively quickly as he was, Young decided not to put more than a handful of hours in over the course of two nights.
Yet Young and colleague Ian Turner walked away with top honors in the event with nine different zero-days in Asus, Netgear, DLink, Belkin and Linksys routers that were eligible in the contest put on by Independent Security Evaluators. In all, 15 zero days were disclosed during the contest, including seven full router compromises and one exploit that could lead to corruption of an internal network, organizers said.
“Tripwire ordered most of the routers on the list, yet we found that several were [version two] of the hardware and did not support the firmware in the contest. We found more vulnerabilities that applied to V2 that were not in V1,” Young said. “It was interesting they went from something that was more secure to less secure. They introduced a diagnostic functionality in version two that made for a backdoor big enough to drive a truck through.”
The seven full router compromises were performed against the ASUS RT-AC66U, the Netgear Centria WNDR4700 (which suffered two separate hacks), the Belkin N900, the TRENDnet TEW-812DRU and a router made by Actiontec Electronics and provided by Verizon Communications to its subscribers, ISE Executive Partner Ted Harrington said.
“The biggest message from the contest is that a lot of the exploits that can be used in the latest versions are similar if not the same as exploits disclosed by other researchers including ISE a year ago, and router vendors have been unresponsive to issues,” Young said.
Young said the routers largely lacked any form of authentication happening on the server, instead the routers were doing password authentication on the browser. Compromising password hashes weren’t much a barrier for the contestants, and for hackers in the wild as well.
“Far and away, I saw that several brands of the routers use the same base firmware and have common errors across them,” Young said. “I used a cookie-cutter formula to get them.”
Young said he would download the firmware from the respective vendor, extract it using tools such as Firmware Mod Kit to explore its design and eventually learn which files house administrative passwords and how the web server logic works with the router. Some models such as Netgear, TrendNet and others will return the password when submitted with the proper request.
All of this puts home and small office at risk to DNS traffic redirection attacks, or other attacks that put credentials and other data moving through the gateway at risk. Vendors, meanwhile, are slow or sloppy at patching vulnerabilities. Young said in addition to zero days he disclosed to some vendors, others bugs that have been disclosed in the patch are fixed only on the particular versions on which they were found and still linger in older or later versions.
“We’re seeing more routers with media servers in them and open source print and file servers that introduce new vulnerabilities,” Young said. “It might be OK software, but in some cases, it was written as a proof-of-concept and then because the company wants to ship it as quickly as possible, they will integrate it within the product without a security lifecycle behind it.”
Enterprise-grade routers, meanwhile, not only sell for a lot more money than a $100 home router, but there are large development teams behind them at the Ciscos and Junipers of the world making code reliable and hardening web servers.
“They’re taking security seriously. There’s more of a profit margin and reputations on the line,”? Young said. “While the consumer market, there’s lower price margins and more of a competition to get features in the product.”
Some small office and home routers are starting to be shipped with automatic update checkers that can be enabled during installation. But, Young said, few routers sign their firmware meaning that attackers could figure out how to replace existing firmware with a modified firmware that could trick the router into thinking that it’s always up to date, for example.
“If you could poison and hijack those connections to the vendor update sites, you could compromise updates,” Young said.