UPDATE
Consumers lucky enough to have blazing-fast 1Gbps internet access in their homes are likely to use the internet more than lower-broadband households; however, millions of them are at risk for hackers to gain wide-ranging access to their internet activities (including being able to view full browsing histories).
A comprehensive assessment of various GPON home routers by vpnMentor has uncovered a way to bypass all authentication on the devices (CVE-2018-10561). That flaw can be found within the HTTP servers on GPON networks, which check for specific paths when authenticating the router. The attacker can bypass authentication by simply affixing an image suffix to the URL.
Even worse, thanks to the initial authentication bypass, vpnMentor researchers were also able to find a command injection vulnerability (CVE-2018-10562) to execute commands on the device.
“During our analysis of GPON firmware, we found two different critical vulnerabilities that could, when combined, allow complete control on the device and therefore the user’s [home network],” the firm said.
Since this post was originally posted a patch is now available for this issue. In a statement the company said: “It is critical that users know about the patch and can use it to fix their routers,” vpnMentor said. “We created a tool that allows them to do this, even if they don’t have a technical background.”
Researchers originally said of the vulnerability: “While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter. Since the router saves ping results…and transmits [them] to the user…it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.”
Not only can attackers use the vulnerabilities to see the IP address of specific routers, matching them to physical addresses in some cases, but they can also see what the user is doing on the web. Further, they can also set up specially crafted man-in-the-middle (MiTM) phishing pages to harvest credentials.
And that’s not all. “There’s a privacy aspect here too,” explained Ariel Hochstadt, co-founder of vpnMentor, in an interview. “It’s possible to take an entire browsing history for someone from the last 30 days and send it to all of their friends, via Facebook or mail, because you have access to the browsing history and you can skim credentials.”
GPON is a fiber-based passive optical network (PON) that supports 1Gbps broadband to the home. It isn’t the most common type of ISP network in the U.S., given that fiber-to-the-home (FTTH) deployments are limited as yet. However, it’s commonly seen as the future of broadband, as consumers demand ever-more bandwidth to support video streaming and other activities. In some countries, like Mexico, it has become mainstream.
vpnMentor posted a video showing millions of vulnerable routers discoverable on Shodan.
“We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them,” the vpnMentor researchers said. “Because so many people use these types of routers, this vulnerability can result in an entire network compromise.”
GPON customers should also contact their ISPs about updates, Hochstadt added.