ISP-issued home broadband routers have been a shooting gallery for researchers and hackers alike looking for, and successfully exploiting, shocking vulnerabilities.
One disclosed by a researcher in Spain this week is symptomatic of the problem to a disturbing degree.
Researcher Eduardo Novella disclosed this week critical information disclosure vulnerabilities in ADB Pirelli ADSL2/2+ routers distributed by Movistar Telefonica, the biggest ISP in Spain. The vulnerability is remotely exploitable from outside the local network without authentication, and an attacker is able to access any number of files on the device, stealing data or causing a denial-of-service attack.
Novella provides a long list of more than 150 HTML files that are accessible in his advisory. None of the pages are protected by a password or any kind of authentication, and are accessible remotely. Some of the HTML file names indicate troubling, unprotected access, including: certcaimport, certloadsigned, dnscfg, ifcgateway, ippcfg, password, resetrouter, updatesettings, upload, upnpcfg, wlsecurity, and wlsetup among more than one hundred others.
“I did not check all of them, but you are able to recover sensitive information as for instance: private WPA keys, WPS PINs, admin credentials, certificates, private IP range, tr069 configuration, WAN configuration, and so on,” Novell told Threatpost. “Basically, you could be able to take full control of these devices.”
Novella said he reported the vulnerabilities to Movistar and Pirelli in April 2013 and had not had any contact with either party since.
An attacker could remotely monitor traffic leaving the local network to the Internet, or take over the device as part of a botnet used to launch any number of attacks.
“[The] first mitigation could be either try to update the last version for these routers or install third-party firmware such as OpenWRT or DDWRT on them,” he said. “More recommendable is [to] truly disable the remote connection from the outside. This mitigation would be fair enough to be safe.”
Router security vulnerabilities have run unabated for months. One week ago, a vulnerability was reported in ASUS router firmware that is likely present in all current versions. Researcher Joshua Drake advised to remove a remote command execution function from the devices in order to mitigate the vulnerability in the infosvr service, which helps admins find and configure routers. An exploit was also published for this vulnerability that gives an attacker remote unauthenticated command execution capabilities.
That bit of bad news kicked off the year, and came less than a month after the disclosure of the Misfortune Cookie vulnerability by researchers at Check Point. That bug, actually located in an embedded webserver running inside popular ISP-owned residential gateways, affects 12 million devices, the researchers said.
The problem with embedded device security is that, with consumer-owned gear especially, it’s up to the device owner to find and flash new firmware, leaving most of the devices in question vulnerable indefinitely.