It’s the ultimate what-if scenario: What if an attacker could own all the customer premises equipment (CPE) doled out by ISPs such as routers and modems? Would it be trivial with available scanning equipment and other tools to find vulnerable gear, and then modify and re-upload the firmware to be able do anything such as control Web traffic, launch DDoS attacks, or even disconnect large blocks of machines from the Internet?

The answer to those questions, and several related ones, appears to be yes. Two researchers took a stab at what would happen if enough home Internet connections were pieced together for such purposes and learned that a dangerous mix of lax security and insecure default configurations from ISPs and vendors alike are contributing to this risk.

“Although most people consider these CPEs to be little magic boxes that do not need any sort of provisioning, in fact these plug-and-play devices are a key yet weak link behind many major attacks occurring across the web today,” said IOActive researchers Sofiane Talmat and Ehab Hussein in a blogpost.

For ease of manageability, ISPs and hardware makers push out this gear with dd-wrt-supported firmware that can be updated and often don’t require the consumer change the default password that comes with the box. Once they’re connected to the Internet, the boxes are often accessible over HTTP or telnet.

That’s all well and good, but the attacker still has to find the boxes online. Talmat and Hussein were able to leverage a couple of tools, the Hurricane Electric BGP Toolkit and IPInfoDB to build a robust list of netblocks owned and managed by ISPs. The tools will also pull descriptions of what’s in the netblock, such as ADSL customer IP addresses or ADSL clients. An attacker could then go to whois and do further data mining to gather more information on ADSL, Wi-Fi and Internet users to then create filtered lists of IP addresses per ISP or country, for example.

“The first thing we [exploited] was the default passwords; we were able to see more than 1 million of them,” Hussein said in an interview with Threatpost. “Not a lot of people are buying CPEs from their ISPs. Plus, exploitDB has a lot of exploits for bypassing authentication on routers. Our main target was default passwords. We were quite amazed at countries with ISPs that do not filter [for default passwords] on their ADSL networks.”

Hussein and Talmat said they tested their attack on their own routers and were able to modify dd-wrt supported firmware to ignore default settings, even after a factory reset. Their first enumeration of default passwords returned 400,000 in a five-hour period.

“An attacker could have pinpointed a lot of ADSL network so they have minimized the effort required to scan the entire Internet,” the researchers wrote. “With a database gathered and sorted by ISP and country, an attacker can, if they want, control a specific country or ISP.”

In their initial sample of 400,000 boxes, Talmat and Hussein conducted telnet or http scans looking for default passwords. Once they find and are able to find CPEs using default credentials, an attacker could then use another set of tools to modify firmware’s hardcoded DNS server connections, insert new IP table rules, or remove the “upload new firmware” page in order to maintain persistence on the box, Talmat and Hussein said.

“As soon as the attacker is comfortable with his reverse-engineered and modified firmware he can categorize them by CPE model and match them to the realm received from the CPE under attack,” Talmat and Hussein said, adding that an attacker can also automate the process, including additional firmware updates.

“When you put new firmware on the router, you put on your modified settings that replace the factory settings,” Talmat said. “When you set it back to factory settings, you’re setting it back to our modified firmware.”

At this point, an attacker can have a large number of boxes under their control and could redirect traffic to malicious sites or profitable click-fraud schemes, shut down Internet access for a large block of users, use those CPEs to launch denial of service attacks, or even clone sites to commit identity theft or banking fraud.

“In the end it would be almost impossible to take back control of all the CPEs that were compromised through the attack strategies described above,” Talmat and Hussein said. “The only way an ISP could recover from this kind of incident would be to make all their subscribers buy new modems or routers, or alternatively provide them with new ones.”

Talmat and Hussein also said that vendors could help curb the problem by requiring that users change default passwords before the box is fully functional. Also, ISPs could block their subscribers who haven’t changed default settings, among other means of detection and protection.

“The Internet is about traffic from a source to a destination and most of it is generated by users. If users cannot reach their destination then the Internet is useless,” Talmat and Hussein said. “ISPs should make sure that end users are secure and users should demand ISPs to implement rules to keep them secure.”

The researchers said they will not release a toolkit they developed during the project.

“This is very serious,” Hussein said. “With minimal work, I was able to script the parts I wanted to automate. Coming up with an attack, linking it and making money at it, that’s the hardest part of this. At a minimum, someone beginning in programming could pull off an attack like this without resistence.”

Categories: Vulnerabilities

Comment (1)

  1. Iain Collins

    Both ISP’s and manufacturers continue to be lazy when it comes to setting the defaults in them too, even knowing the problems associated with defaults deeming it “too confusing for the end user” to change the default admin password from “admin” or “password” (despite that it could be easily remedied just by having a sticker with the admin password on the device).

    The prevaling view seems to be that having a psuedo random WiFi password is good enough (and half the time that psuedo random password naturally turns out to be sequentally generated from something like the MAC address…). Obviously that’s wrong but a lot of people have their head in the sand about it and hand wave it away with “too confusing” rather than trying to address it.

    The upshot of this is many routers are open to being exploited by XSS attacks that can be triggered by JavaScript from any website (as most routers don’t have any CSRF protection on their forms – so that even though it’s not possible to read the response, it’s still possible to make changs on the device – including to sliently open it up to WAN access – and in doing so allow you to install trojan firmware on the CPE and then of course you can do what you want).

    I’ve shown this in practice – and in doing so sliently extracted the password from routers in plain text – which is scary when at many ISP’s still uses the users email address (or something in a predictable / similar format that makes it guessable) for their PPP username and that people invariously re-use passwords…

Comments are closed.