Rooter vendors often don’t care too much about code quality, so vulnerabilities are not uncommon. Today, routers are a priority target of network attacks allowing to steal money and data bypassing local security systems. How to check firmware quality and adequacy of settings? Free utilities, online verification services and this article will help you to do it.
Consumer-level routers have always been criticized for their unreliability, but high price does not guarantee high security. Last December, the specialists of Check Point company discovered more than 12 million routers (including top models) and DSL-modems, which can be hacked because of the vulnerability in the mechanism of obtaining automatic settings. It is widely used to quickly set up client side network equipment (CPE – client premises equipment). For the last ten years providers have been using CWMP (CPE WAN Management Protocol) for this purpose. The specification of TR-069 provides the ability to send settings and connect services through an Auto Configuration Server (ACS – Auto Configuration Server). Check Point employees have found that many routers have an error in processing CWMP requests, and providers further complicate the situation: most of them do not encrypt the connection between ACS and client equipment and do not restrict access by IP or MAC addresses. Together this creates conditions for an easy man-in-the-middle attack.
Through the vulnerable CWMP implementation, an attacker can do almost anything: set and read configuration parameters, reset settings to default values and remotely reboot the device. The most common type of attack consists of DNS address spoofing in the router settings to servers controlled by the cracker. They filter web requests and redirect to spoofed pages those that contain access to banking services. Fake pages were created for all popular payment systems: PayPal, Visa, MasterCard, QIWI and others.
The peculiarity of such attack is that the browser works in a clean OS and sends a request to the correct address of the real payment system. Checking the network settings of the computer and searching for viruses on it do not reveal any problems. Moreover, the effect is preserved if you connect to the payment system through a compromised router from another browser and even from another device on the home network.
Since most people rarely check the settings of the router (or trust the ISP technicians to do so at all) the problem goes unnoticed for a long time. They usually find out about it by an exception method – after the money was stolen from the accounts and the computer check did not give anything.
To connect to a router via CWMP, the attacker uses one of the most common vulnerabilities typical for entry-level network devices. For example, they contain a third-party RomPager web-server written by Allegro Software. Many years ago an error in cookies processing was detected in it, which was quickly fixed, but the problem still remains. Since this web-server is a part of the firmware, it is impossible to update it on all devices in one go. Each manufacturer had to release a new release for hundreds of already sold models and convince their owners to download the update as soon as possible. As practice has shown, none of the home users have done so. That’s why vulnerable devices count in the millions even ten years after the patch was released. Moreover, the manufacturers themselves continue to use in their firmware the old vulnerable version of RomPager to this day.
Besides routers, the vulnerability affects VoIP phones, network cameras and other equipment that allows remote configuration via CWMP. Usually port 7547 is used for this purpose. You can check its status on router with free Steve Gibson Shields Up service. To do this, type his URL (grc.com) and then add /x/portprobe=7547.
The screenshot shows only a positive result. A negative one does not yet guarantee that there is no vulnerability. To exclude it you will need to run a full penetration test – for example, using a Nexpose scanner or the
Write Secure DNS
It’s a good idea to check the router settings more often and immediately prescribe alternative addresses of DNS servers by hand. Here are some of them, available for free.
- Comodo Secure DNS: 18.104.22.168 and 22.214.171.124
- Norton ConnectSafe: 126.96.36.199, 188.8.131.52
- Google Public DNS: 184.108.40.206, 2001:4860:4860:8888 – for IPv6
- OpenDNS: 220.127.116.11, 18.104.22.168
All of them block only infected and phishing sites, not restricting access to resources “for adults”.
Unplug and pray
There are other long known problems that the owners of network devices or (less often) their manufacturers are unwilling to fix. Two years ago, DefenseCode experts discovered a whole set of vulnerabilities in routers and other active network equipment of nine major firms. All of them are related to incorrect software implementation of key components. In particular – UPnP stack in firmware for Broadcom chips or using old versions of open libupnp library. Together with Rapid7 and CERT specialists DefenseCode staff found about seven thousand vulnerable device models. During six months of active IPv4 random address range scanning, more than 80 million hosts were detected that responded to a standard UPnP request on a WAN port. One in five of them supported the SOAP (Simple Object Access Protocol) service, and 23 million allowed arbitrary code execution without authorization. In most cases, an attack on routers with such a hole in UPnP is carried out through a modified SOAP request, which leads to a data processing error and gets the rest of the code into an arbitrary area of the router RAM, where it is executed with superuser rights. On home routers it’s better to disable UPnP at all and make sure that requests to port 1900 are blocked. The same Steve Gibson service will help. UPnP (Universal Plug and Play) protocol is enabled by default on most routers, network printers, IP cameras, NAS and too smart home appliances. It is activated by default on Windows, OS X and many versions of Linux. If it is possible to fine-tune its use it is still half the trouble. If only “on” and “off” options are available then it is better to choose the latter. Sometimes manufacturers intentionally implement bookmarks in network hardware. Most likely, this happens on the orders of special services, but in case of a scandal, the official answers always mention “technical necessity” or “branded service to improve the quality of communication”. Built-in backdoors were found in some Linksys and Netgear routers. They opened port 32764 to receive remote commands. Since this number does not correspond to any well-known service, this problem is easy to detect, for example, with an external port scanner.
Other articles in the issue:
Another way to perform a free home network audit is to download and run Avast antivirus. Its new versions contain Network check wizard which detects known vulnerabilities and dangerous network settings.
The default is for lambs
The most common problem with router protection remains the factory settings. These are not only common internal IP addresses, passwords and admin login, but also included services that increase convenience at the cost of security. In addition to UPnP, the Telnet remote management protocol and WPS (Wi-Fi Protected Setup) service are often enabled by default. Critical errors are often found in Telnet requests processing. For example, D-Link routers DIR-300 and DIR-600 series allowed to remotely receive shell and execute any command via telnetd daemon without any authorization. On Linksys E1500 and E2500 routers it was possible to inject code through regular ping. The ping_size parameter was not checked in them and as a result the backdoor was filled with one line to the router using the GET method. In the case of E1500 did not require any additional tricks during authorization. A new password could simply be set without entering the current one. A similar problem was detected with the Netgear SPH200D VoIP phone. Additionally, when analyzing the firmware, it turned out that a hidden service account with the same password is active. With Shodan you can find vulnerable router in a couple of minutes. They still allow changing any settings remotely and without authorization. You can take advantage of it immediately or you can do a good thing: find it in Skype (by IP or by name) and send it a couple of recommendations – for example, change the firmware and read this article.
Super-recovery of massive holes
Trouble rarely comes alone: activation of WPS automatically causes UPnP to be enabled. In addition, the standard pin code or pre-authentication key used in WPS negates the entire cryptographic protection level WPA2-PSK.
Due to firmware errors, WPS often remains enabled even after being disabled via the web interface. You can find out about this with the help of Wi-Fi-scanner – for example, the free application Wifi Analyzer for smartphones with Android. If the vulnerable services are used by the administrator himself, it will not be possible to reject them. Well, if the router allows you to at least somehow secure them. For example, do not accept commands on the WAN port or set a specific IP address to use Telnet. Sometimes there is no possibility to configure or simply disable a dangerous service in the web interface and it is impossible to close the hole with standard means. The only way out in this case is to look for new or alternative firmware with an extended set of functions.
The most popular open firmware became DD-WRT, OpenWRT and its fork Gargoyle. You can install them only on routers from the list of supported – that is, those for which the chipset manufacturer has disclosed the full specifications. For example, Asus has a separate series of routers, originally designed with a scope for DD-WRT (bit.ly/1xfIUSf). It already has twelve models from entry-level to enterprise-level. MikroTik routers run on RouterOS, which is as flexible as the *WRT family. It is also a complete network operating system on the Linux kernel which supports absolutely every service and every conceivable configuration. Alternative firmware can be installed on many routers today but be careful and check the full name of the device. With the same model number and appearance routers can have different revisions behind which they can hide completely different hardware platforms.
You can check for OpenSSL vulnerability with free ScanNow utility by Rapid7 (bit.ly/18g9TSf) or its simplified online version (bit.ly/1xhVhrM). Online check takes a few seconds. In a separate program you can specify the range of IP addresses, so the test lasts longer. By the way, registration fields of ScanNow utility are not checked in any way.
After checking you will see a report and a suggestion to try more advanced Nexpose vulnerability scanner focused on companies’ networks. It is available for Windows, Linux and VMware. Depending on the version, the free trial period is limited to 7 to 14 days. Restrictions apply to the number of IP addresses and test areas.
Unfortunately, installing an alternative OPRS firmware is just a way to increase protection, and it will not provide complete security. All firmware is built on a modular principle and combines a number of key components. When a problem is detected in them, it affects millions of devices. For example, a vulnerability in the open OpenSSL library has also affected routers with *WRT. Its cryptographic functions were used to encrypt remote access sessions over SSH, organize VPN, manage local web server and other popular tasks. The vendors started releasing updates quite quickly, but it is still not possible to fix the problem completely.
New vulnerabilities in routers are always present, and some of them can be exploited even before the fix is released. All the router owner can do is disable unnecessary services, change default settings, limit remote management, check settings more often and update firmware.