Exploiting SOHO Routers

ISE researchers discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. These vulnerabilities allow a remote attacker to take full control of the router's configuration settings; some allow a local attacker to bypass authentication directly and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.

UPDATE: We have posted an additional study of security vulnerabilities in extraneous, non-router services running on SOHO routers.

UPDATE: Learn more about this on CNET's article on our router hacks and its accompanying video.

INQUIRIES: For more information on this routers project, you can contact us at . For general inquiries, click here to contact ISE.

Introduction

ISE researchers have discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. We define a critical security vulnerability in a router as one that allows a remote attacker to take full control of the router's configuration settings, or one that allows a local attacker to bypass authentication and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.

  • All 13 routers evaluated can be taken over from the local network
    • 4 of these attacks require no active management session.
  • 11 of 13 routers evaluated can be taken over from the WAN
    • 2 of these attacks require no active management session.

 

Motivation

Despite being widely distributed and deployed in nearly every modern home and small office, SOHO networking equipment has received surprisingly little attention from security researchers. Yet, these devices facilitate the connectivity and protection (we hope) of millions of end-systems. The critical vulnerabilities that persist in these widely used devices demonstrate an urgent need for deeper scrutiny.

ISE initially set out to evaluate the security of ten popular, off-the-shelf SOHO wireless routers. The final scope of the research project was expanded to include thirteen unique devices. Our research indicates that a moderately skilled adversary with LAN or WLAN access can exploit all thirteen routers. We also found that nearly all devices had critical security vulnerabilities that could be exploited by a remote adversary, resulting in router compromise and unauthorized remote control. At least half of the routers that provided network attached storage (NAS) were found to be accessible by a remote adversary (full details will be disclosed in a future article).

We further categorize these remotely and locally accessible vulnerabilities by indicating their associated attack requirements:

  • Trivial attacks can be launched directly against the router with no human interaction or access to credentials.
  • Unauthenticated attacks require some form of human interaction, such as following a malicious link or browsing to an unsafe page, but do not require an active session or access to credentials.
  • Authenticated attacks require that the attacker have access to credentials (or that default router credentials are used—an all-too-common situation) or that a victim is logged in with an active session at the time of the attack.

 

We considered client-side attacks to be in scope, so long as they consist entirely of HTML and JavaScript code running in a web browser.

Summary

  Remote Adversary Local Adversary
Router Trivial Unauthenticated Authenticated Trivial Unauthenticated Authenticated
Linksys WRT310Nv2     X     X
Belkin F5D8236-4 v2     X     X
Belkin N300   X X X X X
Belkin N900   X X X X X
Netgear WNDR4700       X X X
TP-Link WR1043N     X     X
Verizon Actiontec     X     X
D-Link DIR-865L     X     X
ASUS RT-N56U     X     X
ASUS RT-AC66U     X     X
Linksys EA6500           X
Netgear WNR3500     X X X X
TRENDnet TEW-812DRU     X     X

 

Important notes

  • Disclaimer. ISE did not exhaustively evaluate these routers, and in no way asserts that other product vulnerabilities do not exist. Many of these routers enable by default—or provide the capability to enable—telnet, ftp, and other services that have not been fully investigated. Our research was directed at assessing the ubiquity of these vulnerabilities, and not the number of issues present in any specific router model, or through any particular service or form of attack.
  • Remote services. None of the routers evaluated enabled remote administration by default, or any remote services . However, this option is available to administrators, and if enabled, drastically increases the router's exploitability in each case. ISE recommends administrators not enable remote administration, or remote services under any circumstances.
  • Remote compromise definition. We define remote compromise as full control of a router at the operating-system level by an adversary inside or outside of the router's domain.
  • Fully updated. Prior to our evaluation, all routers were updated to the latest firmware, and tested with out-of-the-box configuration settings.

Impact; new threats

SOHO router vulnerabilities impact consumers in a number of ways that differ from the vulnerabilities that typically afflict end-systems, and through those vulnerabilities new threats arise. The number of parties affected by an individual or widespread router compromise is expanded, there could be lasting damage to users or soho networking device vendors, and detecting or recovering from an exploit of this type can be difficult.

Affected parties: who is the victim?

A typical end-system compromise pegs the end-user as the victim. Certainly, advanced threats leverage end-system compromise to gain a network foothold and attempt to compromise lateral systems, but in general there is one victim, and one party responsible for cleaning up the mess.

A SOHO router compromise not only affects that device, but the many end-systems it supports, the infrastructure of which it is a part, the community of sites visited by the end-users, and even the soho networking device vendor.

Implications

The impact of these routers' security flaws is exacerbated by the fact that unauthenticated attacks can target not only the administrator of a victim router's (W)LAN, but any user on the (W)LAN. A parent or child in the case of the home, any or all students behind a university router, or any guest or untrained user of a small office or enterprise network can be targeted and leveraged to gain full control of the SOHO networking device, which may also lead to additional attacks being launched against other users.

Significance of compromise

Once compromised, any router—SOHO or otherwise—may be used by an adversary to secure a man-in-the-middle position for launching more sophisticated attacks against all users in the router's domain. This includes sniffing and rerouting all non-SSL protected traffic, poisoning DNS resolvers, performing denial of service attacks, or impersonating servers. Worse still, is that these routers are also firewalls, and often represent the first (and last) line of defense for protecting the local network. Once compromised, the adversary has unfettered access to exploit the vulnerabilities of local area hosts that would be otherwise unreachable if the router were enforcing firewall rules as intended.

Difficult Recovery; Persistent issue

The overall community impact could be much worse. Considering that many soho networking device administrators are not computer or security savvy, default settings are undoubtedly prevalent. Even in the case where the vulnerabilities identified here and elsewhere are addressed by the vendor, it may not be reasonable to expect that SOHO networking device owners know about these issues, or will upgrade/patch their routers' firmware, which is the predominant distribution mechanism for SOHO networking device updates. In such cases, the vulnerabilities may remain unresolved indefinitely.

"Bricking" of SOHO networking devices could also become an issue due to the cumbersome and unauthenticated nature of the firmware upgrade process. As we've identified, in all routers evaluated a remote adversary can replace a vendor's firmware with their own. If such firmware were (intentionally) faulty, it could render a device unusable. The damage to users and vendors could be significant depending upon the number of devices in the field, the rate at which they can be compromised or "bricked," and the cost to replace or repair them.

Large-scale threats

So far we have acknowledged that users belonging to an affected router's domains are at risk, but if any ISP deploys a router at scale with these types of vulnerabilities—or has many customers using routers with these types of vulnerabilities—an adversary may leverage the vulnerabilities to directly attack the provider, core infrastructure, or other organizational targets, e.g., corporations and nation-states. This also presents a large surface for new botnet deployment or command and control (C2) strategies to facilitate DDoS attacks and cybercrime activities.

Mitigations

Unfortunately, there is little the average end-user can do to fully mitigate these attacks. Successful mitigation often requires a level of sophistication and skill beyond that of the average user (and beyond that of the most likely victims).

Recommendations for Vendors

SOHO networking device VENDORS should take the following actions to help mitigate these issues.

  • Prepare and make available firmware upgrades that address these issues.
  • Notify registered users of these vulnerabilities, and distribute instructions on how to upgrade device firmware.
  • Regularly audit devices for security vulnerabilities, produce and distribute security patches in a timely manner, and notify registered customers.

 

SOHO networking device VENDORS should incorporate the following design changes in to their product lines.

  • Using authenticated (digitally signed, and verifiable by the router) firmware updates.
  • Designing a method for automatic firmware updates, that can be opted out of by users.
  • Perform regular security audits to ensure devices are as hardened as possible.

Recommendations for Device Administrators

SOHO networking device ADMINISTRATORS should take the following actions to help mitigate these issues.

  • Upgrade your firmware regularly.
  • Disable (or do not enable) remote administration.
  • Disable (or do not enable) network services that are not utilized within the LAN, e.g., FTP, SMB, UPnP.
  • Log out from, and restart, your SOHO networking device after logging in for administrative tasks.
  • Clear browser cookies and active logins after logging out from your router.
  • Choose a non-standard (W)LAN IP address range (subnet), which will make generic automated attacks less effective against your network.
  • If possible, enable HTTPS for all administrative connections. For all of the routers we evaluated that had this feature, it was disabled by default.
  • Make sure your WLAN is protected using WPA2 encryption and is not left as an open WiFi network or protected with the outdated WPA or WEP standards.
  • ONLY install firmware from the router manufacturers website.
  • Choose a secure router administration password consisting of upper/lowercase alphanumeric and special characters that is at least 12 characters in length.
  • If your SOHO device is behind an additional firewall, restrict inbound access to this device from the greater WAN.

Recommendations for End Users

END-USERS behind SOHO networking devices should take the following actions to help mitigate these issues.

  • Do not discount browser or other software warnings of potential MITM attacks.
  • Do not follow links sent through email or by other means, especially ones that are directed to what could potentially be a SOHO networking device (e.g., 192.168.2.1).
  • Be diligent, and browse safely.

 

Disclosures

For all vulnerabilities identified in this research, ISE has disclosed the issues to the product vendors through their typical vulnerability reporting mechanism, as well as any other channels for which we had access. We've given what we believe is adequate time to address the issues disclosed, and to the extent it has been reasonable, we've helped those vendors develop or implement mitigations. We welcome all vendor feedback, and are happy to assist with any additional information that may facilitate a quick resolution to any of these vulnerabilities.

Beyond the vulnerabilities listed in this case study, our research has brought to light 17 issues that have received Common Vulnerabilities and Exposure (CVE) numbers, and 21 CVE submissions pending.

  • CVE-2013-0126: Cross-Site Request Forgery
  • CVE-2013-2644: FTP Directory Traversal
  • CVE-2013-2645: Cross-Site Request Forgery
  • CVE-2013-2646: Denial of Service
  • CVE-2013-3064: Unvalidated URL Redirect
  • CVE-2013-3065: DOM Cross-Site Scripting
  • CVE-2013-3066: Information Disclosure
  • CVE-2013-3067: Cross-Site Scripting
  • CVE-2013-3068: Cross-Site Request Forgery
  • CVE-2013-3069: Cross-Site Scripting
  • CVE-2013-3070: Information Disclosure
  • CVE-2013-3071: Authentication Bypass
  • CVE-2013-3072: Unauthenticated Hardware Linking
  • CVE-2013-3073: SMB Symlink Traversal
  • CVE-2013-3074: Media Server Denial of Service
  • CVE-2013-3083: Cross-Site Request Forgery
  • CVE-2013-3084: Cross-Site Scripting
  • CVE-2013-3085: Authentication Bypass
  • CVE-2013-3086: Cross-Site Request Forgery
  • CVE-2013-3087: Cross-Site Scripting
  • CVE-2013-3088: Authentication Bypass
  • CVE-2013-3089: Cross-Site Request Forgery
  • CVE-2013-3090: Cross-Site Scripting
  • CVE-2013-3091: Authentication Bypass
  • CVE-2013-3092: Failure to Validate HTTP Authorization Header
  • CVE-2013-3095: Cross-Site Request Forgery
  • CVE-2013-3096: Unauthenticated Hardware Linking
  • CVE-2013-3097: Cross-Site Scripting

Related Work

As stated earlier in this article, there has been little research published in the area of SOHO router security, however some interesting results have been disclosed by security researchers in recent years.

In March, 2013, Michael Messner disclosed vulnerabilities ranging from minor to critical in D-Link, TP-Link, Netgear, and Linksys routers. The vulnerabilities disclosed included authenticated and unauthenticated arbitrary command injection, information disclosure, unencrypted password storage, directory traversal, and persistent cross-site scripting.

In January, 2013, HD Moore disclosed that numerous home routers exposed UPnP services, including SSDP Discovery and SOAP, to the Internet (WAN) side of the device. This could lead to remote attackers modifying firewall rules or accessing private media files using DLNA. Worse, many of the UPnP implementations had numerous buffer overflow vulnerabilities.

Also in January, 2013, DefenseCode released an advisory describing a remote, unauthenticated format string vulnerability in the Broadcom UPnP software that escalated to root shell access.

At BlackHat 2012, Phil Purviance (Superevr) demonstrated a cross-site file upload vulnerability in the Linksys WRT54GL. In early 2013, Purviance researched the Linksys EA2700 and found numerous vulnerabilities, including cross-site scripting, directory and file traversal, unauthenticated password changes, and source code disclosure vulnerabilities.

In May, 2012, it was disclosed that WiFi Protected Setup (WPS) uses an eight-digit PIN for authentication, and an attacker can determine if the first four digits of an attempted PIN are correct, without regard to the last four. Worse, as this CERT vulnerability disclosed, many home routers fail to implement any rate limiting after successive incorrect PIN attempts.

At BlackHat 2009, Felix Lindner explored the feasibility and techniques that could be used to attack commercial grade routers. He found very few public vulnerabilities in this class of equipment.

Future work

Six months after releasing the advisories for the 13 routers, ISE will upgrade the firmware on all 13 routers and perform a reassessment to determine what—if any—impact deeper scrutiny from the security community has brought to the SOHO router industry. ISE may also expand the scope of the next study to include additional routers.

Attribution and acknowledgments

This research was conducted by Jacob Holcomb of Independent Security Evaluators and directed by Stephen Bono and Sam Small. Jacob Thomspon, Kedy Liu, Ali Jad Khalil, and Vincent Faires made additional contributions.

References

Messner, Michael. Multiple Vulnerabilities in D-Link DIR-600 and DIR-300. Revision B. February 2013.

Beardsley, Tom. Weekly Update: Consumer-Grade Hacking, Attribution and Testing, and Msfupdate updates. Rapid7 Metasploit Blog. March 28, 2013.

Moore, HD. Security Flaws in Universal Plug and Play. Rapid7, Inc., January 2013.

Broadcom UPnP Remote Preauth Code Execution Vulnerability. January 31, 2013.

Allar, Jared. WiFi Protected Setup (WPS) PIN brute force vulnerability. US CERT Vulnerability #723755. May 10, 2012.

Lindner, Felix. Router Exploitation. Black Hat 2009.

Purviance, Phil. Don't Use Linksys Routers. Superevr. April 5, 2013.

Mimoso, Michael. Serious Vulnerabilities Found in Popular Home Wireless Routers. threatpost. April 8, 2013