How Vulnerable Is Your Router?

Many router manufacturers still have problems with the quality of their code. Security vulnerabilities are very common in this segment. Today, routers are among the primary targets of network attacks. How can regular users check the quality of the router firmware and apply adequate security settings? Online services, free utilities, and this post will come in handy.

CPE WAN Management Protocol

Consumer-oriented routers have long been criticized for being unreliable. Even a high price does not mean increased security. Several years ago, Check Point researchers discovered 12 million exploitable routers and DSL modems that could be breached using a vulnerability in the mechanism for obtaining automatic settings. This mechanism is used to promptly configure customer-premises equipment (CPE). For the past decade, providers have been using the CPE WAN Management Protocol (CWMP) in order to send settings and connect services through an Auto Configuration Server (ACS).

Security researchers found that many routers were incorrectly processing CWMP requests, thus introducing a severe vulnerability. Service providers made the situation even worse by not encrypting the connection between the client’s equipment and auto-configuration servers (ACS). In addition, there were no access restrictions based on MAC or IP addresses. Both factors created good conditions for a man-in-the-middle attack.

Using vulnerable CWMP, attackers can do many bad things. They can read and change configuration parameters, reset all settings to defaults, reboot the device, etc. The most prevalent attacks involved DNS spoofing. Cyber crooks filtered web requests and redirect users to scam pages and fake pages of payment systems or banks. Hackers created fake PayPal pages as well as fake online banking pages.

Attacking routers this way is a very cunning approach as scanning for viruses or checking the network settings do not show any problems. And, as users almost never check their router settings, the problem may remain undetected for a long time.

Connecting to a router via CWMP, attackers usually exploit vulnerabilities typical for unexpensive entry-level devices. Some of these devices, for example, use a RomPager web server created by Allegro Software. This web server had a bug associated with processing cookies. Although it was quickly patched, the problem is still there as this web server is part of the firmware. It is not possible to update it quickly on all devices. Different manufacturers released updates for thousands of already sold router models and informed customers to download and install the update. As we see, home users did not do this. And so, the number of defenseless devices still goes into hundreds of thousands even after ten years.

Besides routers, this vulnerability affects VoIP phones, IP cameras, and other devices that use CWMP for remote configuration. Port 7547 is usually used. You can check your equipment using Steve Gibson's Shields Up service.

Please mind that the negative result of the test does not guarantee that there are no vulnerabilities. A full-fledged penetration test is needed (using, for example, the Metasploit framework) in order to be sure you have no vulnerabilities.

Intentional bugs

Sometimes manufacturers intentionally implement bugs into their equipment. Different government agencies and secret services are believed to be involved in this. Backdoors have been found in popular router models produced by major companies such as Netgear, Cisco, and Linksys. For example, one backdoor involved port 32764 to receive remote commands. Since this number does not correspond to any well-known service, this problem is easy to detect - for example, using an external port scanner.

UPnP

There are many other known security problems that manufactures, and owners of network devices are in no hurry to fix. Several years ago, security experts found a set of vulnerabilities that touched the nine largest companies. These vulnerabilities are associated with the incorrect implementation of the Universal Plug and Play (UPnP).

Specialists from and DefenseCode found around 7K vulnerable device models. Over 80 million hosts responded to a standard UPnP request. 20% of them allowed third party code to be executed without any authorization. In most cases, a modified SOAP request is used to attack routers with a UPnP flaw. UPnP is enabled by default on most routers, IP cameras, network printers, NAS, and smart home devices. It is advised to disable UPnP on home routers completely. In addition, it is good to block requests to port 1900.

Default Settings

Routers’ factory settings represent the main security problem these days. These are not only login names, passwords, and IP addresses common to the entire lineups of devices, but also different services added for convenience at the cost of security. Besides the UPnP, WPS (Wi-Fi Protected Setup) and Telnet remote control protocol are often enabled by default.

Sever errors are regularly found in the processing of Telnet requests. For instance, D-Link models DIR-600 and DIR-300 could receive a shell and execute commands through the telnetd daemon without authorization. Moreover, Linksys E2500 and E1500 routers allowed code injection via regular ping. It was possible to send your malware to the router using the GET method as the ping_size parameter was not checked at all. And the attackers did not even need to think about bypassing authorization as the new password could be set without entering the old password. A similar problem was found in the Netgear SPH200D VoIP phone. Using IoT search engines like Shodan, cyber crooks ma find a vulnerable router in several minutes.

More issues

One problem triggers many others. If you activate WPS, it will automatically turn UPnP on. In addition, the pre-authentication key or standard PIN used in WPS negates all WPA2-PSK crypto-protection. Some models have firmware drawbacks that allow WPS to stay on even after users turn it off using the web interface.

For many users, it is really hard to refuse from vulnerable services if they are imposed by the provider or network administrator. You are lucky if the router model allows you to secure them at least partially. For example, to set a specific IP address for Telnet or block commands on the WAN port.

But often, there is no opportunity to change or disable an unsafe service using the web interface. The only way out is to search for an alternative firmware with an extended set of functions.

Alternative services

OpenWRT and DD-WRT are very popular opensource firmware. They are suited not for all routers but only those for which the chipset manufacturer has provided full specifications.

Alternative firmware can be installed on plenty of modern routers. However, users should be careful and thoroughly verify the full name and model of the device. Even having the same model number and look, routers may still have different revisions, which may involve different hardware platforms.

Keep in mind that installing alternative opensource firmware does not guarantee complete protection. It is just a way to increase it. All firmware projects are built using a modular principle that combines several key components. So, when an issue gets found, it affects millions of devices as it happened with the OpenSSL library vulnerability that affected routers. Yes, router manufacturers started to release updates, but after eight years, the problem is still there.

New vulnerabilities are being found on a regular basis. To be on the safe side, router owners can change the default settings, turn off unnecessary services, restrict remote access, and update the firmware.