Router Security: Router Bugs Flaws Hacks and Vulnerabilities
If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck. Below is what I base this opinion on. This list is far from complete.
You may be thinking that all software is buggy, but router software is probably worse. One reason for this is your ISP, which may have configured the router/gateway in an insecure way, either on purpose, to allow spying, or out of laziness or incompetence. Another reason is cost: router software is developed as cheaply as possible. Security is not the prime directive. Look at the box a router ships in - none brag about security.
BIG BUGS. A number of flaws stand out. The port 32764 issue from January 2014 and April 2014 for example. A router backdoor was exposed, then instead of being removed, was just better hidden. Another flaw not to be missed is the Misfortune Cookie from December 2014. Some huge flaws do not yet get their full due here. WPS, for one. WPS is like having a "hack me" sign on your back and yet it's required for a router to be certified by the Wi-Fi Alliance. Other huge flaws were the one with UPnP and the one involving USB file sharing.
Thailand ISP ignores router flaws
Router vulnerabilities disclosed in July remain unpatched
by Michael Mimoso of Kaspersky Threatpost January 17, 2017
The first sentence of this article is all you need to read: "Details on serious vulnerabilities in a number of routers freely distributed by a major Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered." As I say elsewhere on this site, don't use a router provided by your ISP. TrueOnline, the largest broadband company in Thailand, gives their customers three buggy routers: ZyXel P660HN-T v1, ZyXel P660HN-T v2 and Billion 5200 W-T. Multiple bugs (default admin accounts and command injection vulnerabilities) were found and disclosed by Pedro Ribeiro of Agile Information Security. Most of the vulnerabilities can be exploited remotely, some without authentication. It is likely that the same flaws exist in other ISP customized routers in other countries. A ZyXel representative told Threatpost the router models are no longer supported. Billion ignored a request for comment from Threatpost.
FTC accuses D-Link of poor security
Feds Accuse D-Link of Failing to Properly Secure Routers and Webcams
by Chris Morran of consumerist.org January 5, 2017
Federal regulators have accused D-Link of leaving its routers and webcam devices vulnerable to hackers. A lawsuit alleges that D-Link "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." D-Link is also accused of misleading the public about the security of their devices. This is the second time the FTC has gone after insecure routers. In February 2016, they went after Asus for their insecure routers. At least Asus took their medicine; D-Link, in contrast, cried foul.
Flaws in three ZyXEL routers are not being fixed
ZyXEL and Netgear Fail to Patch Seven Security Flaws Affecting Their Routers
by Catalin Cimpanu of BleepingComputer.com December 26, 2016
SecuriTeam documented four security flaws affecting three routers manufactured by ZyXEL. Don't think you have a ZyXEL router? Look again, many companies put their own label on ZyXEL hardware. TrueOnline, a major ISP in Thailand, provides ZyXEL routers to customers as do other ISPs. The known bad models are the P660HN-T v1, P660HN-T v2, and Billion 5200W-T. The routers are vulnerable to command injection on their web interface, which can be exploited by an unauthenticated attacker. Bad guys can thus take control of a router by issuing maliciously-crafted HTTP requests. It's not clear if the vulnerability is on the LAN side, WAN side or both. In addition, the routers come with hard coded backdoor credentials. Ugh. ZyXEL was notified of the problems in July 2016 and chose to stonewall. Thus, there is no workaround or fix.
Bug in the NETGEAR WNR2000
Stack buffer overflow vulnerability in NETGEAR WNR2000 router
by Pedro Ribeiro of Agile Information Security December 20, 2016
The Netgear WNR2000 router dates back to 2008. It does Wi-Fi "N" on the 2.4GHz band, period. It now sells for about $30. It has a remote code execution flaw that is exploitable over the LAN by default or over the WAN if remote administration is enabled. According to Shodan, about 10.000 of these routers have remote admin turned on. Ribeiro reverse engineered the internal uhttpd web server and found that function apply_noauth.cgi allows an unauthenticated user to perform admin functions. Some of the functions, such as rebooting the router, can be exploited straight away by an unauthenticated attacker. Other functions, such as changing Internet, WLAN settings or retrieving the administrative password, require the attacker to send a "timestamp" variable. But Ribeiro reverse engineered the timestamp generating function due to a flaw in its random number generation. Combining this flaw with some other information leakage, it is possible to recover the administrator password. A stack buffer overflow was also discovered. Bottom line: an unauthenticated attacker can take full control of the device. Ribeiro tried to contact Netgear three times (Sept 26th, Oct 28th and Nov. 29th) and never got a response. However, now that this got some coverage in the press, Netgear has responded and will fix the problems.
DNS changing attack against MANY routers
Home Routers Under Attack via Malvertising on Windows, Android Devices
by Kafeine of Proofpoint December 13, 2016
Wow, this is bad. And made worse by being hard to detect and defend. Viewing a web page is all it takes to have a router attacked. The main goal of the malware is to change the DNS servers in the router. These server assignments normally propagate to all devices on a network. In some cases the malware also opens ports on the WAN side of the router leaving it vulnerable to other attacks. This malware was first seen in 2015 when it exploited 55 known router flaws. This new improved version can exploit 166 known flaws, some of which work against several router models. If the malware can't find a known bug for a router, it tries to log on to the router with default credentials. You do not have to visit a "bad" website, "the attack chain ensnares victim networks though legitimate web sites hosting malicious advertisements unknowingly distributed via legitimate ad agencies." Which routers are vulnerable? The article says "It is not possible to provide a definitive list of affected routers." That said, some routers were pointed out for being newly vulnerable: D-Link DSL-2740R, COMTREND ADSL Router CT-5367 C01_R12, NetGear WNDR3400v3 (and likely other models in this series), Pirelli ADSL2/2+ Wireless Router P.DGA4001N and Netgear R6200. Reading through the article, it's obvious that the malware is very sophisticated. What to do? "Unfortunately, there is no simple way to protect against these attacks." In a Dec. 19th update, Proofpoint wrote "At this time, a minimum of 56,000 routers have been compromised, but we expect that number is considerably higher."
Netgear router flaw affects 11 models
Warns Users to Stop Using Two Netgear Router Models Due to Security Flaw
by Catalin Cimpanu of Bleeping Computer December 10, 2016
At least two Netgear routers, the R6400 and R7000 are vulnerable to a command injection flaw that is easy to exploit and could lead to total takeover of the routers. There has, as yet, been no response from Netgear. CERT has gone so far as to say "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available." The documentation released so far does not make it clear if the devices are vulnerable on the LAN side only, WAN side only or both.
TR-064 protocol abused in new attack
Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
by Johannes Ullrich of SANS November 28, 2016
Port 7547 is used by a remote management protocol known as either TR-069 or CWMP. It has been trouble before and I already suggest testing for it on the Tester Page. A ton of mistakes involved here. There was a TR-064 server available to the Internet at large on port 7547 which is two mistakes right there. TR-064 suffers from information disclosure issues. On some routers at least, it's also buggy, letting attackers run commands and totally take over the router. Finally, some routers hang when dealing with too many incoming connections which is what the malware did to spread. So even routers that were not infected were knocked off-line. Oh, and the malware is a new variant of Mirai. According to Shodan, about 41 Million devices have port 7547 open. This attack is confirmation of my position to not use a router provided by your ISP.
Yet another HNAP bug in D-Link routers
Turn off remote admin, SOHOpeless D-Link owners
by Richard Chirgwin of The Register November 8, 2016
Carnegie-Mellon Computer Emergency Response Team (CERT) reports a buffer overflow flaw in the HNAP service running on at least 8 D-Link routers. There is no fix from D-Link. The flaw can be exploited on the LAN side over port 80. The documentation is inconsistent as to whether it can also be exploited remotely. Known vulnerable models are the: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L and DIR-868L. However, D-Link markets these routers using alternate names such as the AC5300 Ultra Wi-Fi Router so you may need to map the external name to the internal model number. The flaw was discovered by Pedro Ribeiro of Agile Information Security back in July 2016. It's not clear why it got no publicity until Nov. 7, 2016. D-Link has a long history of vulnerabilities in their implementation of the HNAP protocol. CERT initially had no practical solution to this problem. On Nov. 10th, just days after this got publicity, D-Link issued the first round of patched firmware.
Still more attacks are changing DNS servers in routers
Cybercriminals target Brazilian routers with default credentials
by ESET October 21, 2016
Quoting: "Households and small businesses that use consumer-grade internet routers may fall victim to attacks that are currently targeting mainly Brazilian users, but may be easily localized to any other country. These attacks have been around since 2012, but the risks they carry are rising sharply ... we are closely monitoring these attacks in order to keep pace with recent developments in the attackers' techniques. It seems likely that there are different groups conducting these attacks ... The main objectives of these attacks are to change the DNS configuration, allow remote management of the router by accessing it with its public IP, and to set a predefined password - often the router's default password - for potential easy access for the perpetrators at a later time."
These attacks can be defended against by not using the default router password and not using the default router IP address. Also, check your current DNS servers using dnsleaktest.com and/or whoer.net.
TheMoon malware version 2 adds attacks on more routers
TheMoon Botnet Still Alive and Well After Two Years
by Catalin Cimpanu October 20, 2016
TheMoon worm was discovered in early 2014 attacking vulnerable Linksys routers. In response, Linksys issued a firmware update. In response, the bad guy added an attack on vulnerable Asus routers. Sending malicious UDP data lets a bad guy execute malware on vulnerable Asus routers. And, the malware adds firewall rules to protect an infected router from other malware. One of these rules protects D-Link routers from an HNAP SOAP flaw so it is assumed the malware also targets D-Link routers.
Two stories about routers with default passwords
At least 15% of home routers are unsecured
by Peter Stancik of ESET October 19, 2016
ESET tested more than 12,000 home routers and found that 15% used weak passwords. It's a matter of opinion as to whether this is good or bad news. They also found, not surprisingly, that "admin" was the userid in most cases. As for bugs, they found that 7% had "vulnerabilities of high or medium severity" and that 20% had Telnet open on the LAN side.
The very same day that ESET released its report, Brian Krebs wrote about a July 2015 conversation with someone who scanned the Internet for routers using default passwords, found over 250,000 of them and uploaded "some kind software to each vulnerable system."
Bad guys frequently scan for router flaws
Home Routers - New Favorite of Cybercriminals in 2016
by Bing Liu of Fortinet October 12, 2016
Fortinet has been monitoring the outbreak of attacks targeting home routers. More and more scans are looking for known bugs in routers from D-Link, Asus and Netis. Back in August 2014, it was revealed that Netis routers have a hard coded password backdoor. Fortinet started looking for hacking attempts against this backdoor in July and there are many of them. A vulnerability that allowed Unauthenticated Remote Command Execution was discovered in D-Link routers back in 2013. Fortinet initially found very few bad guys trying to abuse this flaw, until this past summer when the hacking attempts went way up (two million in the last 30 days). The Asus flaw is puzzling. It was disclosed in Jan. 2015 and has to do with the infosvr service listening on UDP port 9999. The bug lets an unauthenticated LAN side device execute commands in the router as the root user. What's puzzling is that the flaw was not supposed to be exploitable from the Internet. Yet, starting this past June, they saw a "surge in activity" trying to exploit it.
A D-Link router has miserable security and D-Link is slow to respond
D-Link DWR-932 B owner? Trash it, says security bug-hunter
by Richard Chirgwin of The Register September 29, 2016
The router has more than 20 vulnerabilities. Yikes. "Following the consumer broadband industry's consistently lackadaisical attitude to security, the device suffers from everything from backdoor accounts to default credentials, leaky credentials, firmware upgrade vulns and insecure UPnP." The bugs were found by Pierre Kim, who has found other router bugs previously. The D-Link box is based on a Quanta LTE device which is the true source for some of the bugs. Five bugs are in the qmiweb webserver from Quanta. Examples: SSH and telnet are enabled by default, with two backdoor accounts (admin:admin, and root:1234). Most important points: it would be trivial to hack this router and add it to a botnet, and, D-Link blew Kim off when he tried to tell them about these problems.
IoT insecurities - stick them in an isolated network
Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON
by Lucian Constantin of IDG News Service September 13, 2016
That IoT devices have poor security is not news. Only one of the 23 devices was a router. My take-away from this story is that IoT devices should be isolated as much as possible. We don't want a compromised device to be able to do anything to any other device. For more on this see the Guest Network topic in my description of the Pepwave Surf SOHO router.
Inteno refuses to fix their buggy routers
ABBA-solutely crapulous! Swedish router-maker won't patch gaping hole
by Iain Thomson of The Register September 2, 2016
Harry Sintonen of F-Secure found a vulnerability in some Inteno routers that lets a bad guy install their own firmware. The routers are managed by the ISP using a protocol called both TR-069 and CWMP (CPE WAN Management Protocol). Routers using this protocol phone home to an Auto Configuration Server (ACS) operated by the ISP. While the Inteno routers do use HTTPS, they do not validate the certificate they get from the ACS server. That means a bad guy, who can man-in-the-middle the connection, can feed the router hacked firmware. Inteno could care less, they blew the whole thing off. The good news is that since the ACS server should be in the internal network of the ISP, the flaw is hard to exploit. An attacker would need a privileged position on the ISP network.
This is why Router Security matters
IoT Home Router Botnet Leveraged in Large DDoS Attack
by Daniel Cid of Sucuri September 1, 2016
This is a blog post about a DDoS attack that Sucuri fought off for a client. The attack used three different botnets, one of them composed of routers. Sucuri detected over 11,000 compromised routers from eight different vendors. Quoting: "The largest number of routers being exploited came from Huawei-based routers. They varied between versions: HG8245H, HG658d, HG531, etc." Other routers were from MikroTik, Ubiquiti, NuCom, Dell SonicWall, VodaFone, Netgear, and Cisco-IOS.
Multiple D-Link routers have a buffer overflow processing cookies
Vulnerability Note VU#332115 D-Link routers contain buffer overflow
by CERT August 11, 2016
Quoting: "D-Link DIR routers contain a stack-based buffer overflow vulnerability, which may allow a remote attack to execute arbitrary code." The overflow is in a function that validates the session cookie; it did not verify the length of the cookie properly. The flaw was first reported on May 31, 2016 and the first fixes were released Aug. 11, 2016. Some of the affected routers are the DIR-850L, DIR-890L, DIR-880L, DIR-868L and the DIR-818L. The bug can be exploited both locally and remotely. The worst of this, to me, is that the router exposes port 8181 on the Internet. A router should never need to leave ports open on the WAN side.
BHU Networks router is terribly insecure
VULNERABILITIES IDENTIFIED IN 'UTTERLY BROKEN' BHU ROUTERS
by Chris Brook of Kaspersky Threatpost August 19, 2016
Another high end vendor, Ruckus, found vulnerable
Ruckus Raucous: Finding Security Flaws in Enterprise-Class Hardware
by Craig Young of Tripwire August 3, 2016
I started this page to highlight bugs in consumer routers, yet the big boys are buggy too. At first, Young tested a Ruckus ZoneFlex. Quoting: "Within a few minutes of setting up the device, I found a command injection, which is exploitable through a forged request due to a general lack of CSRF tokens. As with many of the consumer routers I had tested, the ZoneFlex offers ... a simple ping test, with apparently no input sanitization." Consumer routers commonly have all processes running as root. Same with Ruckus. Young also found an Authentication Bypass: "All requests containing a particular string received '200 OK' responses. By creatively adding this string to other requests, I was able to get response data intended only for authenticated queries. This is a behavior I have observed in routers from NETGEAR, TrendNET and Asus." And, two other flaws: a Denial of Service and an Information Disclosure (the serial number is exposed). To me, the worst issue was that Young could not get in touch with Ruckus. This is a disgrace. My favorite router vendor, Peplink, has an online Forum where experts respond to questions and problems.
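The ping-test flaw Young describes comes from pasting a form field into a shell command. The sketch below is an added example, not code from Ruckus, Tripwire or this site: it shows that pattern next to a hardened handler. The function names, the form field names and the CSRF token scheme are assumptions made for illustration.

```python
import hmac
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens, no hyphen at either end.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_ping_command(target):
    """The flawed pattern: user input concatenated into a shell string.
    Shown for comparison only; the result must never reach a shell."""
    return "ping -c 1 " + target


def validate_target(target):
    """Return a canonical IP address or hostname, or raise ValueError."""
    if not isinstance(target, str) or not target or len(target) > 253:
        raise ValueError("target missing or too long")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Python 3.9+ accepts IPv6 zone IDs ("fe80::1%eth0"); the zone part is
        # free-form text, so refuse it rather than pass it along.
        if getattr(ip, "scope_id", None):
            raise ValueError("IPv6 zone IDs are not accepted")
        return str(ip)
    host = target[:-1] if target.endswith(".") else target
    labels = host.split(".")
    # fullmatch() rejects a trailing newline, which "$" with match() would allow.
    if labels[-1].isdigit() or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError("not an IP address or hostname")
    return host


def build_ping_argv(target):
    """Argument vector for ping: no shell, and '--' ends option parsing."""
    return ["ping", "-c", "1", "--", validate_target(target)]


def handle_ping_request(form, session_csrf_token):
    """Hypothetical web handler: check the per-session CSRF token first,
    then validate the target. 'csrf_token' and 'target' are assumed names."""
    supplied = str(form.get("csrf_token", ""))
    if not session_csrf_token or not hmac.compare_digest(
            supplied.encode(), session_csrf_token.encode()):
        raise PermissionError("missing or wrong CSRF token")
    return build_ping_argv(form.get("target", ""))


def run_ping(argv):
    """Run the validated command without a shell and with a time limit."""
    return subprocess.run(argv, shell=False, capture_output=True,
                          timeout=5, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request log.
    samples = ["8.8.8.8", "example.com", "8.8.8.8; reboot", "$(id)", "-f"]
    for s in samples:
        try:
            print(repr(s), "->", build_ping_argv(s))
        except ValueError as exc:
            print(repr(s), "-> rejected:", exc)
```

Validation limits what reaches the ping binary, but it does not address the other point in the quote: a web process running as root turns any remaining bug into full control of the device.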
120 D-Link devices may be buggy, including routers
D-Link Wi-Fi Camera Flaw Extends to 120 Products
by Michael Mimoso of Kaspersky Threatpost July 7, 2016
"A software component that exposed D-Link Wi-Fi cameras to remote attacks is also used in more than 120 other products sold by the company. Researchers at Senrio, who found the original vulnerability, disclosed today additional details of product vulnerabilities related to the component after collaborating with D-Link. Senrio said the flaw also puts D-Link Connected Home products at risk, including other cameras, routers, models and storage devices." There are no patches, yet. There are three flaws. The most severe is an unbounded/unchecked string copy that can be exploited to cause remote code execution.
TP-LINK lets domain lapse
TP-Link routers exposed to potential security flaw after domain registration lapses
by Boyd Chan of Neowin July 4, 2016
One way that hardware vendors try to make the initial configuration of a router easier is by telling users to browse to a domain name rather than an IP address. TP-LINK uses both tplinklogin.net and tplinkwifi.net and they forgot to renew their ownership of tplinklogin.net. It's now owned by someone outside of the company and TP-LINK has, so far, refused to buy it back. This was discovered by Amitay Dan who also claims that TP-LINK is updating their documentation. I checked the TP-LINK website and found one item that says to use either an IP address or the domain they still own (tplinkwifi.net) and another item that says to use tplinklogin.net. Dan claimed that TP-LINK stopped talking to him after he brought this to their attention. If true, it's a rare chance to see how much a company really cares about security. I blogged about this and did some testing. It is not a security issue for owners of TP-LINK routers. They intercept requests to tplinklogin.net and direct them to the router rather than the Internet. However, it could well be a problem for everyone else. I also found another domain that TP-LINK lost control of.
Apple routers are buggy and Apple offers no details at all
fixes serious flaw in AirPort wireless routers
by Lucian Constantin in PC World June 21, 2016
Apple has released firmware updates for its AirPort routers to fix a memory corruption bug stemming from DNS data parsing. Yet again, Apple deals with security problems by saying nothing. This tells me they can't be trusted.
Quoting: "As is typical for Apple security announcements, the company did not release details about possible exploitation scenarios and did not assign a severity rating for the flaw ... What is not clear is whether the data parsing issue is in the DNS server or DNS client functionality.... If the error is in the parsing of queries received from LAN computers, it would limit the attack to the local network. Whereas, if the flaw is in the parsing of DNS responses, it could be exploited remotely... Another unknown is the privilege with which attackers would execute malicious code if this flaw is successfully exploited. If the code is executed under the root account, it could lead to a full device compromise."
It appears the bug was first known about back in September 2015. Pretty slow response. Apple routers do not self-update; installing the new firmware requires you to use either AirPort Utility 6.3.1 or later on OS X or AirPort Utility 1.3.1 or later on iOS. This means customers may have to update the AirPort utility before they can update the router.
Don't hold your breath waiting for Cisco bug fixes
Cisco Won't Patch Critical RV Wireless Router Vulnerability Until Q3
by Michael Mimoso of Kaspersky Threatpost June 16, 2016
The Cisco RV series of wireless VPN firewalls and routers have flaws in their web interface that allow for remote code execution. Workarounds are not available, yet Cisco plans on fixing this in the third quarter of 2016. To exploit the bug, just send the device a malicious HTTP request. If remote management is enabled, this can be exploited remotely. Affected models are the RV110W Wi-Fi VPN Firewall, RV130W Wi-Fi VPN Router and the RV215W Wi-Fi VPN Router. Not buggy enough? There are also cross-site scripting and buffer overflow bugs in the same devices.
MyD-Link devices are vulnerable
D-LINK patches weak crypto in MYD-LINK devices
by Michael Mimoso of Kaspersky Threatpost June 14, 2016
A couple flaws were found in My-DLink devices such as the DIR-810L cloud router. Other vulnerable devices include IP Cameras and home routers. One flaw is not verifying certificates after making an SSL connection, the other is using SSL v2 and SSL v3, both of which are known to have security flaws. The flaws were found by Firmalyzer and D-Link released updated firmware. However, I looked for DIR-810L firmware on the D-Link website and could not find anything. The articles did not link to it either.
Update: a reader emailed me to point out that updated firmware is available for the B model of DIR-810L but not for the A model (see link below). The firmware is dated June 13th and marked as BETA.
Netgear issues bug fixes
Netgear router update removes hardcoded
by Michael Mimoso of Kaspersky Threatpost June 11, 2016
Netgear has released firmware updates for two of its router product lines, patching vulnerabilities that were reported in January. Models D6000 and D3600 are known to be vulnerable, but other models and firmware versions could also be susceptible to the same issues. One issue is an authentication bypass vulnerability, the other is a hard-coded cryptographic key. The devices are vulnerable to attack on the LAN side and remotely, if remote management is enabled. Abusing the flaws, an attacker can gain administrator access. A remote attacker able to access the /cgi-bin/passrec.asp password recovery page may be able to view the administrator password in clear text by examining the source code of the page. Two things are required to work around the problem: the password recovery feature must be enabled and remote management must be disabled. Netgear says "The potential for password exposure remains if you do not complete both steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification .. NETGEAR is working on a firmware fix and will email the download information to all registered users when the firmware becomes available. To register your product, visit https://my.netgear.com/register/ "
IPv6 Ping of Death hits Cisco and Juniper
Cisco warns IPv6 ping-of-death vuln is everyone's problem
by Shaun Nichols of The Register June 2, 2016
Cisco devices running IOS XR, Cisco IOS, Cisco IOS XE and Cisco NX-OS software have a flaw in their processing of IPv6 Neighbor Discovery (ND) packets. Exploitation of this bug could cause high CPU usage, the suspension of processing all IPv6 traffic or the temporary loss of services for traffic that terminates on the device, in addition to IPv6 traffic. Cisco is working on fixes, but there is no timetable. Juniper has three bugs with IPv6 Neighbor Discovery processing in Junos OS.
Industrial company Moxa has buggy routers
Vulnerabilities Found in Moxa Industrial Secure Routers
by Eduard Kovacs of Security Week May 19, 2016
Frankly, I had never heard of Moxa. The article calls them an "Industrial networking, computing and automation solutions provider" and says that their EDR-G903 series is an industrial router used in the United States, Europe and South America. Multiple high severity flaws, that can be exploited remotely, were discovered in January by Maxim Rupp. Configuration files store passwords in plain text. Both configuration and log files can be accessed with a specific URL by an unauthenticated attacker. A remote attacker can also cause the device to enter a DoS condition by sending it malicious requests. Patches have been issued, but they have not yet been verified to work.
Another business class company, Ubiquiti, has bugs
infects unpatched Ubiquiti wireless devices
by Lucian Constantin of IDG News May 20, 2016
Quoting: "Routers and other wireless devices made by Ubiquiti Networks have recently been infected by a worm that exploits a year-old remote unauthorized access vulnerability. The attack highlights one of the major issues with router security: the fact that the vast majority of them do not have an auto update mechanism and that their owners hardly ever update them manually." The bug has been fixed, but devices were not updated with patched firmware. The Resources page of this site lists routers that can self-update. Affected devices include the airMAX M Series, AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber. The bug was easy to exploit. The latest worm creates a backdoor account, then adds a firewall rule that blocks legitimate administrators from accessing the Web-based management interface.
26 bugs in Aruba Networks devices
Aruba fixes networking device flaws
by Lucian Constantin of IDG News Service May 9, 2016
The interesting part of this story is that all the bugs were found by Google. The last time I was in a Google office, I noticed that they use Aruba for their Wi-Fi. The vulnerabilities affect ArubaOS, Aruba's AirWave Management Platform (AMP) and Aruba Instant (IAP). The 26 different issues range from privileged remote code execution to information disclosure, insecure updating mechanism and insecure storage of credentials and private keys. Under certain circumstances, attackers can compromise devices. There are also design flaws in an Aruba proprietary management and control protocol dubbed PAPI.
Malware changes router DNS settings
Mobile Devices Used to Execute DNS Malware Against Home Routers
by Chisato Rokumiya of Trend Micro April 11, 2016
Quanta routers have every bug ever made
Multiple vulnerabilities found in Quanta LTE routers
by Pierre Kim April 4, 2016
Quoting: "Quanta Computer Incorporated is a Taiwan-based manufacturer of electronic hardware. It is the largest manufacturer of notebook computers in the world. The Quanta LTE QDH Router device is a LTE router / access point overall badly designed with a lot of vulnerabilities. It's available in a number of countries to provide Internet with a LTE network." Some of the bugs that Kim found: Hardcoded SSH Server key, Backdoor accounts, Router DoS, WebInterface Information Leak, two remote code execution flaws, two Backdoors, two flaws with WPS, Remote Firmware Over The Air, arbitrary file browsing and reading, etc. The buggy firmware seems to be used in many routers. My favorite part was Mr. Kim's opinion: "... at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor." The company will not fix any of these bugs. As I say elsewhere on this site, avoid all consumer routers.
Arris cable modem issue
ARRIS (Motorola) SURFboard modem unauthenticated reboot flaw
by David Longenecker April 1, 2016
In a poor design decision, the Arris SB6141 cable modem can be rebooted and reset without requiring a password. This, combined with its having a dedicated IP address, means that a malicious web page can knock you off-line, for a bit. This is not a bug or a flaw, that's the way it was designed. The same flaw existed in the older SURFboard 5100 model at least as early as 2008 and it also exists in the 6121 model. Longenecker first reported the problem to Arris in January 2016 and he was ignored, until this got widely picked up in the press. When they were shamed into it, Arris changed the design. But, anyone with an affected modem is at the mercy of their ISP to install the update. It has been two months since Arris released new firmware, as I am writing this, and Time Warner has not yet rolled out the update. In fact, I was told by a Time Warner rep on the phone that it's not their job to do so.
Telnet being abused by Remaiten bot
Your Linux-based home router could succumb to a new Telnet worm, Remaiten
by Lucian Constantin of IDG News Service March 31, 2016
Remaiten is a new worm, discovered by ESET, that infects routers and other devices by taking advantage of weak Telnet passwords. The page on this site that lists services many/most people should turn off on their routers includes Telnet. The software, also called KTN-Remastered, connects to random IP addresses on port 23. When a Telnet server is found, the software tries to log in with assorted common passwords. The bot supports a variety of denial-of-service attacks. The Test Your Router page on this site links to assorted firewall testers that can tell you if your router has exposed a Telnet server.
Netgear router password flaw
Optus cable routers let anyone change passwords, says tech
by Darren Pauli of The Register March 17, 2016
There is a password flaw in the web interface of Netgear CG3000v2 gateways (combo router/modem/telephone adapter) provided by Australian ISP Optus. Specifically, the SetPassword.asp page, which prompts for the old and new password, ignores the old password and changes the password to the new one all the time. The flaw was discovered by Paul Szabo of the University of Sydney. When he informed both Netgear and Optus, they ignored him. Back in April 2014, this same Netgear box was the subject of another security flaw: it had both Telnet and SSH active with the same default password on every box. See Default password leaves tens of thousands of Optus cable subscribers at risk. Yet more proof not to use hardware provided by an ISP.
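The SetPassword.asp behaviour described above, next to a handler that actually checks the old password, as an added example that is not Netgear's or Optus's code. The class, the function names, the PBKDF2 parameters and the five-failure lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor (assumed value for this sketch)
MAX_FAILURES = 5       # assumed lockout threshold, not from the article


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AdminAccount:
    """Hypothetical stand-in for the gateway's stored admin credential."""

    def __init__(self, password):
        self.failures = 0
        self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.digest = _derive(password, self.salt)

    def verify(self, candidate):
        # Constant-time comparison so timing does not leak digest bytes.
        return hmac.compare_digest(_derive(candidate, self.salt), self.digest)


def set_password_flawed(account, old_password, new_password):
    """Behaviour the article describes: the form asks for the old password,
    but the handler never looks at it."""
    account.set_password(new_password)
    return True


def set_password_checked(account, old_password, new_password):
    """Change the password only when the old one is proven."""
    if account.failures >= MAX_FAILURES:
        return False          # locked until an out-of-band reset (assumed policy)
    if not account.verify(old_password):
        account.failures += 1  # throttle guessing of the old password
        return False
    if not new_password or new_password == old_password:
        return False
    account.set_password(new_password)
    account.failures = 0
    return True


if __name__ == "__main__":
    # Constructed sample values, labelled as such.
    flawed = AdminAccount("owner-secret")
    set_password_flawed(flawed, "not-the-old-password", "someone-elses-choice")
    print("flawed handler, owner still in control:", flawed.verify("owner-secret"))

    fixed = AdminAccount("owner-secret")
    ok = set_password_checked(fixed, "not-the-old-password", "someone-elses-choice")
    print("checked handler accepted wrong old password:", ok)
    print("checked handler, owner still in control:", fixed.verify("owner-secret"))
```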
Modems can be buggy too
patches serious flaws in cable modems and home gateways
by Lucian Constantin of IDG News Service March 10, 2016
Quoting: "Cisco Systems has patched high-impact vulnerabilities in several of its cable modem and residential gateway devices ... The embedded Web server in the Cisco Cable Modem with Digital Voice models DPC2203 and EPC2203 contains a buffer overflow vulnerability that can be exploited remotely without authentication ... [the] Cisco DPC3941 Wireless Residential Gateway with Digital Voice and Cisco DPC3939B Wireless Residential Voice Gateway are affected by a vulnerability that could lead to information disclosure [by] an unauthenticated, remote attacker ... The Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA is affected by a separate vulnerability ... that could lead to a denial-of-service condition."
A ton of new router flaws discovered
New firmware analysis framework finds serious flaws in Netgear and D-Link devices
by Lucian Constantin of IDG News Service Feb 29, 2016
Been there done that. Once again, a group of researchers looked at many router firmwares and found a ton of bugs. The bug hunting was done with a framework called FIRMADYNE built by Daming Chen, Maverick Woo and David Brumley from Carnegie Mellon University and Manuel Egele from Boston University. They found 887 firmware images that were vulnerable to at least one of 74 known exploits. They also found 14 previously unknown vulnerabilities in 69 firmware images used by 12 products. The Web management interface of six Netgear devices (WN604, WN802Tv2, WNAP210, WNAP320, WNDAP350 and WNDAP360) contains several pages that can be accessed without authentication and could allow attackers to pass input directly to the command line. In addition, the Netgear WN604, WNAP210, WNAP320, WND930, WNDAP350 and WNDAP360 also include Web pages that can be accessed without authentication and they expose the WPS PIN code. WPS bad. As for D-Link, the web server used in the D-Link DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2660, DAP-2690 and DAP-2695 has a buffer overflow vulnerability that can be triggered when processing a cookie. And, more. Six other devices (the D-Link DAP-1353, DAP-2553 and DAP-3520 and the Netgear WNAP320, WNDAP350 and WNDAP360) expose wireless passwords and admin credentials over SNMP. Perhaps the most important issue here is that D-Link never responded to the researchers reporting these bugs. Netgear will have fixes out by mid March.
FTC goes after ASUS routers for bad security
FTC Charges That Insecure Home Routers and "Cloud" Services Put Consumers' Privacy At Risk
by the FTC February 23, 2016
The security of ASUS routers was flawed in many ways. What seems to have brought the U.S. Government down on them were the flaws with the security of storage devices plugged into a USB port in the router. The two features are called AiCloud and AiDisk. The bugs are listed on the bugs page of this site. The password protection was easy to bypass, so much so, that good guys would leave messages for people warning that their router was easily hacked. All this while ASUS was bragging about how secure this was. Manuals suggested that users all use the same userid and password. The FTC claims that ASUS did not take reasonable steps to secure the software on their routers. Then too, the usual behavior from consumer router companies: ignoring reports of bad security for months on end and even when updated firmware is finally made available, the router incorrectly reports that there is no available update. ASUS agreed to pay a fine and to security audits every two years. In summary, more proof to my argument that all consumer routers should be avoided.
A warning about configuring Asus routers
Poor UX leads to poorly secured SoHo
by David Longenecker blogging at Security For Real People Feb. 7, 2016
Asus routers with an RT in the model name suffer from a user interface design flaw. If the firewall is disabled, remote administration (which Asus calls "Web Access from WAN") is enabled, even if remote administration is specifically disabled by the user. That is, the firewall setting over-rides the remote admin setting and nothing about this is externalized to the end user. Longenecker stumbled across this by accident while checking his public IP address in Shodan. He found over 135,000 Asus wireless routers that can be logged into from the Internet. I take this as yet another reason to always change the remote admin port number, even if you have disabled remote administration.
Building router hacked
Building automation systems are so bad IBM hacked one for free
by Darren Pauli of The Register Feb 11, 2016
Quoting: "An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security ... they found exposed administration ports ... gaining access to a D-Link panel enabled to allow remote monitoring ... by adding an extra carriage return after the page request it was possible to bypass the router's authentication. They found command injection vulnerabilities in the router and found a list of commands in the firmware source code. They found a cleartext password in the router's var directory that not only granted more router pwnage but, thanks to password-reuse, allowed them to compromise the building management system." No mention of who made the router, let alone a model number.
Two issues in Cambium Networks ePMP1000 router
CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of CARI.net Feb. 5, 2016
SNMP is enabled by default and the default configuration has community strings "public" and "private" for read and write respectively. This allows a remote attacker to potentially reboot the device using the SNMP write community. There are also multiple default userids and passwords and SSH is enabled by default. Default user/pswd admin/admin is allowed unrestricted access via SSH. Three additional userid/password pairs are installer/installer (an admin), home/home (readonly) and read-only/read-only (also readonly).
Two issues in Ubiquiti AirOS and EdgeMax routers
CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of CARI.net Feb. 5, 2016
Mostly quoting: All current products have the default userid/password of ubnt/ubnt and have SSH enabled by default. The ubnt user also has sudo access via sudo -s. This gives remote attackers the ability to make changes ... This is very well known to attackers, and Ubiquiti devices make for a great target as they can support SOCKS proxying, and a wide variety of malware.
Mostly quoting: When an AirOS device switches back to factory defaults, it copies the /usr/etc/system.cfg to /tmp/system.cfg; saves and then reboots. An attacker ... can thus make changes to this default configuration to maintain persistence on a device ... current versions of the EdgeMax EdgeOS store the factory default configuration as well as other configurations in /opt/vyatta/etc/. An attacker can modify these configs, thus maintaining persistence across factory resets. Also, it would be very easy for a remote attacker to reset the device to defaults.
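A defender's check for the factory-default persistence described above, as an added example (not code from CARI.net or Ubiquiti): it hashes the two locations named in the write-up in a known-good firmware tree and in a copy of the device's filesystem, then reports differences. It assumes both trees are already unpacked to local directories; the file names under /opt/vyatta/etc and all file contents in the demo are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Locations named in the write-up quoted above, relative to a filesystem root.
WATCHED = ["usr/etc/system.cfg", "opt/vyatta/etc"]


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe(path):
    """Fingerprint one entry; symlinks are recorded by target, never followed."""
    if path.is_symlink():
        return "symlink:" + os.readlink(path)
    if path.is_file():
        return "sha256:" + sha256_file(path)
    return None  # directories and missing paths carry no fingerprint


def snapshot(root, watched=WATCHED):
    """Map every file under the watched paths to its fingerprint."""
    root = Path(root)
    result = {}
    for rel in watched:
        target = root / rel
        entries = [target]
        if target.is_dir() and not target.is_symlink():
            entries = sorted(target.rglob("*"))
        for entry in entries:
            fingerprint = describe(entry)
            if fingerprint is not None:
                result[entry.relative_to(root).as_posix()] = fingerprint
    return result


def compare(baseline, current):
    """Report watched files that differ from the known-good baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def run_constructed_demo():
    """Build two constructed trees, alter one, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        good, device = Path(tmp, "firmware"), Path(tmp, "device")
        for root in (good, device):
            (root / "usr/etc").mkdir(parents=True)
            (root / "opt/vyatta/etc").mkdir(parents=True)
            # Constructed contents, not real vendor defaults.
            (root / "usr/etc/system.cfg").write_text("example.setting=factory\n")
            (root / "opt/vyatta/etc/config.sample").write_text("example { default }\n")
        # Constructed changes of the kind the write-up warns about.
        with (device / "usr/etc/system.cfg").open("a") as fh:
            fh.write("example.extra=added-later\n")
        (device / "opt/vyatta/etc/extra.sample").write_text("constructed\n")
        return compare(snapshot(good), snapshot(device))


if __name__ == "__main__":
    for kind, paths in run_constructed_demo().items():
        print(kind, paths)
```

Any entry under "modified" or "added" means a factory reset will not return the device to the vendor's state, so reflash from a trusted image instead of resetting.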
Mikrotik RouterOS default passwords
CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of CARI.net Feb. 5, 2016
Mostly quoting: A long standing problem in the Mikrotik RouterOS is the default username and password. All versions including the 6.34 release have default user of "admin" with no password ... many devices are compromised within the first few hours of being put on line. During our tests, a device with the username "admin" and no password was compromised within 15 minutes and had 9 unique pieces of malware running within 20 minutes ... also allows SSH access without a password.
Default TP-LINK router password needs only 70 guesses
The Wi-Fi router with a password that takes just 70 guesses
by Paul Ducklin of Sophos January 27, 2016
Some TP-LINK routers have unique default passwords. But the passwords require, at most, 70 guesses. Most of the password is based on the publicly advertised MAC address of the router. The remaining byte has, in theory, 256 possible values, but some detective work showed where this byte comes from and it has only 70 possible values. Not the first time something like this has happened. Never use the default router password.
Another attack on the HNAP protocol
Threat Group Uses Dating Sites to Build a Botnet of Vulnerable Home Routers
by Catalin Cimpanu of Softpedia Jan. 21, 2016
Some dating websites are spreading a worm to their visitors, infecting their routers and adding them to a botnet. The worm is a new variant of TheMoon, which was first discovered in February 2014. It takes advantage of weaknesses in the Home Network Administration Protocol (HNAP). An iframe checks to see if the router supports HNAP. If so, it calls home, informing its creators of the good news. Then a second URL delivers the worm, which is a Linux ELF binary. The worm prevents users from using some inbound ports, and opens outbound ports through which it spreads to other routers. If you take the advice offered here, you would be safe from this because it only looks for the usual suspects regarding the router's IP address.
Asus routers may never log you off
Administrator logout flaw in ASUS wireless routers
by David Longenecker blogging at Security for Real People January 19, 2016
A hard coded SSH password found in Fortinet devices
Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears
by Dan Goodin of Ars Technica Jan 12, 2016
The hard coded SSH password was FGTAbc11*xy+Qqz27 and it was active in 2013 and 2014. Fortinet says it is not a backdoor, writing: "This issue was resolved and a patch was made available in July 2014 as part of Fortinet's commitment to ensuring the quality and integrity of our codebase. This was not a 'backdoor' vulnerability issue but rather a management authentication issue." In response, the top promoted comment at Ars says: "So they're saying there was no malice, just an astounding level of incompetence in the area in which they are supposed to be experts?". Fortinet said nothing to their customers when they disabled the password in 2014. And, it appears they never removed it. Ars was told by a researcher that the password is still in the firmware.
FRITZ!Box vulnerable on the LAN side but fixes are available
FRITZ!Box home broadband routers' security
by Richard Chirgwin of The Register Jan. 12, 2016
FRITZ!Box routers are popular in Germany and Australia. German security company RedTeam Pentesting found that program dsl_control listens for commands on TCP port 8080 on the LAN side. They then found that with the right SOAP request the program offers up a list of the commands that it supports, and, that it will execute these commands without authorization. Come and get it, open to all. Perhaps technically, this is not remotely exploitable, but LAN side attacks can be executed from malicious web pages loaded by a LAN side device. The flaw lets a bad guy gain root access. The bug was found in Feb. 2015 but was not made public to give the vendor time to create and distribute a fix. FRITZ!Box routers can self-update and new firmware is available. All told, well handled by everyone involved.
pfSense is no magic bullet
New Features and Changes in v2.2.6
by pfSense December 21, 2015
Lots of bugs were fixed in this release, including: multiple vulnerabilities in OpenSSL, a Local File Inclusion vulnerability in the WebGUI, a SQL Injection vulnerability in the captive portal logout, multiple XSS and CSRF vulnerabilities in the WebGUI and two other captive portal bugs. Unlike consumer routers however, it seems that pfSense includes updated component software, a good thing. For example, it is noted that upgrading the included strongSwan to v5.3.5 fixes several bugs.
High End Routers from Juniper hacked twice
Juniper warns about spy code in
by Jeremy Kirk of IDG News Service Dec. 17, 2015
Two hacks were discovered by Juniper themselves in an internal review. What prompted the review is unknown. The first hack was a hard-coded master password that could allow remote administrative access to a ScreenOS device over Telnet or SSH. The second hack had to do with random numbers generated by the Juniper VPN server. By making them not-so-random, a spy agency able to monitor Internet backbone traffic could decrypt everything inside the VPN without being detected. The hard-coded master password has been present since 2012 or 2013. Juniper is a very high end company. These attacks show how valuable it can be to gain control over a router.
Multiple bugs in multiple Cisco Routers
Cisco Warning of Vulnerabilities in Routers, Data Center Platforms
by Chris Brook of Kaspersky Threatpost December 9, 2015
Cisco published five advisories, each marked as "medium" severity. The EPC3928 is a wireless residential gateway that does a poor job validating input which opens it up to XSS attacks. It also has an authentication bug that lets an attacker send a malicious HTTP request to execute some admin functions without authentication. Another residential gateway, the DPQ3925, is vulnerable to a CSRF attack. If a victim clicks on a malicious link, they could submit arbitrary requests to the device via a web browser. Finally, the DPC3939 router has a bug in its web interface that could allow an attacker to execute arbitrary commands on the system.
Linksys ignores router bug report
Linksys routers vulnerable through CGI
by Richard Chirgwin of The Register December 8, 2015
A security company, KoreLogic, has disclosed bugs in the Linksys EA6100-6300 routers. It's not clear to me how many routers are vulnerable. Buggy scripts in the web-based administrative interface provide an attacker with unauthenticated access, which, in turn, lets the bad guy learn the router's administrative password. A very interesting aspect of this bug is the timeline that KoreLogic reported. They submitted the details of this multiple times to Linksys and never heard back. Thus we learn how much Linksys cares about the security of their routers.
Arris cable modems have backdoors, bugs and hard coded passwords
Backdoor In A Backdoor Identified in 600,000 Arris Modems
by Chris Brook of ThreatPost November 23, 2015
Thousands of Arris cable modems suffer from XSS and CSRF vulnerabilities, hard-coded passwords, and a backdoor in a backdoor. The problems were discovered by Brazilian researcher Bernardo Rodrigues (@bernardomr) who estimates that more than 600,000 externally accessible devices are vulnerable to the backdoor and that TG862A, TG860A, and DG860A modems are all affected. To me, the most important sentence in this article is "Rodrigues claims Arris was less than receptive when he first reported the flaws, but that CERT/CC proved helpful and aided in bringing them to the company's attention". I take this to mean they would have ignored this if they could. Next time I buy a modem, Arris is not on my shopping list. And, how do you update the firmware on a modem??
CSRF Bugs in the D-Link DIR-816L Router
D-link wireless router DIR-816L Cross-Site Request Forgery (CSRF) vulnerability
by Bhadresh Patel of HelpAG Nov. 10, 2015
The good news is that cross-site request forgery (CSRF) bugs are hard for bad guys to exploit. A web browser needs to be logged in to the router in one tab and visiting a malicious web page in another tab. In that case, the flaws let bad guys submit commands to the DIR-816L router and gain control of the router. A fix is available from D-Link.
600,000 Ubiquiti routers easily hacked - come and get em
The Omnipresence of Ubiquiti Networks Devices on the Public Web
by SEC Consult November 5, 2015
Quoting: "There are ongoing in the wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices ... Most devices are located in Brazil (480,000), Thailand (170,000) and the United States (77,000)..." These flaws have been reported previously but the scope is new. Many ISPs ship Ubiquiti routers with Remote Administration enabled. This opens them up to HTTP/HTTPS and SSH access. Ubiquiti blames the ISPs. If each ISP used a different TCP/IP port and gave customers unique passwords, no big woop. But, no. There are at least 600,000 vulnerable routers on the Internet. They also found 1.1 million Ubiquiti devices using a digital certificate whose private key is easily obtained from the firmware. This makes it easy for bad guys to find vulnerable routers to attack.
Multiple bugs in Cisco devices
Patch Cisco ASA ASAP: DNS, DHCPv6, UDP packets will crash them
by Shaun Nichols of The Register October 23, 2015
Four bugs have been discovered in assorted Cisco routers, firewalls and other hardware in their Adaptive Security Appliance (ASA) line. Exploiting the flaws can render the hardware useless by forcing it to repeatedly reset. Both a specially crafted DHCPv6 packet and/or a DNS packet can cause the devices to reset. They can also be made to restart with a malicious UDP packet that exploits a flaw in the Internet Key Exchange protocol.
The German government agrees with me
German Govt mulls security standards for SOHOpeless routers
by Darren Pauli of The Register October 21, 2015
The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to mine, routers will be given points for features that increase security. Sadly, the article says that "Routers that advise users of an available firmware update on login to the web admin interface are winners". So, having a router company email their customers when there is new firmware is something we can't even hope for? What this article does not mention is the background. Germany now (Nov. 2015) requires ISP customers to use a router from their ISP. This law is expected to change in early 2016, thus the need to review the security of newly available routers.
Still more bugs in ZHONE routers
Boffin's easy remote hijack hack pops scores of router locks
by Darren Pauli of The Register October 11, 2015
For the second time this year, Vantage Point has warned of multiple security flaws in routers. The flaws are in Zhone routers provided to customers by an un-named major telco in Singapore. The buggy routers are also used by un-named companies around the world. Among the bugs is a remote zero day exploit that lets a bad guy totally hijack the router. Lyon Yang, who found the flaws, is quoted saying "When the ISP ships the router, it comes with a shitload of vulnerabilities". He also said that the remote hijacking is easily done. In all there are seven vulnerabilities. Interestingly, a remote hijack bug is in the router's ping functionality. Some of the bugs have been patched but will never get installed. The ISP in question does not give their customers the userid/password needed to logon to the router, so they can't update the firmware.
Multiple bugs in multiple ZyXEL routers
ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities
by CERT October 13, 2015
Vulnerability Note VU#870744. Several ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting. One issue shared by many models is a weak default password of "1234" for the admin account. In the worst case, these bugs can enable a remote unauthenticated attacker to modify the system configuration. The issues were reported to ZyXEL in Aug. 2015 and there are multiple responses. Some routers are too old and won't be fixed. Some bugs have already been addressed with new firmware and other bugs will be fixed later this month.
Multiple Netgear routers vulnerable if WAN administration enabled
Hackers exploiting 'serious' flaw in Netgear routers
by Zack Whittaker of ZDNet October 13, 2015
A techie discovered that his own router had been hacked, that the DNS servers had been changed. The bug has been documented by both Compass Security and Shellshock Labs. It lets a bad guy get full remote unauthenticated root access, if WAN administration is enabled. Netgear released updated firmware for these routers: JNR1010v2, WNR614, WNR618, JWNR2000v5, WNR2020, JWNR2010v5, WNR1000v4 and WNR2020v2. Netgear customers will be informed of the update if they logon to their router, or, if they have the Netgear genie app installed.
A good worm infects routers
Home routers "vaccinated" by benign virus
by the BBC October 2, 2015
According to Symantec the Wifatch worm has hardened more than 10,000 home routers against cyber-attacks. Non-techies should say thank you. The worm targets routers that have miserable security to begin with. Wifatch was first discovered in late 2014 and Symantec estimates that it has infected tens of thousands of routers. This is a good thing as Wifatch tries to disinfect routers that have been infected with malware. The source for Wifatch is available and it has no malicious components. In addition, Symantec has been monitoring it for months and has not seen any malicious actions. Heck, Wifatch even leaves a message on the router telling the owner to change the default passwords and update the firmware.
Huawei Bug fixes? Fuggedabowdit
Huawei routers riddled with security flaws won't be patched
by Zack Whittaker at ZDNet October 7, 2015
The Huawei B260a router is widely used by ISPs in Europe and Africa but it's old, so Huawei will not issue bug fixes for it. As I say elsewhere on this site, avoid all hardware from your ISP. Multiple security flaws were discovered by Pierre Kim. The flaws are as bad as it gets, allowing for overwriting the router firmware without authentication. The flaws are not limited to a single model (they never are), other devices in the B-series and E-series product lines are also buggy.
Bugs in the Huawei E3272 4G USB Modem
Remote code exec hijack hole found in Huawei 4G USB modems
by Darren Pauli of The Register October 7, 2015
OK, it's a modem rather than a router, but I felt it was close enough to include here. Timur Yunusov and Kirill Nesterov of Positive Technologies found both a remote execution flaw and denial of service vulnerabilities in the Huawei E3272 4G USB modem. Exploiting the bugs gives bad guys pretty much everything. The researchers report that "By exploiting detected flaws, an intruder can gain rights on a remote modem, take control over the computer connected to the vulnerable modem, and obtain access to the subscriber's account in the mobile operator's portal". In addition there are SMS attacks on the SIM card. The good news is the bugs have been fixed. The bad news is that I didn't see a link to updated firmware.
Cisco business routers hacked
slip rogue, backdoored firmware onto Cisco routers
by Lucian Constantin of IDG News Service September 15, 2015
Researchers from Mandiant have detected Cisco routers running malicious firmware. These are business routers, so this story does not really belong on this page, but it further illustrates the importance of router software. The attack, known as SYNful Knock, was found on 14 Cisco 1841, 8211 and 3825 routers in four countries. It is thought that rather than abusing a bug, the software was installed using stolen or default passwords. That Cisco has default passwords is disgraceful, even some consumer routers force you to choose a password at first boot.
Five bugs in the Belkin N600 DB router
Belkin Wi-Fi routers plagued by unpatched security flaws
by Lucian Constantin of IDG News Service September 1, 2015
The Belkin N600 DB router contains five bugs for which there are no practical work-arounds and, as yet (11 days after the first report) no fixes either. In fact, the Belkin website has nothing on the problem. I take that as all I need to know about using Belkin routers. In fairness, they did tell one reporter that they are working on fixes. As for the bugs themselves, one is a poor implementation of DNS which lets a man-in-the-middle (MITM) attacker respond to DNS queries and thus redirect victims to malicious websites. The router also checks for new firmware using HTTP which can be manipulated by a MITM attacker. On the LAN side, the N600 does not, by default, require a password for accessing the management interface. And, even if you set a password, an attacker on the LAN can log in to the router without knowing the password. This is due to the router using client side authentication. In addition, it is vulnerable to CSRF attacks on the LAN side. In my opinion, anyone using this router should just throw it away.
More routers with hidden admin accounts
Some routers vulnerable to remote hacking
by Lucian Constantin of IDG News Service August 27, 2015
Quoting: "Several DSL routers from different manufacturers contain a guessable hard-coded password that allows the devices to be accessed with a hidden administrator account ... the affected device models are: Asus DSL-N12E, Digicom DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and ZTE ZXV10 W300 ... For most of the routers, the username corresponding to the hard-coded password is admin, while for the PLDT SpeedSurf 504AN it's adminpldt ... The vulnerability is not new and was independently reported by separate researchers in 2014 for the ZTE ZXV10 W300 and in May for the Observa Telecom RTA01N." The passwords are different for each device and include the last four characters of the MAC address but this can be obtained. Telnet provides access to the routers.
Insecure routers being used for DDoS attacks
are using insecure routers and other home devices for DDoS attacks
by Lucian Constantin of IDG News Service August 18, 2015
"Attackers are taking advantage of home routers and other devices that respond to UPnP (Universal Plug and Play) requests over the Internet in order to amplify distributed denial-of-service attacks. A report released Tuesday by cloud services provider Akamai Technologies shows that the number of DDoS attacks is on the rise." Akamai points out that very few organizations have the infrastructure necessary to deal with DDoS attacks, and, of course, they sell the cure. SYN floods and Simple Service Discovery Protocol (SSDP) reflection were the most popular DDoS vectors. The use of SSDP for DDoS started in the last quarter of 2014. SSDP is part of UPnP which was intended to be used on Local Area Networks only. Despite this, many routers and other devices respond to SSDP queries over the Internet. How many? According to the Shadowserver Foundation, there are roughly 12 million IP addresses on the Internet that have an open SSDP service. You can't make this stuff up. You can test your router, from the inside, by visiting upnp-check.rapid7.com. A good result looks like this.
Trojan for Linux infects routers
New Trojan for Linux infects routers
by Doctor Web security researchers August 4, 2015
"The Trojan named Linux.PNScan.1 can infect devices with ARM, MIPS, or PowerPC architectures. Using this and other dangerous applications uploaded by Linux.PNScan.1 to the compromised device, cybercriminals can ... brute-force authentication credentials to get unauthorized access to various devices and servers via the SSH protocol." The attack starts by brute forcing router passwords. the malware attacks Linksys routers trying to exploit a vulnerability in HNAP (Home Network Administration Protocol) and the CVE-2013-2678 vulnerability. It also exploits ShellShock and a vulnerability in Fritz!Box routers. An infected router can launch various DDoS attacks (including ACK Flood, SYN Flood , and UDP Flood) and execute intruder-issued commands.
Bug fix issued for Cisco ASR 1000 routers
Cisco Fixes DoS Vulnerability in ASR 1000 Routers
by Dennis Fisher of Kaspersky July 30, 2015
A bug in the way Cisco ASR 1000 routers handle fragmented packets can cause a Denial Of Service. The ASR 1000 line of routers are designed for enterprise and service provider environments. The bug affects IOS XE versions 2.1, 2.2, 2.3, 2.4, and 2.5. It is fixed in version 2.5.1. Versions 2.6 and 3.x are not vulnerable.
Huge number of TotoLink router bugs
TotoLink Routers Plagued By XSS, CSRF,
by Chris Brook of Kaspersky ThreatPost July 16, 2015
There are a large number of bugs in a large number of TotoLink routers. It's a lot to keep track of.
"Nearly 20 different routers made by the electronics company TotoLink contain multiple remote code execution bugs, suffer from XSS and CSRF vulnerabilities, and contain backdoor credentials". The remote code execution flaws affect 15 different TotoLink products and let an attacker bypass authentication using either HTTP or DHCP. This can be used to install hacked firmware on the routers. A different problem, a backdoor, affects nearly 50,000 routers and makes them vulnerable on the WAN side. Four other routers suffer from a different backdoor, one that gives a LAN side attacker root privileges. The CSRF and XSS attacks affect the iPuppy, iPuppy3, N100RE, and N200RE models. TotoLink released new firmware on July 13th to fix some of these problems, but not nearly all. The bugs were discovered by Pierre Kim and Alexandre Torres. According to Kim, TOTOLINK is a brother brand of ipTIME which wins over 80% of SOHO markets in South Korea.
Multiple ipTIME router flaws
By Pierre Kim July 1, 3, 5 and April 20, 2015
Mr. Kim has written four blog postings (below) with details on assorted flaws in ipTIME routers. According to Kim, there are about 10 million ipTIME devices in South Korea. The July 6th writeup details a vulnerability in 127 routers that allows a LAN side user to send a single HTTP request that will bypass the admin authentication and allow complete root access. The July 3rd writeup is about the ipTIME n104r3 but Kim says it is likely to affect other models too. CSRF and XSS flaws allow a LAN side attacker to take over most of the configuration and settings. For example, the attacker can turn on remote management, change DNS servers, update the firmware and more. The July 1st writeup offers sample exploit code for the 127 devices running ipTIME firmware prior to v9.58. They are vulnerable to a remote code execution flaw which gives the attacker root access. The April 20th writeup seems to be the first report of the LAN side remote control vulnerability with a single HTTP request.
DDoS attacks abuse ancient RIP v1 protocol
abuse legacy routing protocol to amplify DDoS attacks
by Lucian Constantin of IDG News July 2, 2015
"DDoS attacks observed in May by the research team at Akamai abused home and small business (SOHO) routers that still support Routing Information Protocol version 1 (RIPv1). This protocol is designed to allow routers on small networks to exchange information about routes. RIPv1 was first introduced in 1988 and was retired as an Internet standard in 1996..." Attackers used about 500 SOHO routers to reflect and amplify their malicious traffic.
Akamai found 53,693 devices online that support RIPv1. Some had their web UI exposed to the Internet, allowing Akamai to identify the make/model. Around 19,000 were Netopia 3000 and 2000 series DSL routers distributed by ISPs. More than 4,000 were ZTE ZXV10 ADSL modems.
Hacked routers serving up Windows malware
Crooks Use Hacked Routers to Aid
by Brian Krebs June 29, 2015
Quoting: "New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware ... Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim's credentials and send them to the attackers ... researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers - particularly routers powered by MikroTik and Ubiquiti's AirOS." It is not known if vulnerabilities in the firmware are being exploited or whether default passwords are at fault. This sounds much like the botnet discovered by Incapsula in May 2015 (see below), in part, because a "disturbing number" of the hacked routers had the telnet port open.
Linksys router turns off WiFi when plug something into USB port
WRT1200AC dual-band gigabit Wi-Fi router
by Jon Andrews of WeGotServed June 18, 2015
Quoting: "I had a number of issues sharing data ... whenever I plugged in an external drive, the WRT1200AC's wireless signal completely cut out. I tried a reboot of both the router and the PCs I was trying to work from but it didn't make any difference. As soon as I disconnected the external hard drive (in this instance it was a 2 TB external USB 3.0 powered drive formatted in NTFS) the Wi-Fi came back to life. Even with the latest firmware onboard, the WRT1200AC suffered from what looks like a pretty nasty bug." No mention in the article about the other issues sharing data.
22 routers examined -> 60 bugs found
More than 60 undisclosed vulnerabilities affect 22 SOHO routers
by security researchers doing an IT Security Masters Thesis at Universidad Europea de Madrid May 28, 2015
The routers were from Observa Telecom, Comtrend, Belkin, D-Link, Sagem, Linksys, Amper, Huawei, Zyxel, Astoria and Netgear.
14 of the bugs are Universal Plug and Play (UPnP). Not bugs in UPnP, just its existence. While I agree, in concept, that UPnP is bad for security, and I recommend turning it off in a router, counting it as a vulnerability is a matter of opinion. To me, this is really 46 bugs.
An information disclosure bug was found in the D-Link DSL-2750B, a wireless ADSL2 gateway. The device coughs up critical information to anyone who knows to try http://184.108.40.206/hidden_info.html, where 220.127.116.11 is the LAN side IP address of the device. All D-Link owners should test this. The report does not say if this works on the WAN side too.
Four routers from three different companies have a USB Device Bypass Authentication flaw which has nothing to do with the NetUSB flaw. Quoting "An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router ... In order to do so, the attacker only needs to access the router IP followed by the 9000 port". You can test if a router has port 9000 open on the WAN side here grc.com/x/portprobe=9000.
Two Huawei routers have a Bypass Authentication flaw. Quoting "An external attacker, without requiring any login process, is able to reset the router settings to default ones ... an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials". Ouch.
The Observa Telecom RTA01N has a hidden admin user. Quoting "In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it does only appear into the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet". The report does not say if disabling remote administration defends against this.
Still another attack on routers with default IPs and passwords
Changer Malware Sets Sights on Home Routers
by Fernando Merces of Trend Micro May 28, 2015
Nothing very new here. Trend Micro found malicious websites, mostly in Brazil, that run a brute-force attack script against a router to change the DNS servers. Quoting: "While this type of malware is not new, we've been seeing a growing number of links in phishing attacks in Brazil."
Moose worm attacks miserably defended devices
Moose - the router worm with an appetite for social networks
by Graham Cluley writing for ESET May 26, 2015
ESET researchers discovered a new worm, which they call Linux/Moose, that infects routers in order to commit social networking fraud. The worm also infects other Linux-based devices and eradicates existing malware infections on the devices. It could potentially be used for DDoS attacks, network exploration, eavesdropping and DNS hijacking. It was first detected in July 2014. ESET researchers were unable to make a reliable estimate of the number of affected routers. They did confirm that products from these companies were affected: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone. The worm spreads by compromising systems with weak or default credentials. No vulnerabilities are exploited, so it should be easy to defend against simply by changing default passwords. It gets in via Telnet on port 23, so ensure that port 23 is closed or stealth using the common ports scan of Shields UP! It also uses port 10073 which you can test here: https://www.grc.com/x/portprobe=10073.
A web based (CSRF) router attack that changes DNS servers
An Exploit Kit dedicated to CSRF
by Kafeine an independent security researcher May 22, 2015
Yet another web based attack, delivered by either a compromised website or a malicious ad, designed to replace the DNS servers used in a router. The malware looks for any of 55 routers from a dozen vendors including: Asus, Belkin, D-Link, Edimax Technology, Linksys, Medialink, Microsoft, Netgear, Shenzhen Tenda Technology, TP-Link, Netis Systems, Trendnet, ZyXEL and HooToo. It uses both known flaws (command injection vulnerabilities) and a dictionary attack with common administrative credentials. This seems to be widely used: on May 9, 2015 the command and control center was visited almost a million times. Slow days in the first week of May saw roughly 250,000 unique visitors a day. It has been found in the U.S., Russia, Australia, Brazil, India and other countries. As with other DNS changing malware, the bad DNS server is placed first, backed up by a Google public DNS server. This lets infected routers continue to function normally even if the malicious DNS server is taken off-line.
NetUSB flaw is industry wide (possibly millions of routers are vulnerable)
KCodes NetUSB: How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide
by the SEC Consult Vulnerability Lab May 19, 2015
There is a bug/vulnerability in a software component called NetUSB. Quoting: "NetUSB is a proprietary technology developed by the Taiwanese company KCodes, intended to provide 'USB over IP' functionality. USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated 'USB over IP' box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005). The client side is implemented in software that is available for Windows and OS X ... The user experience is like that of a USB device physically plugged into a client system." If the NetUSB server is given data longer than it expects, it suffers a stack buffer overflow. 26 companies are thought to use the NetUSB software. SEC Consult tested routers from five of these companies: D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL. They found 92 products contained the NetUSB software. They did not test products from the other 21 companies. It seems to be mostly, but not exclusively, a LAN side issue. Quoting again: "While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet." Sometimes NetUSB can be disabled via the web interface, sometimes not. On NETGEAR routers the only defense is to buy a new router. KCodes was not helpful when contacted by SEC Consult. TP-LINK was the best at fixing the problem. By far.
An example of what malicious DNS servers can do
Router Attack Displays Fake Warning Messages
by Jaydeep Dave of Trend Micro May 20, 2015
This blog offers an example of what malicious DNS servers might do - get the victim to call an 800 number for tech support that is not needed. The author works for Trend Micro and found his home router was using malicious DNS servers. How it happened, he doesn't know. The advice offered is lame, basically just plugs for their products.
Routers with default passwords hacked up the wazoo
Malware infected home routers used to launch DDoS attacks
by Lucian Constantin of IDG News Service May 12, 2015
ISPs in Thailand and Brazil seem to be distributing insecure routers to their customers. Not only are they configured with default passwords, they are also accessible from the Internet using both HTTP and SSH. In a new report, Incapsula found thousands of these routers infected with multiple copies of malware. The headline in the media was that Anonymous was using the router botnet for DDoS attacks. The report says that it is likely more than one group had infected the routers with malware.
Not all router bugs are security related
turning it off and on really is the best fix
by Dwight Silverman of the Houston Chronicle May 6, 2015
Tech blogger has a MacBook Pro and a Mac mini. The mini has problems. Two different instant messaging services are failing with a network error. And, Microsoft's OneDrive doesn't think it has an Internet connection. Other cloud storage apps such as Google Drive and Dropbox work fine. The same apps on the MacBook Pro work fine. The apps are configured the same on each machine. The light at the end of the tunnel comes when he connects the problematic Mac mini to a different WiFi network and everything works fine. The problem was his network. Re-booting the router, a Linksys WRT1900AC, fixes everything. What happened? A techie suggests a "bad NAT implementation in consumer router product". I can believe this based on my own experience, years back, with a consumer router. Every now and then all websites would fail to load. Email, and any other Internet traffic, worked fine. In my case too, rebooting the router fixed it.
Pixie Dust expands attacks on WPS
Security Now! Episode 506
by Steve Gibson of GRC May 5, 2015
Software has been released, dubbed Pixie Dust, that exploits a flaw in three implementations of WPS. The protocol is bad enough by itself, even if programmed perfectly. In three cases, the programming is not done well and thus WPS can be broken in seconds. Passwords? We don't need no stinking passwords. This research was first reported in Aug. 2014 by Dominique Bongard (see below). Flaws have been found in hardware from Ralink, Broadcom, and Realtek. Similar coding flaws in WPS implementations were found by Craig Heffner in Oct. 2014 (see below). As I say elsewhere on this site, do not use any router that supports WPS.
Hacking Netgear routers to upload malicious firmware
Broken, Abandoned, and Forgotten Code, Part 1
by Zachary Cutlip April 23, 2015
Quoting: "This series of posts describes how abandoned, partially implemented functionality can be exploited to gain complete, persistent control of Netgear wireless routers ... I'll describe the process of specially crafting a malicious firmware image and a SOAP request in order to route around the many artifacts of incomplete implementation in order to gain persistent control of the router ... An unauthenticated firmware upload is an opportunity to persist undetected on the gateway device for months or even years ... Universal Plug and Play services on SOHO routers make for a nice attack surface ... " The primary router tested was the Netgear R6200. Preliminary analysis of other devices, including the R6300 v1, indicates presence of the same vulnerabilities. The only tested firmware was v18.104.22.168.
Realtek SDK: Yet another industry-wide flaw leaves routers vulnerable to remote hacks
No patch for remote code-execution bug in D-Link and Trendnet routers
by Dan Goodin of Ars Technica Apr 28, 2015
Routers from D-Link, Trendnet and untold other vendors can be remotely hacked. Without needing a password, bad guys can execute arbitrary code on the routers. Vulnerable routers use the Realtek software development kit. The bug is a failure to sanitize user data by the miniigd SOAP service. Not bad enough? The bug was found by security researcher Ricky "HeadlessZeke" Lawshae and reported to HP's Zero Day Initiative (ZDI) in August 2013. HP then tried, many times, to report the bug to RealTek. Twenty months later, there is still no fix.
Three bugs in the Netgear WNR2000v4 router
by email@example.com April 21, 2015
NCC Service Command Injection flaw in several routers
D-Link/TRENDnet NCC Service Command Injection
by Michael Messner, Peter Adkins and Tiago Caetano Henriques of Packet Storm April 16, 2015
There is a remote command injection vulnerability in several routers. The vulnerability exists in the ncc service, while handling ping commands. Several D-Link and TRENDnet devices are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A) v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03, and TRENDnet TEW-731BR (Rev 2) v2.01b01.
D-Link screws up fixing their bugs
D-Link: sorry we're SOHOpeless
by Richard Chirgwin of The Register April 21, 2015
Quoting: " D-Link's SOHOpeless HNAP vulnerability has not been fixed, but readers will be pleased to know that the company is very, very, very sorry that it exists. The company issued a patch on April 10 for its design-over-substance AC3200 series routers, but that "fix" blew a hole in the device's authentication routines. Tactical Network Solutions' Craig Heffner called out the error, saying that 'this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions ...' " In all, 17 D-Link routers are buggy.
Multiple D-Link devices can be exploited via HNAP
Hacking the D-Link DIR-890L
by Craig Heffner at devttys0.com April 10, 2015
The D-Link DIR-890L is a new top-of-the-line $300 router with every feature a router could possibly have, including a software bug. The flaw is in the validation of HNAP requests. A malicious SOAPAction header can be used to pass arbitrary commands to the router. A telnetd command, for example, can spawn a telnet server that provides an unauthenticated root shell. If remote administration is enabled, the flaw can be exploited remotely. The bug has been confirmed in both the v1.00 and v1.03 firmware. Other D-Link devices are also vulnerable including: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR and TEW-733GR.
Multiple TP-LINK routers leak sensitive files to unauthenticated users
Unauthenticated Local File Disclosure
by Stefan Viehbock of SEC Consult Vulnerability Lab April 10, 2015
The good news here is that TP-LINK responded, when notified of the flaw, and issued updated firmware in a timely manner. Quoting: "Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed." The fix for the flaw was available when the problem was made public. Vulnerable routers were TP-LINK Archer C5, Archer C7, Archer C8, Archer C9, TL-WDR3500, TL-WDR3600, TL-WDR4300, TL-WR740N, TL-WR741ND, TL-WR841N, TL-WR841ND.
Another case of breaking WPS in seconds
Reversing Belkin's WPS Pin Algorithm
by Craig Heffner at devttys0.com April 10, 2015
WPS is a security disaster. Given a few hours, any router with WPS enabled can be hacked into. There are so few pin codes that it's just a matter of time (typically 10 hours) to guess them all, assuming the bad guy knows nothing about the WPS pin code. Looking at the firmware, Craig Heffner found that on many Belkin routers, the WPS pin code is derived from the LAN MAC address and the serial number of the router. That could make it reasonably random, but there is a fatal flaw: 802.11 probe response packets include the serial number in the WPS information element. Since WiFi probe request/response packets are not encrypted, a single probe provides all the inputs to the formula that creates the WPS pin code. 24 Belkin routers were tested and 80% of them were using the algorithm Heffner found in the firmware for their WPS pin code. These routers can now be hacked, via WPS, in seconds: F9K1001v4, F9K1001v5, F9K1002v1, F9K1002v2, F9K1002v5, F9K1103v1, F9K1112v1, F9K1113v1, F9K1105v1, F6D4230-4v2, F6D4230-4v3, F7D2301v1, F7D1301v1, F5D7234-4v3, F5D7234-4v4, F5D7234-4v5, F5D8233-4v1, F5D8233-4v3 and F5D9231-4v1. And this is not limited to Belkin; it appears to be specific to Arcadyan, an ODM for many companies.
Arris/Motorola SURFboard SBG6580 Series gateways have 3 flaws
CSRF, Backdoor, and Persistent XSS on ARRIS / Motorola Cable Modems
by Tod Beardsley of Rapid7 April 8, 2015
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary website to take control of the modem, even if the user is not currently logged in. These bugs were discovered by independent security researcher Joe Vennix. Although the article refers to the SURFboard SBG6580 as a "modem" it is, in fact, a gateway device. That is, it combines the functions of both a router and a modem. It also refers only to the "web interface" of the device without differentiating between LAN and WAN side access, so it's not clear if the device can be remotely exploited. It seems that all exploits are LAN side. Reading between the lines, it also seems that Arris never responded to the bug reports. The timeline says that they were contacted roughly 2.5 months prior to public disclosure of the flaws and then nothing about their response. The workarounds do not say to upgrade the firmware, so I have to guess that Arris blew the guy off. Keep this in mind the next time you shop for an Arris/Motorola device. The backdoor flaw is a hard coded userid/password for logging in to the device. Userid: technician Password: yZgO8Bvj. Anyone taking my recommendations would have been immune to this attack as it requires knowing the LAN side IP address of the router.
Bell routers in Canada have guessable WiFi passwords
Bell's Default Password Policy Leaves Tens of Thousand of Users Exposed
by Viktor Stanchev April 6, 2015
The default WiFi passwords, set by Canadian ISP Bell on their gateway devices, are short enough that they can be brute forced in a few days. Reminds me of WPS. The passwords are 8 hex characters. With hashcat and good hardware the password could be brute forced in less than 12 hours. Stanchev used lower end hardware which took him 3 days. This is not the first issue with default WiFi passwords set by an ISP. You should change all default passwords set by your ISP. Better yet, don't use any hardware from an ISP.
Hotel router rsync flaw - Things do not get much worse than this
Wi-Fi router security hole: will this be the Ultimate Pwnie Award Winning Bug for 2015?
By Paul Ducklin of Sophos March 30, 2015
This is as bad as a bug can get - simple to exploit and unlimited in what it lets a bad guy do. ANTlabs InnGate devices are routers used by hotels and convention centers to run guest/visitor networks. They have a misconfigured rsync service that lets a bad guy connect to TCP port 873 using rsync and then read and write any file on the device. No password needed. There is no end to the number of bad things an attacker might do. The flaw was discovered by Justin W. Clarke of Cylance Inc. Scanning the Internet, Cylance found 277 InnGate devices in 29 countries. They found vulnerable devices belonging to 8 of the world's top 10 hotel chains. This is, however, the tip of the iceberg as vulnerable devices behind a firewall can likely be exploited from the hotel's local network. A fix was issued by ANTlabs at the time the flaw was made public. The defense here is nothing new: when traveling always use a VPN. Period.
Google Analytics abused to inject ads and porn
Ad-Fraud Malware Hijacks Router DNS - Injects Ads Via Google Analytics
by Sergei Frankoff of Sentrant (previously Ara Labs) March 25, 2015
Vulnerable D-Link DSL routers in the UK
Some UK TalkTalk D-Link DSL-3680 Routers Vulnerable to DNS Hijack
By Mark Jackson of ISPreview March 27, 2015
A couple of TalkTalk customers noticed that the DNS servers in their D-Link routers had been changed. The problem affects model DSL-3680 with remote administration enabled. Exploiting the routers is trivially easy: all you need to know is a secret URL and the public IP address of the router. Quoting: "The exploit appears as if it could stem from a vulnerability that we first reported on in January 2015 (here), which affected a number of D-Link routers, although D-Link has been hit by similar exploits over the past few years and so that it is hard to know which one is the actual culprit. On top of that D-Link appears to be of the viewpoint that the 3680 is not vulnerable to such an attack, yet the code used to perform it is almost identical to the one we covered earlier this year."
Multiple bugs in multiple ADSL routers
At least 700K routers given to customers by ISPs can be hacked
By Lucian Constantin IDG News Service March 19, 2015
Quoting: "More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Most of the routers have a "directory traversal" flaw...that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models. Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers ... On some devices, downloading the config.xml file doesn't even require a directory traversal flaw; just knowing the correct URL to its location is enough ... around 60 percent have another flaw, a hidden support account with an easy-to-guess hard-coded password."
These routers were only discovered because they can be attacked remotely. Others may be vulnerable from the LAN side. Among the vulnerable devices are routers from ZTE, D-Link, Sitecom, FiberHome, Planet, Digisol and Observa Telecom. The vast majority of buggy routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics. Attempts to notify the company went unanswered.
D-Link and TRENDnet bugs getting fixed
Security Advisory SAP10052
by D-Link initial: March 2, 2015 updated: March 16, 2015
There are three separate bugs; see the Feb. 2015 section below, the item attributed to Peter Adkins. One flaw allows unauthenticated access from the local network. If remote administration is enabled, then it also allows unauthenticated access remotely. The third bug is a drive-by CSRF. The affected routers are: D-Link DIR-636L, D-Link DIR-808L, D-Link DIR-810L, D-Link DIR-820L, D-Link DIR-826L, D-Link DIR-830L, D-Link DIR-836L and the TRENDnet TEW-731BR. Other models thought to be affected: D-Link DIR-651, TRENDnet TEW-651BR, TRENDnet TEW-652BRP, TRENDnet TEW-711BR, TRENDnet TEW-810DR and the TRENDnet TEW-813DRU.
Yet another attack on router passwords
Snoops Through Your Home Network
by Kenney Lu of Trend Micro March 9, 2015
New malware, detected as TROJ_VICEPASS.A, pretends to be an Adobe Flash update. When run, it attempts to connect to the router using a pre-defined list of user names and passwords. It does not limit itself to just the default userids and passwords of common routers. The full list is in the article. If the malware can get into the router, it scans the network looking for connected devices, sends this data back to the mother ship and then deletes itself. It does not detect the IP range of the router, instead it scans only 192.168.[0-6]. For each of these 7 networks it only looks for a final digit between 0 and 11. So, as advised elsewhere on this website, using a non-standard range of IP addresses would have foiled this. Also note that better routers let you change both the userid and the password. Less secure routers only let you change the password.
Security in routers stinks - and some reasons why
Broadband routers: SOHOpeless and vendors don't care
by Darren Pauli March 5, 2015
"Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing.". First rule of doing a bad job: say nothing -- The Register received no response from major routers vendors when we asked about the lack of security in their products. One good point made here is that features are a common enemy of security.
Routers from multiple companies have a back door
Rogue Router Firmware Chaos Backdoor
by Bijay Limbu Senihang February 22, 2015
Even after changing the router password, you can still log in with userid "super" and password "super" to routers from these companies: TrendNet, Digicom, Alpha Network, Pro-Link, Planet Networks, Bless, Realtek, Blue Link and SmartGate. This is exploitable over the Internet as shown in this video.
CSRF flaw in multiple D-Link and TRENDnet routers
D-Link / TRENDnet ncc2 CSRF / Unauthenticated Access
by Peter Adkins February 27, 2015
"D-Link initially responded on their security contact within a week. However, after I had provided write ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last ditch effort to reestablish contact, however I was linked back to the same security reporting process I had followed initially."
In other words: go away kid, don't bother me.
Brazilian attack on default passwords
Spam Uses Default Passwords to Hack Routers
by Brian Krebs February 26, 2015
Security firm Proofpoint has detected malicious emails targeting Brazilian Internet users. The emails appear to come from a Brazilian ISP and the scam has to do with an unpaid bill. The emails exploit known vulnerabilities in routers from UT Starcom and TP-Link to change the DNS servers, a very common thing for bad guys to do. An interesting wrinkle is that instead of providing two malicious DNS servers they only provide one and set Google's public DNS (22.214.171.124) as the secondary.
Three Singapore routers vulnerable to multiple flaws
Up to 32,000 could be affected by wireless router vulnerabilities: Security firm
By Kevin Kwang Feb 26, 2015
Security company Vantage Point reports that three routers have "critical vulnerabilities". Zhone routers have three types of flaws: Remote Code Execution, Privilege Escalation and Admin Password Disclosure. An Aztech router is vulnerable to Remote Command Injection. An Asus router is vulnerable to Authentication Bypass and Cross-Site Scripting. There are no known attacks so far. Up to 32,000 subscribers in Singapore may be vulnerable. The most interesting part of the article is a quote from the researcher that discovered the bugs: "There are many routers with many different kinds of firmware on the market. The problem is that when the firmware is developed in-house by the vendor, security is often an afterthought". This supports my recommendation to avoid all consumer class routers.
Netgear routers FTP flaw
of Netgear routers accessible via FTP by anyone - second issue in a week
by Jan Willem Aldershoff February 24, 2015
Quoting: "Thousands of Netgear routers with Network Attached Storage (NAS) can be freely accessed by anyone without permission of the owner. Netgear's WNDR4700 routers run an outdated version of the ProFTPd FTP server which not only allows logging-in anonymously, but also contains a vulnerability that allows an attacker to remotely execute code on the router ... By simply logging in anonymously with a FTP client an attacker (and pretty much anyone who knows how to work with a FTP client) can get full write and read permission."
This is the only article on the topic I have seen. It's not clear whether other Netgear routers are also vulnerable.
Netgear routers SOAP flaw
Netgear routers leak passwords using nothing more than malicious HTTP requests
by Lucian Constantin IDG News Service February 16, 2015
Bad guys can learn the administrator password and wireless passwords along with details of the router such as the model, serial number and firmware version. The flaw can be exploited from the LAN side and, if remote administration is enabled, also from the outside/Internet/WAN. The bug is with validation (or the lack of such) of the SOAP protocol used to communicate with the router. A bad guy just has to send HTTP requests with a blank form and a "SOAPAction" header to exploit the flaw. The vulnerability is confirmed in four Netgear routers and may well exist in other models too. The worst part of this story is trying to contact Netgear:
"Peter Adkins, the researcher who found the flaw, claims that he contacted Netgear but that his attempts to explain the nature of the issue to the companys technical support department failed."
The only defense, for now, is not to use a Netgear router. This confirms my recommendation to avoid consumer routers.
Duplicate SSH keys in Spain
of thousands of home routers at risk with duplicate SSH keys
by Jeremy Kirk IDG News Service February 19, 2015
Hundreds of thousands of home routers running SSH have identical private and public keys. This comes from John Matherly of the Shodan search engine. In Spain, over 250,000 devices, deployed by Telefonica de Espana, and running the Dropbear SSH software, have the same keys. Another Shodan search found 150,000 devices, mostly in China and Taiwan, with identical keys. It is questionable whether SSH should be running on a home router in the first place. Some routers let you turn it off; if yours does, then do so. Disabling remote administration will probably not help here, but the subject did not come up in any of the articles I read.
Pirelli routers totally open to hacking
Is Your ISP Making Your Home
by Christian Cawley at MakeUseOf January 31, 2015
This is as bad as it gets. The administration web pages of Pirelli routers are visible from the Internet and no password is needed to make changes. The routers were supplied by a Spanish ISP which has not responded to the problem. Quoting: "... security researcher Eduardo Novella discovered that Pirelli P.DGA4001N routers have a rather worrying bug. It's around two years since Novella made the discovery, and in the meantime he has been patiently waiting for something to be done about it. Sadly, it's still there. The bug is so simple to exploit that you don't even need to be able to code in order to use it. All you need to do is enter the web-facing IP address of a router, suffix it with wifisetup.html (so something like 111.222.333.444/wifisetup.html) and you can start playing around with the router configuration."
Bug in ZynOS used by D-Link, TP-Link and ZTE
DNS hijacking vulnerability affects D-Link DSL router, possibly other devices
by Lucian Constantin January 27, 2015
Todor Donev, member of a Bulgarian security firm called Ethical Hacker, says that a flaw in ZynOS can lead to an ever-popular DNS hijack in a router. He confirmed the flaw in a DSL router from D-Link but the vulnerability is actually in ZynOS, a router firmware developed by ZyXEL Communications that is used by multiple vendors, including D-Link, TP-Link Technologies and ZTE. Vulnerable devices can be hacked remotely if remote administration is enabled. They can also be hacked from the LAN side. There were no fixes offered when this became public. None of the articles mentioned a way to test if a router is vulnerable.
Hacked Routers used in Denial of Service Attacks
Lizard Stresser Runs on Hacked Home Routers
by Brian Krebs January 9, 2015
Quoting: "The online attack service launched late last year by the same criminals who knocked Sony and Microsoft's gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers..." New terminology (at least to me): a website offering DDoS as a service is known as a "booter" or "stresser" site.
Asus infosvr vulnerability
Asus router? Someone on your network can probably hack it
by Dan Goodin of ArsTechnica January 8, 2015
Anyone connected to your LAN can gain control of an Asus router simply by sending a single packet to the router. Ouch. The bug is in virtually all versions of the firmware. The vulnerable software is the infosvr service, which listens for connections on UDP port 9999 on the LAN side. The bug lets an unauthenticated LAN side user execute commands in the router as the root user. This is not exploitable from the WAN side of the router. Infosvr runs as root and is used for device discovery using the "ASUS Wireless Router Device Discovery Utility". Many of us could live without this service. Joshua Drake, research director at Accuvant, first publicized the flaw. He suggests updating to firmware version 126.96.36.199.376.3754 or later. It's not clear if firewalling the port is a valid work-around.
Two vulnerabilities in routers from an Algerian ISP
A vulnerability and a hidden admin account all inside SITEL DS114-W routers!
by Nasro January 4, 2015
The routers have a session management vulnerability. When someone logs in to the router, multiple sessions are initialized, giving an attacker access to the router, without knowing the password, with a simple brute force attack. Also, the routers are shipped with a backdoor account. This was found in a configuration file. The routers are provided by Algerian ISP "Djaweb". The vendor was notified but did not respond.