Router Security: Router Bugs, Flaws, Hacks and Vulnerabilities
Website by Michael Horowitz

If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck. Below is what I base this opinion on. This list is far from complete.

You may be thinking that all software is buggy but router software is probably worse. One reason for this is your ISP, which may have configured the router/gateway in an insecure way, either on purpose to allow spying or out of laziness or incompetence. Another reason is cost: router software is developed as cheaply as possible. Security is not the prime directive. You can tell this just by looking at the box a router ships in. None of them brag about security.

Many others have also pointed out the sad state of consumer router software/firmware.

Be sure to read about the port 32764 issue from January 2014 and April 2014. The way the backdoor was hidden again after being discovered shows that someone is keeping back doors in routers on purpose, and hiding them really well. Another flaw not to be missed is the Misfortune Cookie from December 2014. Some huge flaws do not yet get their full due here. WPS, for one. WPS is like having a "hack me" sign on your back and yet it's required for a router to be certified by the Wi-Fi Alliance. Another huge flaw was the one with UPnP.

2016

MAY 2016

Industrial company Moxa has buggy routers

Serious Vulnerabilities Found in Moxa Industrial Secure Routers
by Eduard Kovacs of Security Week   May 19, 2016
Frankly, I had never heard of Moxa. The article calls them an "Industrial networking, computing and automation solutions provider" and says that their EDR-G903 series is an industrial router used in the United States, Europe and South America. Multiple high severity flaws, that can be exploited remotely, were discovered in January by Maxim Rupp. Configuration files store passwords in plain text. Both configuration and log files can be accessed with a specific URL by an unauthenticated attacker. A remote attacker can also cause the device to enter a DoS condition by sending it malicious requests. Patches have been issued, but they have not yet been verified to work.

Another business class company, Ubiquiti, has bugs

Worm infects unpatched Ubiquiti wireless devices
by Lucian Constantin of IDG News   May 20, 2016
Quoting: "Routers and other wireless devices made by Ubiquiti Networks have recently been infected by a worm that exploits a year-old remote unauthorized access vulnerability. The attack highlights one of the major issues with router security: the fact that the vast majority of them do not have an auto update mechanism and that their owners hardly ever update them manually." The bug has been fixed, but devices were not updated with patched firmware. The Resources page of this site lists routers that can self-update. Affected devices include the airMAX M Series, AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber. The bug was easy to exploit. The latest worm creates a backdoor account, then adds a firewall rule that blocks legitimate administrators from accessing the Web-based management interface.

26 bugs in Aruba Networks devices

Aruba fixes networking device flaws
by Lucian Constantin of IDG News Service   May 9, 2016
The interesting part of this story is that all the bugs were found by Google. The last time I was in a Google office, I noticed that they use Aruba for their Wi-Fi. The vulnerabilities affect ArubaOS, Aruba's AirWave Management Platform (AMP) and Aruba Instant (IAP). The 26 issues range from privileged remote code execution to information disclosure, an insecure updating mechanism and insecure storage of credentials and private keys. Under certain circumstances, attackers can compromise devices. There are also design flaws in an Aruba proprietary management and control protocol dubbed PAPI.

APRIL 2016

Malware changes router DNS settings

Mobile Devices Used to Execute DNS Malware Against Home Routers
by Chisato Rokumiya of Trend Micro   April 11, 2016
Trend Micro discovered a JavaScript based router attack that originated in December 2015. For whatever reason the malicious code only runs from websites loaded by mobile devices. The malware targets routers from D-Link, TP-LINK, ZTE and perhaps others as the code is constantly changing. There are two infection vectors. The first is brute force: the malware tries 1,400 combinations of popular or default userids/passwords. It also targets "a specific vulnerability that currently exists in ZTE-based routers." The malware has been seen world-wide with the top countries being Taiwan, Japan, China, the United States, and France. This type of brute force attack is to be expected. It is why, on the home page of this site, changing the router password is the first suggestion. And, it is why I also suggest changing the userid used to log on to the router, when possible.

Quanta routers have every bug ever made

Multiple vulnerabilities found in Quanta LTE routers
by Pierre Kim   April 4, 2016
Quoting: "Quanta Computer Incorporated is a Taiwan-based manufacturer of electronic hardware. It is the largest manufacturer of notebook computers in the world. The Quanta LTE QDH Router device is a LTE router / access point overall badly designed with a lot of vulnerabilities. It's available in a number of countries to provide Internet with a LTE network." Some of the bugs that Kim found: hardcoded SSH server key, backdoor accounts, router DoS, web interface information leak, two remote code execution flaws, two backdoors, two flaws with WPS, remote firmware over the air, arbitrary file browsing and reading, etc. The buggy firmware seems to be used in many routers. My favorite part was Mr. Kim's opinion: "... at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor." The company will not fix any of these bugs. As I say elsewhere on this site, avoid all consumer routers.

MARCH 2016

Telnet being abused by Remaiten bot

Your Linux-based home router could succumb to a new Telnet worm, Remaiten
by Lucian Constantin of IDG News Service   March 31, 2016
Remaiten is a new worm, discovered by ESET, that infects routers and other devices by taking advantage of weak Telnet passwords. The page on this site that lists services many/most people should turn off on their routers includes Telnet. The software, also called KTN-Remastered, connects to random IP addresses on port 23. When a Telnet server is found, the software tries to log in with assorted common passwords. The bot supports a variety of denial-of-service attacks. The Test Your Router page on this site links to assorted firewall testers that can tell you if your router has exposed a Telnet server.

Netgear router password flaw

Optus cable routers let anyone change passwords, says tech
by Darren Pauli of The Register   March 17, 2016
There is a password flaw in the web interface of Netgear CG3000v2 gateways (combo router/modem/telephone adapter) provided by Australian ISP Optus. Specifically, the SetPassword.asp page, which prompts for the old and new password, ignores the old password and sets the new one regardless. Anyone who can reach the page can take over the admin account. The flaw was discovered by Paul Szabo of the University of Sydney. When he informed both Netgear and Optus, they ignored him. Back in April 2014, this same Netgear box was the subject of another security flaw: it had both Telnet and SSH active with the same default password on every box. See Default password leaves tens of thousands of Optus cable subscribers at risk. Yet more proof not to use hardware provided by an ISP.

Modems can be buggy too

Cisco patches serious flaws in cable modems and home gateways
by Lucian Constantin of IDG News Service March 10, 2016
Quoting: "Cisco Systems has patched high-impact vulnerabilities in several of its cable modem and residential gateway devices ... The embedded Web server in the Cisco Cable Modem with Digital Voice models DPC2203 and EPC2203 contains a buffer overflow vulnerability that can be exploited remotely without authentication ... [the] Cisco DPC3941 Wireless Residential Gateway with Digital Voice and Cisco DPC3939B Wireless Residential Voice Gateway are affected by a vulnerability that could lead to information disclosure [by] an unauthenticated, remote attacker ... The Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA is affected by a separate vulnerability ... that could lead to a denial-of-service condition."

FEBRUARY 2016

A ton of new router flaws discovered

New firmware analysis framework finds serious flaws in Netgear and D-Link devices
by Lucian Constantin of IDG News Service   Feb 29, 2016
Been there, done that. Once again, a group of researchers looked at many router firmwares and found a ton of bugs. The bug hunting was done with a framework called FIRMADYNE built by Daming Chen, Maverick Woo and David Brumley from Carnegie Mellon University and Manuel Egele from Boston University. They found 887 firmware images that were vulnerable to at least one of 74 known exploits. They also found 14 previously unknown vulnerabilities in 69 firmware images used by 12 products. The web management interface of six Netgear devices (WN604, WN802Tv2, WNAP210, WNAP320, WNDAP350 and WNDAP360) contains several pages that can be accessed without authentication and could allow attackers to pass input directly to the command line. In addition, the Netgear WN604, WNAP210, WNAP320, WND930, WNDAP350 and WNDAP360 also include web pages that can be accessed without authentication and they expose the WPS PIN code. WPS bad. As for D-Link, the web server used in the D-Link DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2660, DAP-2690 and DAP-2695 has a buffer overflow vulnerability that can be triggered when processing a cookie. And more. Six other devices (the D-Link DAP-1353, DAP-2553 and DAP-3520 and the Netgear WNAP320, WNDAP350 and WNDAP360) expose wireless passwords and admin credentials over SNMP. Perhaps the most important issue here is that D-Link never responded to the researchers' reports of these bugs. Netgear will have fixes out by mid March.

FTC goes after ASUS routers for bad security

ASUS Settles FTC Charges That Insecure Home Routers and "Cloud" Services Put Consumers' Privacy At Risk
by the FTC   February 23, 2016
The security of ASUS routers was flawed in many ways. What seems to have brought the U.S. Government down on them were the flaws in the security of storage devices plugged into a USB port on the router. The two features are called AiCloud and AiDisk. The bugs are listed on the bugs page of this site. The password protection was easy to bypass, so much so that good guys would leave messages for people warning that their router was easily hacked. All this while ASUS was bragging about how secure this was. Manuals suggested that users all use the same userid and password. The FTC claims that ASUS did not take reasonable steps to secure the software on their routers. Then too, the usual behavior from consumer router companies: ignoring reports of bad security for months on end and, even when updated firmware is finally made available, the router incorrectly reports that there is no available update. ASUS agreed to independent security audits every two years for the next 20 years. In summary, more proof of my argument that all consumer routers should be avoided.

A warning about configuring Asus routers

Poor UX leads to poorly secured SoHo routers
by David Longenecker blogging at Security For Real People   Feb. 7, 2016
Asus routers with an RT in the model name suffer from a user interface design flaw. If the firewall is disabled, remote administration (which Asus calls "Web Access from WAN") is enabled, even if remote administration is specifically disabled by the user. That is, the firewall setting overrides the remote admin setting and nothing about this is externalized to the end user. Longenecker stumbled across this by accident while checking his public IP address in Shodan. He found over 135,000 Asus wireless routers that can be logged into from the Internet. I take this as yet another reason to always change the remote admin port number, even if you have disabled remote administration.

Building router hacked

Building automation systems are so bad IBM hacked one for free
by Darren Pauli of The Register   Feb 11, 2016
Quoting: "An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security ... they found exposed administration ports ... gaining access to a D-Link panel enabled to allow remote monitoring ... by adding an extra carriage return after the page request it was possible to bypass the router's authentication. They found command injection vulnerabilities in the router and found a list of commands in the firmware source code. They found a cleartext password in the router's var directory that not only granted more router pwnage but, thanks to password-reuse, allowed them to compromise the building management system." No mention of who made the router, let alone a model number.

Two issues in Cambium Networks ePMP1000 router

CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of CARI.net Feb. 5, 2016
SNMP is enabled by default and the default configuration has community strings "public" and "private" for read and write respectively. This allows a remote attacker to potentially reboot the device using the SNMP write community. There are also multiple default userids and passwords and SSH is enabled by default. The default user/password admin/admin is allowed unrestricted access via SSH. Three additional userid/password pairs are installer/installer (an admin), home/home (read-only) and read-only/read-only (also read-only).
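To see what a default community string hands over, here is an added example (not code from CARI.net or from Cambium) that builds an SNMPv1 GetRequest for sysDescr.0 by hand, parses the GetResponse, and probes a host with the two community names named above. The packet layout follows RFC 1157; the host, port and timeout are the caller's to supply, and the sysDescr text in the sample response is constructed.

```python
"""Probe an SNMPv1 agent for default community strings (added example, RFC 1157 framing)."""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # sysDescr.0: a harmless read-only object
DEFAULT_COMMUNITIES = ("public", "private")  # the two defaults named in the CARI.net write-up
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2       # context-specific PDU tags from RFC 1157


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _integer(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_pdu(community, oid, pdu_type=GET_REQUEST, request_id=1, value=b"\x05\x00"):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU }. Value defaults to ASN.1 NULL."""
    varbind = _tlv(0x30, _oid(oid) + value)
    pdu = _tlv(pdu_type, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community, oid, value, request_id=1):
    """What an agent answers when the community is accepted (used here to construct a sample)."""
    return build_pdu(community, oid, GET_RESPONSE, request_id, _tlv(0x04, value))


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(packet):
    """Return (community, error_status, octet_string_value) from a GetResponse, else None."""
    try:
        tag, msg, _ = _read_tlv(packet)
        if tag != 0x30:
            return None
        _, _version, pos = _read_tlv(msg)
        _, community, pos = _read_tlv(msg, pos)
        pdu_tag, pdu, _ = _read_tlv(msg, pos)
        if pdu_tag != GET_RESPONSE:
            return None
        _, _rid, pos = _read_tlv(pdu)
        _, err, pos = _read_tlv(pdu, pos)
        _, _eidx, pos = _read_tlv(pdu, pos)
        _, vblist, _ = _read_tlv(pdu, pos)
        _, vb, _ = _read_tlv(vblist)
        _, _oid_bytes, pos = _read_tlv(vb)
        vtag, value, _ = _read_tlv(vb, pos)
    except (IndexError, ValueError):
        return None                               # truncated or malformed reply
    status = int.from_bytes(err, "big", signed=True)
    return community.decode(errors="replace"), status, (value if vtag == 0x04 else None)


def probe_default_communities(host, port=161, timeout=2.0):
    """Send one GetRequest per default community; return the ones the agent answers."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for rid, community in enumerate(DEFAULT_COMMUNITIES, start=1):
            sock.sendto(build_pdu(community, SYS_DESCR_0, request_id=rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue   # SNMPv1 agents silently drop requests with a wrong community
            parsed = parse_response(data)
            if parsed and parsed[0] == community and parsed[1] == 0:
                hits.append((community, parsed[2]))
    return hits
```

Run `probe_default_communities("192.0.2.1")` only against a device you are allowed to test. A hit on "public" proves read access; a hit on "private" proves the write community is at least accepted. Confirming write access takes a SetRequest (tag 0xA3 in the same framing), which on the device above is the path to a remote reboot, so do not send one to production gear. A wrong community gets no reply at all, which is why a timeout is treated as "no".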

Two issues in Ubiquiti AirOS and EdgeMax routers

CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of CARI.net Feb. 5, 2016
Mostly quoting: All current products have the default userid/password of ubnt/ubnt and have SSH enabled by default. The ubnt user also has sudo access via sudo -s. This gives remote attackers the ability to make changes ... This is very well known to attackers, and Ubiquiti devices make for a great target as they can support SOCKS proxying, and a wide variety of malware.
Mostly quoting: When an AirOS device switches back to factory defaults, it copies the /usr/etc/system.cfg to /tmp/system.cfg; saves and then reboots. An attacker ... can thus make changes to this default configuration to maintain persistence on a device ... current versions of the EdgeMax EdgeOS store the factory default configuration as well as other configurations in /opt/vyatta/etc/. An attacker can modify these configs, thus maintaining persistence across factory resets. Also, it would be very easy for a remote attacker to reset the device to defaults.

Mikrotik RouterOS default passwords

CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of CARI.net Feb. 5, 2016
Mostly quoting: A long standing problem in the Mikrotik RouterOS is the default username and password. All versions including the 6.34 release have default user of "admin" with no password ... many devices are compromised within the first few hours of being put on line. During our tests, a device with the username "admin" and no password was compromised within 15 minutes and had 9 unique pieces of malware running within 20 minutes ... also allows SSH access without a password.

JANUARY 2016

Default TP-LINK router password needs only 70 guesses

The Wi-Fi router with a password that takes just 70 guesses
by Paul Ducklin of Sophos   January 27, 2016
Some TP-LINK routers have unique default passwords. But the passwords require, at most, 70 guesses. Most of the password is based on the publicly advertised MAC address of the router. The remaining byte has, in theory, 256 possible values, but some detective work showed where this byte comes from and it has only 70 possible values. Not the first time something like this has happened. Never use the default router password.

Another attack on the HNAP protocol

Threat Group Uses Dating Sites to Build a Botnet of Vulnerable Home Routers
by Catalin Cimpanu of Softpedia   Jan. 21, 2016
Some dating websites are spreading a worm to their visitors, infecting their routers and adding them to a botnet. The worm is a new variant of TheMoon, which was first discovered in February 2014. It takes advantage of weaknesses in the Home Network Administration Protocol (HNAP). An iframe checks to see if the router supports HNAP. If so, it calls home, informing its creators of the good news. Then a second URL delivers the worm, which is a Linux ELF binary. The worm prevents users from using some inbound ports, and opens outbound ports through which it spreads to other routers. If you take the advice offered here, you would be safe from this because it only looks for the usual suspects regarding the router's IP address.

Asus routers may never log you off

Administrator logout flaw in ASUS wireless routers
by David Longenecker blogging at Security for Real People   January 19, 2016
One item on my router security checklist is that a router should log you off after a certain period of time. Prior to April 2014, Asus did not offer this feature. Now they do; however, they do it wrong. Longenecker found that ASUS routers, up to and including firmware from Dec 29, 2015, rely on JavaScript in the browser to enforce the auto-logout function. This means if you close the browser window without logging off, the router will keep you logged in forever (really, until the router reboots). The same holds if JavaScript is blocked in the browser. If you have an ASUS router be sure to always log yourself off. Furthering my argument to avoid consumer routers is the fact that Longenecker first reported this to ASUS in December 2014 and they never bothered fixing it.
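The ASUS logout flaw here and the Netgear CG3000v2 SetPassword.asp flaw above come down to the same thing: the router trusts the browser to enforce a rule. Here is an added example (not ASUS or Netgear code) of the server side doing it instead. Sessions expire on the router's own clock regardless of what the browser does, a password change requires the old password, and every session is invalidated once the password changes. The ten-minute idle timeout, the PBKDF2 parameters and the user name are assumptions for the example.

```python
"""Server-enforced admin sessions and password changes (added example, not vendor code)."""
import hashlib
import hmac
import os
import secrets

IDLE_TIMEOUT = 10 * 60   # seconds; an assumed value, not any vendor's default


class RouterAdmin:
    """Minimal admin-account model: one user, salted PBKDF2 hash, server-side session table."""

    def __init__(self, username, password, idle_timeout=IDLE_TIMEOUT):
        self.username = username
        self._salt, self._hash = self._derive(password)
        self.idle_timeout = idle_timeout
        self._sessions = {}   # token -> last activity timestamp (seconds)

    @staticmethod
    def _derive(password, salt=None):
        salt = salt or os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _verify(self, password):
        _, candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)   # constant-time compare

    def login(self, username, password, now):
        """Return a session token, or None. Never reveal which of user/password was wrong."""
        if username != self.username or not self._verify(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = now
        return token

    def is_authenticated(self, token, now):
        """The timeout lives here, on the router, not in browser JavaScript."""
        last = self._sessions.get(token)
        if last is None:
            return False
        if now - last > self.idle_timeout:
            del self._sessions[token]        # closing the tab or blocking JS changes nothing
            return False
        self._sessions[token] = now          # sliding idle window
        return True

    def change_password(self, token, old_password, new_password, now):
        """The check SetPassword.asp skipped: the old password must verify."""
        if not self.is_authenticated(token, now):
            return False
        if not self._verify(old_password):
            return False
        self._salt, self._hash = self._derive(new_password)
        self._sessions.clear()               # a credential change ends every session
        return True

    def logout(self, token):
        self._sessions.pop(token, None)
```

A real firmware would also want a failed-login delay or lockout against the brute-force malware described above, but the two checks shown are the ones both vendors got wrong.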

A hard coded SSH password found in Fortinet devices

Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears
by Dan Goodin of Ars Technica   Jan 12, 2016
The hard coded SSH password was FGTAbc11*xy+Qqz27 and it was active in 2013 and 2014. Fortinet says it is not a backdoor, writing: "This issue was resolved and a patch was made available in July 2014 as part of Fortinet's commitment to ensuring the quality and integrity of our codebase. This was not a 'backdoor' vulnerability issue but rather a management authentication issue." In response, the top promoted comment at Ars says: "So they're saying there was no malice, just an astounding level of incompetence in the area in which they are supposed to be experts?". Fortinet said nothing to their customers when they disabled the password in 2014. And, it appears they never removed it. Ars was told by a researcher that the password is still in the firmware.

FRITZ!Box vulnerable on the LAN side but fixes are available

FRITZ!Box home broadband routers' security FRITZed
by Richard Chirgwin of The Register   Jan. 12, 2016
FRITZ!Box routers are popular in Germany and Australia. German security company RedTeam Pentesting found that program dsl_control listens for commands on TCP port 8080 on the LAN side. They then found that with the right SOAP request the program offers up a list of the commands that it supports, and, that it will execute these commands without authorization. Come and get it, open to all. Perhaps technically, this is not remotely exploitable, but LAN side attacks can be executed from malicious web pages loaded by a LAN side device. The flaw lets a bad guy gain root access. The bug was found in Feb. 2015 but was not made public to give the vendor time to create and distribute a fix. FRITZ!Box routers can self-update and new firmware is available. All told, well handled by everyone involved.

2015

DECEMBER 2015

pfSense is no magic bullet

New Features and Changes in v2.2.6
by pfSense   December 21, 2015
Lots of bugs were fixed in this release, including: multiple vulnerabilities in OpenSSL, a Local File Inclusion vulnerability in the WebGUI, a SQL Injection vulnerability in the captive portal logout, multiple XSS and CSRF vulnerabilities in the WebGUI and two other captive portal bugs. Unlike consumer routers however, it seems that pfSense includes updated component software, a good thing. For example, it is noted that upgrading the included strongSwan to v5.3.5 fixes several bugs.

High End Routers from Juniper hacked twice

Juniper warns about spy code in firewalls
by Jeremy Kirk of IDG News Service   Dec. 17, 2015
Two hacks were discovered by Juniper themselves in an internal review. What prompted the review is unknown. The first hack was a hard-coded master password that could allow remote administrative access to a ScreenOS device over Telnet or SSH. The second hack had to do with random numbers generated by the Juniper VPN server. By making them not-so-random, a spy agency able to monitor Internet backbone traffic could decrypt everything inside the VPN without being detected. The hard-coded master password has been present since 2012 or 2013. Juniper is a very high end company. These attacks show how valuable it can be to gain control over a router.

Multiple bugs in multiple Cisco Routers

Cisco Warning of Vulnerabilities in Routers, Data Center Platforms
by Chris Brook of Kaspersky Threatpost   December 9, 2015
Cisco published five advisories, each marked as "medium" severity. The EPC3928 is a wireless residential gateway that does a poor job validating input, which opens it up to XSS attacks. It also has an authentication bug that lets an attacker send a malicious HTTP request to execute some admin functions without authentication. Another residential gateway, the DPQ3925, is vulnerable to a CSRF attack. If a victim clicks on a malicious link, they could submit arbitrary requests to the device via a web browser. Finally, the DPC3939 router has a bug in its web interface that could allow an attacker to execute arbitrary commands on the system.

Linksys ignores router bug report

Linksys routers vulnerable through CGI scripts
by Richard Chirgwin of The Register   December 8, 2015
A security company, KoreLogic, has disclosed bugs in the Linksys EA6100-6300 routers. It's not clear to me how many routers are vulnerable. Buggy scripts in the web-based administrative interface provide an attacker with unauthenticated access, which, in turn, lets the bad guy learn the router's administrative password. A very interesting aspect of this bug is the timeline that KoreLogic reported. They submitted the details multiple times to Linksys and never heard back. Thus we learn how much Linksys cares about the security of their routers.

NOVEMBER 2015

Arris cable modems have backdoors, bugs and hard coded passwords

Backdoor In A Backdoor Identified in 600,000 Arris Modems
by Chris Brook of ThreatPost November 23, 2015
Thousands of Arris cable modems suffer from XSS and CSRF vulnerabilities, hard-coded passwords, and a backdoor in a backdoor. The problems were discovered by Brazilian researcher Bernardo Rodrigues (@bernardomr) who estimates that more than 600,000 externally accessible devices are vulnerable to the backdoor and that TG862A, TG860A, and DG860A modems are all affected. To me, the most important sentence in this article is "Rodrigues claims Arris was less than receptive when he first reported the flaws, but that CERT/CC proved helpful and aided in bringing them to the company's attention". I take this to mean they would have ignored this if they could. Next time I buy a modem, Arris is not on my shopping list. And, how do you update the firmware on a modem??

CSRF Bugs in the D-Link DIR-816L Router

D-link wireless router DIR-816L Cross-Site Request Forgery (CSRF) vulnerability
by Bhadresh Patel of HelpAG   Nov. 10, 2015
The good news is that cross-site request forgery (CSRF) bugs are harder for bad guys to exploit than unauthenticated flaws. The victim has to be logged in to the router (in one tab, say) and then load a malicious web page in the same browser; the browser attaches the router session to the forged request automatically. In that case, the flaws let bad guys submit commands to the DIR-816L router and gain control of it. A fix is available from D-Link.

600,000 Ubiquiti routers easily hacked - come and get em

The Omnipresence of Ubiquiti Networks Devices on the Public Web
by SEC Consult   November 5, 2015
Quoting: "There are ongoing in the wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices ... Most devices are located in Brazil (480,000), Thailand (170,000) and the United States (77,000)..." These flaws have been reported previously but the scope is new. Many ISPs ship Ubiquiti routers with Remote Administration enabled. This opens them up to HTTP/HTTPS and SSH access from the Internet. Ubiquiti blames the ISPs. If each ISP used a different TCP/IP port and gave customers unique passwords, no big woop. But, no. There are at least 600,000 vulnerable routers on the Internet. They also found 1.1 million Ubiquiti devices using a digital certificate whose private key is easily obtained from the firmware. This makes it easy for bad guys to find vulnerable routers to attack.

OCTOBER 2015

Multiple bugs in Cisco devices

Patch Cisco ASA ASAP: DNS, DHCPv6, UDP packets will crash them
by Shaun Nichols of The Register   October 23, 2015
Four bugs have been discovered in assorted Cisco routers, firewalls and other hardware in their Adaptive Security Appliance (ASA) line. Exploiting the flaws can render the hardware useless by forcing it to reset repeatedly. Either a specially crafted DHCPv6 packet or a DNS packet can cause the devices to reset. They can also be made to restart with a malicious UDP packet that exploits a flaw in the Internet Key Exchange protocol.

The German government agrees with me

German Govt mulls security standards for SOHOpeless routers
by Darren Pauli of The Register   October 21, 2015
The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to mine, routers will be given points for features that increase security. Sadly, the article says that "Routers that advise users of an available firmware update on login to the web admin interface are winners". So, having a router company email their customers when there is new firmware is something we can't even hope for? What this article does not mention is the background. In Germany, ISPs can currently (Nov. 2015) require their customers to use the router the ISP provides. This is expected to change in 2016, thus the need to review the security of newly available routers.

Still more bugs in ZHONE routers

Boffin's easy remote hijack hack pops scores of router locks
by Darren Pauli of The Register   October 11, 2015
For the second time this year, Vantage Point has warned of multiple security flaws in routers. The flaws are in Zhone routers provided to customers by an un-named major telco in Singapore. The buggy routers are also used by un-named companies around the world. Among the bugs is a remote zero day exploit that lets a bad guy totally hijack the router. Lyon Yang, who found the flaws, is quoted saying "When the ISP ships the router, it comes with a shitload of vulnerabilities". He also said that the remote hijacking is easily done. In all there are seven vulnerabilities. Interestingly, a remote hijack bug is in the router's ping functionality. Some of the bugs have been patched but the patches will never get installed. The ISP in question does not give their customers the userid/password needed to log on to the router, so they can't update the firmware.
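The remote hijack through the ping page here, the command injection the IBM team found (Feb. 2016, above) and the Netgear pages that FIRMADYNE flagged for passing input to the command line (also above) are the same bug: a diagnostic form field spliced into a shell command line. Here is an added example (not code from any of these vendors) showing the flawed pattern next to a handler that validates the target and runs ping without a shell. The three-packet count and the hostname rule are assumptions.

```python
"""Diagnostic ping: the injectable pattern beside a hardened one (added example, not vendor code)."""
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading/trailing hyphen
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(target):
    """What the flawed web pages effectively do: build one string for /bin/sh to parse.

    "8.8.8.8; reboot" becomes two commands; "$(...)" and backticks work too. Returned,
    never executed here, so the injection can be shown without running it.
    """
    return "ping -c 3 " + target


def ping_argv(target):
    """Accept an IP address or a plain hostname; return an argv list, never a shell string."""
    target = target.strip()
    try:
        ipaddress.ip_address(target)          # IPv4 or IPv6 literal
    except ValueError:
        if not _HOSTNAME_RE.match(target):    # anything else must look like a hostname
            raise ValueError(f"rejected ping target: {target!r}")
    # Validation already rules out a leading '-', so the target cannot be read as an option.
    return ["ping", "-c", "3", target]


def run_ping(target, timeout=15):
    """Run the validated command without a shell; returns (exit status, stdout)."""
    argv = ping_argv(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)  # shell=False
    return proc.returncode, proc.stdout
```

With the argv form, the metacharacters the attacker types reach ping as a single argument (ping then fails to resolve it), instead of reaching the shell. If a vendor's page must pass through a shell for some reason, `shlex.quote()` on the validated value is the fallback, but a shell-free call is the fix that does not depend on getting quoting right.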

Multiple bugs in multiple ZyXEL routers

ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities
by CERT   October 13, 2015
Vulnerability Note VU#870744. Several ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting. One issue shared by many models is a weak default password of "1234" for the admin account. In the worst case, these bugs can enable a remote unauthenticated attacker to modify the system configuration. The issues were reported to ZyXEL in Aug. 2015 and there are multiple responses. Some routers are too old and won't be fixed. Some bugs have already been addressed with new firmware and other bugs will be fixed later this month.

Multiple Netgear routers vulnerable if WAN administration enabled

Hackers exploiting 'serious' flaw in Netgear routers
by Zack Whittaker of ZDNet October 13, 2015
A techie discovered that his own router had been hacked: the DNS servers had been changed. The bug has been documented by both Compass Security and Shellshock Labs. It lets a bad guy get full remote unauthenticated root access, if WAN administration is enabled. Netgear released updated firmware for these routers: JNR1010v2, WNR614, WNR618, JWNR2000v5, WNR2020, JWNR2010v5, WNR1000v4 and WNR2020v2. Netgear customers will be informed of the update if they log on to their router, or, if they have the Netgear genie app installed.

A good worm infects routers

Home routers "vaccinated" by benign virus
by the BBC   October 2, 2015
According to Symantec the Wifatch worm has hardened more than 10,000 home routers against cyber-attacks. Non-techies should say thank you. The worm targets routers that have miserable security to begin with. Wifatch was first discovered in late 2014 and Symantec estimates that it has infected tens of thousands of routers. This is a good thing as Wifatch tries to disinfect routers that have been infected with malware. The source for Wifatch is available and it has no malicious components. In addition, Symantec has been monitoring it for months and has not seen any malicious actions. Heck, Wifatch even leaves a message on the router telling the owner to change the default passwords and update the firmware.

Huawei Bug fixes? Fuggedabowdit

Huawei routers riddled with security flaws won't be patched
by Zack Whittaker at ZDNet October 7, 2015
The Huawei B260a router is widely used by ISPs in Europe and Africa but it's old, so Huawei will not issue bug fixes for it. As I say elsewhere on this site, avoid all hardware from your ISP. Multiple security flaws were discovered by Pierre Kim. The flaws are as bad as it gets, allowing for overwriting the router firmware without authentication. The flaws are not limited to a single model (they never are); other devices in the B-series and E-series product lines are also buggy.

Bugs in the Huawei E3272 4G USB Modem

Remote code exec hijack hole found in Huawei 4G USB modems
by Darren Pauli of The Register   October 7, 2015
OK, it's a modem rather than a router, but I felt it was close enough to include here. Timur Yunusov and Kirill Nesterov of Positive Technologies found both a remote code execution flaw and denial of service vulnerabilities in the Huawei E3272 4G USB modem. Exploiting the bugs gives bad guys pretty much everything. The researchers report that "By exploiting detected flaws, an intruder can gain rights on a remote modem, take control over the computer connected to the vulnerable modem, and obtain access to the subscriber's account in the mobile operator's portal". In addition there are SMS attacks on the SIM card. The good news is the bugs have been fixed. The bad news is that I didn't see a link to updated firmware.

SEPTEMBER 2015

Cisco business routers hacked

Attackers slip rogue, backdoored firmware onto Cisco routers
by Lucian Constantin of IDG News Service September 15, 2015
Researchers from Mandiant have detected Cisco routers running malicious firmware. These are business routers, so this story does not really belong on this page, but it further illustrates the importance of router software. The attack, known as SYNful Knock, was found on 14 Cisco 1841, 8211 and 3825 routers in four countries. It is thought that rather than abusing a bug, the software was installed using stolen or default passwords. That Cisco has default passwords is disgraceful; even some consumer routers force you to choose a password at first boot.

Five bugs in the Belkin N600 DB router

Popular Belkin Wi-Fi routers plagued by unpatched security flaws
by Lucian Constantin of IDG News Service   September 1, 2015
The Belkin N600 DB router contains five bugs for which there are no practical work-arounds and, as yet (11 days after the first report), no fixes either. In fact, the Belkin website has nothing on the problem. I take that as all I need to know about using Belkin routers. In fairness, they did tell one reporter that they are working on fixes. As for the bugs themselves, one is a poor implementation of DNS which lets a man-in-the-middle (MITM) attacker respond to DNS queries and thus redirect victims to malicious websites. The router also checks for new firmware using HTTP, which can be manipulated by a MITM attacker. On the LAN side, the N600 does not, by default, require a password for accessing the management interface. And, even if you set a password, an attacker on the LAN can log in to the router without knowing the password. This is because the router performs authentication on the client side (in the browser) rather than on the server side. In addition, it is vulnerable to CSRF attacks on the LAN side. In my opinion, anyone using this router should just throw it away.

AUGUST 2015

More routers with hidden admin accounts

Some routers vulnerable to remote hacking
by Lucian Constantin of IDG News Service   August 27, 2015
Quoting: "Several DSL routers from different manufacturers contain a guessable hard-coded password that allows the devices to be accessed with a hidden administrator account ... the affected device models are: Asus DSL-N12E, Digicom DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and ZTE ZXV10 W300 ... For most of the routers, the username corresponding to the hard-coded password is admin, while for the PLDT SpeedSurf 504AN it's adminpldt ... The vulnerability is not new and was independently reported by separate researchers in 2014 for the ZTE ZXV10 W300 and in May for the Observa Telecom RTA01N." The passwords are different for each device and include the last four characters of the MAC address but this can be obtained. Telnet provides access to the routers.

Insecure routers being used for DDoS attacks

Attackers are using insecure routers and other home devices for DDoS attacks
by Lucian Constantin of IDG News Service August 18, 2015
"Attackers are taking advantage of home routers and other devices that respond to UPnP (Universal Plug and Play) requests over the Internet in order to amplify distributed denial-of-service attacks. A report released Tuesday by cloud services provider Akamai Technologies shows that the number of DDoS attacks is on the rise." Akamai points out that very few organizations have the infrastructure necessary to deal with DDoS attacks, and, of course, they sell the cure. SYN floods and Simple Service Discovery Protocol (SSDP) reflection were the most popular DDoS vectors. The use of SSDP for DDoS started in the last quarter of 2014. SSDP is part of UPnP which was intended to be used on Local Area Networks only. Despite this, many routers and other devices respond to SSDP queries over the Internet. How many? According to the Shadowserver Foundation, there are roughly 12 million IP addresses on the Internet that have an open SSDP service. You can't make this stuff up. You can test your router, from the inside, by visiting upnp-check.rapid7.com. A good result looks like this.
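To make the SSDP part of this concrete, here is an added example (my own illustration, not code from Akamai, Shadowserver or Rapid7): it builds the standard UPnP M-SEARCH discovery request, parses a reply, and works out the amplification factor, which is what makes an Internet-exposed SSDP service useful to a DDoS attacker. The `probe` function does from outside your network what upnp-check.rapid7.com does from the inside: aim it at your own router's public IP address and a healthy router answers nothing. The sample reply is constructed, not captured from a real device, and the address and UUID in it are placeholders.

```python
from __future__ import annotations

import socket

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(search_target: str = "ssdp:all", mx: int = 1) -> bytes:
    """Build the standard SSDP M-SEARCH discovery request (UPnP Device Architecture)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict[str, str]:
    """Parse the HTTP-style header block of an SSDP reply into a dict with lowercase keys.
    The status line is kept under the key '_status'."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def amplification_factor(request: bytes, replies: list[bytes]) -> float:
    """Bytes a reflector sends back per byte it received: the DDoS 'gain'."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Send one unicast M-SEARCH to host and collect every reply until the socket times out.
    Run it against your own router's WAN address from outside your LAN."""
    request = build_msearch()
    replies: list[dict[str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, SSDP_PORT))
        try:
            while True:
                data, _addr = sock.recvfrom(4096)
                replies.append(parse_ssdp_response(data))
        except socket.timeout:
            pass
    return replies


# Constructed sample reply (not captured from any real device), shaped like a
# typical root-device answer; the address and UUID are placeholders.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 example-router/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    hits = probe(sys.argv[1]) if len(sys.argv) > 1 else []
    print(f"{len(hits)} SSDP replies received; a correctly configured router gives 0")
    for h in hits:
        print(" ", h.get("server"), h.get("location"))
```

Even this single constructed reply is about two and a half times the size of the request, and a device answering "ssdp:all" sends one reply per service it advertises, so a spoofed 94-byte request can draw kilobytes of traffic toward the victim whose address was forged as the source.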

Trojan for Linux infects routers

New Trojan for Linux infects routers
by Doctor Web security researchers   August 4, 2015
"The Trojan named Linux.PNScan.1 can infect devices with ARM, MIPS, or PowerPC architectures. Using this and other dangerous applications uploaded by Linux.PNScan.1 to the compromised device, cybercriminals can ... brute-force authentication credentials to get unauthorized access to various devices and servers via the SSH protocol." The attack starts by brute forcing router passwords. The malware attacks Linksys routers trying to exploit a vulnerability in HNAP (Home Network Administration Protocol) and the CVE-2013-2678 vulnerability. It also exploits ShellShock and a vulnerability in Fritz!Box routers. An infected router can launch various DDoS attacks (including ACK Flood, SYN Flood, and UDP Flood) and execute intruder-issued commands.

JULY 2015

Bug fix issued for Cisco ASR 1000 routers

Cisco Fixes DoS Vulnerability in ASR 1000 Routers
by Dennis Fisher   of Kaspersky   July 30, 2015
A bug in the way Cisco ASR 1000 routers handle fragmented packets can cause a Denial Of Service. The ASR 1000 line of routers is designed for enterprise and service provider environments. The bug affects IOS XE versions 2.1, 2.2, 2.3, 2.4, and 2.5. It is fixed in version 2.5.1. Versions 2.6 and 3.x are not vulnerable.

Huge number of TotoLink router bugs

TotoLink Routers Plagued By XSS, CSRF, RCE Bugs
by Chris Brook   of Kaspersky ThreatPost   July 16, 2015
There are a large number of bugs in a large number of TotoLink routers. It's a lot to keep track of.
"Nearly 20 different routers made by the electronics company TotoLink contain multiple remote code execution bugs, suffer from XSS and CSRF vulnerabilities, and contain backdoor credentials". The remote code execution flaws affect 15 different TotoLink products and let an attacker bypass authentication using either HTTP or DHCP. This can be used to install hacked firmware on the routers. A different problem, a backdoor, affects nearly 50,000 routers and makes them vulnerable on the WAN side. Four other routers suffer from a different backdoor, one that gives a LAN side attacker root privileges. The CSRF and XSS attacks affect the iPuppy, iPuppy3, N100RE, and N200RE models. TotoLink released new firmware on July 13th to fix some of these problems, but not nearly all. The bugs were discovered by Pierre Kim and Alexandre Torres. According to Kim, TOTOLINK is a brother brand of ipTIME which wins over 80% of SOHO markets in South Korea.

Multiple ipTIME router flaws

By Pierre Kim July 1, 3, 5 and April 20, 2015
Mr. Kim has written four blog postings (below) with details on assorted flaws in ipTIME routers. According to Kim, there are about 10 million ipTIME devices in South Korea. The July 6th writeup details a vulnerability in 127 routers that allows a LAN side user to send a single HTTP request that will bypass the admin authentication and allow complete root access. The July 3rd writeup is about the ipTIME n104r3 but Kim says it is likely to affect other models too. CSRF and XSS flaws allow a LAN side attacker to take over most of the configuration and settings. For example, the attacker can turn on remote management, change DNS servers, update the firmware and more. The July 1st writeup offers sample exploit code for the 127 devices running ipTIME firmware prior to v9.58. They are vulnerable to a remote code execution flaw which gives the attacker root access. The April 20th writeup seems to be the first report of the LAN side remote control vulnerability with a single HTTP request.

DDoS attacks abuse ancient RIP v1 protocol

Attackers abuse legacy routing protocol to amplify DDoS attacks
by Lucian Constantin   of IDG News   July 2, 2015
"DDoS attacks observed in May by the research team at Akamai abused home and small business (SOHO) routers that still support Routing Information Protocol version 1 (RIPv1). This protocol is designed to allow routers on small networks to exchange information about routes. RIPv1 was first introduced in 1988 and was retired as an Internet standard in 1996..." Attackers used about 500 SOHO routers to reflect and amplify their malicious traffic.
Akamai found 53,693 devices online that support RIPv1. Some had their web UI exposed to the Internet, allowing Akamai to identify the make/model. Around 19,000 were Netopia 3000 and 2000 series DSL routers distributed by ISPs. More than 4,000 were ZTE ZXV10 ADSL modems.

JUNE 2015

Hacked routers serving up Windows malware

Crooks Use Hacked Routers to Aid Cyberheists
by Brian Krebs   June 29, 2015
Quoting: "New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware ... Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim's credentials and send them to the attackers ... researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers - particularly routers powered by MikroTik and Ubiquiti's AirOS." It is not known if vulnerabilities in the firmware are being exploited or whether default passwords are at fault. This sounds much like the botnet discovered by Incapsula in May 2015 (see below), in part because a "disturbing number" of the hacked routers had the telnet port open.

Linksys router turns off WiFi when something is plugged into the USB port

Review: Linksys WRT1200AC dual-band gigabit Wi-Fi router
by Jon Andrews of WeGotServed   June 18, 2015
Quoting: "I had a number of issues sharing data ... whenever I plugged in an external drive, the WRT1200AC's wireless signal completely cut out. I tried a reboot of both the router and the PCs I was trying to work from but it didn't make any difference. As soon as I disconnected the external hard drive (in this instance it was a 2 TB external USB 3.0 powered drive formatted in NTFS) the Wi-Fi came back to life. Even with the latest firmware onboard, the WRT1200AC suffered from what looks like a pretty nasty bug." No mention in the article about the other issues sharing data.

MAY 2015

22 routers examined -> 60 bugs found

More than 60 undisclosed vulnerabilities affect 22 SOHO routers
by security researchers doing an IT Security Masters Thesis at Universidad Europea de Madrid May 28, 2015
The routers were from Observa Telecom, Comtrend, Belkin, D-Link, Sagem, Linksys, Amper, Huawei, Zyxel, Astoria and Netgear.
14 of the bugs are Universal Plug and Play (UPnP): not bugs in UPnP, just its existence. While I agree, in concept, that UPnP is bad for security, and I recommend turning it off in a router, counting it as a vulnerability is a matter of opinion. To me, this is really 46 bugs.
An information disclosure bug was found in the D-Link DSL-2750B, a wireless ADSL2 gateway. The device coughs up critical information to anyone who knows to try http://1.2.3.4/hidden_info.html, where 1.2.3.4 is the LAN side IP address of the device. All D-Link owners should test this. The report does not say if this works on the WAN side too.
Four routers from three different companies have a USB Device Bypass Authentication flaw which has nothing to do with the NetUSB flaw. Quoting "An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router ... In order to do so, the attacker only needs to access the router IP followed by the 9000 port". You can test if a router has port 9000 open on the WAN side here: grc.com/x/portprobe=9000.
Two Huawei routers have a Bypass Authentication flaw. Quoting "An external attacker, without requiring any login process, is able to reset the router settings to default ones ... an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials". Ouch.
The Observa Telecom RTA01N has a hidden admin user. Quoting "In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it does only appear into the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet". The report does not say if disabling remote administration defends against this.

Still another attack on routers with default IPs and passwords

DNS Changer Malware Sets Sights on Home Routers
by Fernando Merces of Trend Micro   May 28, 2015
Nothing very new here. Trend Micro found malicious websites, mostly in Brazil, that run a brute-force attack script against a router to change the DNS servers. Quoting: "While this type of malware is not new, we've been seeing a growing number of links in phishing attacks in Brazil."

Moose worm attacks miserably defended devices

Moose - the router worm with an appetite for social networks
by Graham Cluley writing for ESET May 26, 2015
ESET researchers discovered a new worm, which they call Linux/Moose, that infects routers in order to commit social networking fraud. The worm also infects other Linux-based devices and eradicates existing malware infections on the devices. It could potentially be used for DDoS attacks, network exploration, eavesdropping and DNS hijacking. It was first detected in July 2014. ESET researchers were unable to make a reliable estimate of the number of affected routers. They did confirm that these companies' products were affected: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone. The worm spreads by compromising systems with weak or default credentials. No vulnerabilities are exploited, so it should be easy to defend against simply by changing default passwords. It gets in via Telnet on port 23, so ensure that port 23 is closed or stealthed using the common ports scan of Shields UP! It also uses port 10073, which you can test here: https://www.grc.com/x/portprobe=10073.

A web based (CSRF) router attack that changes DNS servers

An Exploit Kit dedicated to CSRF Pharming
by Kafeine   an independent security researcher   May 22, 2015
Yet another web based attack, delivered by either a compromised website or a malicious ad, designed to replace the DNS servers used in a router. The malware looks for any of 55 routers from a dozen vendors including: Asus, Belkin, D-Link, Edimax Technology, Linksys, Medialink, Microsoft, Netgear, Shenzhen Tenda Technology, TP-Link, Netis Systems, Trendnet, ZyXEL and HooToo. It uses both known flaws (command injection vulnerabilities) and a dictionary attack with common administrative credentials. This seems to be widely used; on May 9, 2015 the command and control center was visited almost a million times. Slow days in the first week of May saw roughly 250,000 unique visitors a day. It has been found in the U.S., Russia, Australia, Brazil, India and other countries. As with other DNS changing malware, the bad DNS server is placed first, backed up by a Google public DNS server. This lets infected routers continue to function normally even if the malicious DNS server is taken off-line.

NetUSB flaw is industry wide (possibly millions of routers are vulnerable)

KCodes NetUSB: How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide
by the SEC Consult Vulnerability Lab   May 19, 2015
There is a bug/vulnerability in a software component called NetUSB. Quoting: "NetUSB is a proprietary technology developed by the Taiwanese company KCodes, intended to provide 'USB over IP' functionality. USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated 'USB over IP' box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005). The client side is implemented in software that is available for Windows and OS X ... The user experience is like that of a USB device physically plugged into a client system." If the NetUSB server is given data longer than it expects, it suffers a stack buffer overflow. 26 companies are thought to use the NetUSB software. SEC Consult tested routers from five of these companies: D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL. They found 92 products contained the NetUSB software. They did not test products from the other 21 companies. It seems to be mostly, but not exclusively, a LAN side issue. Quoting again: "While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet." Sometimes NetUSB can be disabled via the web interface, sometimes not. On NETGEAR routers the only defense is to buy a new router. KCodes was not helpful when contacted by SEC Consult. TP-LINK was the best at fixing the problem. By far.

An example of what malicious DNS servers can do

New Router Attack Displays Fake Warning Messages
by Jaydeep Dave   of Trend Micro   May 20, 2015
This blog offers an example of what malicious DNS servers might do - get the victim to call an 800 number for tech support that is not needed. The author works for Trend Micro and found his home router was using malicious DNS servers. How it happened, he doesn't know. The advice offered is lame, basically just plugs for their products.

Routers with default passwords hacked up the wazoo

Malware infected home routers used to launch DDoS attacks
by Lucian Constantin   of IDG News Service   May 12, 2015
ISPs in Thailand and Brazil seem to be distributing insecure routers to their customers. Not only are they configured with default passwords, they are also accessible from the Internet using both HTTP and SSH. In a new report, Incapsula found thousands of these routers infected with multiple copies of malware. The headline in the media was that Anonymous was using the router botnet for DDoS attacks. The report says that it is likely more than one group had infected the routers with malware.

Not all router bugs are security related

Yes, sometimes turning it off and on really is the best fix
by Dwight Silverman   of the Houston Chronicle   May 6, 2015
The tech blogger has a MacBook Pro and a Mac mini. The mini has problems. Two different instant messaging services are failing with a network error. And, Microsoft's OneDrive doesn't think it has an Internet connection. Other cloud storage apps such as Google Drive and Dropbox work fine. The same apps on the MacBook Pro work fine. The apps are configured the same on each machine. The light at the end of the tunnel comes when he connects the problematic Mac mini to a different WiFi network and everything works fine. The problem was his network. Rebooting the router, a Linksys WRT1900AC, fixes everything. What happened? A techie suggests a "bad NAT implementation in consumer router product". I can believe this based on my own experience, years back, with a consumer router. Every now and then all websites would fail to load. Email, and any other Internet traffic, worked fine. In my case too, rebooting the router fixed it.

Pixie Dust expands attacks on WPS

Security Now! Episode 506
by Steve Gibson   of GRC   May 5, 2015
Software has been released, dubbed Pixie Dust, that exploits a flaw in three implementations of WPS. The protocol is bad enough by itself, even if programmed perfectly. In three cases, the programming is not done well and thus WPS can be broken in seconds. Passwords? We don't need no stinking passwords. This research was first reported in Aug. 2014 by Dominique Bongard (see below). Flaws have been found in hardware from Ralink, Broadcom, and Realtek. Similar coding flaws in WPS implementations were found by Craig Heffner in Oct. 2014 (see below). As I say elsewhere on this site, do not use any router that supports WPS.

APRIL 2015

Hacking Netgear routers to upload malicious firmware

Broken, Abandoned, and Forgotten Code, Part 1
by Zachary Cutlip   April 23, 2015
Quoting: "This series of posts describes how abandoned, partially implemented functionality can be exploited to gain complete, persistent control of Netgear wireless routers ... I'll describe the process of specially crafting a malicious firmware image and a SOAP request in order to route around the many artifacts of incomplete implementation in order to gain persistent control of the router ... An unauthenticated firmware upload is an opportunity to persist undetected on the gateway device for months or even years ... Universal Plug and Play services on SOHO routers make for a nice attack surface ... " The primary router tested was the Netgear R6200. Preliminary analysis of other devices, including the R6300 v1, indicates presence of the same vulnerabilities. The only tested firmware was v1.0.0.28.

Realtek SDK: Yet another industry-wide flaw leaves routers vulnerable to remote hacks

No patch for remote code-execution bug in D-Link and Trendnet routers
by Dan Goodin   of Ars Technica   Apr 28, 2015
Routers from D-Link, Trendnet and untold other vendors can be remotely hacked. Without needing a password, bad guys can execute arbitrary code on the routers. Vulnerable routers use the Realtek software development kit. The bug is a failure by the miniigd SOAP service to sanitize user data. Not bad enough? The bug was found by security researcher Ricky "HeadlessZeke" Lawshae and reported to HP's Zero Day Initiative (ZDI) in August 2013. HP then tried, many times, to report the bug to Realtek. Twenty months later, there is still no fix.

Three bugs in the Netgear WNR2000v4 router

Untitled report
by endeavor@rainbowsandpwnies.com   April 21, 2015
There are three vulnerabilities in the WNR2000v4: Reflected XSS to execute javascript from origin of the http admin interface, Abuse password recovery feature to retrieve auth details and Exploit a command injection vulnerability in setting WEP passwords for code execution on the device. Netgear has confirmed this and says risk is only from the LAN side. They are apparently working on a fix.

NCC Service Command Injection flaw in several routers

D-Link/TRENDnet NCC Service Command Injection
by Michael Messner, Peter Adkins and Tiago Caetano Henriques   of Packet Storm   April 16, 2015
There is a remote command injection vulnerability in several routers. The vulnerability exists in the ncc service, while handling ping commands. Several D-Link and TRENDnet devices are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A) v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03, and TRENDnet TEW-731BR (Rev 2) v2.01b01.

D-Link screws up fixing their bugs

D-Link: sorry we're SOHOpeless
by Richard Chirgwin   of The Register   April 21, 2015
Quoting: " D-Link's SOHOpeless HNAP vulnerability has not been fixed, but readers will be pleased to know that the company is very, very, very sorry that it exists. The company issued a patch on April 10 for its design-over-substance AC3200 series routers, but that "fix" blew a hole in the device's authentication routines. Tactical Network Solutions' Craig Heffner called out the error, saying that 'this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions ...' " In all, 17 D-Link routers are buggy.

Multiple D-Link devices can be exploited via HNAP

Hacking the D-Link DIR-890L
by Craig Heffner   at devttys0.com   April 10, 2015
The D-Link DIR-890L is a new top-of-the-line $300 router with every feature a router could possibly have, including a software bug. The flaw is in the validation of HNAP requests. A malicious SOAPAction header can be used to pass arbitrary commands to the router. A telnetd command, for example, can spawn a telnet server that provides an unauthenticated root shell. If remote administration is enabled, the flaw can be exploited remotely. The bug has been confirmed in both the v1.00 and v1.03 firmware. Other D-Link devices are also vulnerable including: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR and TEW-733GR.
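The ncc ping flaw above and this HNAP one are the same class of bug: a string from the request is pasted into a shell command. Here is an added example of my own, not code from D-Link, TRENDnet or Craig Heffner, showing the naive pattern beside a hardened handler. The hardened version accepts only a literal IP address or a plain hostname and then runs ping with an argument list rather than through a shell, so shell metacharacters in the target can never reach a shell. The function names are mine.

```python
import ipaddress
import subprocess


def vulnerable_ping_command(target: str) -> str:
    """How a naive firmware ping handler builds its command: the user-supplied string is
    pasted into a shell line, so ';', '&&', '|' or backticks let extra commands ride along.
    Returned as text for inspection only; never hand this to a shell."""
    return "ping -c 1 " + target


def validate_ping_target(target: str) -> str:
    """Return the target if it is a literal IPv4/IPv6 address or a conservative hostname, else raise."""
    s = target.strip()
    if not s or len(s) > 253:
        raise ValueError("empty or oversized target")
    try:
        return str(ipaddress.ip_address(s))       # IPv4 or IPv6 literal
    except ValueError:
        pass
    # hostname: dot-separated labels of ASCII letters, digits and '-', no leading/trailing '-'
    for label in s.split("."):
        if not label or len(label) > 63 or label[0] == "-" or label[-1] == "-":
            raise ValueError(f"bad hostname label {label!r}")
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            raise ValueError(f"illegal character in {label!r}")
    return s


def is_safe_ping_target(target: str) -> bool:
    """Convenience wrapper for callers that want a yes/no answer."""
    try:
        validate_ping_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 1) -> list:
    """argv for the hardened handler: no shell, and the validated target is one argument.
    The validator never accepts a leading '-', so the target cannot be taken for a ping option."""
    count = max(1, min(int(count), 10))           # bound the count so it cannot be abused for DoS
    return ["ping", "-c", str(count), validate_ping_target(target)]


def run_ping(target: str, count: int = 1) -> int:
    """Execute the ping without a shell; returns ping's exit status."""
    done = subprocess.run(build_ping_argv(target, count), capture_output=True, timeout=30)
    return done.returncode
```

The two lines of defence are independent: even if the validator had a gap, `subprocess.run` with a list never starts a shell, and even if a shell were involved, the validator has already rejected every character a shell could interpret.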

Multiple TP-LINK routers leak sensitive files to unauthenticated users

Unauthenticated Local File Disclosure
by Stefan Viehbock of SEC Consult Vulnerability Lab   April 10, 2015
The good news here is that TP-LINK responded, when notified of the flaw, and issued updated firmware in a timely manner. Quoting: "Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed." The fix for the flaw was available when the problem was made public. Vulnerable routers were TP-LINK Archer C5, Archer C7, Archer C8, Archer C9, TL-WDR3500, TL-WDR3600, TL-WDR4300, TL-WR740N, TL-WR741ND, TL-WR841N, TL-WR841ND.

Another case of breaking WPS in seconds

Reversing Belkins WPS Pin Algorithm
by Craig Heffner   at devttys0.com   April 10, 2015
WPS is a security disaster. Given a few hours, any router with WPS enabled can be hacked into. There are so few pin codes that it's just a matter of time (typically 10 hours) to guess them all, assuming the bad guy knows nothing about the WPS pin code. Looking at the firmware, Craig Heffner found that on many Belkin routers, the WPS pin code is derived from the LAN MAC address and the serial number of the router. That could make it reasonably random, but there is a fatal flaw: 802.11 probe response packets include the serial number in the WPS information element. Since WiFi probe request/response packets are not encrypted, a single probe provides all the inputs to the formula that creates the WPS pin code. 24 Belkin routers were tested and 80% of them were using the algorithm Heffner found in the firmware for their WPS pin code. These routers can now be hacked, via WPS, in seconds: F9K1001v4, F9K1001v5, F9K1002v1, F9K1002v2, F9K1002v5, F9K1103v1, F9K1112v1, F9K1113v1, F9K1105v1, F6D4230-4v2, F6D4230-4v3, F7D2301v1, F7D1301v1, F5D7234-4v3, F5D7234-4v4, F5D7234-4v5, F5D8233-4v1, F5D8233-4v3 and F5D9231-4v1. And, this is not limited to Belkin; it appears to be specific to Arcadyan, an ODM for many companies.

Arris/Motorola SURFboard SBG6580 Series gateways have 3 flaws

CSRF, Backdoor, and Persistent XSS on ARRIS / Motorola Cable Modems
by Tod Beardsley of Rapid7   April 8, 2015
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary website to take control of the modem, even if the user is not currently logged in. These bugs were discovered by independent security researcher Joe Vennix. Although the article refers to the SURFboard SBG6580 as a "modem" it is, in fact, a gateway device. That is, it combines the functions of both a router and a modem. It also refers only to the "web interface" of the device without differentiating between LAN and WAN side access, so it's not clear if the device can be remotely exploited. It seems that all exploits are LAN side. Reading between the lines, it also seems that Arris never responded to the bug reports. The timeline says that they were contacted roughly 2.5 months prior to public disclosure of the flaws and then nothing about their response. The workarounds do not say to upgrade the firmware, so I have to guess that Arris blew the guy off. Keep this in mind the next time you shop for an Arris/Motorola device. The backdoor flaw is a hard coded userid/password for logging in to the device. Userid: technician Password: yZgO8Bvj. Anyone taking my recommendations would have been immune to this attack as it requires knowing the LAN side IP address of the router.
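CSRF comes up again and again on this page: the Belkin N600, the CSRF pharming kit and now the SBG6580. The flaw is always the same, a settings page that honours any request carrying the right form fields, and the fix is always the same too. Here is an added example of my own (not code from Arris, Belkin or Rapid7) with a "change DNS servers" handler written the careless way beside one that requires a POST, a server-side session, an Origin or Referer matching the admin UI, a CSRF token minted with the session and compared in constant time, and valid IP addresses. The admin origin, the function names and the request/session objects are my assumptions, standing in for whatever web framework a firmware actually uses.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed origin of the router's admin UI (a placeholder, not any real device's value)
ADMIN_ORIGIN = "http://192.168.1.1"


@dataclass
class Session:
    """Server-side login state. The CSRF token is minted with the session, so only a
    page served inside this session can know it; a page on another site cannot."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]      # Origin and Referer are set by the browser, not by page script
    form: Dict[str, str]
    session: Optional[Session]   # None when no valid session cookie accompanied the request


def vulnerable_set_dns(req: Request, config: Dict[str, List[str]]) -> int:
    """The pattern behind the DNS-changer attacks: any request carrying the form fields is
    honoured. A form auto-submitted from a malicious page in another tab succeeds because the
    browser attaches the router's cookie (or, as on the Belkin N600, because no login exists)."""
    config["dns"] = [req.form["dns1"], req.form["dns2"]]
    return 200


def hardened_set_dns(req: Request, config: Dict[str, List[str]]) -> int:
    """Defence in depth; returns an HTTP status code."""
    if req.method != "POST":                     # state changes only via POST
        return 405
    if req.session is None:                      # real, server-side authentication
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:                               # modern browsers send one of them on form posts
        return 403
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != ADMIN_ORIGIN:
        return 403
    # token bound to this session; compare_digest avoids timing leaks
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return 403
    servers: List[str] = []
    for key in ("dns1", "dns2"):                 # validate the values themselves
        try:
            servers.append(str(ipaddress.ip_address(req.form.get(key, ""))))
        except ValueError:
            return 400
    config["dns"] = servers
    return 200


def render_dns_form(session: Session) -> str:
    """The legitimate settings page embeds the session's token in the form it serves."""
    return (f'<form method="POST" action="{ADMIN_ORIGIN}/set_dns">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="dns1"><input name="dns2"><button>Save</button></form>')
```

Note that the Origin check alone would stop the cross-site form, and the token alone would too; both are kept because older browsers omit Origin on some requests and because a token check protects even when a Referer has been stripped by a privacy extension.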

Bell routers in Canada have guessable WiFi passwords

Bell's Default Password Policy Leaves Tens of Thousand of Users Exposed
by Viktor Stanchev   April 6, 2015
The default WiFi passwords, set by Canadian ISP Bell on their gateway devices, are short enough that they can be brute forced in a few days. Reminds me of WPS. The passwords are 8 hex characters. With hashcat and good hardware the password could be brute forced in less than 12 hours. Stanchev used lower end hardware which took him 3 days. This is not the first issue with default WiFi passwords set by an ISP. You should change all default passwords set by your ISP. Better yet, don't use any hardware from an ISP.

MARCH 2015

Hotel router rsync flaw - Things do not get much worse than this

Hotel Wi-Fi router security hole: will this be the Ultimate Pwnie Award Winning Bug for 2015?
By Paul Ducklin   of Sophos   March 30, 2015
This is as bad as a bug can get - simple to exploit and unlimited in what it lets a bad guy do. ANTlabs InnGate devices are routers used by hotels and convention centers to run guest/visitor networks. They have a misconfigured rsync service that lets a bad guy connect to TCP port 873 using rsync and then read and write any file on the device. No password needed. There is no end to the number of bad things an attacker might do. The flaw was discovered by Justin W. Clarke of Cylance Inc. Scanning the Internet, Cylance found 277 InnGate devices in 29 countries. They found vulnerable devices belonging to 8 of the world's top 10 hotel chains. This is, however, the tip of the iceberg as vulnerable devices behind a firewall can likely be exploited from the hotel's local network. A fix was issued by ANTlabs at the time the flaw was made public. The defense here is nothing new: when traveling always use a VPN. Period.

Google Analytics abused to inject ads and porn

Ad-Fraud Malware Hijacks Router DNS - Injects Ads Via Google Analytics
by Sergei Frankoff of Sentrant (previously Ara Labs)   March 25, 2015
Yet another account of DNS servers being changed in routers. No details are offered on the routers being targeted or how they are hacked into. The interesting wrinkle here is the targeting of Google Analytics, the most widely used traffic analytics service. Its popularity makes it a perfect target for bad guys. JavaScript is loaded from a malicious website pretending to be Google Analytics and it injects extra ads onto web pages. The rogue DNS server is 91.194.254.105. The tester page of this site lists a couple websites that you can use to see what your current DNS servers are.

Vulnerable D-Link DSL routers in the UK

Some UK TalkTalk D-Link DSL-3680 Routers Vulnerable to DNS Hijack
By Mark Jackson   of ISPreview   March 27, 2015
A couple of Talk Talk customers noticed that the DNS servers in their D-Link routers had been changed. The problem affects model DSL-3680 with remote administration enabled. Exploiting the routers is trivially easy; all you need to know is a secret URL and the public IP address of the router. Quoting: "The exploit appears as if it could stem from a vulnerability that we first reported on in January 2015 (here), which affected a number of D-Link routers, although D-Link has been hit by similar exploits over the past few years and so that it is hard to know which one is the actual culprit. On top of that D-Link appears to be of the viewpoint that the 3680 is not vulnerable to such an attack, yet the code used to perform it is almost identical to the one we covered earlier this year."
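Four items in a row (Dyre, the CSRF pharming kit, the Google Analytics ad injector and this one) end with DNS servers being changed, and in every case the victims found out by accident. An added example of my own, not code from any of the researchers cited, that turns the check into something you can run: it reads a resolver list in resolv.conf format (or one address per line, pasted from the router's WAN status page) and compares it against the resolvers you know you configured. It also looks for the tell-tale ordering the pharming kit uses, an unknown server first with a public resolver as backup. The expected-resolver set is an assumption you must replace with your own, and the sample file is constructed; the rogue address in it is the one named in the Sentrant report above.

```python
import ipaddress
from typing import Dict, List, Set

# Assumption: the resolvers you (or your ISP) deliberately configured. Replace with your own.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "9.9.9.9", "149.112.112.112"}

# Well-known public resolvers that DNS-changer malware keeps as the fallback entry
PUBLIC_FALLBACKS: Set[str] = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def parse_resolver_list(text: str) -> List[str]:
    """Accept resolv.conf text ('nameserver X' lines, '#' or ';' comments) or one address per line."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        candidate = parts[1] if parts[0] == "nameserver" and len(parts) > 1 else parts[0]
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue            # 'search', 'options' and junk lines are skipped
    return servers


def audit_resolvers(servers: List[str], expected: Set[str] = EXPECTED_RESOLVERS) -> Dict[str, object]:
    """Flag every resolver you did not configure, plus the 'rogue first, public backup' ordering."""
    unexpected = [s for s in servers if s not in expected]
    changer_pattern = (len(servers) >= 2
                       and servers[0] not in expected
                       and servers[0] not in PUBLIC_FALLBACKS
                       and servers[1] in PUBLIC_FALLBACKS)
    return {
        "servers": servers,
        "unexpected": unexpected,
        "changer_pattern": changer_pattern,
        "verdict": "HIJACK SUSPECTED" if unexpected else "ok",
    }


# Constructed sample of a hijacked resolv.conf; the first address is the rogue resolver named
# in the Sentrant report, the second is the Google fallback such kits add.
SAMPLE_HIJACKED = """# Generated by DHCP from the router
nameserver 91.194.254.105
nameserver 8.8.8.8
search home.lan
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HIJACKED
    report = audit_resolvers(parse_resolver_list(text))
    print(report["verdict"], report)
```

One caveat: on most home networks the computer's resolver is the router itself (192.168.1.1 or similar), which will look fine here. The servers that matter are the ones the router forwards to, so copy those from the router's WAN or status page into a file and feed that to the script.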

Multiple bugs in multiple ADSL routers

At least 700K routers given to customers by ISPs can be hacked
By Lucian Constantin   IDG News Service   March 19, 2015
Quoting: "More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Most of the routers have a "directory traversal" flaw...that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models. Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers ... On some devices, downloading the config.xml file doesn't even require a directory traversal flaw; just knowing the correct URL to its location is enough ... around 60 percent have another flaw, a hidden support account with an easy-to-guess hard-coded password."
These routers were only discovered because they can be attacked remotely. Others may be vulnerable from the LAN side. Among the vulnerable devices are routers from ZTE, D-Link, Sitecom, FiberHome, Planet, Digisol and Observa Telecom. The vast majority of buggy routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics. Attempts to notify the company went unanswered.
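The directory traversal bug class described above (and the Asus AiCloud traversal further down this page) in working form, as an added example that is not code from any of the articles: a naive file-serving routine that simply joins the requested path onto the web root, beside a hardened version that resolves the path and refuses anything that lands outside the root. The web root layout, the config.xml contents and the "hunter2" password are constructed for the demo.

```python
import os
import tempfile


def serve_file_vulnerable(web_root: str, request_path: str) -> bytes:
    """Naive handler: concatenates the request path onto the web root.
    "../" segments in request_path walk out of web_root, so a request for
    "../config.xml" reads a file the server never meant to publish."""
    full_path = os.path.join(web_root, request_path.lstrip("/"))
    with open(full_path, "rb") as fh:
        return fh.read()


def serve_file_hardened(web_root: str, request_path: str) -> bytes:
    """Hardened handler: canonicalize both paths and refuse anything that
    resolves outside web_root (covers "..", absolute paths and symlinks)."""
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes web root: {request_path!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: <tmp>/www/index.html is public, <tmp>/config.xml
    sits one level above the web root and holds an (invented) admin password."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "wb") as fh:
        fh.write(b"<html>public</html>")
    with open(os.path.join(base, "config.xml"), "wb") as fh:
        fh.write(b"<config><admin password='hunter2'/></config>")

    results = {"public_ok": serve_file_hardened(www, "index.html") == b"<html>public</html>"}
    # The naive handler hands over the configuration file, credentials included.
    results["vulnerable_leaks_config"] = b"hunter2" in serve_file_vulnerable(www, "../config.xml")
    # The hardened handler refuses the identical request.
    try:
        serve_file_hardened(www, "../config.xml")
        results["hardened_blocks"] = False
    except PermissionError:
        results["hardened_blocks"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Percent-decode the URL before this check and keep the check on the resolved path rather than on the raw string: blocklisting the literal `../` misses encoded variants such as `..%2f` and misses symlinks, while a realpath comparison catches both.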

D-Link and TRENDnet bugs getting fixed

Security Advisory SAP10052
by D-Link   initial: March 2, 2015 updated: March 16, 2015
There are three separate bugs; see the item attributed to Peter Adkins in the February 2015 section below. One flaw allows unauthenticated access from the local network and, if remote administration is enabled, unauthenticated access from the Internet as well. Another is a drive-by CSRF. The affected routers are: D-Link DIR-636L, D-Link DIR-808L, D-Link DIR-810L, D-Link DIR-820L, D-Link DIR-826L, D-Link DIR-830L, D-Link DIR-836L and the TRENDnet TEW-731BR. Other models thought to be affected: D-Link DIR-651, TRENDnet TEW-651BR, TRENDnet TEW-652BRP, TRENDnet TEW-711BR, TRENDnet TEW-810DR and the TRENDnet TEW-813DRU.

Yet another attack on router passwords

Malware Snoops Through Your Home Network
by Kenney Lu of Trend Micro   March 9, 2015
New malware, detected as TROJ_VICEPASS.A, pretends to be an Adobe Flash update. When run, it attempts to log in to the router using a pre-defined list of user names and passwords. It does not limit itself to the default userids and passwords of common routers; the full list is in the article. If the malware can get into the router, it scans the network looking for connected devices, sends this data back to the mother ship and then deletes itself. It does not determine the router's actual IP address; instead it scans only 192.168.[0-6].[0-11], that is, the first twelve addresses in each of seven networks, 84 addresses in all. So, as advised elsewhere on this website, using a non-standard range of IP addresses would have foiled this. Also note that better routers let you change both the userid and the password. Less secure routers only let you change the password.
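To make the "non-standard range" advice concrete, here is an added example (not code from Trend Micro or from this site) that enumerates the 84 addresses TROJ_VICEPASS.A sweeps and reports whether a given gateway address would be hit. The sweep pattern is the one the article describes; the gateway addresses fed to it are constructed.

```python
import ipaddress
from itertools import product

# Sweep performed by TROJ_VICEPASS.A per the Trend Micro write-up:
# 192.168.<0-6>.<0-11>, i.e. the router's IP range is never looked up.
VICEPASS_SWEEP = {"third": range(0, 7), "fourth": range(0, 12)}


def expand_sweep(third: range, fourth: range, prefix: str = "192.168") -> list:
    """Enumerate every address the sweep probes (7 * 12 = 84 hosts)."""
    return [ipaddress.IPv4Address(f"{prefix}.{c}.{d}") for c, d in product(third, fourth)]


def gateway_is_targeted(gateway: str, sweep: dict = VICEPASS_SWEEP) -> bool:
    """True if a router at `gateway` would receive the malware's login attempts."""
    targets = set(expand_sweep(sweep["third"], sweep["fourth"]))
    return ipaddress.IPv4Address(gateway) in targets


def assess(gateways: list) -> dict:
    """Map each candidate gateway address to whether the sweep reaches it."""
    return {g: gateway_is_targeted(g) for g in gateways}


if __name__ == "__main__":
    # Constructed gateways: the usual defaults versus two "non-standard" choices.
    print(assess(["192.168.0.1", "192.168.1.1", "192.168.1.254", "10.11.12.1"]))
```

Note that moving the router to 192.168.1.254 defeats this particular sweep just as well as moving to a 10.x.x.x range does; the broader point is that malware written to a hard-coded address list cannot find a router that is not there.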

Security in routers stinks - and some reasons why

Broadband routers: SOHOpeless and vendors don't care
by Darren Pauli   March 5, 2015
"Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing." First rule of doing a bad job: say nothing. Quoting again: "The Register received no response from major router vendors when we asked about the lack of security in their products." One good point made here is that features are a common enemy of security.

FEBRUARY 2015

Routers from multiple companies have a back door

Rogue Router Firmware Chaos Backdoor
by Bijay Limbu Senihang   February 22, 2015
Even after changing the router password, you can still log in with userid "super" and password "super" to routers from these companies: TRENDnet, Digicom, Alpha Network, Pro-Link, Planet Networks, Bless, Realtek, Blue Link and SmartGate. This is exploitable over the Internet, as shown in this video.

CSRF flaw in multiple D-Link and TRENDnet routers

D-Link / TRENDnet ncc2 CSRF / Unauthenticated Access
by Peter Adkins   February 27, 2015
Multiple D-Link and TRENDnet devices suffer from cross-site request forgery and unauthenticated access vulnerabilities. According to Mr. Adkins, who discovered the problem, "... visiting a webpage with a malicious javascript payload embedded is enough for an attacker to gain full access to the device." Ouch. Adkins contacted each company well before going public. TRENDnet was great about this and they have released updated firmware, version 2.02b01. Good for them. D-Link was the exact opposite. Quoting:
"D-Link initially responded on their security contact within a week. However, after I had provided write ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last ditch effort to reestablish contact, however I was linked back to the same security reporting process I had followed initially."
In other words: go away kid, don't bother me.
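The drive-by CSRF described here and in the D-Link advisory above, modelled as an added example (not code from Mr. Adkins or from either vendor): a toy router admin interface with one state-changing action, "set DNS servers". The vulnerable handler trusts the session cookie alone, which the victim's browser attaches to any request, including one a hostile page submits; the hardened handler additionally requires the request's Origin (or Referer) to be the router itself and a per-session token that a foreign page cannot read. The router address 192.168.1.1, the attacker site evil.example and the DNS values are assumptions. Adkins' devices were worse still, since they also accepted some requests with no login at all, which this model does not reproduce.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin UI


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def same_origin(header_value: str) -> bool:
    """Compare scheme://host[:port] exactly. A naive startswith() check would
    accept http://192.168.1.100 as well, so parse rather than prefix-match."""
    parts = urlsplit(header_value or "")
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN


class RouterAdmin:
    """Toy model of a router admin interface with one state-changing action."""

    def __init__(self):
        self.dns_servers = ["192.0.2.53"]   # constructed ISP resolver
        self.sessions = {}                  # session id -> CSRF token

    def login(self) -> dict:
        """Cookie a browser holds after a successful login."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return {"session": sid}

    def csrf_token(self, cookies: dict) -> str:
        """Token the legitimate admin page embeds in its own form."""
        return self.sessions[cookies["session"]]

    def set_dns_vulnerable(self, req: Request) -> str:
        """Cookie alone authorizes the change: exactly what a drive-by page exploits."""
        if req.cookies.get("session") not in self.sessions:
            return "401 not logged in"
        self.dns_servers = req.form["dns"].split(",")
        return "200 ok"

    def set_dns_hardened(self, req: Request) -> str:
        """Same-origin check plus per-session token on top of the cookie."""
        sid = req.cookies.get("session")
        if sid not in self.sessions:
            return "401 not logged in"
        if not same_origin(req.headers.get("Origin") or req.headers.get("Referer")):
            return "403 cross-origin request refused"
        if not hmac.compare_digest(req.form.get("csrf", ""), self.sessions[sid]):
            return "403 missing or wrong CSRF token"
        self.dns_servers = req.form["dns"].split(",")
        return "200 ok"


def drive_by(handler_name: str) -> tuple:
    """Victim is logged in, then visits evil.example whose script auto-submits a
    form to the router. The browser attaches the router's cookie, but the Origin
    header names the attacker's site and the page cannot know the token."""
    router = RouterAdmin()
    cookies = router.login()
    forged = Request("POST", "/setdns", {"Origin": "http://evil.example"},
                     {"dns": "198.51.100.1,8.8.8.8"}, cookies)
    status = getattr(router, handler_name)(forged)
    return status, router.dns_servers


def legitimate_change() -> tuple:
    """The real admin page: same origin, token included."""
    router = RouterAdmin()
    cookies = router.login()
    req = Request("POST", "/setdns", {"Origin": ROUTER_ORIGIN},
                  {"dns": "192.0.2.54", "csrf": router.csrf_token(cookies)}, cookies)
    return router.set_dns_hardened(req), router.dns_servers


if __name__ == "__main__":
    print("vulnerable:", drive_by("set_dns_vulnerable"))
    print("hardened:  ", drive_by("set_dns_hardened"))
    print("legit:     ", legitimate_change())
```

The forged request deliberately sets one rogue resolver and 8.8.8.8 as secondary, the same mix the Brazilian campaign below used; a router that accepts it has been hijacked by a web page the victim merely viewed.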

Brazilian attack on default passwords

Spam Uses Default Passwords to Hack Routers
by Brian Krebs   February 26, 2015
Security firm Proofpoint has detected malicious emails targeting Brazilian Internet users. The emails appear to come from a Brazilian ISP and the scam has to do with an unpaid bill. The emails exploit known vulnerabilities in routers from UTStarcom and TP-Link to change the DNS servers, a very common thing for bad guys to do. An interesting wrinkle is that instead of providing two malicious DNS servers they only provide one and set Google's public DNS (8.8.8.8) as the secondary.

Three Singapore routers vulnerable to multiple flaws

Up to 32,000 could be affected by wireless router vulnerabilities: Security firm
By Kevin Kwang   Feb 26, 2015
Security company Vantage Point reports that three routers have "critical vulnerabilities". Zhone routers have three types of flaws: Remote Code Execution, Privilege Escalation and Admin Password Disclosure. An Aztech router is vulnerable to Remote Command Injection. An Asus router is vulnerable to Authentication Bypass and Cross-Site Scripting. There are no known attacks so far. Up to 32,000 subscribers in Singapore may be vulnerable. The most interesting part of the article is a quote from the researcher that discovered the bugs: "There are many routers with many different kinds of firmware on the market. The problem is that when the firmware is developed in-house by the vendor, security is often an afterthought". This supports my recommendation to avoid all consumer class routers.

Netgear routers FTP flaw

Thousands of Netgear routers accessible via FTP by anyone - second issue in a week
by Jan Willem Aldershoff   February 24, 2015
Quoting: "Thousands of Netgear routers with Network Attached Storage (NAS) can be freely accessed by anyone without permission of the owner. Netgear's WNDR4700 routers run an outdated version of the ProFTPd FTP server which not only allows logging-in anonymously, but also contains a vulnerability that allows an attacker to remotely execute code on the router ... By simply logging in anonymously with an FTP client an attacker (and pretty much anyone who knows how to work with an FTP client) can get full write and read permission."
This is the only article on the topic I have seen. It's not clear whether other Netgear routers are also vulnerable.

Netgear routers SOAP flaw

Netgear routers leak passwords using nothing more than malicious HTTP requests
by Lucian Constantin IDG News Service   February 16, 2015
Bad guys can learn the administrator password and wireless passwords along with details of the router such as the model, serial number and firmware version. The flaw can be exploited from the LAN side and, if remote administration is enabled, also from the outside/Internet/WAN. The bug is with validation (or the lack of such) of the SOAP protocol used to communicate with the router. A bad guy just has to send HTTP requests with a blank form and a "SOAPAction" header to exploit the flaw. The vulnerability is confirmed in four Netgear routers and may well exist in other models too. The worst part of this story is trying to contact Netgear:
"Peter Adkins, the researcher who found the flaw, claims that he contacted Netgear but that his attempts to explain the nature of the issue to the company's technical support department failed."
The only defense, for now, is not to use a Netgear router. This confirms my recommendation to avoid consumer routers.

Duplicate SSH keys in Spain

Tens of thousands of home routers at risk with duplicate SSH keys
by Jeremy Kirk IDG News Service   February 19, 2015
Hundreds of thousands of home routers running SSH have identical private and public keys. This comes from John Matherly of the Shodan search engine. In Spain, over 250,000 devices deployed by Telefonica de Espana and running the Dropbear SSH software have the same keys. Another Shodan search found 150,000 devices, mostly in China and Taiwan, with identical keys. Anyone who extracts the private key from one unit's firmware can impersonate the SSH server of every other unit, so host-key checking buys nothing. It is questionable whether SSH should be running on a home router in the first place. Some routers let you turn it off; if yours does, then do so. Disabling remote administration will probably not help here, but the subject did not come up in any of the articles I read.
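Shodan can do this at Internet scale; for the routers you actually touch, the same duplicate-key check is a few lines. The following is an added example (not Shodan's or Mr. Matherly's code): it parses known_hosts-style lines, computes each key's fingerprint the way `ssh-keygen -lf` displays it (SHA256 of the raw key blob, base64, padding stripped) and groups hosts that present the same key. The four hosts and their key blobs are constructed; the "shared" blob is not a real SSH key, which does not matter since fingerprinting just hashes whatever blob the line carries.

```python
import base64
import hashlib
import os
from collections import defaultdict


def openssh_fingerprint(key_b64: str) -> str:
    """OpenSSH display form: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> list:
    """Return (host, key_type, fingerprint) for each non-comment known_hosts line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, key_b64 = line.split()[:3]
        entries.append((host, key_type, openssh_fingerprint(key_b64)))
    return entries


def shared_host_keys(entries: list) -> dict:
    """fingerprint -> sorted hosts, keeping only keys seen on two or more hosts."""
    by_fp = defaultdict(set)
    for host, _key_type, fp in entries:
        by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample: four "routers", three of which ship the same key blob.
SHARED_KEY_B64 = base64.b64encode(b"shared-firmware-key-blob" + b"\x00" * 40).decode()
UNIQUE_KEY_B64 = base64.b64encode(os.urandom(64)).decode()
SAMPLE_KNOWN_HOSTS = f"""
# host           type      key (base64)
203.0.113.10  ssh-rsa  {SHARED_KEY_B64}
203.0.113.11  ssh-rsa  {SHARED_KEY_B64}
203.0.113.12  ssh-rsa  {SHARED_KEY_B64}
203.0.113.13  ssh-rsa  {UNIQUE_KEY_B64}
"""


def demo() -> dict:
    return shared_host_keys(parse_known_hosts(SAMPLE_KNOWN_HOSTS))


if __name__ == "__main__":
    for fp, hosts in demo().items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feed it the output of `ssh-keyscan` run against several units of the same model, or your own ~/.ssh/known_hosts; any fingerprint that shows up on more than one device is a key baked into the firmware rather than generated on first boot.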

JANUARY 2015

Pirelli routers totally open to hacking

Is Your ISP Making Your Home Network Insecure?
by Christian Cawley   at MakeUseOf   January 31, 2015
This is as bad as it gets. The administration web pages of Pirelli routers are visible from the Internet and no password is needed to make changes. The routers were supplied by a Spanish ISP which has not responded to the problem. Quoting: " ... security researcher Eduardo Novella discovered that Pirelli P.DGA4001N routers have a rather worrying bug. It's around two years since Novella made the discovery, and in the meantime he has been patiently waiting for something to be done about it. Sadly, it's still there. The bug is so simple to exploit that you don't even need to be able to code in order to use it. All you need to do is enter the web-facing IP address of a router, suffix it with wifisetup.html (so something like 111.222.333.444/wifisetup.html) and you can start playing around with the router configuration. "

Bug in ZynOS used by D-Link, TP-Link and ZTE

DNS hijacking vulnerability affects D-Link DSL router, possibly other devices
by Lucian Constantin   January 27, 2015
Todor Donev, a member of a Bulgarian security firm called Ethical Hacker, says that a flaw in ZynOS can lead to the ever-popular DNS hijack in a router. He confirmed the flaw in a DSL router from D-Link, but the vulnerability is actually in ZynOS, router firmware developed by ZyXEL Communications that is used by multiple vendors, including D-Link, TP-Link Technologies and ZTE. Vulnerable devices can be hacked remotely if remote administration is enabled. They can also be hacked from the LAN side. No fixes were offered when this became public. None of the articles mentioned a way to test if a router is vulnerable.

Hacked Routers used in Denial of Service Attacks

Lizard Stresser Runs on Hacked Home Routers   by Brian Krebs  January 9, 2015
Quoting: "The online attack service launched late last year by the same criminals who knocked Sony and Microsoft's gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers... " New terminology (at least to me): a website offering DDoS as a service is known as a "booter" or "stresser" site.

Asus infosvr vulnerability

Got an Asus router? Someone on your network can probably hack it
by Dan Goodin of ArsTechnica January 8, 2015
Anyone connected to your LAN can gain control of an Asus router simply by sending a single packet to the router. Ouch. The bug is in virtually all versions of the firmware. The vulnerable software is the infosvr service, which listens on UDP port 9999 on the LAN side. The bug lets an unauthenticated LAN-side user execute commands on the router as the root user. This is not exploitable from the WAN side of the router. infosvr runs as root and is used for device discovery by the "ASUS Wireless Router Device Discovery Utility". Many of us could live without this service. Joshua Drake, research director at Accuvant, first publicized the flaw. He suggests updating to firmware version 3.0.0.4.376.3754 or later. It's not clear if firewalling the port is a valid work-around.

Two vulnerabilities in routers from an Algerian ISP

A vulnerability and a hidden admin account all inside SITEL DS114-W routers !
by Nasro January 4, 2015
The routers have a session management vulnerability: when someone logs in to the router, multiple sessions are initialized, which gives an attacker access to the router, without knowing the password, via a simple brute-force attack. Also, the routers ship with a backdoor account, which was found in a configuration file. The routers are provided by the Algerian ISP Djaweb. The vendor was notified but did not respond.

2014

DECEMBER 2014

Misfortune Cookie lets bad guys hack 12 MILLION routers

Home office: mis.fortunecook.ie
This is a really bad one. A flaw in the web server software in the router can allow bad guys to remotely take over a vulnerable router with admin privileges. The buggy web server software is RomPager from AllegroSoft. It is found in routers made by D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others. Testing by Check Point, which went public with the problem, found that 200 different router models contained the bug. There are at least 12 million such devices in 189 countries across the globe according to Check Point. The bug was introduced in 2002 and fixed by AllegroSoft in 2005, but the updated version never made it to millions of routers. Read the last sentence again. Exploiting the flaw is easy: a bad guy just needs to send HTTP requests with specially crafted cookies that corrupt memory. Turning off remote administration does not fix this, because many routers also listen on port 7547 for TR-069 management traffic (a.k.a. CPE WAN Management Protocol), and that listener is served by the same RomPager code.
Check Point suggests making sure that your router is not listening on ports 80, 8080, 443 and 7547. This list, however, is not complete. One good way to test these ports is with Steve Gibson's ShieldsUP! service. Do a "User Specified Custom Port Probe" and in the white rectangle enter "80,443,7547,8080". See a sample of a perfect report. That said, the only real way to know if a router is vulnerable to this flaw is to check with the manufacturer. Good luck with that.
I say this often, but not often enough: do not use a consumer class router.

NOVEMBER 2014

Bug in Belkin N750 router

Serious Root Access Bug in Belkin N750 Router
by Brian Donohue of Kaspersky November 7, 2014
A vulnerability exists in the guest network Web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Router. Guest networks are enabled by default and they do not require a password. Thus, the flaw can be exploited by a local, unauthenticated attacker. The bug allows full control of the router. This was discovered by Marco Vaz of Integrity Labs. The company reported the bug to Belkin on Jan. 24, then they sent a proof-of-concept exploit on Jan. 28th. Belkin issued updated firmware resolving the problem on March 31st.

OCTOBER 2014

D-Link WPS is more insecure than usual

Reversing D-Links WPS Pin Algorithm
by Craig Heffner   October 31, 2014
Consumer routers all have a WPS PIN. You can see it on the label on the bottom. WPS is a huge security flaw. Anyone who knows the WPS PIN can get into all the wireless networks created by the router. Think of it as a back door. WPS should always be disabled. Anyone can turn over your router, take a picture of the label on the bottom and then get into your wifi network(s) forever. That's bad enough. This article makes things even worse.
Quoting: " ... this code is using a simple algorithm to generate the default WPS pin entirely from the NIC portion of the device's WAN MAC address ... Since the BSSID is only off-by-one from the WAN MAC, we can easily calculate any DIR-810L's WPS pin ... this algorithm ... appears to have been in use for some time, dating all the way back to 2007 when WPS was first introduced. "
In other words: all routers advertise a MAC (Ethernet) address in the clear. WiFi Analyzer is a popular free app for Android that displays the MAC address (BSSID) of each detected WiFi network. Feed that MAC address into a formula and out comes the WPS PIN. With that PIN you can log on to the router forever, regardless of WPA or WPA2 security. WPS is a back door. It was lazy of D-Link to derive WPS PINs from a formula rather than generating them randomly. Two D-Link routers are confirmed to be vulnerable to this flaw; 16 are not. The author later added: "WPS pins generated from MAC addresses is not new, several other devices/vendors have been caught doing it in the past."
What to do? Turn off WPS, or better yet, don't buy a router that supports WPS at all.

Three flaws in multiple Linksys routers

Linksys SMART WiFi firmware contains multiple vulnerabilities
Vulnerability Note VU#447516 by Todd Lewellen   October 31, 2014
Bug1: A remote, unauthenticated attacker can read the router's .htpasswd file by requesting http(s)://routeripaddress/.htpasswd. This file contains the MD5 hash of the administrator password. Bug2: A remote, unauthenticated attacker can issue various JNAP calls by sending specially-crafted HTTP POST requests to http(s)://routeripaddress/JNAP/. Depending on the JNAP action, the attacker may be able to read or modify sensitive information. Bug3: The router exposes multiple ports to the WAN by default. Ports 10080 and 52000 both expose the administrative web interface to WAN users. Depending on the model, additional ports may be exposed by default as well. Affected models include the EA2700, EA3500, E4200v2, EA4500, EA6200, EA6300, EA6400, EA6500, EA6700 and EA6900. There is updated firmware available to fix these bugs on most, but not all, routers.
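Both the Linksys Bug3 here and the Misfortune Cookie item above come down to the same question: which TCP ports does the router answer on from the Internet side? ShieldsUP! answers it from Gibson's server; the following added example (not code from CERT, Check Point, Linksys or this site) does the same from any host outside your LAN with a plain TCP connect scan. The port lists are the ones named on this page (80, 443, 8080 and the TR-069 port 7547; 10080 and 52000); the loopback self-test opens a throwaway listener so the classifier can be exercised offline.

```python
import socket

# Ports named on this page: Check Point's Misfortune Cookie list (80, 443, 8080
# and 7547, the TR-069 management port) and the two ports on which the Linksys
# SMART WiFi firmware exposed its admin interface to the WAN.
MISFORTUNE_COOKIE_PORTS = (80, 443, 7547, 8080)
LINKSYS_WAN_ADMIN_PORTS = (10080, 52000)


def probe_ports(host: str, ports, timeout: float = 2.0) -> dict:
    """TCP connect scan. Returns {port: "open" | "closed" | "filtered"}.
    "closed": the host answered with a reset (reachable, nothing listening).
    "filtered": no answer at all, which is what a router's WAN side should
    look like for every port probed here."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:          # timeouts and unreachable networks
                results[port] = "filtered"
    return results


def verdict(results: dict) -> str:
    exposed = sorted(p for p, state in results.items() if state == "open")
    if exposed:
        return "EXPOSED: listener reachable on port(s) " + ", ".join(map(str, exposed))
    return "OK: nothing reachable on the probed ports"


def check_router_from_outside(public_ip: str) -> str:
    """Run this from OUTSIDE your LAN (a VPS, or a phone on mobile data). From
    inside, the probe hits the LAN interface and proves nothing about the WAN."""
    return verdict(probe_ports(public_ip, MISFORTUNE_COOKIE_PORTS + LINKSYS_WAN_ADMIN_PORTS))


def loopback_self_test() -> dict:
    """Offline check of the classifier: a throwaway listener on 127.0.0.1
    (expect "open") next to a port nothing listens on (expect "closed")."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # port freed: connects now get a reset
    try:
        return probe_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    print(loopback_self_test())
```

A "closed" result on the WAN side still tells an attacker the address is live; "filtered" across the board is the goal, and "open" on 7547 means the ISP's management channel is reachable by everyone, not just the ISP.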

NAT-PMP protocol flaws affect over 1 million devices

NAT-PMP Implementation and Configuration Vulnerabilities
by John Hart   from Rapid7   October 21, 2014
Background: NAT-PMP is the Network Address Translation Port Mapping Protocol. It can be found on many routers and other networking devices. NAT-PMP allows LAN-side computing devices to poke a hole in the router's firewall (technically, to send port mapping instructions to the router). NAT-PMP was designed by Apple, which uses it for Back to My Mac. It uses UDP ports 5350 and 5351. NAT-PMP was intended only to be used on the LAN side of a router. As such, it has no authentication at all. Rapid7 Labs scanned the Internet and found 1.2 million devices that responded to NAT-PMP commands. There should not have been any. Internal good. External bad. It's as if a doctor operated on the wrong leg. This illustrates one of the main reasons to avoid all consumer routers: the people writing the software/firmware stink at their job. This is disgraceful. Bad guys can abuse NAT-PMP in five ways: intercept internal NAT traffic, intercept external traffic, access internal NAT client services, denial of service against the device, and information disclosure about the NAT-PMP device. For assorted reasons, Rapid7 did not disclose a list of vulnerable devices. The only defense offered is to disable NAT-PMP. It would also be a good idea to inspect the port mappings in the router every now and then.
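To see how little is needed to talk NAT-PMP, here is an added example (not Rapid7's scanner and not Apple's code) that builds the two request types and parses the replies, following the packet layout of the published protocol (RFC 6886). The harmless opcode-0 "what is your external address?" query is exactly the kind of probe that should never get an answer on a router's public address. The sample replies are constructed byte strings; the 203.0.113.7 address is from a documentation range.

```python
import socket
import struct

NATPMP_PORT = 5351            # the gateway listens here; 5350 carries announcements to clients
NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_external_address_request() -> bytes:
    """Opcode 0 request is just two bytes: version, opcode."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)


def build_map_request(proto_op: int, internal_port: int, external_port: int, lifetime: int) -> bytes:
    """Opcode 1 (UDP) / 2 (TCP): version, opcode, 2 reserved bytes, internal
    port, suggested external port, lifetime in seconds. No credential anywhere."""
    return struct.pack("!BBHHHI", NATPMP_VERSION, proto_op, 0, internal_port, external_port, lifetime)


def parse_external_address_response(data: bytes) -> dict:
    """Reply to opcode 0: version, opcode|128, result, seconds since the
    gateway's epoch, external IPv4 address."""
    version, opcode, result, epoch, addr = struct.unpack("!BBHI4s", data[:12])
    if opcode != OP_EXTERNAL_ADDRESS | 128:
        raise ValueError(f"unexpected opcode {opcode}")
    return {"result": RESULT_CODES.get(result, result), "epoch": epoch,
            "external_ip": socket.inet_ntoa(addr)}


def parse_map_response(data: bytes) -> dict:
    """Reply to opcodes 1/2: version, opcode|128, result, epoch, internal
    port, the external port actually mapped, granted lifetime."""
    version, opcode, result, epoch, iport, eport, lifetime = struct.unpack("!BBHIHHI", data[:16])
    return {"result": RESULT_CODES.get(result, result),
            "protocol": "udp" if opcode == OP_MAP_UDP | 128 else "tcp",
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}


def natpmp_answers(host: str, timeout: float = 2.0):
    """Audit probe: send the opcode-0 query to host:5351/udp and return the
    parsed reply, or None on silence. Pointed at your router's LAN address an
    answer is normal; pointed at its public address from outside, any answer
    is the misconfiguration Rapid7 counted 1.2 million of."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_external_address_request(), (host, NATPMP_PORT))
        try:
            data, _ = s.recvfrom(64)
        except OSError:
            return None
    return parse_external_address_response(data)


# Constructed replies a gateway would send: success, epoch 3600 s, external
# address 203.0.113.7; and a granted TCP mapping 8080 -> 8080 for 7200 s.
SAMPLE_EXTERNAL_ADDRESS_REPLY = struct.pack("!BBHI4s", 0, 128, 0, 3600, socket.inet_aton("203.0.113.7"))
SAMPLE_MAP_REPLY = struct.pack("!BBHIHHI", 0, 130, 0, 3601, 8080, 8080, 7200)
```

Notice that a mapping request carries nothing that identifies or authenticates the sender: whoever can deliver a UDP datagram to port 5351 can open a port on the router, which is why reachability from the WAN is the whole vulnerability.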

Belkin routers could not connect to the Internet for a day

Having problems connecting your Belkin router to the Internet? (They're fixed)
by Mark Hachman of PCWorld October 7, 2014
Several models of Belkin routers refused to connect to the Internet. The problem was likely a "heartbeat" server not responding. This, in turn, caused the routers to think that their connection to the Internet was dead, even though it was fine. In addition, the Belkin website was down. Jan Willem Aldershoff reported that "Belkin routers ping heartbeat.belkin.com frequently to diagnose themselves and also that URL is not reachable."

SEPTEMBER 2014

Guessing the router password, then asking for it

Brazilian, U.S. Web Users Targeted by Router-Hacking Group
By Robert Lemos   September 3, 2014
An email message lures potential victims to an attacker-controlled Website where the bad guys use JavaScript to mount a dictionary attack against the router. The attack does not exploit a vulnerability. It appears to have affected 3,300 victims in three days. If the victim has not changed the default password for their router, the bad guys get in silently. If they can't guess the password, "then the Website will pop up a prompt asking you to enter it manually." Abusing non-techies. When they get in, the bad guys change the DNS servers to point to scam copies of Brazilian bank websites.

Compromised website tries to hack router

Compromised Website Used To Hack Home Routers
by Fioravante Souza   of SucuriLabs group   September 11, 2014
Yet another case of a hacked website trying to change the DNS configuration in a router. It first learns the private IP address of the victim, then guesses the router IP address and brute-forces the router admin credentials. This illustrates how important it is to change the router password.

Two implementations of WPS are extra buggy

Using WPS on your Wi-Fi router may be even more dangerous than you think
by Paul Ducklin   of Sophos   September 2, 2014
I already thought that enabling WPS was pretty darn dangerous since it is quite vulnerable to brute force attacks. In fact, I can not recommend any router that supports WPS. I know, you can disable it, but I would rather not have it installed at all. And now, another reason to avoid WPS. A Swiss researcher, Dominique Bongard, discovered a new problem with it. As with most encryption, WPS depends on random numbers. Bongard found that a couple of firmware implementations make poor choices for their random numbers. This opens up a security hole in the protocol, making it possible to brute force the WPS PIN much faster than before. Vulnerable routers can now be attacked to yield the WPS PIN in seconds. One firmware was an absolute disgrace, using the exact same "random" number every time.
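Why a WPS PIN is so weak even before the D-Link formula (above) or Bongard's bad random numbers come into play, as an added example that is not code from any of the articles: of the eight digits only seven carry information, since the eighth is a checksum fixed by the Wi-Fi Simple Configuration spec, and the registrar exchange confirms the first four digits separately from the last three. The code computes the checksum, validates PINs, lists the 1000 candidates left once the first half is known, and totals the worst-case guesses. The PIN 12345670 is the well-known example value (1234567 plus its checksum digit 0).

```python
def wps_checksum_digit(first7: int) -> int:
    """Checksum that closes an 8-digit WPS PIN: weights 3,1,3,1,3,1,3 applied
    to the seven digits from the right, result padded to a multiple of 10."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True when an 8-digit PIN ends in the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(int(pin[:7]))


def second_half_candidates(first4: str):
    """Once the registrar has confirmed the first four digits, only 1000 PINs
    remain: three free digits and a checksum that is forced by them."""
    for tail in range(1000):
        first7 = int(first4) * 1000 + tail
        yield f"{first7:07d}{wps_checksum_digit(first7)}"


def online_attempts() -> dict:
    """Worst-case guess counts. The protocol reveals whether each half of the
    PIN is right on its own, so the halves are attacked one after the other:
    10^4 for the first, then 10^3 for the second. Had the PIN been verified as
    a whole, the checksum would still leave 10^7 possibilities."""
    return {"split_verification": 10**4 + 10**3, "if_pin_checked_as_a_whole": 10**7}


if __name__ == "__main__":
    print("12345670 valid:", wps_pin_is_valid("12345670"))
    print("candidates once 1234 is known:", len(list(second_half_candidates("1234"))))
    print(online_attempts())
```

11,000 guesses is hours of work against a router that rate-limits nothing, and the randomness flaw Bongard found collapses even that to an offline computation; the MAC-derived PINs in the D-Link item above skip the guessing altogether.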

AUGUST 2014

Two million Netcore/Netis routers hackable through an open UDP port

Netis Routers Leave Wide Open Backdoor
by Tim Yeh   Trend Micro   August 25, 2014
Routers manufactured by Netcore, a popular brand in China, have a wide-open backdoor that can be easily exploited. They are also sold under the Netis brand outside of China. The vulnerability lets bad guys run arbitrary code on the routers. The backdoor is an open UDP port, 53413, reachable from the WAN side of the router. The port is protected by a password, but all Netcore/Netis routers have the same password. Almost all Netcore/Netis routers appear to have this vulnerability. Trend Micro found more than two million IP addresses with the open UDP port, almost all of them in China. This flaw gives an attacker near-complete control of the router.

A hacking contest reveals 15 new router bugs

Fifteen new vulnerabilities reported during router hacking contest
by Lucian Constantin   August 12, 2014
Here is my argument to avoid all consumer routers in a nutshell. Quoting: "... only four of the reported vulnerabilities were completely new. The other ones had been discovered and patched in the past in other router models from the same manufacturers, but the vendors did not fix them in the routers selected for this competition." What a disgrace. These routers were fully compromised: ASUS RT-AC66U, Netgear Centria WNDR4700 (which suffered two separate hacks), Belkin N900, TRENDnet TEW-812DRU and an Actiontec Electronics router used by Verizon. Eleven of the 15 bugs were found by Craig Young of Tripwire.

MAY 2014

Buffalo router with DD-WRT would reboot forever

AirStation AC 1750 DD-WRT Router review
by Dong Ngo of CNET   May 15, 2014
The router in question has its pros and cons, but the Editor's note at the beginning caught my eye: "This review was delayed for a few months due to a bug that would put the router in an infinite boot loop in certain settings, effectively rendering it useless. This bug has now been fixed via a new firmware version." No need to worship at the feet of DD-WRT.

APRIL 2014

Sercomm backdoor is better hidden rather than removed

The SoHo router backdoor that was "fixed" by hiding it behind another backdoor
by Paul Ducklin of Sophos April 23, 2014
A backdoor was found in routers from Sercomm (a.k.a. Netgear, Cisco/Linksys and Diamond) back in December 2013 and got publicity in January 2014. The flaw was supposed to have been fixed in April 2014 with the release of new firmware, but what instead happened was that the backdoor was just hidden better. Really really really well hidden. So well, that at first, it appears to have been removed. And activating the backdoor was made really hard, but, not impossible. The backdoor can no longer be activated over the Internet. Version 2 can only be activated from inside the LAN (does not scale very well) or by your ISP. A reasonable person might assume that ISPs are complicit in spying. If this doesn't get you angry, nothing will. If this doesn't get you to step away from consumer grade routers, nothing will. For more see the January 2014 section below.

Australian ISP configures Netgear gateways so they are totally vulnerable

Default password leaves tens of thousands of Optus cable subscribers at risk
by Ben Grubb of the Sydney Morning Herald   April 4, 2014
Australian ISP Optus has configured thousands of Netgear CG3000v2 devices (they are gateways, combination modem, router and telephone adapter) with the same default password for both SSH and Telnet. Of course, the password was "admin". Customers can't change the password. Optus did this so that they could administer the devices remotely. Netgear wants no part of this, they said they "did not introduce the configuration problem and [they] added that the CG3000v2 modem was only supplied to Optus, not other telcos". An Optus customer could screw with the devices of other customers including: making and receiving phone calls as another customer, seeing someone else's call history, changing Wi-Fi passwords and more.

A ZyXEL N300 NetUSB router has a ton of bugs

ZyXEL Wireless N300 NetUSB Router NBG-419N devices contain multiple vulnerabilities
by an anonymous reporter   April 11, 2014
The buggy router is the ZyXEL Wireless N300 NetUSB NBG-419N running firmware version 1.00(BFQ.6)C0, and possibly earlier versions. Authentication for content located in any subdirectory of the web root may be bypassed. There is a hard-coded password of qweasdzxc (looking at a keyboard will show where this came from). Six different functions are vulnerable to buffer overflows. Four functions are vulnerable to command injection. A LAN-side-only process supports five functions that are vulnerable to command injection. No known workarounds. And, in May 2015, the NetUSB function itself had a security flaw.

Things are bad in router-land

Users face serious threat as hackers take aim at routers, embedded devices
By Lucian Constantin   April 3, 2014
Lead: "Home routers and other consumer embedded devices are plagued by basic vulnerabilities and can't be easily secured by non-technical users, which means they'll likely continue to be targeted in what has already become an increasing trend of mass attacks. Computer OSes have advanced considerably from a security standpoint over the last decade ... However, routers, modems, wireless access points and other plug-and-forget devices have lagged behind as their makers lacked strong incentives to secure them. As a result, those devices can now pose a significant threat to the online security of users ... "

Windows malware targeting routers from TP-Link, D-Link, ZTE and Huawei

Sality malware, growing old, takes on a new trick
By Jeremy Kirk of IDG News April 2, 2014
A botnet has taken on a new trick: brute-forcing routers that have easy-to-guess passwords. The malware behind the botnet, called Sality by ESET, is targeting 14 router models from TP-Link, three from D-Link, two made by ZTE and one from Huawei. If it can log in to the router, it changes the default DNS servers, a popular tactic. If a victim tries to go to Facebook or Google, they get redirected to a fake Chrome browser download page.

SFR (a French ISP) ADSL/Fiber Boxes vulnerable

39 Type-1 XSS in SFR DSL/Fiber Box
By alejandr0   April 1, 2014
According to their website, SFR has over 5 million broadband customers. Type-1 XSS means reflected cross-site scripting; the user has to be logged in to the router for the flaws to be exploited.

MARCH 2014

300,000 routers around the world had DNS servers changed

Hackers hijack 300,000-plus wireless routers, make malicious changes
by Dan Goodin at ArsTechnica March 3, 2014
A report from Team Cymru, an internet security research organization, found routers from D-Link, Micronet, Tenda, and TP-Link were hijacked. That is, they had their DNS servers modified. It is thought that multiple flaws were involved. The telltale sign that a router has been compromised is DNS servers of 5.45.75.11 and 5.45.76.36.

FEBRUARY 2014

Survey: IT folks have vulnerable routers at home

Majority of SOHO Wireless Routers Have Security Vulnerabilities
by Shelley Boose of Tripwire   February 24, 2014
Tripwire studied both IT folks and routers. On the people side, they surveyed 653 IT and security professionals and 1,009 employees who work remotely in the U.S. and U.K. Many of these people had not changed the default passwords on their routers nor the LAN-side IP address. They also failed to upgrade the firmware and to turn off WPS. On the hardware side they say: "Tripwire's Vulnerability and Exposure Research Team (VERT) has analyzed the security provided by the most popular wireless routers used in many small and home offices and found that 80 percent of Amazon's top 25 best-selling SOHO wireless router models have security vulnerabilities. Of these vulnerable models, 34 percent have publicly documented exploits that make it relatively simple for attackers to craft either highly targeted attacks or general attacks targeting every vulnerable system they can find."

More on TheMoon

There is now an exploit for "TheMoon" worm targeting Linksys routers
by Lucian Constantin IDG News Service Feb. 17, 2014
Technical details about a vulnerability in Linksys routers have been released along with a proof-of-concept exploit and a list of potentially vulnerable models. Last week, security researchers from the SANS Institute's Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon. The following models are potentially vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. Belkin, which now owns Linksys, pointed out that the flaw can only be exploited if Remote Management is enabled and that it is disabled by default.

TheMoon malware on Linksys routers

Bizarre attack infects Linksys routers with self-replicating malware
by Dan Goodin of ArsTechnica Feb. 13, 2014
An ongoing attack infects wireless routers from Linksys with self-replicating malware. Johannes B. Ullrich, CTO of the SANS Institute, confirms that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. Virtually the entire Linksys E product line is thought to be vulnerable. The attack begins with a remote call to the Home Network Administration Protocol (HNAP), which allows ISPs to remotely manage routers. Compromised routers remain infected until they are rebooted. The objective behind the ongoing attack remains unclear.

USB storage devices plugged into Asus routers are visible everywhere

Dear Asus router user: You've been pwned, thanks to easily exploited flaw
by Dan Goodin of ArsTechnica Feb. 17, 2014
Plug an external hard drive into the USB port of an Asus router and everyone in the world can read it. The vulnerability was initially disclosed 8 months ago. Researcher Kyle Lovett found the bug and went public with it only after privately contacting Asus and being told the reported behavior "was not an issue." The bug is unauthenticated directory traversal, which results in full disclosure of sensitive files. Affected models are: RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16 and RT-N16R. Asus reportedly patched the vulnerabilities late last week. Note that this relates to bugs in the AiCloud feature and not the insecure defaults for Asus FTP which were reported in January 2014.

DNS hijacking in Poland sends victims to scam banking sites

Large-scale DNS redirection on home routers for financial theft
by CERT Polska, the Polish Computer Emergency Response Team   Feb. 6, 2014
Thousands of home routers in Poland had their DNS settings changed to enable Man-in-The-Middle attacks on the websites of five Polish banks. Specifically, the bad guys added JavaScript that tricked users into giving up their usernames, passwords and TANs [transaction authentication numbers]. Say good-bye to your money. Quoting PC World: "Polish IT security outfit Niebezpiecznik.pl linked the attacks to a vulnerability reported last month in ZyNOS, a router firmware created by ZyXEL Communications that's apparently also used in some router models from other manufacturers including TP-Link, ZTE, D-Link and AirLive. The vulnerability allows attackers to download a file containing the router's configuration without authentication. The file can then be unpacked and parsed to extract the password for the router's administrative interface."

JANUARY 2014

Sercomm flaw, the beginning

Gaping admin access holes found in SoHo routers from Linksys, Netgear and others
by Paul Ducklin of Sophos   January 3, 2014
A backdoor exists in various router products from Sercomm which allows a remote attacker to gain full access to the device. Sercomm produces routers under its own name, as well as building hardware sold under a diverse range of brand names, including 3Com, Aruba, Belkin, Linksys, Netgear and Watchguard. Not all Sercomm-based products use Sercomm's firmware, and not all Sercomm firmware builds include the backdoor. This was discovered by Eloi Vanderbeken, during Christmas 2013. He found a TCP service listening on port 32764. This was ONLY THE BEGINNING! See April 2014 for the conclusion to this.

BrightBox router, provided by EE in the UK, easily hackable

EE BRIGHTBOX ROUTER HACKED - Bares All If You Ask Nicely
by Scott Helme January 14, 2014
Quoting Mr. Helme: "Shortly after having my new fibre broadband installed, I discovered a method to permanently compromise the security of the BrightBox router provided by EE. After a brief period of traffic analysis ... I had found that it is incredibly easy to access sensitive information. This includes the md5 hash of the device admin password and my ISP user credentials, amongst other sensitive data ... this not only leads to a total compromise of the device, but gives an attacker control of your account too." His router was a standard issue from the ISP. As I write this, over a year after the flaw became public, EE still touts this router as "secure". From the LAN, without logging in to the router, merely entering "http://192.168.1.1/cgi/cgi_status.js" yielded all sorts of information about the router. He also found lots of password sloppiness. Back in Jan. 2014 it was estimated that EE had around 714,000 subscribers in the UK.

TP-LINK Routers cough up their passwords

More than 200,000 Algerian TP-LINK Routers are vulnerable to Hackers
by Mohit Kumar of The Hacker News January 15, 2014
Algerie Telecom provides its customers with TP-LINK TD-W8951ND routers that can be remotely exploited. The web page that lets you upgrade the firmware also lets anyone, without a password, download a backup file. The file contains the encrypted administrative password of the router. The password can be decrypted with a free online service.

Asus routers exposing USB devices via insecure FTP

Default settings leave external hard drives connected to Asus routers wide open
by Mikael Ricknas of IDG News Service January 9, 2014
Shared storage that can be remotely accessed via FTP is convenient, but if products aren't configured correctly, personal data can become accessible to anyone with basic technical knowledge. This is what happened on many Asus routers: files on drives connected to the USB port were easily accessible over the Internet. Rather than a bug, this was a case of insecure defaults and miserable documentation. If USB access was configured with an Asus wizard, the end user had three options: "limitless access rights", "limited access rights" and "admin rights". What do these mean? It was none of your business. The default was unlimited access. Anyone who chose "limited access rights" then saw an option to set up a user called "Family", and it was suggested that you use the password "family". Ouch. Asus decided to develop a firmware update with better explanations and more secure defaults. Not mentioned in this article, or any others I saw on the subject, is that FTP transmits passwords in clear text and thus should be avoided altogether. There are secure versions of FTP, however. For real bugs with the AiCloud feature of Asus routers see the bug reports from Kyle Lovett back in June 2013 and July 2013 and an ArsTechnica follow-up in Feb. 2014.


To keep this page small, router bugs from earlier years have been omitted by default.

Last Updated: May 22, 2016 5PM CT
Created: February 4, 2015
Feedback: routers_at_michaelhorowitz.com
Copyright 2015 - 2016