pfSense is no magic bullet
New Features and Changes in v2.2.6
by pfSense December 21, 2015
Lots of bugs were fixed in this release, including: multiple vulnerabilities in OpenSSL, a Local File Inclusion vulnerability in the WebGUI, a SQL Injection vulnerability in the captive portal logout, multiple XSS and CSRF vulnerabilities in the WebGUI and two other captive portal bugs. Unlike consumer routers however, it seems that pfSense includes updated component software, a good thing. For example, it is noted that upgrading the included strongSwan to v5.3.5 fixes several bugs.
NSA and GCHQ target Juniper routers
NSA helped British spies find security holes in Juniper Firewalls
by Ryan Gallagher and Glenn Greenwald of The Intercept December 23, 2015
Quoting: A top-secret document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks ... [this] raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed by Juniper last week ... the agencies found ways to penetrate the NetScreen line of security products, which help companies create online firewalls and virtual private networks, or VPNs ... GCHQ’s capabilities clustered around an operating system called ScreenOS, which powers only a subset of products sold by Juniper ... Juniper’s other products run a different operating system called JUNOS.
High End Routers from Juniper hacked twice
Juniper warns about spy code in
by Jeremy Kirk of IDG News Service Dec. 17, 2015
Two hacks were discovered by Juniper themselves in an internal review. What prompted the review is unknown. The first hack was a hard-coded master password that could allow remote administrative access to a ScreenOS device over Telnet or SSH. The second hack had to do with the random numbers generated by the Juniper VPN server. By making them not-so-random, a spy agency able to monitor Internet backbone traffic could decrypt everything inside the VPN without being detected. The hard-coded master password has been present since 2012 or 2013. Juniper is a very high end company. These attacks show how valuable it can be to gain control over a router.
Multiple bugs in multiple Cisco Routers
Cisco Warning of Vulnerabilities in Routers, Data Center Platforms
by Chris Brook of Kaspersky Threatpost December 9, 2015
Cisco published five advisories, each marked as "medium" severity. The EPC3928 is a wireless residential gateway that does a poor job validating input, which opens it up to XSS attacks. It also has an authentication bug that lets an attacker send a malicious HTTP request to execute some admin functions without authentication. Another residential gateway, the DPQ3925, is vulnerable to a CSRF attack. If a victim clicks on a malicious link, they could submit arbitrary requests to the device via a web browser. Finally, the DPC3939 router has a bug in its web interface that could allow an attacker to execute arbitrary commands on the system.
Linksys ignores router bug report
Linksys routers vulnerable through CGI
by Richard Chirgwin of The Register December 8, 2015
A security company, KoreLogic, has disclosed bugs in the Linksys EA6100-6300 routers. It's not clear to me how many routers are vulnerable. Buggy scripts in the web-based administrative interface provide an attacker with unauthenticated access, which, in turn, lets the bad guy learn the router's administrative password. A very interesting aspect of this bug is the timeline that KoreLogic reported. They submitted the details multiple times to Linksys and never heard back. Thus we learn how much Linksys cares about the security of their routers.
Arris cable modems have backdoors, bugs and hard coded passwords
Backdoor In A Backdoor Identified in 600,000 Arris Modems
by Chris Brook of ThreatPost November 23, 2015
Thousands of Arris cable modems suffer from XSS and CSRF vulnerabilities, hard-coded passwords, and a backdoor in a backdoor. The problems were discovered by Brazilian researcher Bernardo Rodrigues (@bernardomr) who estimates that more than 600,000 externally accessible devices are vulnerable to the backdoor and that TG862A, TG860A, and DG860A modems are all affected. To me, the most important sentence in this article is "Rodrigues claims Arris was less than receptive when he first reported the flaws, but that CERT/CC proved helpful and aided in bringing them to the company's attention". I take this to mean they would have ignored this if they could. Next time I buy a modem, Arris is not on my shopping list. When it comes to the firmware in a modem, we are generally at the mercy of our ISP. The firmware is not something we can update ourselves.
CSRF Bugs in the D-Link DIR-816L Router
D-link wireless router DIR-816L Cross-Site Request Forgery (CSRF) vulnerability
by Bhadresh Patel of HelpAG Nov. 10, 2015
The good news is that cross-site request forgery (CSRF) bugs are hard for bad guys to exploit. A web browser needs to be logged in to the router in one tab while visiting a malicious web page in another tab. In that case, the flaws let bad guys submit commands to the DIR-816L router and gain control of it. A fix is available from D-Link.
600,000 Ubiquiti routers easily hacked - come and get em
The Omnipresence of Ubiquiti Networks Devices on the Public Web
by SEC Consult November 5, 2015
Quoting: "There are ongoing in the wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices ... Most devices are located in Brazil (480,000), Thailand (170,000) and the United States (77,000)..." These flaws have been reported previously but the scope is new. Many ISPs ship Ubiquiti routers with Remote Administration enabled. This opens them up to HTTP/HTTPS and SSH access. Ubiquiti blames the ISPs. If each ISP used a different TCP/IP port and gave customers unique passwords, no big woop. But, no. There are at least 600,000 vulnerable routers on the Internet. They also found 1.1 million Ubiquiti devices using a digital certificate whose private key is easily obtained from the firmware. This makes it easy for bad guys to find vulnerable routers to attack.
Multiple bugs in Cisco devices
Patch Cisco ASA ASAP: DNS, DHCPv6, UDP packets will crash them
by Shaun Nichols of The Register October 23, 2015
Four bugs have been discovered in assorted Cisco routers, firewalls and other hardware in their Adaptive Security Appliance (ASA) line. Exploiting the flaws can render the hardware useless by forcing it to repeatedly reset. Either a specially crafted DHCPv6 packet or a DNS packet can cause the devices to reset. They can also be made to restart with a malicious UDP packet that exploits a flaw in the Internet Key Exchange protocol.
The German government agrees with me
German Govt mulls security standards for SOHOpeless routers
by Darren Pauli of The Register October 21, 2015
The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to mine, the system would give routers points for features that increase security. Sadly, the article says that "Routers that advise users of an available firmware update on login to the web admin interface are winners". So, having a router company email their customers when there is new firmware is something we can't even hope for? What this article does not mention is the background. Germany now (Nov. 2015) requires ISP customers to use a router from their ISP. This law is expected to change in early 2016, thus the need to review the security of newly available routers.
Still more bugs in ZHONE routers
Boffin's easy remote hijack hack pops scores of router locks
by Darren Pauli of The Register October 11, 2015
For the second time this year, Vantage Point has warned of multiple security flaws in routers. The flaws are in Zhone routers provided to customers by an un-named major telco in Singapore. The buggy routers are also used by un-named companies around the world. Among the bugs is a remote zero day exploit that lets a bad guy totally hijack the router. Lyon Yang, who found the flaws, is quoted saying "When the ISP ships the router, it comes with a shitload of vulnerabilities". He also said that the remote hijacking is easily done. In all there are seven vulnerabilities. Interestingly, a remote hijack bug is in the router's ping functionality. Some of the bugs have been patched, but the patches will never get installed. The ISP in question does not give their customers the userid/password needed to logon to the router, so they can't update the firmware.
Multiple bugs in multiple ZyXEL routers
ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities
by CERT October 13, 2015
Vulnerability Note VU#870744. Several ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting. One issue shared by many models is a weak default password of "1234" for the admin account. In the worst case, these bugs can enable a remote unauthenticated attacker to modify the system configuration. The issues were reported to ZyXEL in Aug. 2015 and there are multiple responses. Some routers are too old and won't be fixed. Some bugs have already been addressed with new firmware and other bugs will be fixed later this month.
Multiple Netgear routers vulnerable if WAN administration enabled
Hackers exploiting 'serious' flaw in Netgear routers
by Zack Whittaker of ZDNet October 13, 2015
A techie discovered that his own router had been hacked and that its DNS servers had been changed. The bug has been documented by both Compass Security and Shellshock Labs. It lets a bad guy get full remote unauthenticated root access, if WAN administration is enabled. Netgear released updated firmware for these routers: JNR1010v2, WNR614, WNR618, JWNR2000v5, WNR2020, JWNR2010v5, WNR1000v4 and WNR2020v2. Netgear customers will be informed of the update if they logon to their router, or if they have the Netgear genie app installed.
A good worm infects routers
Home routers "vaccinated" by benign virus
by the BBC October 2, 2015
According to Symantec the Wifatch worm has hardened more than 10,000 home routers against cyber-attacks. Non-techies should say thank you. The worm targets routers that have miserable security to begin with. Wifatch was first discovered in late 2014 and Symantec estimates that it has infected tens of thousands of routers. This is a good thing as Wifatch tries to disinfect routers that have been infected with malware. The source for Wifatch is available and it has no malicious components. In addition, Symantec has been monitoring it for months and has not seen any malicious actions. Heck, Wifatch even leaves a message on the router telling the owner to change the default passwords and update the firmware.
Huawei Bug fixes? Fuggedabowdit
Huawei routers riddled with security flaws won't be patched
by Zack Whittaker at ZDNet October 7, 2015
The Huawei B260a router is widely used by ISPs in Europe and Africa but it's old, so Huawei will not issue bug fixes for it. As I say elsewhere on this site, avoid all hardware from your ISP. Multiple security flaws were discovered by Pierre Kim. The flaws are as bad as it gets, allowing for overwriting the router firmware without authentication. The flaws are not limited to a single model (they never are); other devices in the B-series and E-series product lines are also buggy.
Bugs in the Huawei E3272 4G USB Modem
Remote code exec hijack hole found in Huawei 4G USB modems
by Darren Pauli of The Register October 7, 2015
OK, it's a modem rather than a router, but I felt it was close enough to include here. Timur Yunusov and Kirill Nesterov of Positive Technologies found both a remote execution flaw and denial of service vulnerabilities in the Huawei E3272 4G USB modem. Exploiting the bugs gives bad guys pretty much everything. The researchers report that "By exploiting detected flaws, an intruder can gain rights on a remote modem, take control over the computer connected to the vulnerable modem, and obtain access to the subscriber's account in the mobile operator's portal". In addition there are SMS attacks on the SIM card. The good news is the bugs have been fixed. The bad news is that I didn't see a link to updated firmware.
Cisco business routers hacked
slip rogue, backdoored firmware onto Cisco routers
by Lucian Constantin of IDG News Service September 15, 2015
Researchers from Mandiant have detected Cisco routers running malicious firmware. These are business routers, so this story does not really belong on this page, but it further illustrates the importance of router software. The attack, known as SYNful Knock, was found on 14 Cisco 1841, 8211 and 3825 routers in four countries. It is thought that rather than abusing a bug, the software was installed using stolen or default passwords. That Cisco has default passwords is disgraceful; even some consumer routers force you to choose a password at first boot.
Five bugs in the Belkin N600 DB router
Belkin Wi-Fi routers plagued by unpatched security flaws
by Lucian Constantin of IDG News Service September 1, 2015
The Belkin N600 DB router contains five bugs for which there are no practical work-arounds and, as yet (11 days after the first report), no fixes either. In fact, the Belkin website has nothing on the problem. I take that as all I need to know about using Belkin routers. In fairness, they did tell one reporter that they are working on fixes. As for the bugs themselves, one is a poor implementation of DNS which lets a man-in-the-middle (MITM) attacker respond to DNS queries and thus redirect victims to malicious websites. The router also checks for new firmware using HTTP, which can be manipulated by a MITM attacker. On the LAN side, the N600 does not, by default, require a password for accessing the management interface. And, even if you set a password, an attacker on the LAN can log in to the router without knowing the password. This is due to the router using client side authentication. In addition, it is vulnerable to CSRF attacks on the LAN side. In my opinion, anyone using this router should just throw it away.
More routers with hidden admin accounts
Some routers vulnerable to remote hacking
by Lucian Constantin of IDG News Service August 27, 2015
Quoting: "Several DSL routers from different manufacturers contain a guessable hard-coded password that allows the devices to be accessed with a hidden administrator account ... the affected device models are: Asus DSL-N12E, Digicom DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and ZTE ZXV10 W300 ... For most of the routers, the username corresponding to the hard-coded password is admin, while for the PLDT SpeedSurf 504AN it's adminpldt ... The vulnerability is not new and was independently reported by separate researchers in 2014 for the ZTE ZXV10 W300 and in May for the Observa Telecom RTA01N." The passwords are different for each device and include the last four characters of the MAC address but this can be obtained. Telnet provides access to the routers.
Insecure routers being used for DDoS attacks
are using insecure routers and other home devices for DDoS attacks
by Lucian Constantin of IDG News Service August 18, 2015
"Attackers are taking advantage of home routers and other devices that respond to UPnP (Universal Plug and Play) requests over the Internet in order to amplify distributed denial-of-service attacks. A report released Tuesday by cloud services provider Akamai Technologies shows that the number of DDoS attacks is on the rise." Akamai points out that very few organizations have the infrastructure necessary to deal with DDoS attacks, and, of course, they sell the cure. SYN floods and Simple Service Discovery Protocol (SSDP) reflection were the most popular DDoS vectors. The use of SSDP for DDoS started in the last quarter of 2014. SSDP is part of UPnP which was intended to be used on Local Area Networks only. Despite this, many routers and other devices respond to SSDP queries over the Internet. How many? According to the Shadowserver Foundation, there are roughly 12 million IP addresses on the Internet that have an open SSDP service. You can't make this stuff up. You can test your router, from the inside, by visiting upnp-check.rapid7.com. A good result looks like this.
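The SSDP reflection Akamai describes is visible from the reflector's own network: a device answers UPnP discovery queries on UDP port 1900 and the replies leave for Internet addresses. The checker below is an added example for this page (not code from Akamai, Shadowserver or Rapid7); it reads constructed flow-log lines, keeps only UDP traffic from port 1900 and reports replies sent to non-LAN destinations with a rough amplification figure. The log format, the sample addresses and the 100-byte M-SEARCH estimate are assumptions made for the example.

```python
"""SSDP reflection check over UDP flow records (added example, constructed data).

Keeps UDP traffic *from* port 1900 (SSDP replies) and reports replies that
leave for Internet addresses, which is what a router abused as a DDoS
reflector looks like from its own network. Line format is an assumption:
    <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
"""
import ipaddress
import re
from collections import defaultdict

SSDP_PORT = 1900

# Networks an SSDP reply may legitimately go to: RFC 1918 LANs, loopback,
# link-local and multicast (239.255.255.250 is the SSDP group). Listed
# explicitly rather than via ipaddress.is_private, because that also treats
# the RFC 5737 documentation ranges used in the sample below as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

# Size of a minimal M-SEARCH request, used to estimate how many response
# bytes a reflector returns per request byte (constructed estimate).
MSEARCH_BYTES = 100

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<bytes>\d+)\s*$"
)


def parse_flow(line):
    """Parse one flow line into a dict, or return None for malformed input."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"].upper(),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def is_internal(ip):
    """True if ip lies in a range where SSDP traffic is meant to stay."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_reflections(lines):
    """Group SSDP replies that left for Internet hosts, keyed by the replying device."""
    hits = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "UDP" or f["sport"] != SSDP_PORT:
            continue            # not an SSDP reply; ignore
        if is_internal(f["dst"]):
            continue            # LAN or multicast destination; expected behaviour
        hits[f["src"]].append(f)
    return dict(hits)


def summarize(hits):
    """Per device: reply count, bytes sent, distinct targets, amplification."""
    report = {}
    for device, flows in hits.items():
        total = sum(f["bytes"] for f in flows)
        report[device] = {
            "replies": len(flows),
            "bytes": total,
            "targets": sorted({f["dst"] for f in flows}),
            # bytes the target received per byte the attacker had to send
            "amplification": round(total / (MSEARCH_BYTES * len(flows)), 1),
        }
    return report


# Constructed sample: one router (WAN side 198.51.100.7) answering two
# Internet hosts, plus normal LAN discovery traffic that must not be flagged.
SAMPLE_FLOWS = [
    "2015-08-18T10:00:01 UDP 192.168.1.20:50123 -> 239.255.255.250:1900 98",
    "2015-08-18T10:00:01 UDP 192.168.1.1:1900 -> 192.168.1.20:50123 331",
    "2015-08-18T10:00:02 UDP 198.51.100.7:1900 -> 203.0.113.5:40000 331",
    "2015-08-18T10:00:02 UDP 198.51.100.7:1900 -> 203.0.113.5:40000 302",
    "2015-08-18T10:00:02 UDP 198.51.100.7:1900 -> 203.0.113.9:40000 331",
    "2015-08-18T10:00:03 TCP 198.51.100.7:1900 -> 203.0.113.5:40000 60",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for dev, info in summarize(find_reflections(SAMPLE_FLOWS)).items():
        print(f"{dev}: {info['replies']} SSDP replies to Internet hosts "
              f"{info['targets']}, ~{info['amplification']}x amplification")
```

Real SSDP amplification is larger than the per-reply figure here because a single M-SEARCH can draw one reply per advertised service; the check is about whether replies leave the LAN at all.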
Trojan for Linux infects routers
New Trojan for Linux infects routers
by Doctor Web security researchers August 4, 2015
"The Trojan named Linux.PNScan.1 can infect devices with ARM, MIPS, or PowerPC architectures. Using this and other dangerous applications uploaded by Linux.PNScan.1 to the compromised device, cybercriminals can ... brute-force authentication credentials to get unauthorized access to various devices and servers via the SSH protocol." The attack starts by brute forcing router passwords. The malware attacks Linksys routers trying to exploit a vulnerability in HNAP (Home Network Administration Protocol) and the CVE-2013-2678 vulnerability. It also exploits ShellShock and a vulnerability in Fritz!Box routers. An infected router can launch various DDoS attacks (including ACK Flood, SYN Flood, and UDP Flood) and execute intruder-issued commands.
Bug fix issued for Cisco ASR 1000 routers
Cisco Fixes DoS Vulnerability in ASR 1000 Routers
by Dennis Fisher of Kaspersky July 30, 2015
A bug in the way Cisco ASR 1000 routers handle fragmented packets can cause a Denial Of Service. The ASR 1000 line of routers is designed for enterprise and service provider environments. The bug affects IOS XE versions 2.1, 2.2, 2.3, 2.4, and 2.5. It is fixed in version 2.5.1. Versions 2.6 and 3.x are not vulnerable.
Huge number of TotoLink router bugs
TotoLink Routers Plagued By XSS, CSRF,
by Chris Brook of Kaspersky ThreatPost July 16, 2015
There are a large number of bugs in a large number of TotoLink routers. It's a lot to keep track of.
"Nearly 20 different routers made by the electronics company TotoLink contain multiple remote code execution bugs, suffer from XSS and CSRF vulnerabilities, and contain backdoor credentials". The remote code execution flaws affect 15 different TotoLink products and let an attacker bypass authentication using either HTTP or DHCP. This can be used to install hacked firmware on the routers. A different problem, a backdoor, affects nearly 50,000 routers and makes them vulnerable on the WAN side. Four other routers suffer from a different backdoor, one that gives a LAN side attacker root privileges. The CSRF and XSS attacks affect the iPuppy, iPuppy3, N100RE, and N200RE models. TotoLink released new firmware on July 13th to fix some of these problems, but not nearly all. The bugs were discovered by Pierre Kim and Alexandre Torres. According to Kim, TOTOLINK is a brother brand of ipTIME which wins over 80% of SOHO markets in South Korea.
Multiple ipTIME router flaws
By Pierre Kim July 1, 3, 5 and April 20, 2015
Mr. Kim has written four blog postings (below) with details on assorted flaws in ipTIME routers. According to Kim, there are about 10 million ipTIME devices in South Korea. The July 6th writeup details a vulnerability in 127 routers that allows a LAN side user to send a single HTTP request that will bypass the admin authentication and allow complete root access. The July 3rd writeup is about the ipTIME n104r3 but Kim says it is likely to affect other models too. CSRF and XSS flaws allow a LAN side attacker to take over most of the configuration and settings. For example, the attacker can turn on remote management, change DNS servers, update the firmware and more. The July 1st writeup offers sample exploit code for the 127 devices running ipTIME firmware prior to v9.58. They are vulnerable to a remote code execution flaw which gives the attacker root access. The April 20th writeup seems to be the first report of the LAN side remote control vulnerability with a single HTTP request.
DDoS attacks abuse ancient RIP v1 protocol
abuse legacy routing protocol to amplify DDoS attacks
by Lucian Constantin of IDG News July 2, 2015
"DDoS attacks observed in May by the research team at Akamai abused home and small business (SOHO) routers that still support Routing Information Protocol version 1 (RIPv1). This protocol is designed to allow routers on small networks to exchange information about routes. RIPv1 was first introduced in 1988 and was retired as an Internet standard in 1996..." Attackers used about 500 SOHO routers to reflect and amplify their malicious traffic.
Akamai found 53,693 devices online that support RIPv1. Some had their web UI exposed to the Internet, allowing Akamai to identify the make/model. Around 19,000 were Netopia 3000 and 2000 series DSL routers distributed by ISPs. More than 4,000 were ZTE ZXV10 ADSL modems.
Hacked routers serving up Windows malware
Crooks Use Hacked Routers to Aid
by Brian Krebs June 29, 2015
Quoting: "New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware ... Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim's credentials and send them to the attackers ... researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers - particularly routers powered by MikroTik and Ubiquiti's AirOS." It is not known if vulnerabilities in the firmware are being exploited or whether defaults passwords are at fault. This sounds much like the botnet discovered by Incapsula in May 2015 (see below), in part, because a "disturbing number" of the hacked routers had the telnet port open.
Linksys router turns off WiFi when you plug something into the USB port
WRT1200AC dual-band gigabit Wi-Fi router
by Jon Andrews of WeGotServed June 18, 2015
Quoting: "I had a number of issues sharing data ... whenever I plugged in an external drive, the WRT1200AC's wireless signal completely cut out. I tried a reboot of both the router and the PCs I was trying to work from but it didn't make any difference. As soon as I disconnected the external hard drive (in this instance it was a 2 TB external USB 3.0 powered drive formatted in NTFS) the Wi-Fi came back to life. Even with the latest firmware onboard, the WRT1200AC suffered from what looks like a pretty nasty bug." No mention in the article about the other issues sharing data.
22 routers examined -> 60 bugs found
More than 60 undisclosed vulnerabilities affect 22 SOHO routers
by security researchers doing an IT Security Masters Thesis at Universidad Europea de Madrid May 28, 2015
The routers were from Observa Telecom, Comtrend, Belkin, D-Link, Sagem, Linksys, Amper, Huawei, Zyxel, Astoria and Netgear.
14 of the bugs are Universal Plug and Play (UPnP). Not bugs in UPnP, just its existence. While I agree, in concept, that UPnP is bad for security, and I recommend turning it off in a router, counting it as a vulnerability is a matter of opinion. To me, this is really 46 bugs.
An information disclosure bug was found in the D-Link DSL-2750B, a wireless ADSL2 gateway. The device coughs up critical information to anyone who knows to try http://<router-LAN-IP>/hidden_info.html, substituting the LAN side IP address of the device. All D-Link owners should test this. The report does not say if this works on the WAN side too.
Four routers from three different companies have a USB Device Bypass Authentication flaw which has nothing to do with the NetUSB flaw. Quoting "An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router ... In order to do so, the attacker only needs to access the router IP followed by the 9000 port". You can test if a router has port 9000 open on the WAN side here: grc.com/x/portprobe=9000.
Two Huawei routers have a Bypass Authentication flaw. Quoting "An external attacker, without requiring any login process, is able to reset the router settings to default ones ... an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials". Ouch.
The Observa Telecom RTA01N has a hidden admin user. Quoting "In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it does only appear into the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet". The report does not say if disabling remote administration defends against this.
Still another attack on routers with default IPs and passwords
Changer Malware Sets Sights on Home Routers
by Fernando Merces of Trend Micro May 28, 2015
Nothing very new here. Trend Micro found malicious websites, mostly in Brazil, that run a brute-force attack script against a router to change the DNS servers. Quoting: "While this type of malware is not new, we've been seeing a growing number of links in phishing attacks in Brazil."
Moose worm attacks miserably defended devices
Moose - the router worm with an appetite for social networks
by Graham Cluley writing for ESET May 26, 2015
ESET researchers discovered a new worm, they call Linux/Moose, that infects routers in order to commit social networking fraud. The worm also infects other Linux-based devices and eradicates existing malware infections on the devices. It could potentially be used for DDoS attacks, network exploration, eavesdropping and DNS hijacking. It was first detected in July 2014. ESET researchers were unable to make a reliable estimate of the number of affected routers. They did confirm that these companies' products were affected: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone. The worm spreads by compromising systems with weak or default credentials. No vulnerabilities are exploited, so it should be easy to defend against simply by changing default passwords. It gets in via Telnet on port 23, so ensure that port 23 is closed or stealthed using the common ports scan of Shields UP! It also uses port 10073, which you can test here: https://www.grc.com/x/portprobe=10073.
A web based (CSRF) router attack that changes DNS servers
An Exploit Kit dedicated to CSRF
by Kafeine an independent security researcher May 22, 2015
Yet another web based attack, delivered by either a compromised website or a malicious ad, designed to replace the DNS servers used in a router. The malware looks for any of 55 routers from a dozen vendors including: Asus, Belkin, D-Link, Edimax Technology, Linksys, Medialink, Microsoft, Netgear, Shenzhen Tenda Technology, TP-Link, Netis Systems, Trendnet, ZyXEL and HooToo. It uses both known flaws (command injection vulnerabilities) and a dictionary attack with common administrative credentials. This seems to be widely used; on May 9, 2015 the command and control center was visited almost a million times. Slow days in the first week of May saw roughly 250,000 unique visitors a day. It has been found in the U.S., Russia, Australia, Brazil, India and other countries. As with other DNS changing malware, the bad DNS server is placed first, backed up by a Google public DNS server. This lets infected routers continue to function normally even if the malicious DNS server is taken off-line.
NetUSB flaw is industry wide (possibly millions of routers are vulnerable)
KCodes NetUSB: How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide
by the SEC Consult Vulnerability Lab May 19, 2015
There is a bug/vulnerability in a software component called NetUSB. Quoting: "NetUSB is a proprietary technology developed by the Taiwanese company KCodes, intended to provide 'USB over IP' functionality. USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated 'USB over IP' box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005). The client side is implemented in software that is available for Windows and OS X ... The user experience is like that of a USB device physically plugged into a client system." If the NetUSB server is given data longer than it expects, it suffers a stack buffer overflow. 26 companies are thought to use the NetUSB software. SEC Consult tested routers from five of these companies: D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL. They found 92 products contained the NetUSB software. They did not test products from the other 21 companies. It seems to be mostly, but not exclusively, a LAN side issue. Quoting again: "While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet." Sometimes NetUSB can be disabled via the web interface, sometimes not. On NETGEAR routers the only defense is to buy a new router. KCodes was not helpful when contacted by SEC Consult. TP-LINK was the best at fixing the problem. By far.
An example of what malicious DNS servers can do
Router Attack Displays Fake Warning Messages
by Jaydeep Dave of Trend Micro May 20, 2015
This blog offers an example of what malicious DNS servers might do - get the victim to call an 800 number for tech support that is not needed. The author works for Trend Micro and found his home router was using malicious DNS servers. How it happened, he doesn't know. The advice offered is lame, basically just plugs for their products.
Routers with default passwords hacked up the wazoo
Malware infected home routers used to launch DDoS attacks
by Lucian Constantin of IDG News Service May 12, 2015
ISPs in Thailand and Brazil seem to be distributing insecure routers to their customers. Not only are they configured with default passwords, they are also accessible from the Internet using both HTTP and SSH. In a new report, Incapsula found thousands of these routers infected with multiple copies of malware. The headline in the media was that Anonymous was using the router botnet for DDoS attacks. The report says that it is likely more than one group had infected the routers with malware.
Not all router bugs are security related
turning it off and on really is the best fix
by Dwight Silverman of the Houston Chronicle May 6, 2015
The tech blogger has a MacBook Pro and a Mac mini. The mini has problems. Two different instant messaging services are failing with a network error. And, Microsoft's OneDrive doesn't think it has an Internet connection. Other cloud storage apps such as Google Drive and Dropbox work fine. The same apps on the MacBook Pro work fine. The apps are configured the same on each machine. The light at the end of the tunnel comes when he connects the problematic Mac mini to a different WiFi network and everything works fine. The problem was his network. Re-booting the router, a Linksys WRT1900AC, fixes everything. What happened? A techie suggests a "bad NAT implementation in consumer router product". I can believe this based on my own experience, years back, with a consumer router. Every now and then all websites would fail to load. Email, and any other Internet traffic, worked fine. In my case too, rebooting the router fixed it.
Pixie Dust expands attacks on WPS
Security Now! Episode 506
by Steve Gibson of GRC May 5, 2015
Software has been released, dubbed Pixie Dust, that exploits a flaw in three implementations of WPS. The protocol is bad enough by itself, even if programmed perfectly. In three cases, the programming is not done well and thus WPS can be broken in seconds. Passwords? We don't need no stinking passwords. This research was first reported in Aug. 2014 by Dominique Bongard (see below). Flaws have been found in hardware from Ralink, Broadcom, and Realtek. Similar coding flaws in WPS implementations were found by Craig Heffner in Oct. 2014 (see below). As I say elsewhere on this site, do not use any router that supports WPS.
Hacking Netgear routers to upload malicious firmware
Broken, Abandoned, and Forgotten Code, Part 1
by Zachary Cutlip April 23, 2015
Quoting: "This series of posts describes how abandoned, partially implemented functionality can be exploited to gain complete, persistent control of Netgear wireless routers ... I'll describe the process of specially crafting a malicious firmware image and a SOAP request in order to route around the many artifacts of incomplete implementation in order to gain persistent control of the router ... An unauthenticated firmware upload is an opportunity to persist undetected on the gateway device for months or even years ... Universal Plug and Play services on SOHO routers make for a nice attack surface ... " The primary router tested was the Netgear R6200. Preliminary analysis of other devices, including the R6300 v1, indicates presence of the same vulnerabilities. The only tested firmware was v220.127.116.11.
Realtek SDK: Yet another industry-wide flaw leaves routers vulnerable to remote hacks
No patch for remote code-execution bug in D-Link and Trendnet routers
by Dan Goodin of Ars Technica Apr 28, 2015
Routers from D-Link, Trendnet and untold other vendors can be remotely hacked. Without needing a password, bad guys can execute arbitrary code on the routers. Vulnerable routers use the Realtek software development kit. The bug is a failure to sanitize user data by the miniigd SOAP service. Not bad enough? The bug was found by security researcher Ricky "HeadlessZeke" Lawshae and reported to HP's Zero Day Initiative (ZDI) in August 2013. HP then tried, many times, to report the bug to Realtek. Twenty months later, there is still no fix.
Three bugs in the Netgear WNR2000v4 router
by email@example.com April 21, 2015
NCC Service Command Injection flaw in several routers
D-Link/TRENDnet NCC Service Command Injection
by Michael Messner, Peter Adkins and Tiago Caetano Henriques of Packet Storm April 16, 2015
There is a remote command injection vulnerability in several routers. The vulnerability exists in the ncc service, while handling ping commands. Several D-Link and TRENDnet devices are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A) v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03, and TRENDnet TEW-731BR (Rev 2) v2.01b01.
D-Link screws up fixing their bugs
D-Link: sorry we're SOHOpeless
by Richard Chirgwin of The Register April 21, 2015
Quoting: "D-Link's SOHOpeless HNAP vulnerability has not been fixed, but readers will be pleased to know that the company is very, very, very sorry that it exists. The company issued a patch on April 10 for its design-over-substance AC3200 series routers, but that "fix" blew a hole in the device's authentication routines. Tactical Network Solutions' Craig Heffner called out the error, saying that 'this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions ...'" In all, 17 D-Link routers are buggy.
Multiple D-Link devices can be exploited via HNAP
Hacking the D-Link DIR-890L
by Craig Heffner at devttys0.com April 10, 2015
The D-Link DIR-890L is a new top-of-the-line $300 router with every feature a router could possibly have, including a software bug. The flaw is in the validation of HNAP requests. A malicious SOAPAction header can be used to pass arbitrary commands to the router. A telnetd command, for example, can spawn a telnet server that provides an unauthenticated root shell. If remote administration is enabled, the flaw can be exploited remotely. The bug has been confirmed in both the v1.00 and v1.03 firmware. Other D-Link devices are also vulnerable including: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR and TEW-733GR.
Multiple TP-LINK routers leak sensitive files to unauthenticated users
Unauthenticated Local File Disclosure
by Stefan Viehbock of SEC Consult Vulnerability Lab April 10, 2015
The good news here is that TP-LINK responded, when notified of the flaw, and issued updated firmware in a timely manner. Quoting: "Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed." The fix for the flaw was available when the problem was made public. Vulnerable routers were TP-LINK Archer C5, Archer C7, Archer C8, Archer C9, TL-WDR3500, TL-WDR3600, TL-WDR4300, TL-WR740N, TL-WR741ND, TL-WR841N, TL-WR841ND.
Another case of breaking WPS in seconds
Reversing Belkin's WPS Pin Algorithm
by Craig Heffner at devttys0.com April 10, 2015
WPS is a security disaster. Given a few hours, any router with WPS enabled can be hacked into. There are so few pin codes that it's just a matter of time (typically 10 hours) to guess them all, assuming the bad guy knows nothing about the WPS pin code. Looking at the firmware, Craig Heffner found that on many Belkin routers, the WPS pin code is derived from the LAN MAC address and the serial number of the router. That could make it reasonably random, but there is a fatal flaw: 802.11 probe response packets include the serial number in the WPS information element. Since WiFi probe request/response packets are not encrypted, a single probe provides all the inputs to the formula that creates the WPS pin code. 24 Belkin routers were tested and 80% of them were using the algorithm Heffner found in the firmware for their WPS pin code. These routers can now be hacked, via WPS, in seconds: F9K1001v4, F9K1001v5, F9K1002v1, F9K1002v2, F9K1002v5, F9K1103v1, F9K1112v1, F9K1113v1, F9K1105v1, F6D4230-4v2, F6D4230-4v3, F7D2301v1, F7D1301v1, F5D7234-4v3, F5D7234-4v4, F5D7234-4v5, F5D8233-4v1, F5D8233-4v3 and F5D9231-4v1. And, this is not limited to Belkin, it appears to be specific to Arcadyan, an ODM for many companies.
Arris/Motorola SURFboard SBG6580 Series gateways have 3 flaws
CSRF, Backdoor, and Persistent XSS
on ARRIS / Motorola Cable Modems
by Tod Beardsley of Rapid7 April 8, 2015
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary website to take control of the modem, even if the user is not currently logged in. These bugs were discovered by independent security researcher Joe Vennix. Although the article refers to the SURFboard SBG6580 as a "modem" it is, in fact, a gateway device. That is, it combines the functions of both a router and a modem. It also refers only to the "web interface" of the device without differentiating between LAN and WAN side access, so it's not clear if the device can be remotely exploited. It seems that all exploits are LAN side. Reading between the lines, it also seems that Arris never responded to the bug reports. The timeline says that they were contacted roughly 2.5 months prior to public disclosure of the flaws and then nothing about their response. The workarounds do not say to upgrade the firmware, so I have to guess that Arris blew the guy off. Keep this in mind the next time you shop for an Arris/Motorola device. The backdoor flaw is a hard-coded userid/password for logging in to the device. Userid: technician Password: yZgO8Bvj. Anyone taking my recommendations would have been immune to this attack as it requires knowing the LAN side IP address of the router.
Bell routers in Canada have guessable WiFi passwords
Bell's Default Password
Policy Leaves Tens of Thousand of Users Exposed
by Viktor Stanchev April 6, 2015
The default WiFi passwords, set by Canadian ISP Bell on their gateway devices, are short enough that they can be brute forced in a few days. Reminds me of WPS. The passwords are 8 hex characters. With hashcat and good hardware the password could be brute forced in less than 12 hours. Stanchev used lower end hardware which took him 3 days. This is not the first issue with default WiFi passwords set by an ISP. You should change all default passwords set by your ISP. Better yet, don't use any hardware from an ISP.
Hotel router rsync flaw - Things do not get much worse than this
Wi-Fi router security hole: will this be the Ultimate Pwnie Award Winning Bug for 2015?
By Paul Ducklin of Sophos March 30, 2015
This is as bad as a bug can get - simple to exploit and unlimited in what it lets a bad guy do. ANTlabs InnGate devices are routers used by hotels and convention centers to run guest/visitor networks. They have a misconfigured rsync service that lets a bad guy connect to TCP port 873 using rsync and then read and write any file on the device. No password needed. There is no end to the number of bad things an attacker might do. The flaw was discovered by Justin W. Clarke of Cylance Inc. Scanning the Internet, Cylance found 277 InnGate devices in 29 countries. They found vulnerable devices belonging to 8 of the world's top 10 hotel chains. This is, however, the tip of the iceberg as vulnerable devices behind a firewall can likely be exploited from the hotel's local network. A fix was issued by ANTlabs at the time the flaw was made public. The defense here is nothing new: when traveling always use a VPN. Period.
Google Analytics abused to inject ads and porn
Ad-Fraud Malware Hijacks Router DNS - Injects Ads Via Google Analytics
by Sergei Frankoff of Sentrant (previously Ara Labs) March 25, 2015
Vulnerable D-Link DSL routers in the UK
Some UK TalkTalk
D-Link DSL-3680 Routers Vulnerable to DNS Hijack
By Mark Jackson of ISPreview March 27, 2015
A couple of TalkTalk customers noticed that the DNS servers in their D-Link routers had been changed. The problem affects model DSL-3680 with remote administration enabled. Exploiting the routers is trivially easy, all you need to know is a secret URL and the public IP address of the router. Quoting: "The exploit appears as if it could stem from a vulnerability that we first reported on in January 2015 (here), which affected a number of D-Link routers, although D-Link has been hit by similar exploits over the past few years and so it is hard to know which one is the actual culprit. On top of that D-Link appears to be of the viewpoint that the 3680 is not vulnerable to such an attack, yet the code used to perform it is almost identical to the one we covered earlier this year."
Multiple bugs in multiple ADSL routers
At least 700K routers given to customers by ISPs can be hacked
By Lucian Constantin IDG News Service March 19, 2015
Quoting: "More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Most of the routers have a "directory traversal" flaw...that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models. Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers ... On some devices, downloading the config.xml file doesn't even require a directory traversal flaw; just knowing the correct URL to its location is enough ... around 60 percent have another flaw, a hidden support account with an easy-to-guess hard-coded password."
These routers were only discovered because they can be attacked remotely. Others may be vulnerable from the LAN side. Among the vulnerable devices are routers from ZTE, D-Link, Sitecom, FiberHome, Planet, Digisol and Observa Telecom. The vast majority of buggy routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics. Attempts to notify the company went unanswered.
D-Link and TRENDnet bugs getting fixed
Security Advisory SAP10052
by D-Link initial: March 2, 2015 updated: March 16, 2015
There are three separate bugs, see the Feb. 2015 section below, the item attributed to Peter Adkins. One flaw allows unauthenticated access from the local network; if remote administration is enabled, the same flaw also allows unauthenticated access remotely. The third bug is a drive-by CSRF. The affected routers are: D-Link DIR-636L, D-Link DIR-808L, D-Link DIR-810L, D-Link DIR-820L, D-Link DIR-826L, D-Link DIR-830L, D-Link DIR-836L and the TRENDnet TEW-731BR. Other models thought to be affected: D-Link DIR-651, TRENDnet TEW-651BR, TRENDnet TEW-652BRP, TRENDnet TEW-711BR, TRENDnet TEW-810DR and the TRENDnet TEW-813DRU.
Yet another attack on router passwords
Snoops Through Your Home Network
by Kenney Lu of Trend Micro March 9, 2015
New malware, detected as TROJ_VICEPASS.A, pretends to be an Adobe Flash update. When run, it attempts to connect to the router using a pre-defined list of user names and passwords. It does not limit itself to just the default userids and passwords of common routers. The full list is in the article. If the malware can get into the router, it scans the network looking for connected devices, sends this data back to the mother ship and then deletes itself. It does not detect the IP range of the router, instead it scans only 192.168.[0-6]. For each of these 7 networks it only looks for a final digit between 0 and 11. So, as advised elsewhere on this website, using a non-standard range of IP addresses would have foiled this. Also note that better routers let you change both the userid and the password. Less secure routers only let you change the password.
Security in routers stinks - and some reasons why
Broadband routers: SOHOpeless and vendors don't care
by Darren Pauli March 5, 2015
"Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing." First rule of doing a bad job: say nothing -- The Register received no response from major router vendors when it asked about the lack of security in their products. One good point made here is that features are a common enemy of security.
Routers from multiple companies have a back door
Rogue Router Firmware Chaos Backdoor
by Bijay Limbu Senihang February 22, 2015
Even after changing the router password, you can still log in with userid "super" and password "super" to routers from these companies: TrendNet, Digicom, Alpha Network, Pro-Link, Planet Networks, Bless, Realtek, Blue Link and SmartGate. This is exploitable over the Internet as shown in this video.
CSRF flaw in multiple D-Link and TRENDnet routers
D-Link / TRENDnet ncc2 CSRF
/ Unauthenticated Access
by Peter Adkins February 27, 2015
"D-Link initially responded on their security contact within a week. However, after I had provided write-ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last ditch effort to reestablish contact, however I was linked back to the same security reporting process I had followed initially."
In other words: go away kid, don't bother me.
Brazilian attack on default passwords
Spam Uses Default Passwords
to Hack Routers
by Brian Krebs February 26, 2015
Security firm Proofpoint has detected malicious emails targeting Brazilian Internet users. The emails appear to come from a Brazilian ISP and the scam has to do with an unpaid bill. The emails exploit known vulnerabilities in routers from UT Starcom and TP-Link to change the DNS servers, a very common thing for bad guys to do. An interesting wrinkle is that instead of providing two malicious DNS servers they only provide one and set Google's public DNS (18.104.22.168) as the secondary.
Three Singapore routers vulnerable to multiple flaws
Up to 32,000 could
be affected by wireless router vulnerabilities: Security firm
By Kevin Kwang Feb 26, 2015
Security company Vantage Point reports that three routers have "critical vulnerabilities". Zhone routers have three types of flaws: Remote Code Execution, Privilege Escalation and Admin Password Disclosure. An Aztech router is vulnerable to Remote Command Injection. An Asus router is vulnerable to Authentication Bypass and Cross-Site Scripting. There are no known attacks so far. Up to 32,000 subscribers in Singapore may be vulnerable. The most interesting part of the article is a quote from the researcher that discovered the bugs: "There are many routers with many different kinds of firmware on the market. The problem is that when the firmware is developed in-house by the vendor, security is often an afterthought". This supports my recommendation to avoid all consumer class routers.
Netgear routers FTP flaw
of Netgear routers accessible via FTP by anyone - second issue in a week
by Jan Willem Aldershoff February 24, 2015
Quoting: "Thousands of Netgear routers with Network Attached Storage (NAS) can be freely accessed by anyone without permission of the owner. Netgear's WNDR4700 routers run an outdated version of the ProFTPd FTP server which not only allows logging-in anonymously, but also contains a vulnerability that allows an attacker to remotely execute code on the router ... By simply logging in anonymously with an FTP client an attacker (and pretty much anyone who knows how to work with an FTP client) can get full write and read permission."
This is the only article on the topic I have seen. It's not clear whether other Netgear routers are also vulnerable.
Netgear routers SOAP flaw
Netgear routers leak passwords using nothing more than malicious HTTP requests
by Lucian Constantin IDG News Service February 16, 2015
Bad guys can learn the administrator password and wireless passwords along with details of the router such as the model, serial number and firmware version. The flaw can be exploited from the LAN side and, if remote administration is enabled, also from the outside/Internet/WAN. The bug is with validation (or the lack of such) of the SOAP protocol used to communicate with the router. A bad guy just has to send HTTP requests with a blank form and a "SOAPAction" header to exploit the flaw. The vulnerability is confirmed in four Netgear routers and may well exist in other models too. The worst part of this story is trying to contact Netgear:
"Peter Adkins, the researcher who found the flaw, claims that he contacted Netgear but that his attempts to explain the nature of the issue to the company's technical support department failed."
The only defense, for now, is not to use a Netgear router. This confirms my recommendation to avoid consumer routers.
Duplicate SSH keys in Spain
of thousands of home routers at risk with duplicate SSH keys
by Jeremy Kirk IDG News Service February 19, 2015
Hundreds of thousands of home routers running SSH have identical private and public keys. This comes from John Matherly of the Shodan search engine. In Spain, over 250,000 devices, deployed by Telefonica de Espana, and running the Dropbear SSH software, have the same keys. Another Shodan search found 150,000 devices, mostly in China and Taiwan, with identical keys. It is questionable whether SSH should be running on a home router in the first place. Some routers let you turn it off; if yours does, do so. Disabling remote administration will probably not help here, but the subject did not come up in any of the articles I read.
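One way an ISP or a network admin could check their own fleet for this condition is to collect each device's SSH host key and group devices by key fingerprint. The script below is an added example, not code from the article or from Shodan. It assumes input in the three-column format that ssh-keyscan prints (host, key type, base64 key blob) and computes the same SHA256 fingerprint that OpenSSH displays. The inventory lines are constructed for this example and the key blobs are invented stand-ins, not real keys; three of the five hosts deliberately share a blob.

```python
"""Group SSH servers by host-key fingerprint to spot shared (duplicate) keys.

Added example for the duplicate-SSH-key story above. Input is ssh-keyscan
style text: "<host> <keytype> <base64 blob>", one server per line.
"""
import base64
import hashlib
from collections import defaultdict


def _blob(label: str) -> str:
    # Constructed stand-in for a real key blob: just base64 of a short label.
    # A real ssh-keyscan line carries the wire-encoded public key here.
    return base64.b64encode(label.encode()).decode()


# Constructed sample inventory. Hosts .1, .2 and .4 share one key on purpose;
# the "#" line mimics the comment lines ssh-keyscan emits.
SAMPLE_KEYSCAN = "\n".join([
    f"10.0.0.1 ssh-rsa {_blob('constructed-key-A')}",
    f"10.0.0.2 ssh-rsa {_blob('constructed-key-A')}",
    f"10.0.0.3 ssh-rsa {_blob('constructed-key-B')}",
    f"10.0.0.4 ssh-rsa {_blob('constructed-key-A')}",
    f"10.0.0.5 ssh-ed25519 {_blob('constructed-key-C')}",
    "# 10.0.0.6:22 SSH-2.0-dropbear (comment line, ignored)",
])


def parse_keyscan_lines(text: str):
    """Yield (host, keytype, blob_bytes) for each well-formed keyscan line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            # validate=True rejects stray characters instead of silently
            # skipping them, so a garbled line cannot produce a bogus key.
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield host, keytype, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(text: str) -> dict:
    """Return {fingerprint: [hosts...]} for every key seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan_lines(text):
        hosts_by_fp[fingerprint_sha256(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

With real data, feed it the output of `ssh-keyscan` run against your own address ranges; any fingerprint that appears on more than one device means those devices share a private key, and a compromise of (or firmware extraction from) one of them exposes all of them to impersonation.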
Pirelli routers totally open to hacking
Is Your ISP Making Your Home
by Christian Cawley at MakeUseOf January 31, 2015
This is as bad as it gets. The administration web pages of Pirelli routers are visible from the Internet and no password is needed to make changes. The routers were supplied by a Spanish ISP which has not responded to the problem. Quoting: "... security researcher Eduardo Novella discovered that Pirelli P.DGA4001N routers have a rather worrying bug. It's around two years since Novella made the discovery, and in the meantime he has been patiently waiting for something to be done about it. Sadly, it's still there. The bug is so simple to exploit that you don't even need to be able to code in order to use it. All you need to do is enter the web-facing IP address of a router, suffix it with wifisetup.html (so something like 111.222.333.444/wifisetup.html) and you can start playing around with the router configuration."
Bug in ZynOS used by D-Link, TP-Link and ZTE
DNS hijacking vulnerability affects D-Link DSL router, possibly other devices
by Lucian Constantin January 27, 2015
Todor Donev, a member of a Bulgarian security firm called Ethical Hacker, says that a flaw in ZynOS can lead to an ever-popular DNS hijack in a router. He confirmed the flaw in a DSL router from D-Link but the vulnerability is actually in ZynOS, a router firmware developed by ZyXEL Communications that is used by multiple vendors, including D-Link, TP-Link Technologies and ZTE. Vulnerable devices can be hacked remotely if remote administration is enabled. They can also be hacked from the LAN side. There were no fixes offered when this became public. None of the articles mentioned a way to test if a router is vulnerable.
Hacked Routers used in Denial of Service Attacks
Lizard Stresser Runs on Hacked
Home Routers by Brian Krebs January 9, 2015
Quoting: "The online attack service launched late last year by the same criminals who knocked Sony and Microsoft's gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers... " New terminology (at least to me): a website offering DDoS as a service is known as a "booter" or "stresser" site.
Asus infosvr vulnerability
Asus router? Someone on your network can probably hack it
by Dan Goodin of ArsTechnica January 8, 2015
Anyone connected to your LAN can gain control of an Asus router simply by sending a single packet to the router. Ouch. The bug is in virtually all versions of the firmware. The vulnerable software is the infosvr service which listens for connections on UDP port 9999 on the LAN side. The bug lets an unauthenticated LAN side user execute commands in the router as the root user. This is not exploitable from the WAN side of the router. Infosvr runs as root and is used for device discovery using the "ASUS Wireless Router Device Discovery Utility". Many of us could live without this service. Joshua Drake, research director at Accuvant, first publicized the flaw. He suggests updating to firmware version 22.214.171.124.376.3754 or later. It's not clear if firewalling the port is a valid work-around.
Two vulnerabilities in routers from an Algerian ISP
A vulnerability and
a hidden admin account all inside SITEL DS114-W routers!
by Nasro January 4, 2015
The routers have a session management vulnerability. When someone logs in to the router multiple sessions are initialized giving an attacker access to the router, without knowing the password, with a simple brute force attack. Also, the routers are shipped with a backdoor account. This was found in a configuration file. The routers are provided by Algerian ISP "Djaweb". The vendor was notified but did not respond.