New SOHO router security audit uncovers over 60 flaws in 22 models

02.06.2015
In yet another testament of the awful state of home router security, a group of security researchers uncovered more than 60 vulnerabilities in 22 router models from different vendors, most of which were distributed by ISPs to customers.

The researchers performed the manual security review in preparation for their master's thesis in IT security at Universidad Europea de Madrid in Spain. They published details about the vulnerabilities they found Sunday on the Full Disclosure security mailing list.

The flaws, most of which affect more than one router model, could allow attackers to bypass authentication on the devices; inject rogue code into their Web-based management interfaces; trick users into executing rogue actions on their routers when visiting compromised websites; read and write information on USB storage devices attached to the affected routers; reboot the devices, and more.

The vulnerable models listed by the researchers were: Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; Sagem LiveBox Pro 2 SP and Fast 1201; Huawei HG553 and HG556a; Amper Xavi 7968, 7968+ and ASL-26555; D-Link DSL-2750B and DIR-600; Belkin F5D7632-4; Linksys WRT54GL; Astoria ARV7510; Netgear CG3100D and Zyxel P 660HW-B1A.

Some of the vulnerable Observa Telecom, Comtrend, ZyXEL and Amper models were distributed to customers by the Spanish ISP Telefonica. Vodafone also distributed one of the vulnerable Observa Telecom models, as well as the Huawei and Astoria ones.

The Sagem models were distributed by Orange, the Spanish ISP Jazztel distributed one of the Comtrend models and Ono, a Vodafone subsidiary in Spain, distributed the Netgear model.

Even though the group's research focused on routers that were given by ISPs to customers in Spain, some of the same models were likely distributed by ISPs in other countries as well.

Past research has shown that the security of ISP-provided routers is often worse than that of off-the-shelf ones. Many such devices are configured for remote administration to allow ISPs to remotely update their settings or troubleshoot connection problems. This exposes the routers' management interfaces along with any vulnerabilities in them to the Internet, increasing the risk of exploitation.

Even though ISPs have the ability to remotely update the firmware on the routers they distribute to customers, they often don't and in some cases the users can't do it either because they only have restricted access on the devices.

On the Observa Telecom RTA01N router, the Spanish research group found a hidden administrative account called admin with a hard-coded password that can be accessed via the Web-based management interface or via Telnet. Similar undocumented "backdoor" accounts have been found in other ISP-supplied routers in the past and were likely intended for remote support.

Twelve of the tested routers were vulnerable to cross-site request forgery (CSRF) attacks and in some cases it was possible to change their Domain Name System (DNS) configuration using the technique.

CSRF attacks use specifically crafted code inserted into malicious or compromised websites to force visitors' browsers to execute unauthorized actions on a different website. If the visitors are already authenticated on the targeted website, the action will be executed with their privileges.

The target website can also be a router's Web-based management interface that's only accessible over the local area network, in which case the user's browser allows the attacker to bridge the Internet and the LAN.

Security researchers recently uncovered a large-scale CSRF attack that targets over 40 router models and is designed to replace their primary DNS servers with a server controlled by hackers. Once that's done, the attackers can spoof any websites that users behind those routers try to access and can snoop on their Internet traffic.

Another serious flaw discovered by the Spanish researchers allows unauthenticated, external attackers to view, modify or delete files on USB storage devices connected to the Observa Telecom VH4032N, Huawei HG553, Huawei HG556a and Astoria ARV7510 routers. A similar vulnerability was identified in the past on popular Asus routers.

While some people could have claimed in the past that routers are not a target for attackers, that's no longer the case. There have been numerous large-scale attacks over the past several years that specifically targeted routers and other embedded devices: It's time for users to view their routers as more than magical boxes that give them Internet access.

Lucian Constantin