
WiFi ROUTER HACKING


Thirteen popular routers including the Netgear Centria WNDR4700 pictured here were tested and found vulnerable to hacks in a new study by research firm Independent Security Evaluators.
(Credit: Dong Ngo/CNET)
The Wi-Fi router you use to broadcast a private wireless Internet signal in your home or office is not only easy to hack, says a report released today, but the best way to protect yourself is out of your hands.
The report, written by research firm Independent Security Evaluators of Baltimore, found that 13 of the most popular off-the-shelf wireless routers could be exploited by a "moderately skilled adversary with LAN or WLAN access." It also concludes that your best bet for safer Wi-Fi depends on router vendors upping their game. All 13 routers evaluated can be taken over from the local network, with four of those requiring no active management session. Eleven of the 13 can be taken over from a Wide-Area Network (WAN) such as a wireless network, with two of those requiring no active management session.
My router's not safe? Really?
"It is not a safe assumption to make that you're safe," Steve Bono, the company's CEO and principal security analyst, told CNET in a phone interview.
The report notes that all 14 of the devices had critical security vulnerabilities that could be exploited by a "remote adversary" and could lead to unauthorized remote control of the router.
Before you dismiss router hacks as exceptionally rare, it's important to note that they've been a small but growing segment of computer security threats. In 2011, one firmware vulnerability affecting six hardware manufacturers combined with two malicious scripts and 40 malicious DNS servers to attack 4.5 million Brazilian DSL modems, with the goal of stealing bank and credit card information.
Craig Heffner, a vulnerability analyst at Maryland-based Tactical Network Solutions, said that he isn't familiar with the Brazil story but isn't surprised by it. "In a lot of countries, there's only one or two ISPs, and you get whatever router they give you," he said. "They often enable remote administration by default, so any vulnerability would be amplified."
And just yesterday, ReadWrite reported on wireless router hacking, based in part on research conducted by security firm Rapid7. ISE's study, while similar, reports "all-new findings," said ISE's marketing head, Ted Harrington.
Harrington further explained why router hacking could turn into a big problem. "What's notable about this is that if you compromise the router, then you're inside the firewall. You can pick credit card numbers out of e-mails, confidential documents, passwords, photos, just about anything," he said.
He added that ISE plans to release additional information from the study in the coming weeks, following the routine security community best practice of giving vendors a chance to respond to vulnerabilities that have been uncovered before publishing them.
"We notified all vendors about all vulnerabilities that we found," said ISE security analyst Jake Holcomb. "We're in the process of receiving Common Vulnerability and Exposure (CVE) numbers" for tracking information security vulnerabilities.
Some vendors, Holcomb said, got back to ISE quickly and had beta firmware with fixes ready to test within 72 hours. "Other vendors escalated their Tier 1 support up the chain but we never heard back from them," he said.
Belkin's latest Advance N900 DB Wireless Dual-Band N+ Router.
(Credit: Belkin)
Darren Kitchen, founder of the Hak5 security and tinkering show and a maker of Wi-Fi penetration-testing devices, said he isn't surprised by the results of the study. Routers are "low-powered devices, most made in China and Taiwan, and they're rushed out the door. There's not a consumer demand for security; it's not a feature that will sell it."
Wireless under attack
ISE found the routers were vulnerable to three kinds of attacks:

  • Trivial attacks can be launched directly against the router with no human interaction or access to credentials.
  • Unauthenticated attacks require some form of human interaction, such as following a malicious link or browsing to an unsafe page, but do not require an active session or access to credentials.
  • Authenticated attacks require that the attacker have access to credentials (or that default router credentials are used -- an all-too-common situation) or that a victim is logged in with an active session at the time of the attack.

    The attacks were performed under both local adversary and remote adversary situations. A remote adversary is a threat that is not connected to the router via Wi-Fi, while the local adversary is. The most common form of successful attack ISE used was the "one-click attack" known as a cross-site request forgery.
    Holcomb explained the testing methodology went beyond one-click attacks in an e-mail to CNET:
     Cross-site request forgery was the first component of all of our attacks. After that, our standard attack was to reset the administrative password to a known value, or add a new administrator, and then enable remote management. Only when this was not possible (e.g., some routers require the old password as part of the request to change it) did we try other attacks. Those included: shell command injection, directory traversal to share the root of the filesystem over an Internet-accessible ftp server, exploiting a race condition to upload shell scripts over ftp and then have them execute, enabling additional vulnerable services, and some more. There are more vulnerabilities in the routers, and we're disclosing those, too, but they're not necessarily part of this report we're publishing.
    While none of the trivial attacks -- the weakest ones -- worked from a remote adversary, they were successful about one-third of the time from a local attacker. Unauthenticated attacks were rarely successful from a remote attacker, but locally reached the same level of completion as local trivial attacks. Authenticated attacks were almost always successful from both adversaries. "When you're remote, there's very little attack surface," explained Tactical Network Solutions' Heffner.
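
The safeguard Holcomb's e-mail mentions (a password-change request that must carry the old password), combined with standard anti-CSRF checks, is sketched here as an added example; it is not code from ISE's report or from any router's firmware. `AdminSession`, `check_password_change`, the `192.168.1.1` origin and the form field names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed address of the admin UI

class AdminSession:
    """Hypothetical state the router's web server keeps per admin login."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self.hash_password(password)
        # Random token embedded only in forms the router itself serves.
        self.csrf_token = secrets.token_urlsafe(32)

    def hash_password(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

def check_password_change(session, headers, form):
    """Return (allowed, reason) for a POST that changes the admin password."""
    # 1. The browser-supplied Origin (or Referer) must be the router's own UI.
    parts = urlsplit(headers.get("Origin") or headers.get("Referer") or "")
    if f"{parts.scheme}://{parts.netloc}" != ROUTER_ORIGIN:
        return False, "cross-origin request"
    # 2. A page on another site cannot read this session's token.
    token = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(token, session.csrf_token.encode()):
        return False, "bad CSRF token"
    # 3. The old password is required, so a live session alone is not enough.
    supplied = session.hash_password(form.get("old_password", ""))
    if not hmac.compare_digest(supplied, session.pw_hash):
        return False, "old password incorrect"
    return True, "ok"

def demo():
    """Run four constructed requests through the check."""
    s = AdminSession("constructed-old-pw")
    good = {"csrf_token": s.csrf_token, "old_password": "constructed-old-pw"}
    return [
        check_password_change(s, {"Origin": "http://other.example"}, {}),
        check_password_change(s, {"Origin": ROUTER_ORIGIN}, {}),
        check_password_change(s, {"Origin": ROUTER_ORIGIN}, {**good, "old_password": "guess"}),
        check_password_change(s, {"Referer": ROUTER_ORIGIN + "/password.html"}, good),
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```
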
    Routers tested included units such as the Linksys WRT310Nv2, Netgear WNDR4700, Belkin N300 and N900, TP-Link WR1043N, and Verizon Actiontec, but Heffner cautioned that this was no guarantee that your router wouldn't be affected. "In my experience... you should worry about your router. If my device is in this list, you should be concerned. If not, you still may want to be concerned, although it's more difficult to say."
    Most routers' Web-interfaces come with similar items and are self-explanatory.
    (Credit: Dong Ngo/CNET)
    The report noted several caveats. Client-side attacks were considered fair game, as long as they were running in a browser and based in HTML and JavaScript. The routers were not extensively tested for other vulnerabilities, and none of them had the remote administration features activated by default.
    This means that although many modern routers come with the ability to control them when not directly connected to the network, that feature is not active by default. Activating it decreases the router's security level. Also, before testing, the firmware for all the routers tested was upgraded to the most recent version.
    What you can do
    There's not much outside of common-sense behavior that you can do to make your router more secure.
    Dong Ngo, a CNET Reviews senior associate technology editor and a wireless networking expert, was skeptical that many people would be affected by router hacks -- provided they follow some basic steps for securing their router. Part 5 of his home networking guide has some advanced security tips from Step 4 onward.
    "Since there are certain requirements to be met for these hacking methods to be successful, if you set up your router properly, and practice prudence while being online, chances are you're safe," Ngo said.
    ISE analyst Jake Thompson also has some easy-to-implement tips, including some obvious ones like making sure that you change the router's default username and password credentials. However, he cautioned, not all router firmware lets you change the username. "We also recommend that people use WPA2" security protocol, over WEP, he said.
    ISE chief Bono advised that people change the router's IP address to be non-standard when possible, while Holcomb added that good precautions to take include updating your firmware after buying your router, and clearing your browser cache and cookies after changing any router settings.
    You can create up to 4 main Wi-Fi networks on each of the router's two frequency bands.
    (Credit: Dong Ngo/CNET)
    Meanwhile, Kitchen of Hak5 recommends that people make their own routers entirely. "The best that a person can do is to roll their own using the Marin, Ca.-based Untangle, which takes any spare PC and turns it into a wireless router." He also recommends Monowall and Smoothwall. Heffner at Tactical Network Solutions agreed. "The best thing you can do is install a third-party firmware, such as OpenWRT or Tomato," he said.
    But the most important fixes must come from router vendors, according to ISE, because they can ensure that security fixes get installed more easily than end-users, who rarely consider the security implications of their router. Changes to vendor behavior that Bono said he'd like to see include not only making firmware updates available, but setting firmware to automatically update like any other modern operating system.
    Failing that, the report advocates notifying registered users on how to upgrade the firmware themselves, and for vendors to perform regular device security audits. Firmware updates, according to ISE, currently lack digital signatures that the router can verify.
    Bono was bearish on router vendor responses. "We have to start looking at these routers as a critical security component. Some of the vendors told us that their routers are older and no longer supported," he said.
    The problem with routers is that they're actually fairly good at what they do, and can take years to fail and be replaced. "They're just going to sit on the network for five years," he complained. And Heffner was less polite. "[Vendors] need to hire people who know how to code and have higher quality products that ship. That's not very high on their priority list, but maybe that'll change in the future."
    Harrington said that this ought to be a wake-up call for the average person with a home wireless network. "Our study says that here's a pervasive problem with this technology," he said. "We're trying to raise awareness to that issue."
