Home Router Vulnerability
Threat Bulletin
January 2019
Threat Bulletin
www.allot.com See. Control. Secure.
Home Router Vulnerability
The humble home router… who would think that it could possibly be the Achilles’ heel of millions of home network installations? Here are three examples of well-known router cyberattacks that have highlighted serious network intrusion vulnerabilities in the past 12 months:
o Vulnerabilities in Xiaomi Mi Router 3
o Vulnerabilities in Linksys E Series routers
o Vulnerabilities in old D-Link DSL gateways were never fixed and are now being abused
Of course, the stars of the year were undoubtedly the VPNFilter router malware and the MikroTik cryptojacking affair, each of which reportedly affected around 500,000 routers, although the real number was probably much higher. Then there are accidents waiting to happen, like the situation of GPON home routers, of which there are around one million in service. Yes, the home router may sit there, innocently flashing away in your living room, but its susceptibility as an easy route into your private home network should not be underestimated. For a comprehensive list of router bugs and flaws from 2012 to 2018, click on this link. Be warned, however: it doesn’t make for particularly pleasant reading.
The two major issues with routers are (a) they are normally left switched on, and (b) their firmware is rarely updated. Add to this the fact that home users hardly ever change the credentials on this vital piece of networking infrastructure, with most leaving their devices on the factory-set credentials.
And it’s not just home users that should be angry about this situation; governments are also pretty annoyed. In January 2017, the US Federal Trade Commission (FTC) accused network equipment supplier D-Link of selling webcam and network router devices that were vulnerable to attack by hackers. In a lawsuit filed against the company, the FTC stated that D-Link “…failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access…”.
The issue of router vulnerability has become such a hot potato that the US FBI even issued a public service announcement when the VPNFilter attack occurred, aimed at calming the situation. It advised the owners of small office and home office routers to reboot their devices and take a number of other protective measures to secure their networks (more on this below). The trouble with this advice is that the VPNFilter malware can persist even after the router has been switched off and back on.
Virtually no consumer router manufacturer was insulated from these waves of attacks on this relatively simple attack surface. The main companies involved were Asus, Huawei, MikroTik, Linksys, NetGear Inc., TP-Link, D-Link, and QNAP. Periodically switching off any of these routers is one, probably futile, way of combatting hacker intrusion; further, more comprehensive measures are required.
Internet Protocols - the Achilles’ Heel
Basic, consumer-grade routers use a broad range of communications protocols, many of which contain access vulnerabilities that can easily be exploited by hackers. One very common protocol used by lower-end router devices is the Simple Network Management Protocol (SNMP), which reads and writes router data. Almost all networking equipment implements an SNMP agent. Its legitimate task is monitoring the health of network equipment. However, it also supplies topology information about networks and can enable management control of network devices and servers. It is inherently insecure because SNMP messages (in the widely deployed v1 and v2c versions) are not encrypted. Another commonly used protocol is Universal Plug and Play (UPnP). This protocol comes enabled by default on many new routers and was another focus of an FBI warning, where the security advice was to disable this helpful, although risky, communications format.
Router security breaches can expose home network owners to a range of risks, including:
o Intelligence gathering and subsequent potential identity theft
o Theft of personal data
o Damage to, or disruption of, computer equipment
o Network traffic blocking and disruption
o Firmware deletion, providing free access to hackers
o Botnet creation as part of larger attacks such as DDoS
One of the most common router attacks is to use the device as a Man in the Middle (MITM). This occurs when the router is used as a portal between a hacker and the target’s network. During an MITM attack, the router essentially impersonates both sides of the exchange. Another term for this type of attack is “session hijacking”. MITM attacks are particularly insidious as they are sometimes capable of altering encrypted data, making them a significant challenge to cybersecurity protection attempts. However, measures can be taken to alleviate the risks of such attacks. On the server side, strong encryption protocols between the server and client can be deployed, which will disrupt some, if not all, MITM attacks. Digital certificate verification is another measure that can be deployed to harden router protection. On the client side, the addition of browser plugins such as HTTPS Everywhere and Force TLS can force secured connections on the network.
Another frequent form of router attack is to send targets to “evil twin” websites that impersonate familiar sites such as mail servers or banking portals. The aim is to trick users into entering their credentials on these sites, which the hackers then steal and use to acquire personal data or funds from the target.
Yet another router protocol vulnerability is the Home Network Administration Protocol (HNAP). HNAP enables the transmission of sensitive information across the Internet. If that were secure, it would be fine, but HNAP is far from secure. It provides complete access to anyone who holds a router’s username and password credentials. Unfortunately, most home users have minimal technical knowledge and will not change those credentials from the factory defaults. Hackers have lists of those default credentials, and using HNAP they can access a target’s home network in seconds. For example, in 2014 a router worm called The Moon used HNAP to identify vulnerable Linksys routers through which it spread its malware.
To test whether a router supports HNAP, open http://1.2.3.4/HNAP1/ in a browser, where 1.2.3.4 is the IP address of your router. If you receive a response, your HNAP port is enabled, and your router is probably compromised and should be changed.
Finally (although, as the link above shows, there really is an apparently endless number of ways that routers have been compromised), there is the Wi-Fi Protected Setup (WPS) protocol. This little fellow enables hackers to bypass network passwords altogether. All a hacker must do is enter the eight-digit PIN that is printed on the underside of the router itself. Even if the user has conscientiously changed their passwords, hackers can bypass them by entering the PIN and then accessing the target’s network.
As mentioned above, there is sadly no end to the number of router breaches, so let’s look at some ways of protecting the home user from cyberattack. Fortunately, there are many steps that the home user can take, many of which do not require an advanced computing degree. Fixes that home users can apply range from easy to moderate to advanced.
Easy Router Fixes:
o Change the router admin credentials and network name (this normally defaults to the name of the router manufacturer).
o Enable WPA2 wireless encryption and define specific groups of authorized users.
o Set up a temporary guest Wi-Fi for temporary users of the home network and use this Wi-Fi access for any insecure home IoT devices.
Moderate Router Fixes:
o Install updated firmware patches.
o Use the 5 GHz Wi-Fi band instead of the more crowded 2.5 GHz band. 5 GHz has a shorter range, so the hacker has a distance disadvantage.
o Disable remote admin, and disable admin access over Wi-Fi. Admins should only connect to the home network through a wired Ethernet connection.
Advanced Router Fixes:
o Change the settings of the admin Web interface so that it requires HTTPS and listens on a non-standard port.
o Disable the PING, Telnet, SSH, UPnP, and HNAP remote access protocols. They should be set to “stealth” as opposed to “closed”, so that no response at all is sent to an external query.
o Change the router’s DNS from the ISP’s own server to one maintained by OpenDNS, Google Public DNS, or Cloudflare.
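A LAN-side self-check that combines the HNAP browser test above with the advanced fixes list, written as an added example for this bulletin (it is not Allot's code): run from a machine on the home network, it reports which of Telnet, SSH, the plain-HTTP admin interface, HNAP and UPnP still answer from your own router. The port-to-service mapping and the timeouts are assumptions; the probe functions are passed as parameters so the reporting logic can be exercised offline with fakes.

```python
import socket
import urllib.error
import urllib.request

# Management services the bulletin says to disable, keyed by the TCP port each
# conventionally listens on (this port-to-service mapping is an assumption made here).
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP admin interface (no TLS)"}

def tcp_open(host, port, timeout=1.0):
    """True if the router accepts a TCP connection on the given port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def hnap_enabled(host, timeout=2.0):
    """True if http://host/HNAP1/ answers at all: a 200 (XML service list) or a
    401 both prove the endpoint exists; a connection failure means it is absent."""
    try:
        with urllib.request.urlopen(f"http://{host}/HNAP1/", timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError):
        return False

def upnp_enabled(host, timeout=2.0):
    """True if the router answers a unicast SSDP M-SEARCH on UDP/1900 (UPnP is on)."""
    msearch = (f"M-SEARCH * HTTP/1.1\r\nHOST: {host}:1900\r\n"
               'MAN: "ssdp:discover"\r\nMX: 1\r\nST: upnp:rootdevice\r\n\r\n').encode()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(msearch, (host, 1900))
            sock.recvfrom(2048)
            return True
    except OSError:  # no answer before the timeout, or the port is unreachable
        return False

def audit(host, tcp=tcp_open, hnap=hnap_enabled, upnp=upnp_enabled):
    """Probe the router and return a list of findings (an empty list means nothing exposed).
    The probes are parameters so a test can substitute fakes and run offline."""
    findings = [f"{name} reachable on tcp/{port}"
                for port, name in sorted(MANAGEMENT_PORTS.items()) if tcp(host, port)]
    if hnap(host):
        findings.append("HNAP endpoint /HNAP1/ responds")
    if upnp(host):
        findings.append("UPnP (SSDP) responds on udp/1900")
    return findings
```

Call audit("192.168.1.1") with your own router's address; each finding it returns maps to one of the fixes listed above.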
But Here’s the Good News
Much of the concern around router security could be assuaged by purchasing better-quality routers. Most home users will accept the router supplied to them by their ISP, while others will likely opt for the cheapest consumer-grade home router that they can find in their local computer store. Both of these routes are probably bad news, as the routers then deployed in your home are unlikely to contain anything but minimal security protection. The first step the home user should take is to purchase a commercial-grade router. This will cost in the region of 200 USD, but it will be supplied with most of the risky protocols disabled by default. It is also recommended to deploy routers and modems separately. Home users can contact their ISPs and request that they “dumb down” their routers, effectively turning them into modem-only devices, which the user then links to a commercial-grade router purchased separately. One of the big issues with consumer-grade/ISP routers is that even if the manufacturers of these devices produce firmware updates to plug security gaps, they often won’t push these to the attention of the customer. The only way the user will know about updates is by visiting the manufacturer’s website. Commercial-grade router manufacturers will not only keep current with cyberthreats, they will also send that information to their customers, or even update their routers online.
Conclusion
While it may look like the home network user is fighting a losing battle, there are many steps they can take to increase their level of cybersecurity. The fixes listed above will mitigate many of the attack vulnerabilities faced by home network owners. However, to be realistic, most home network owners are unlikely to take these security measures. This leaves one critical pathway that can still be protected: the ISP itself. Allot’s HomeSecure product takes full responsibility for any router vulnerabilities by identifying all devices on a home network and protecting them against online attack. The system also provides full parental control of network devices used by younger family members.
Are you concerned about Home Router Vulnerability?
Allot’s HomeSecure can assist.