Many home routers supplied by ISPs can be compromised en masse, researchers say

Some ISP servers used to manage routers provisioned to customers can be hacked from the Internet, researchers from Check Point said

Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn.

By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.

At the core of the problem is an increasingly used protocol known as TR-069 or CWMP (customer-premises equipment wide area network management protocol) that is leveraged by technical support departments at many ISPs to remotely troubleshoot configuration problems on routers provided to customers.

According to statistics from 2011, there are 147 million TR-069-enabled devices online and an estimated 70 percent of them are residential gateways, Tal said. Based on scans of the Internet Protocol version 4 address space, the 7547 port, which is associated with TR-069, is the second most frequently encountered service port after port 80 (HTTP), he said.

TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.

Many customers likely don't know that their ISPs have this level of control over their routers, especially since custom firmware running on them often hides the TR-069 settings page in the router administration interface, Tal said. Even if the owner knows about this remote management service, most of the time there is no option to disable it, he said.

If an attacker compromises an ACS he could obtain information from the managed routers like wireless network names, hardware MAC addresses, voice-over-IP credentials, administration usernames and passwords. He could also configure the router to use a rogue DNS server, to pass the entire traffic Internet through a rogue tunnel, set up a hidden wireless network or remove the security password from the existing network. Even worse, he could upgrade the firmware on the devices with a rogue version that contains malware or a backdoor.

The TR-069 specification recommends the use of HTTPS (HTTP with SSL encryption) for connections between managed devices and the ACS, but tests performed by Tal and his colleagues revealed that around 80 percent of real-world deployments don't use encrypted connections. Even when HTTPS is used, in some cases there are certificate validation issues, with the customer equipment accepting self-signed certificates presented by an ACS. This allows a man-in-the-middle attacker to impersonate the ACS server.

The protocol also requires authentication from the device to the ACS, but the username and password is typically shared across devices and can easily be extracted from a compromised device; for example by changing the URL of the ACS in the TR-069 client settings to one controlled by the attacker, Tal said.

The researcher and his colleagues tested several ACS software implementations used by ISPs and found critical remote code execution vulnerabilities in them that would allow attackers to take over management servers that are accessible over the Internet.

One ACS software package called GenieACS had two remote code execution vulnerabilities. The researchers found an ISP in a Middle Eastern country that was using the software to manage several thousand devices.

Another ACS software package whose name was not disclosed because it is used by major ISPs around the world had multiple vulnerabilities that could allow attackers to compromise servers running it. Tal said they tested a deployment of this ACS software at one ISP with the company's permission and found that they could take over more than 500,000 devices.

Unfortunately, there's no easy fix for end-users since in most cases they cannot disable TR-069 on their devices without getting root access in some other way, Tal said. Customers could install a second router behind the one supplied by the ISP, but that wouldn't mitigate all of the risks, he said.

TR-069 was designed to function over the wide area network connection, but ISPs should restrict access to their auto-configuration servers by running them on separate, restricted, network segments or through other means, Tal said. Also, ACS software vendors should adopt secure coding practices and subject their products to vulnerability assessments, he said.

So far Tal and his colleagues at Check Point have investigated vulnerabilities on the server side, but they also plan to investigate possible attack vectors against the TR-069 client implementations on devices.

The number of large-scale attacks against home routers has increased significantly over the past twelve months, with attackers using different ways to monetize access to such devices, from intercepting online banking traffic to installing cryptocurrency mining malware and hijacking DNS settings for click fraud.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Check Point Software Technologiesnetworking hardwareintrusiononline safetyNetworkingsecurityroutersExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?