Many home routers supplied by ISPs can be compromised en masse, researchers say

Some ISP servers used to manage routers provisioned to customers can be hacked from the Internet, researchers from Check Point said

Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn.

By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.

At the core of the problem is an increasingly used protocol known as TR-069 or CWMP (customer-premises equipment wide area network management protocol) that is leveraged by technical support departments at many ISPs to remotely troubleshoot configuration problems on routers provided to customers.

According to statistics from 2011, there are 147 million TR-069-enabled devices online and an estimated 70 percent of them are residential gateways, Tal said. Based on scans of the Internet Protocol version 4 address space, the 7547 port, which is associated with TR-069, is the second most frequently encountered service port after port 80 (HTTP), he said.

TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.

Many customers likely don't know that their ISPs have this level of control over their routers, especially since custom firmware running on them often hides the TR-069 settings page in the router administration interface, Tal said. Even if the owner knows about this remote management service, most of the time there is no option to disable it, he said.

If an attacker compromises an ACS he could obtain information from the managed routers like wireless network names, hardware MAC addresses, voice-over-IP credentials, administration usernames and passwords. He could also configure the router to use a rogue DNS server, to pass the entire traffic Internet through a rogue tunnel, set up a hidden wireless network or remove the security password from the existing network. Even worse, he could upgrade the firmware on the devices with a rogue version that contains malware or a backdoor.

The TR-069 specification recommends the use of HTTPS (HTTP with SSL encryption) for connections between managed devices and the ACS, but tests performed by Tal and his colleagues revealed that around 80 percent of real-world deployments don't use encrypted connections. Even when HTTPS is used, in some cases there are certificate validation issues, with the customer equipment accepting self-signed certificates presented by an ACS. This allows a man-in-the-middle attacker to impersonate the ACS server.

The protocol also requires authentication from the device to the ACS, but the username and password is typically shared across devices and can easily be extracted from a compromised device; for example by changing the URL of the ACS in the TR-069 client settings to one controlled by the attacker, Tal said.

The researcher and his colleagues tested several ACS software implementations used by ISPs and found critical remote code execution vulnerabilities in them that would allow attackers to take over management servers that are accessible over the Internet.

One ACS software package called GenieACS had two remote code execution vulnerabilities. The researchers found an ISP in a Middle Eastern country that was using the software to manage several thousand devices.

Another ACS software package whose name was not disclosed because it is used by major ISPs around the world had multiple vulnerabilities that could allow attackers to compromise servers running it. Tal said they tested a deployment of this ACS software at one ISP with the company's permission and found that they could take over more than 500,000 devices.

Unfortunately, there's no easy fix for end-users since in most cases they cannot disable TR-069 on their devices without getting root access in some other way, Tal said. Customers could install a second router behind the one supplied by the ISP, but that wouldn't mitigate all of the risks, he said.

TR-069 was designed to function over the wide area network connection, but ISPs should restrict access to their auto-configuration servers by running them on separate, restricted, network segments or through other means, Tal said. Also, ACS software vendors should adopt secure coding practices and subject their products to vulnerability assessments, he said.

So far Tal and his colleagues at Check Point have investigated vulnerabilities on the server side, but they also plan to investigate possible attack vectors against the TR-069 client implementations on devices.

The number of large-scale attacks against home routers has increased significantly over the past twelve months, with attackers using different ways to monetize access to such devices, from intercepting online banking traffic to installing cryptocurrency mining malware and hijacking DNS settings for click fraud.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Networkingroutersonline safetyintrusionnetworking hardwareExploits / vulnerabilitiesCheck Point Software Technologies

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?