
Extraneous Network Services Leave Home Routers Unsecure

Posted by Soulskill
from the doing-it-wrong dept.
An anonymous reader writes "Today's home routers include a multitude of extra functionality, such as the ability to act as a file and print server. An article from CNET shows how an attacker can use vulnerabilities in these services, such as buffer overflows, directory traversal, race conditions, command injections, and bad permissions to take over the router from the local network without knowing the administrative password. Some of the worst vulnerabilities were in undocumented, proprietary services that users cannot disable and allowed an attacker to achieve a root shell. The researchers who discovered the vulnerabilities will be demonstrating them at the Wall of Sheep and Wireless Village at DEF CON."

  • The researchers who discovered the vulnerabilities will be demonstrating them at the Wall of Sheep and Wireless Village at DEF CON."

    Didn't DEFCON end yesterday?

  • slownewsday (Score:5, Interesting)

    by djupedal (584558) on Saturday August 03, 2013 @06:15PM (#44467291)
    Is anyone as tired as I am over these security risks, especially from CNET? I remember when it was announced that someone could spy thru your window, video tape the lights on your modem and decode your communication. Another day, another risk that only happens in either a lab, workshop or a marketer's imagination. 99% are just to attract eyeballs for ad revenue...especially from CNET.
    • Re:slownewsday (Score:5, Insightful)

      by bill_mcgonigle (4333) * on Saturday August 03, 2013 @06:20PM (#44467321) Homepage Journal

      I suppose there must've been some new attacks demonstrated. If it was against OpenWRT and its siblings, then probably I'd like to hear about it. All the other proprietary firmwares are assumed to be vulnerable by everybody who cares. Heck, there are still millions of devices running UPnP on the WAN port out there and "nobody" cares.

    • Is anyone as tired as I am over these security risks, especially from CNET? I remember when it was announced that someone could spy thru your window, video tape the lights on your modem and decode your communication.

      Videotape?!? That would not even work for 100 baud modems. An NTSC videotape will give you 60 fields per second; a PAL videotape will give you 50 fps.

      • Also it would require that the lights actually represent the data going through the pipes. I think that's quite rarely the case.
  • Simpler than that... (Score:5, Interesting)

    by Anonymous Coward on Saturday August 03, 2013 @06:25PM (#44467335)

    LOADS of routers are pwned far more easily than that, from simple SQL injection (either via query string or crafting get/post requests), or there's sometimes bootloaders that give *full* access to the filesystem via TFTP (you can download all init scripts for example), you can sometimes find undocumented manufacturer backdoor passwords which are hard coded, and there's lots of misconfigured routers and you can often rely on trivial stuff like default passwords and what not. Even in 2013 there's lots of routers and similar equipment that are sold or configured in a state that isn't far from swiss cheese...

    It's rather easy to poke at the firmware and find holes using binwalk and IDA Pro if you have basic RE knowledge.

    • How many home-routers use SQL for their configuration?

    • by formfeed (703859)

      ...often rely on trivial stuff like default passwords and what not. Even in 2013 there's lots of routers and similar equipment that are sold or configured in a state that isn't far from swiss cheese.....

      Yeah, but what are the chances that someone named their kid "admin" and that kid would then go and accidentally try to login on your router using its name also as password ?!

  • by DeathGrippe (2906227) on Saturday August 03, 2013 @06:30PM (#44467357)

    Attacker has to have access from the LAN side, and must install USB memory first.

    • The LAN side access isn't difficult with WIFI, and the ATTACKER doesn't need to plug-in his own USB, having any USB plugged in will activate the unauthenticated SMB.

      The take-home message, then, is don't plug USB storage into your router, and do use WPA2, not earlier WiFi security protocols.
      • by Bert64 (520050)

        And some people plug their phones into the router because it's a convenient always-on USB port for charging...

  • by Anonymous Coward

    The joke's on them because I use my neighbor's unsecured WiFi. I even use his pool when they're not home. I'm a great neighbor.

  • To be clear (Score:5, Interesting)

    by Anonymous Coward on Saturday August 03, 2013 @06:37PM (#44467381)

    I looked at some of the source code, and the bash commands they execute, and it looks like you have to be on the local (class C) lan in order to attack at least the Linksys beast (the 192.168.blah.blah sure looks like you can't get there from the WAN side), and if you have the services turned off, then you might be less vulnerable, and if you use hard, non-trivial, non-default passwords, that makes it harder too. I suppose it also helps if you have a router acting as a DNS server, after your WAN facing gateway, and the local DNS box not acting as the main switch (so to sum up, Gateway-DNS-Switch), with everything after the gateway as a Class C lan.

    • I looked at some of the source code, and the bash commands they execute, and it looks like you have to be on the local (class C) lan in order to attack at least the Linksys beast (the 192.168.blah.blah sure looks like you can't get there from the WAN side), ...

      The JavaScript running in your browser has access from the LAN side. I have personally compromised my own home router by running JavaScript on my public website as a proof of concept.

  • and that's why (Score:5, Insightful)

    by bobstreo (1320787) on Saturday August 03, 2013 @06:54PM (#44467431)

    routers should route and probably run access control lists and other firewall stuff like expose some ports in your dmz.

    servers should serve.

    Servers route poorly, routers serve poorly.

  • by Anonymous Coward

    I just recently installed a wlan router at a friends place. The goal was to make it rock solid and secure.

    Here is what I did:
    - Changed default username and set very strong password
    - Changed web admin interface to non default high port, allow only https
    - Only allow access to the admin interface from a specific ip/mac address
    - Disable telnet and ssh access
    - Disable print server and usb samba share
    - Disable upnp and all vpn/ipsec passthrough
    - Enable stateful firewall, connections must originate from inside lan

    • by ls671 (1122017)

      Problem is that some cheap routers keep the functionality alive even when you disable it!

      Some are notorious for being hackable with WPS even when the functionality is disabled:

      https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c [google.com]

    • by Zebai (979227)

      I don't really think there's a need to disable all that either. Personally, for my home connection the only real security I need is to block all remote connections and prevent any administrative access from wifi. If I could set my router to not even require a password for LAN connections I would; I need no such security to my computer hardwired to my network inside my locked home.

      I'm sure if I ran it on some larger network, security is important, but the article does say HOME routers.
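
The replies above note that some routers keep a service running after it is switched off in the admin UI, so the checklist is only done once it has been verified from the LAN. The following is an added example, not part of the original comments: it probes the router for the services the checklist disabled. The port numbers are the usual defaults and the `192.168.1.1` address is an assumption; UPnP discovery (UDP 1900) is outside what a TCP connect check can see.

```python
import socket
import sys

# Services the checklist turned off, keyed by their usual TCP port
# (assumed defaults; adjust to the device being checked).
SHOULD_BE_CLOSED = {
    22: "ssh",
    23: "telnet",
    80: "plain-http admin (checklist allows https only)",
    139: "netbios session (usb samba share)",
    445: "smb (usb samba share)",
    515: "lpd print server",
    631: "ipp print server",
    9100: "raw print server",
}


def tcp_open(host, port, timeout=1.0):
    """Return True if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable
        return False


def audit(host, should_be_closed=SHOULD_BE_CLOSED, probe=tcp_open):
    """Return [(port, service)] for every 'disabled' service still answering."""
    return [(port, name)
            for port, name in sorted(should_be_closed.items())
            if probe(host, port)]


def report(host, findings):
    """Format the audit result as text for a change log or ticket."""
    if not findings:
        return f"{host}: no disabled service is answering"
    lines = [f"{host}: {len(findings)} service(s) still listening after disable:"]
    lines += [f"  tcp/{port:<5} {name}" for port, name in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    # 192.168.1.1 is an assumed LAN address; pass the real one as argv[1].
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(report(router, audit(router)))
```

Run it once from a wired client and once from a wireless one, and again after every firmware update, since an update can re-enable a service.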

  • As long as it's only "vulnerable" to "attacks" from the local network, who really cares about vulnerabilities? It's a home router; I'm surprised home routers even have the ability to enforce things like directory permissions at all. I hardly need to "protect" my files from my wife; if she wants to read my stuff, she has much easier ways than launching a buffer overflow attack on my router.

    If you want real security, buy something designed to care.

    • by Bert64 (520050)

      XSRF attacks - i.e. redirecting your browser to issue requests to your internal router...
      Insecure wifi.
      Guests.
      Already infected mobile devices.
      Small hotels/cafes which provide wifi access using a small router like those described.

      Plenty of scope for malicious devices to get into your home network and be used to attack the router.

  • One of the recommendations is that manufacturers use signed updates... This won't help with issues like those disclosed, and may even make it worse...

    The primary reason for including signed updates is to prevent third party firmware from being used, it does nothing to stop the official firmware from having security holes, and it's very unlikely that a hacker is going to completely reflash the device to run a custom firmware rather than backdooring the existing firmware. On the other hand, manufacturers gene

  • Look if you don't have to have WIFI at home then don't.

    You can buy a USB to rj45 adapter for any device. Buy an 8 or 12 port switch, locate it centrally, run short cords from there to multiple jacks in rooms and from there have short cords available for plugin. Done. Use different color cords for devices in close proximity just to make it easy to troubleshoot.

    It's clean, it's convenient, you can scale it up as you need and you don't have to worry about all the bad programming bugs that WIFI routers are sp

    • by Chrontius (654879)
      And my Chromecast has a USB port? Actually, it does. But it's a power sink, not a power source, so you'd need some kind of weird PoE injector/receiver/USB-to-Ethernet device, and pray that the Chromecast can talk to an ethernet adapter over that USB port. I don't even know if USB OTG lets a device be a power source and a data sink.

      What about my iPad? Am I to buy $60 in hardware and hope the camera kit will talk to an Apple ethernet-to-USB adapter (if you can still find that discontinued adapter)? Wh
  • Pfsense [pfsense.org] and a computer with two network cards is all you need. Pick up a used cisco access point and add a 3rd nic for wireless.

    Rock solid, Guaranteed no back doors. Installs in less than 15 minutes from cd. Dependability based BSD and the parts you put in it. Get a cheap core2duo era xeon 1u server for 100 bucks, and make it look even slicker
