Many home routers supplied by ISPs can be compromised en masse, researchers say

Some ISP servers used to manage routers provisioned to customers can be hacked from the Internet, researchers from Check Point said

Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn.

By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.

At the core of the problem is an increasingly used protocol known as TR-069 or CWMP (customer-premises equipment wide area network management protocol) that is leveraged by technical support departments at many ISPs to remotely troubleshoot configuration problems on routers provided to customers.

According to statistics from 2011, there are 147 million TR-069-enabled devices online and an estimated 70 percent of them are residential gateways, Tal said. Based on scans of the Internet Protocol version 4 address space, the 7547 port, which is associated with TR-069, is the second most frequently encountered service port after port 80 (HTTP), he said.

TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.

Many customers likely don't know that their ISPs have this level of control over their routers, especially since custom firmware running on them often hides the TR-069 settings page in the router administration interface, Tal said. Even if the owner knows about this remote management service, most of the time there is no option to disable it, he said.

If an attacker compromises an ACS he could obtain information from the managed routers like wireless network names, hardware MAC addresses, voice-over-IP credentials, administration usernames and passwords. He could also configure the router to use a rogue DNS server, to pass the entire traffic Internet through a rogue tunnel, set up a hidden wireless network or remove the security password from the existing network. Even worse, he could upgrade the firmware on the devices with a rogue version that contains malware or a backdoor.

The TR-069 specification recommends the use of HTTPS (HTTP with SSL encryption) for connections between managed devices and the ACS, but tests performed by Tal and his colleagues revealed that around 80 percent of real-world deployments don't use encrypted connections. Even when HTTPS is used, in some cases there are certificate validation issues, with the customer equipment accepting self-signed certificates presented by an ACS. This allows a man-in-the-middle attacker to impersonate the ACS server.

The protocol also requires authentication from the device to the ACS, but the username and password is typically shared across devices and can easily be extracted from a compromised device; for example by changing the URL of the ACS in the TR-069 client settings to one controlled by the attacker, Tal said.

The researcher and his colleagues tested several ACS software implementations used by ISPs and found critical remote code execution vulnerabilities in them that would allow attackers to take over management servers that are accessible over the Internet.

One ACS software package called GenieACS had two remote code execution vulnerabilities. The researchers found an ISP in a Middle Eastern country that was using the software to manage several thousand devices.

Another ACS software package whose name was not disclosed because it is used by major ISPs around the world had multiple vulnerabilities that could allow attackers to compromise servers running it. Tal said they tested a deployment of this ACS software at one ISP with the company's permission and found that they could take over more than 500,000 devices.

Unfortunately, there's no easy fix for end-users since in most cases they cannot disable TR-069 on their devices without getting root access in some other way, Tal said. Customers could install a second router behind the one supplied by the ISP, but that wouldn't mitigate all of the risks, he said.

TR-069 was designed to function over the wide area network connection, but ISPs should restrict access to their auto-configuration servers by running them on separate, restricted, network segments or through other means, Tal said. Also, ACS software vendors should adopt secure coding practices and subject their products to vulnerability assessments, he said.

So far Tal and his colleagues at Check Point have investigated vulnerabilities on the server side, but they also plan to investigate possible attack vectors against the TR-069 client implementations on devices.

The number of large-scale attacks against home routers has increased significantly over the past twelve months, with attackers using different ways to monetize access to such devices, from intercepting online banking traffic to installing cryptocurrency mining malware and hijacking DNS settings for click fraud.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Check Point Software Technologiesnetworking hardwareintrusiononline safetyNetworkingsecurityroutersExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?