At least 700,000 routers given to customers by ISPs are vulnerable to hacking

The devices have serious flaws that enable unauthorized remote access and DNS hijacking, a researcher found

More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them.

Most of the routers have a "directory traversal" flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models.

Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs to Internet subscribers in a dozen countries.

The directory traversal vulnerability can be used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings.

The file also contains the password hashes for the administrator and other accounts on the device; the username and password for the user's ISP connection (PPPoE); the client and server credentials for the TR-069 remote management protocol used by some ISPs; and the password for the configured wireless network, if the device has Wi-Fi capabilities.

According to Lovett, the hashing algorithm used by the routers is weak so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router's DNS settings.

By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers, known as router pharming, have become common over the past two years.

On some devices, downloading the config.xml file doesn't even require a directory traversal flaw; just knowing the correct URL to its location is enough, Lovett said.

Many of the routers have additional flaws. For example, around 60 percent have a hidden support account with an easy-to-guess hard-coded password that's shared by all of them. Some devices don't have the directory traversal flaw but have this backdoor account, Lovett said.

For about a quarter of the routers, it's also possible to remotely get a snapshot of their active memory, known as a memory dump. This is bad because the memory of such devices can contain sensitive information about the Internet traffic that passes through them, including credentials for various websites in plain text.

By analyzing several memory dumps, Lovett found signs that the routers were already being probed by attackers, mostly from IP addresses in China.

Most of the vulnerable devices he identified are ADSL modems with router functionality that were supplied by ISPs to customers in Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. A few were also found in the U.S. and other countries, but they appeared to be off-the-shelf devices, not distributed by ISPs.

Lovett found the vulnerable routers through Internet scans and by using SHODAN, a specialized search engine for Internet-connected devices. According to him, 700,000 is a conservative estimate and only covers devices that can be targeted remotely because they have their Web-based administration interfaces exposed to the Internet.

There are likely many more devices that have the same flaws, but are not configured for remote management. Those can be attacked from within local networks, from example by malware or through cross-site request forgery (CSRF), a technique for hijacking a user's browser to perform unauthorized actions.

The affected device models include ZTE H108N and H108NV2.1; D-Link 2750E, 2730U and 2730E; Sitecom WLM-3600, WLR-6100 and WLR-4100; FiberHome HG110; Planet ADN-4101; Digisol DG-BG4011N; and Observa Telecom BHS_RTA_R1A. Other vulnerable devices had been branded for specific ISPs and their real make or model number couldn't be determined.

However, Lovett found one commonality: the vast majority of affected routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics, that also does business under the T&W trademark.

Shenzhen Gongjin Electronics is an OEM (original equipment manufacturer) and ODM (original design manufacturer) for networking and telecommunications products. It manufactures devices based on its own specifications, as well on the specifications of other companies.

According to a search on WikiDevi, an online database of computer hardware, Shenzhen Gongjin Electronics is listed as manufacturer for networking devices from a large number of vendors, including D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear. It's not clear how many of the listed devices also run firmware developed by the company that might contain the vulnerabilities identified by Lovett.

It's also unclear if Shenzhen Gongjin Electronics is aware of the flaws or if it has already distributed patched versions of the firmware to its partners.

The company did not respond to a request for comment and according to Lovett, his attempts to notify the company went unanswered as well.

The researcher also notified the affected device vendors that he managed to identify, as well as the United States Computer Emergency Readiness Team (US-CERT).

He disclosed some of his findings Wednesday at a security conference in the U.K. as part of a larger presentation about vulnerable SOHO embedded devices -- routers, network attached storage appliances, IP cameras, etc. The talk was focused on research by Cisco Systems which found that over 25 million SOHO devices are exposed to attacks from the Internet because of default credentials and other well known vulnerabilities.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags intrusiononline safetysecurityShenzhen Gongjin ElectronicsAccess control and authenticationExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?