Menu
At least 700,000 routers given to customers by ISPs are vulnerable to hacking

At least 700,000 routers given to customers by ISPs are vulnerable to hacking

The devices have serious flaws that enable unauthorized remote access and DNS hijacking, a researcher found

More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them.

Most of the routers have a "directory traversal" flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models.

Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs to Internet subscribers in a dozen countries.

The directory traversal vulnerability can be used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings.

The file also contains the password hashes for the administrator and other accounts on the device; the username and password for the user's ISP connection (PPPoE); the client and server credentials for the TR-069 remote management protocol used by some ISPs; and the password for the configured wireless network, if the device has Wi-Fi capabilities.

According to Lovett, the hashing algorithm used by the routers is weak so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router's DNS settings.

By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers, known as router pharming, have become common over the past two years.

On some devices, downloading the config.xml file doesn't even require a directory traversal flaw; just knowing the correct URL to its location is enough, Lovett said.

Many of the routers have additional flaws. For example, around 60 percent have a hidden support account with an easy-to-guess hard-coded password that's shared by all of them. Some devices don't have the directory traversal flaw but have this backdoor account, Lovett said.

For about a quarter of the routers, it's also possible to remotely get a snapshot of their active memory, known as a memory dump. This is bad because the memory of such devices can contain sensitive information about the Internet traffic that passes through them, including credentials for various websites in plain text.

By analyzing several memory dumps, Lovett found signs that the routers were already being probed by attackers, mostly from IP addresses in China.

Most of the vulnerable devices he identified are ADSL modems with router functionality that were supplied by ISPs to customers in Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. A few were also found in the U.S. and other countries, but they appeared to be off-the-shelf devices, not distributed by ISPs.

Lovett found the vulnerable routers through Internet scans and by using SHODAN, a specialized search engine for Internet-connected devices. According to him, 700,000 is a conservative estimate and only covers devices that can be targeted remotely because they have their Web-based administration interfaces exposed to the Internet.

There are likely many more devices that have the same flaws, but are not configured for remote management. Those can be attacked from within local networks, from example by malware or through cross-site request forgery (CSRF), a technique for hijacking a user's browser to perform unauthorized actions.

The affected device models include ZTE H108N and H108NV2.1; D-Link 2750E, 2730U and 2730E; Sitecom WLM-3600, WLR-6100 and WLR-4100; FiberHome HG110; Planet ADN-4101; Digisol DG-BG4011N; and Observa Telecom BHS_RTA_R1A. Other vulnerable devices had been branded for specific ISPs and their real make or model number couldn't be determined.

However, Lovett found one commonality: the vast majority of affected routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics, that also does business under the T&W trademark.

Shenzhen Gongjin Electronics is an OEM (original equipment manufacturer) and ODM (original design manufacturer) for networking and telecommunications products. It manufactures devices based on its own specifications, as well on the specifications of other companies.

According to a search on WikiDevi, an online database of computer hardware, Shenzhen Gongjin Electronics is listed as manufacturer for networking devices from a large number of vendors, including D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear. It's not clear how many of the listed devices also run firmware developed by the company that might contain the vulnerabilities identified by Lovett.

It's also unclear if Shenzhen Gongjin Electronics is aware of the flaws or if it has already distributed patched versions of the firmware to its partners.

The company did not respond to a request for comment and according to Lovett, his attempts to notify the company went unanswered as well.

The researcher also notified the affected device vendors that he managed to identify, as well as the United States Computer Emergency Readiness Team (US-CERT).

He disclosed some of his findings Wednesday at a security conference in the U.K. as part of a larger presentation about vulnerable SOHO embedded devices -- routers, network attached storage appliances, IP cameras, etc. The talk was focused on research by Cisco Systems which found that over 25 million SOHO devices are exposed to attacks from the Internet because of default credentials and other well known vulnerabilities.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags intrusiononline safetysecurityShenzhen Gongjin ElectronicsAccess control and authenticationExploits / vulnerabilities

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments