Security issues of routers

SOHO routers are widespread network devices commonly used in small offices and households. A typical SOHO network consists of a SOHO router and up to 10 hosts. Hosts can be personal computers, laptops, printers, or even tablets and smartphones. Many SOHO routers also support wireless connections, so devices can connect to the router over Wi-Fi as well as by cable. The point of ingress to a SOHO network is commonly the SOHO router itself, and these routers support a wide range of services and features.

They serve as Dynamic Host Configuration Protocol (DHCP) servers, Network Address Translators (NAT), firewalls, and more. They support various protocols including Hypertext Transfer Protocol (HTTP), used for router administration via the web interface; Telnet, for administration via the command line; File Transfer Protocol (FTP) and Samba (SMB), for file and print services; Universal Plug and Play (UPnP), for automatic device discovery; and many others. The design, implementation and configuration of the protocols supported by SOHO routers raise several security issues that can leave the devices vulnerable and make them targets for attackers. If an attacker manages to exploit a vulnerability in a router, he can modify its configuration, change DNS settings, enable remote management, or modify firewall rules. This would give him full control over the device: he could intercept and modify the traffic sent over the local network, perform man-in-the-middle attacks, and carry out other malicious activities.

According to the technical report published by Independent Security Evaluators (ISE), the security issues that cause SOHO routers to be vulnerable can be divided into four basic categories: misconfiguration of network services, the assumption of security on the LAN, insecure default configurations, and poor security design and implementation. This chapter discusses these four categories.

Misconfiguration of services

This category is characterized by network services that lack configuration options or use unnecessarily lenient permissions. The services often run with root privileges or with read/write access to unrelated system directories. If an attacker gains write access, he could overwrite system files and take control of the router; altering executable files can lead to arbitrary command execution with root permissions. Read access can be used to disclose sensitive data, which is often stored in clear text. An attacker could read a password, or crack a password hash, and bypass authentication to gain administrative access to the router. This could be avoided by using salted password hashes or encryption. The problem with a misconfigured network service, e.g. improperly handled permissions, is that if the service lacks configuration options there is nothing the administrator can do to change its configuration, modify the permissions or disable the feature.
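The two mitigations this paragraph names, salted password hashes and sane permissions on the file that stores them, are shown below in an added example that is not part of the original post or of any router firmware. The record format, the credential file names and the PBKDF2 work factor are assumptions made for the illustration; what matters is that the stored value cannot be read back as a password and that a leaked file cannot be attacked with one precomputed table.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import Dict, List, Optional

# Assumption: a work factor suited to a modern CPU. An embedded device may need a
# lower value, but any salted, iterated hash beats a cleartext credential file.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh 16-byte salt per record means two accounts with the same password
    get different hashes, so one cracked entry says nothing about the others.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def check_store_permissions(path: str) -> List[str]:
    """Report group/world read or write bits on a credential store.

    This is the 'unnecessarily lenient permissions' pattern from the text: any
    service that can read the file sees every record, and any service that can
    write it can replace the administrator's credentials.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/others")
    return findings


def demo_permission_check() -> Dict[str, List[str]]:
    """Write two constructed credential files, one lenient and one strict, and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("lenient.db", 0o666), ("strict.db", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("admin:" + hash_password("admin") + "\n")
            os.chmod(path, mode)
            results[name] = check_store_permissions(path)
    return results


if __name__ == "__main__":
    record = hash_password("admin")
    print("stored record:", record)
    print("correct password verifies:", verify_password("admin", record))
    print("wrong password verifies:", verify_password("admin1", record))
    print("second record for the same password differs:", hash_password("admin") != record)
    for name, findings in demo_permission_check().items():
        print(name, "->", findings or ["permissions OK"])
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised later without invalidating existing entries, and the comparison uses hmac.compare_digest so that a wrong guess takes the same time regardless of how many leading bytes match.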

Assumption of security on the LAN

Many SOHO routers have poor security on the LAN: the protocols they use lack secure channels. The web interfaces of most routers use Hypertext Transfer Protocol (HTTP) for authentication, so the user credentials are sent in plaintext and can easily be intercepted by an attacker on the local network. Many routers have Telnet enabled by default, and as this protocol does not support encryption, using it can lead to disclosure of sensitive data. Moreover, Telnet has little practical purpose and users rarely use it. To improve security on the LAN, HTTP should be replaced with HTTPS (Hypertext Transfer Protocol Secure) for authentication, and if a text-based shell connection is needed, SSH (Secure Shell) should be used instead of Telnet. Both HTTPS and SSH encrypt the connection and are therefore a better alternative to HTTP and Telnet. Another problem with security on the LAN is the assumption that attackers will not be able to gain access to the local network and can only attack the router from an external network. Routers use Wi-Fi encryption standards that are known to be vulnerable. Of the routers tested, most use WPA2-PSK, which is considered effective although it has security flaws; however, some still use WEP, which is trivially broken. In addition to the weak Wi-Fi encryption standards, it is necessary to consider that some local networks are intended for guest access, e.g. in coffee shops or shopping centres.

Insecure by default

SOHO routers are commonly used by people with minimal knowledge of information technology who are not aware of the security concerns. Therefore, vendors try to make router setup and administration as easy as possible. This raises several security issues, as there are more potentially vulnerable services. Although some of the services are not enabled by default, every service available on the router carries the risk that an adversary enables it during an attack. A good example of a service that is present in a large number of home routers and is publicly known to be vulnerable is UPnP (Universal Plug-and-Play). In 2013 Rapid7 published research on security flaws in UPnP, which found that 81 million unique IP addresses responded to UPnP discovery requests.

Although more secure implementations exist for many commonly used services, manufacturers tend to ship outdated versions. Another problem with the default setup of routers is that some security protections, even when the router offers them, are disabled by default; the firewall is a typical example. Since common users are typically not aware of the security risks, they will not use these protections unless they are enabled by default. A further security issue is that service credentials are weak or publicly known. This would not be a problem if users changed the default credentials when setting up their home router, but the truth is that many users do not.
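The weak settings described in this section and in the one on LAN security (HTTP-only administration, Telnet, WEP, UPnP, a disabled firewall, WAN-side remote management and factory credentials) can be checked mechanically once a router's configuration has been exported. The rule-based audit below is an added example, not code from the original post or from any vendor; the configuration keys, the two sample configurations and the short list of factory credentials are constructed for the illustration, since real routers export settings in vendor-specific formats.

```python
from typing import Dict, List

# Constructed list of factory credentials for the illustration; real lists are
# vendor-specific and far longer.
FACTORY_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def audit_router_config(cfg: Dict[str, object]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    if cfg.get("admin_ui_protocol") == "http":
        findings.append("admin interface over HTTP: login credentials cross the LAN in plaintext")
    if cfg.get("telnet_enabled"):
        findings.append("Telnet enabled: unencrypted shell; use SSH if shell access is needed")
    wifi = str(cfg.get("wifi_security", "")).upper()
    if wifi in ("OPEN", "WEP"):
        findings.append(f"Wi-Fi protected by {wifi}: easily broken, WPA2-PSK is the minimum")
    if cfg.get("upnp_enabled"):
        findings.append("UPnP enabled: any LAN host can open ports without authenticating")
    if not cfg.get("firewall_enabled"):
        findings.append("firewall disabled in the running configuration")
    if cfg.get("remote_management_wan"):
        findings.append("remote management reachable from the WAN side")
    if (cfg.get("admin_user"), cfg.get("admin_password")) in FACTORY_CREDENTIALS:
        findings.append("administrative credentials are still the factory defaults")
    return findings


# Constructed configurations for the demonstration.
FACTORY_DEFAULT_CONFIG = {
    "admin_ui_protocol": "http",
    "telnet_enabled": True,
    "wifi_security": "WEP",
    "upnp_enabled": True,
    "firewall_enabled": False,
    "remote_management_wan": True,
    "admin_user": "admin",
    "admin_password": "admin",
}

HARDENED_CONFIG = {
    "admin_ui_protocol": "https",
    "telnet_enabled": False,
    "ssh_enabled": True,
    "wifi_security": "WPA2-PSK",
    "upnp_enabled": False,
    "firewall_enabled": True,
    "remote_management_wan": False,
    "admin_user": "admin",
    "admin_password": "constructed-unique-passphrase",  # placeholder, not a recommendation
}

if __name__ == "__main__":
    for label, cfg in (("factory default", FACTORY_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_router_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Each rule corresponds to one sentence of the text, so the list of findings for the factory-default configuration reads as a summary of this section; the hardened configuration produces no findings. Note that the firewall rule treats a missing key as disabled, which is the conservative reading when a setting cannot be confirmed.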

Several studies show that default credentials are quite common. Ang Cui et al. from Columbia University in New York studied embedded network devices. They tried to exploit routers by accessing their administrative interfaces from the WAN and found a number of devices that still had the factory default password set. Tripwire's Vulnerability and Exposure Research Team (VERT) conducted another study focused on the security of SOHO routers. They asked 653 IT and security professionals and 1,009 employees working remotely about the settings of their home wireless routers. Besides default service credentials, the respondents were also asked about the default IP addresses of the routers' web interfaces and about firmware updates. The following graph shows how they responded.

Poor security design and implementation

Home routers face design and implementation issues. A very serious and common problem is the lack of input validation. Although input validation can be a problem in any system that receives data from an external source, in home routers it is mostly associated with their web interfaces. Insufficient input validation in a web application can lead to web-based attacks such as Cross-Site Request Forgery, Cross-Site Scripting, Directory Traversal, and Command Injection. The first three will be discussed in more depth in the next chapter. Besides the web-based attacks, buffer overflow vulnerabilities can also be caused by improper input validation. These vulnerabilities can be present in multiple network services supported by home routers: the more services a device supports, the higher the probability that it is vulnerable. Exploiting a buffer overflow in a service running with root privileges can give an attacker full administrative control over the router. Even if the vulnerable service does not run as root, the attacker can exploit other vulnerabilities to escalate privileges.
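Command injection is the one web-interface flaw in this list the next chapter does not cover, and it follows directly from the missing input validation the paragraph describes: router diagnostic pages often take a hostname for a ping or traceroute and splice it into a shell command. The added example below (not code from the original post or from any router firmware) places the vulnerable construction beside a hardened version; the ping handler, the hostname pattern and the diagnostic form field are assumptions made for the illustration.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hostname shape per RFC 1123: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_vulnerable(target: str) -> str:
    """The pattern the text warns about: the form field is pasted into a command line.

    If this string reached os.system() or subprocess with shell=True, a value such
    as '127.0.0.1; echo injected' would make the shell run a second command, with
    whatever privileges the web server process holds (often root on a router).
    """
    return "ping -c 3 " + target


def validate_target(target: str) -> str:
    """Accept only an IP address or a well-formed hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def build_ping_command_hardened(target: str) -> List[str]:
    """Validated input placed in an argv list, so no shell ever parses it."""
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target: str, timeout: float = 10.0) -> str:
    """Run the hardened command without a shell (not exercised by the demo below)."""
    result = subprocess.run(build_ping_command_hardened(target), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    crafted = "127.0.0.1; echo injected"
    print("vulnerable handler would run:", build_ping_command_vulnerable(crafted))
    print("hardened handler argv:", build_ping_command_hardened("192.0.2.1"))
    try:
        build_ping_command_hardened(crafted)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Two defences are layered here. The allow-list validation rejects shell metacharacters outright, and it also rejects a leading hyphen, which blocks the related trick of passing an option such as -f where a hostname is expected. The argv list is the stronger guarantee: even if the pattern were loosened, the operating system receives the target as a single argument and no shell is present to interpret it.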

Comments

4 thoughts on "Security issues of routers"

  • 01/07/2017 at 9:20 am

    Hi, I read your blog occasionally and I own a
    similar one and I was just wondering if you get a lot of spam responses?
    If so, how do you protect against it, any plugin or anything you can advise?
    I get so much lately it's driving me insane, so
    any assistance is very much appreciated.

  • 01/07/2017 at 11:04 am

    I believe what you typed made a lot of sense. But, what about
    this? Suppose you added a little content? I ain't suggesting your
    information is not good, but suppose you added a post title to possibly grab people's attention? I mean "Security issues of routers" is a
    little plain. You ought to glance at Yahoo's home page and
    note how they write news titles to get people to click.
    You might try adding a video or a related pic or two to get readers
    interested in everything you've written. In my opinion, it could make your posts a little bit more interesting.

  • 06/08/2017 at 12:53 am

    Today, digital security cameras are increasingly used in our society, homes and offices. Small in size and easier to install, they give sharper images.

  • 08/08/2017 at 2:01 am

    Hey, would you mind letting me know which web host you're utilizing? I've loaded your blog in 3 different browsers and I must say this blog loads a lot faster than most. Can you recommend a good internet hosting provider at a reasonable price? Thank you, I appreciate it!
