SOHO routers are widespread network devices that are commonly used in small offices and households. A typical SOHO network consists of a SOHO router and up to 10 hosts. Hosts can be personal computers, laptops, printers, or even tablets and smartphones.
Many SOHO routers support wireless connection so besides using a cable the devices can connect to the router via Wi-Fi. The point of ingress to a SOHO network is commonly a SOHO router. SOHO routers support a wide range of services and features.
They serve as Dynamic Host Configuration Protocol (DHCP) servers, Network Address Translators (NAT), firewalls, and more. They support various protocols including Hypertext Transfer Protocol (HTTP) that is used for router administration via web interface, Telnet for administration via command line, File Transfer Protocol (FTP) and Samba (SMB) for file and print services, Universal Plug and Play (UPnP) for automatic device discovery, and many others.
Design, implementation and configuration of the protocols supported by SOHO routers bring up several security issues that can cause the devices to be vulnerable and to become targets of attackers.
If an attacker manages to misuse vulnerabilities of a router he can modify its configuration, change DNS settings, enable remote management, or modify firewall rules.
This would give him full control over the device. He could intercept and modify the traffic sent over the local network, perform man-in-the-middle attacks and other malicious activities.
According to the technical report published by Independent Security Evaluators (ISE) the security issues that cause SOHO routers to be vulnerable can be divided into four basic categories: the misconfiguration of network services, the assumption of security on the LAN, insecure default configurations, and poor security design and implementation. This chapter discusses these four categories.
Misconfiguration of services
This category is characterized by network services that lack configuration options or utilize unnecessarily lenient permissions. The services are often running with root privileges or with read/write access to unrelated system directories.
If an attacker gains write access he could overwrite system files and get control over the router. Altering executable files can leverage in arbitrary command execution with root permissions.
Read access can be used to disclose sensitive data that are often stored in clear text. An attacker could read a password or crack a password hash and perform authentication bypass to gain administrative access to the router. This could be avoided using salted password hashes or encryption.
The problem about the misconfiguration of a network service, e.g. improperly handled permissions, is that if it lacks configuration options there is nothing the administrator can do to change the service configuration, modify the permissions or disable the feature.
Assumption of security on the LAN
Many SOHO routers have poor security on the LAN. Protocols that are used lack secure channels. Web interfaces of most of the routers use Hypertext Transfer Protocol (HTTP) for authentication and therefore the user credentials are sent in plaintext and can be easily intercepted by an attacker in the local network.
Many routers have Telnet enabled by default and as this protocol does not support encryption using it can leverage to sensitive data disclosure. Moreover, Telnet has little practical purpose and users commonly do not use it.
To adjust security on the LAN the HTTP protocol should be replaced with HTTPS (Hypertext Transfer Protocol Secure) for the process of authentication and if text-based shell connection is needed SSH (Secure Shell) should be used instead of Telnet. Both HTTPS and SSH use encryption and therefore they represent a better alternative to HTTP and Telnet.
Another problem regarding security on the LAN is the assumption that attackers will not be able to gain access to the local network and could attack the routers only from an external network. Routers use Wi-Fi encryption standards that are known to be vulnerable.
Of the routers tested, most use WPA2-PSK that is considered effective although it has security flaws. However, there are some that use WEP which is very easy to hack. In addition to the vulnerable Wi-Fi encryption standards it is necessary to consider the fact that some local networks are intended for guest access, e.g. coffee shops or shopping centres.
Insecure by default
SOHO routers are commonly used by users that have minimal knowledge within information technology and do not realize security concerns.
Therefore, vendors try to make the router set up and administration as easy as possible. This brings up several security issues as there are more potentially vulnerable services.
Although some of the services are not enabled by default, for all the services that are available on the router there is a risk that they would be enabled by an adversary in case of attack.
A good example of a service that is present in a large number of home routers and is publicly known to be vulnerable is UPnP (Universal Plug-and-Play). In 2013 Rapid published a research on security flaws in UPnP. It showed up that 81 million unique IP addresses responded to UPnP discovery requests.
Although for many services that are commonly used there exist enhanced implementations that are more secure, manufacturers tend to use outdated versions.
Another problem regarding default set up of the routers is that some of the security protections, although when they are available on routers, are sometimes disabled by default. For example firewall. And as common users are typically not aware of security risks they would not use the protections unless they were enabled by default.
Another security issue is that service credentials are weak or publicly known. If the users changed the default credentials when setting up their home router this would not be a problem. But the truth is that many users do not change them.
There are a few researches showing that default credentials are quite common. Ang Cui, et al., from Columbia University of New York did a research on embedded network devices. They tried to exploit routers by accessing their administrative interfaces from WAN and found a number of devices that still had the factory default password set.
Tripwire2 Vulnerability and Exposure Research Team (VERT) did another research that focused on security of SOHO routers. They asked 653 IT and security professionals and 1,009 employees working remotely about settings of their home wireless routers.
Besides default service credentials the respondents were also asked about default IP addresses of the web interfaces of the routersand firmware updates. The following graph shows how they responded.
Poor security design and implementation
Home routers face design and implementation issues. Very serious and common problem is lack of input validation. Although input validation in general can be a problem in any system that receives data from an external source, within home routers it is mostly associated with their web interfaces.
Insufficient input validation within a web application can leverage in web based attacks, such as Cross-Site Request Forgery, Cross-Site Scripting, Directory Traversal, and Command Injection.
The first three will be discussed more deeply in the next chapter. Besides the web based attacks, buffer overflow vulnerabilities can be also caused by improper input validation.
These vulnerabilities can be present within multiple network services supported by home routers. The more services a device supports, the higher probability of being vulnerable it has. Exploiting a buffer overflow within a service with root level privileges can provide an attacker with full administrative control over the router.
Although if the vulnerable service does not run as root, the attacker can misuse other vulnerabilities to escalate the privileges.