Most of us have broadband at home. It’s always there. It works and, for the most part, we don’t think about it until it goes down. Our amnesia extends to the humble home gateway or broadband router that is our connection to the global Internet. That piece of CPE (or customer-premises equipment) probably sits on our desk, or down in our basement gathering dust. Strong password? Meh. Firmware update? Hey, ‘if it ain’t broke…don’t fix it!”
But all those small, insecure devices could add up to a major security crisis for users and their Internet Service Provider (ISP), according to researchers at the firm IOActive. Writing on the IOActive blog, researchers Ehab Hussein (@_obzy_) and Sofiane Taimat (@_sud0) say that millions of vulnerable home routers and gateways are vulnerable to trivial attacks. Those devices could be harnessed by cyber criminal groups, state-backed actors or hacktivists for malware distribution, spam or crippling denial of service attacks on the ISPs that manage the devices.
The problem is this: ISPs commonly identify blocks of network addresses (or “netblocks”) assigned to home-based customer-premises equipment. That information makes it far easier for those interested in wide-spread attacks on home gateways to gather information about which netblocks to scan and attack for a given ISP, or even across all ISPs in a given geography. Free tools like WhoIs or IPInfoDB can provide crucial information about the addresses that make up the netblock, including the type of connection (ADSL, DSL, Wi-Fi) and so on, then generate a list of target IP addresses. The practice of identifying netblocks for home based CPEs isn’t necessary to scan for vulnerable home gateways, but it greatly reduces the time and overhead attackers need to develop a target list, Hussein and Taimat write.
To prove their point, the two generated a list of IP addresses and then scanned that population of systems for home gateways that were vulnerable to what they described as “”the simplest of attacks,” namely: logging in to the device via telnet or http using the default administrator account and password. The result: more than 400,000 systems were potentially vulnerable to that attack. (Note: the researchers did not attempt to log in to the target systems, so it is not known how many were actually exploitable using the default login credentials.)
Knowledge of vulnerable home gateways would then be followed by attacks aimed at establishing persistent control over the devices. The researchers said there are many options for achieving that goal. At a minimum, attackers could change the administrative user and password name, locking out the rightful owner. More sophisticated attacks could involve hackers loading a malicious firmware update for the home gateway device that would prevent further updates, require the use of hard-coded (and malicious DNS servers) and so on.
With thousands or even tens of thousands of home gateways in their control, attackers could launch a number of damaging and disruptive attacks. For ISPs, the compromise of so many of their customers’ home gateways could be used in a kind of denial of service attack – flooding support lines with calls from irate customers, leading to expensive and time-consuming remediation. Or, attackers could force massive, simultaneous reboots of CPE, overloading the ISPs service management engines and Radius and LDAP servers. Run of the mill affiliate scams or denial of service attacks are also a likely attack option for those who controlled an army of home gateway devices.
This isn’t the first warning about the dangers of vulnerable and mismanaged home gateways. In January, the security firm Rapid7 warned ISPs that a vulnerability in the Universal Plug ‘n Play (UPNP) protocol affected around 40-50 million network-enabled devices, including many home networking devices like Internet gateways, wi-fi access points and cable modems. Those flaws expose millions of users to remote attacks that could result in the theft of sensitive information or other criminal activity such as spying.
A presentation at the 2010 Black Hat Briefings in Las Vegas also demonstrated a method of compromising home routers using so-called “DNS Binding” attacks.
IOActive recommended that OEMs should stop shipping hardware, like home broadband routers, with uniform and trivial default administrator passwords. ISPs, for their part, should refuse to assign IP addresses to users with home routers that are using the default login credentials or are otherwise vulnerable.