You’re Doing NAT Wrong! One Million SOHO Routers Vulnerable

A vulnerability in more than 1 million small office and home office (or SOHO) routers makes them potentially vulnerable to remote attacks that could expose private internal network traffic to prying eyes, according to a warning posted by the firm Rapid7.

On Tuesday, the company warned of implementation and configuration vulnerabilities in NAT-PMP features affected more than a million consumer-grade routers that connect residential and small business networks to the Internet.

Insecure broadband modems, home routers and other embedded devices may pose a serious security risk.
Insecure broadband modems, home routers and other embedded devices may pose a serious security risk.

According to the blog post by Jonathan Hart of Rapid7 labs, a scan conducted as part of Project Sonar identified approximately 1.2 million devices on the public Internet that responded to our NAT-PMP probes that Rapid7 sent out. The devices responding were found to be vulnerable to potential attacks including malicious port mapping and information disclosure about the NAT-PMP device itself.

NAT-PMP stands for Network Address Translation Port Mapping Protocol. It is an protocol, promoted by Apple, that provides a way to automate NAT port mappings , giving users who are located behind a NAT gateway (like a SOHO router) a way to let external users access internal TCP and UDP services. NAT-PMP was implemented in Apple products like Mac OS X, Bonjour for Windows, and AirPort wireless base stations, starting in 2005. In 2013 it was
superseded by the IETF Standards Track RFC “Port Control Protocol

In an e-mail to The Security Ledger, Hart said that it isn’t clear exactly how  the million- plus SOHO devices ended up vulnerable, but the most simple explanation is that the companies who manufactured the devices simply implemented the protocol incorrectly.

Hart notes that the RFC for NAT-PMP makes it clear that the NAT gateway should not allow mapping requests to the NAT gateway’s external (public facing) IP address, nor should it accept mapping requests that are received on its external network interface. “Only packets received on the internal interfaces with a destination address matching the internal address(es) of the NAT gateway should be allowed,” it reads.

But that’s exactly what the vulnerable routers do. Why?

The first and most likely is that vendors shipped mis-configured NAT-PMP to listen for NAT-PMP messages on untrusted interfaces. Alternatively, the router makers may have simply misread and misinterpreted the RFC that explains how to implement NAT-PMP, Hart said.

“The RFC does touch on security briefly, but it focuses primarily on the issues encountered when NAT-PMP is correctly deployed but the NAT clients themselves are malicious,” he wrote. The documentation doesn’t do a good job of explaining how to properly configure NAT-PMP and the associated restrictions and why they are important, he said. “I only discovered these flaws because I took the time to read and explore beyond what is documented.”

Hart said the possible attacks against vulnerable SOHO routers include interception of TCP and UDP traffic from internal, private NAT clients and intended only for use on the internal, private address of the NAT-PMP device itself. These might include services like DNS and HTTP/HTTPS administration. Redirection of internal DNS requests to a malicious, external DNS server to conduct attacks against NAT clients is also a possible attack and  could be used to steal session cookies and data or passwords. Also, attackers might compromise of the NAT gateway itself by intercepting internal or external administration traffic, obtaining login credentials and then using those credentials to reconfigure the NAT gateway remotely to achieve further compromise.

About 86% of the 1.2 million SOHO routers detected by Rapid7 were found to be vulnerable to having external traffic intercepted. Around 88% exposed internal NAT client services and were vulnerable to DoS attacks against host services.A smaller number – about 30,000 devices – were found to allow internal NAT traffic to be intercepted.

SOHO routers have long been the foot soldiers of the broadband revolution: intermediating between our homes and offices and the big, scary world of the Internet. And if the term “SOHO router” isn’t familiar, you might also call them “that dusty box with the blinking lights” that all your stuff connects to.

The devices – many running embedded versions of Linux – have mostly been an afterthought for cyber criminals and malicious actors. Until now. In recent years, there has been an spike in malicious activity directed at these devices.

In September researchers at the firm Sucuri warned of a web-based attack launched from the site of a popular Brazilian newspaper that was targeting home broadband routers. And, in July, the Electronic Frontier Foundation launched the Open Wireless Router Project to develop a secure alternative to commercial SOHO routers that are more secure and can operate in a peer-to-peer mode.

Researchers Ehab Hussein (@_obzy_) and Sofiane Taimat (@_sud0) of IOActive reported that millions of vulnerable home routers and gateways are vulnerable to trivial attacks. Those devices could be harnessed by cyber criminal groups, state-backed actors or hacktivists for malware distribution, spam or crippling denial of service attacks on the ISPs that manage the devices.

Comments are closed.