Exclusive: Flaws in common Wi-Fi Router set up Hotspot Hacks

In-brief: Two, serious flaws in a common wireless router made by the firm TP-Link open the door to a hacker gaining control over the device, just the latest flaw revealed in broadband and wifi routers, the firm Senrio said Monday.

Two, serious flaws in a common wireless router made by the firm TP-Link open the door to hacker gaining control over the device, the firm Senrio said Monday.

Researchers at Senrio discovered two vulnerabilities in a TP-LinkWR841N Version 8 wireless router that allow an attacker to sidestep access control features, gain administrative access to the device and then run malicious code on the router. The report is just the latest to highlight glaring security holes on broadband routers and wi-fi hotspots, which are deployed in offices, businesses and public buildings globally. It follows the release of a toolkit, dubbed “CherryBlossom,” that was allegedly used by the CIA, for targeting home routers.

TP-Link issued updated firmware in February that contains patch for the flaw. Newer models of TP-Link routers by the same manufacturer are not believed to be vulnerable to the same attack. However, Senrio notes that the affected device is still widely deployed and used. A search of the Internet showed more than 93,000 WR841N routers deployed worldwide, though not all are the Version 8. TP-Link did not reply to an email request for comment on the security holes by The Security Ledger.

In an interview, researcher M. Carlton of Senrio said that the company had been researching the TP-Link router as part of a larger survey of embedded devices. The WR841N is typical of consumer grade wi-fi routers as are its security problems, said Carlton. Among them: vulnerable configuration services that leave the devices susceptible to having hostile code delivered and installed.

In the case of the WR841N V8 device, Carlton said she found two flaws that, when combined, give an attacker who had physical proximity to the router control over it. The first was a vulnerable configuration service that allowed Senrio researchers to send commands to the TP-Link device without first logging in to the device. Combining a series of these commands, the researchers forced the wifi router to connect to a cellphone hotspot that they controlled. They were then able to force the router to reset, restoring default administrator credentials that are commonly known and giving the researchers administrative access to the device.

[Read more Security Ledger coverage of security troubles with broadband routers.]

With access to the device, the researchers could use a second, stack overflow vulnerability to install and run malicious code on the device, Carlton said. The company programmed the device to blink a message in Morse code using LED lights as a proof of their work, a tip of the hat to work by Israeli researchers at Ben Gurion University who demonstrated a method of leaking sensitive data via blinking lights on the very same model of TP Link router.

Someone sitting in a coffee shop could reset the router to its defaults, change its network or DNS (Domain Name System) settings or log in to the device’s user interface, Carlton told Security Ledger. Senrio is not revealing details of that flaw, because TP Link has declined to exploit it, citing the patch of the configuration service vulnerability as a mitigating factor.

The analysis revealed a number of problems with security on the TP-Link routers, Carlton said. First, many administrative commands could be executed without first requiring the requestor to provide authentication credentials like a user name and password. That enabled the researchers to siphon valuable data from the router.

Also, the TP-Link routers secured communications using a unique key that was based on the user login ID and password. However, the method used to encrypt that text and form the key was DES (Data Encryption Standard), an older encryption technology that is now considered insecure. DES, which encrypted the text in 8 character blocks made it easy to hack the router’s security using what’s sometimes called a “replay” attack.

“Since we knew the plaintext version from the firmware and we could retrieve the encrypted version of that same text from the router’s (configuration) service, we could then copy the encrypted text and send it back to the router as a valid argument,” Carlton wrote in a blog post.

Stephen Ridley, the Chief  Technology Officer at Senrio, said that TP-Link should be commended for patching the configuration service vulnerability after being informed of it, but he said the company was initially reluctant to address a security hole in an older product they said was no longer supported. The delay in getting a fix – almost five months between Senrio’s initial report in September and the patch in February – underscores the challenges facing both businesses and consumers on the fast-growing Internet of Things.

“This epitomizes the IoT problem. Nobody is actively supporting consumers in this model,” Ridley said.

Among the questions that remain unanswered is whether other TP-Link routers are vulnerable. Senrio did not extend their tests to other models by the same maker. TP-Link informed the researchers that they had tested their other SOHO (small office, home office) routers and concluded that they were not affected, but they did not elaborate nor did they provide a list of what other models they tested for the flaws.

Ridley said problems in firmware are often widespread throughout product lines and even across products, as different manufacturers rely on similar hardware and software components, including open source elements. “Code reuse is vulnerability reuse,” he said. Often, developers assume that widely used code – either proprietary or open source– has been vetted by previous developers and, thus, does not deserve scrutiny.

Recent history suggests that’s an incorrect assumption. The Heartbleed vulnerability lurked in OpenSSL, one of the most oft-used open source packages, for years. “Those are exactly the components that need to be scrutinized,” Ridley said.

Security Ledger wants to hear your thoughts! Leave a reply.