Home and small business routers under attack – how to see if you’re in danger
By Paul Ducklin, Senior Researcher at Sophos
Evan Grant, a researcher at network security analysis firm Tenable, recently decided to try to hack into a home router.
The idea, it seems, was more to learn about general techniques, tools, and procedures available to router hackers than to conduct a security assessment of a particular product.
Naturally, Grant therefore chose a router model using two non-technical criteria: was it popular and was it available in Canada (Grant’s home country)?
After opening the router case to get at the circuit board, Grant quickly made good progress:
- Finding likely pins on the circuit board where a debugging device could be connected.
- Identifying the correct wiring for the debug circuit to allow a serial connection.
- Getting a root shell via the serial line and accessing the files on the device.
Grant’s first stop was to extract a binary file (executable program) called httpd, the name under which you will usually find the web server of a home or small business router, used to manage the device from your browser.
Taking the web server binary apart revealed critical bugs, caused by programming errors, which Grant was able to chain together to take control of the router through its web interface without needing a password.
First, the router had a list of built-in web server subdirectories where authentication was not required, so “harmless” files such as http://[router]/images/logo.png would work for everyone.
(A company logo isn’t a secret, so why not let anyone access it, whether they’re already logged in or still stuck on the login page?)
But once the router matched the name of the “harmless” subdirectory, it didn’t bother to apply other security checks such as checking the filename for risky characters.
This meant that Grant could use a filename like /images/../login.htm in the URL as an unauthenticated equivalent of a web page that would otherwise ask for a password or block access altogether, such as http://[router]/login.htm.
This type of bug dates back decades and is known as a directory traversal vulnerability, because the special directory name .. (dot-dot) is shorthand for “go up one directory”.
Thanks to the “go up one” component, the file named /images/../login.htm actually refers to a file that sits above the /images subdirectory, not in the directory tree below it.
Second, the router set an authentication cookie, valid for any other password-protected page, simply upon access to a page for which authentication was supposed to have already taken place.
In other words, the authentication token was not generated as a side effect of a correct password being entered, but merely as a side effect of reaching a protected page, even when that page was reached via an authentication bypass.
Simply put, a bypass in one place, using the directory traversal bug mentioned above, reliably led to a bypass everywhere else.
Reporting the bug
This directory traversal bug was duly reported to the affected router vendor, Buffalo, and received the vulnerability identifier CVE-2021-20090.
However, the story didn’t end there, as Grant (who did his initial research with a Buffalo WSR-2533DHPL2 router) eventually realised that it wasn’t so much a router vendor bug as a firmware bug.
In other words, the Buffalo routers weren’t the only ones at risk.
Tenable eventually identified and listed 37 widely used products that all shared code from the router and firmware provider Arcadyan, including several products from Arcadyan itself.
The bug itself, it seems, has been present in Arcadyan code, so far unnoticed, since 2008.
Affected products include routers shipped by well-known ISPs around the world, including BT, Deutsche Telekom, KPN, O2, Orange, Telecom Argentina, TelMex, Telstra, Telus, Verizon and Vodafone.
All of these products should have updates available by now, but we don’t yet know how many products currently in use have actually downloaded and installed these updates.
Unfortunately, according to tracking reports from a Juniper researcher, cybercriminals are already probing the internet for vulnerable devices.
So, if you are affected by this bug, or think you may be, we urge you to check for updates as soon as possible.
What to do?
- Check Tenable’s list to see if your router is affected. Some routers reveal details such as model and serial numbers in their management console, so try to log in and view the relevant router information pages. Unfortunately, many ISP-supplied routers do not display the original manufacturer’s name or model number on the outside of the router itself. If in doubt, consult your ISP. (Our home Internet service provider is on the list, but we were able to deduce, just from the format of our router’s firmware version number in the console, that it was almost certainly not one of the affected models.)
- Make sure you have the latest firmware for your router. Even if you’re not on the danger list this time around, use it as a good reason to check that you’re still up to date. Some ISPs, like ours, configure their routers to update automatically, but it’s always worth checking regularly that these updates are installed and applied as expected.
- Avoid enabling remote access to your router’s management console. Most modern routers limit Web console access to the internal network only by default, but include an option to enable remote access if desired. Make sure this option is turned off unless you are absolutely sure you need it. There is no point in exposing your router’s web server directly to the Internet unnecessarily.
- Never enable remote access to your router at the request of someone you don’t know. Scammers often contact you via email or phone claiming they are “here to help” and then request remote access to your router or computer to “fix” an imaginary “problem”. These tech support scammers often claim to be from Microsoft, Google, your ISP, or even the police. They can become threatening and aggressive when challenged. Don’t be intimidated. You haven’t asked for help, so you don’t need to accept it.
- If you are a programmer, check all your inputs. Any software that accepts data supplied over the network should assume that any input it receives may have been deliberately crafted to probe for vulnerabilities. System commands, directories and file names need special attention, because many characters and character sequences have special meaning in these contexts, such as the infamous “dot-dot” sequence mentioned above.
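As an added illustration, not code from the article, from Tenable or from the Arcadyan firmware, the following constructed Python sketch shows both the flawed “harmless subdirectory” check described earlier and the hardened version the “check all your inputs” advice calls for; the /css/ entry and the handle_request dispatcher are assumptions made purely for illustration.

```python
import posixpath
from urllib.parse import unquote

# Subdirectories the router serves without a login. The "/images/" entry is
# the case from the article; "/css/" is a constructed extra.
PUBLIC_PREFIXES = ("/images/", "/css/")


def vulnerable_is_public(url_path: str) -> bool:
    """The flawed check: a prefix match on the raw URL path with no
    canonicalisation, so "/images/../login.htm" counts as an image."""
    return any(url_path.startswith(p) for p in PUBLIC_PREFIXES)


def canonicalize(url_path: str) -> str:
    """Return the path the filesystem would actually open: percent-decode,
    force a leading slash, then collapse ".", ".." and repeated slashes."""
    decoded = unquote(url_path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def hardened_is_public(url_path: str) -> bool:
    """Decide on the canonical path, and refuse any path that still carries
    a ".." segment even after normalisation (belt and braces)."""
    canon = canonicalize(url_path)
    if ".." in canon.split("/"):
        return False
    return any(canon.startswith(p) for p in PUBLIC_PREFIXES)


def handle_request(url_path: str, logged_in: bool,
                   is_public=hardened_is_public) -> int:
    """Minimal dispatcher returning an HTTP status code: public files go to
    everyone, everything else needs a session established by a real login.
    Nothing here issues a session cookie; only the password handler may do
    that, which is what closes the article's second bug."""
    if is_public(url_path):
        return 200
    return 200 if logged_in else 401
```

Running the two checks side by side shows the raw-prefix version waving /images/../login.htm through while the canonical-path version sends the same request back with a 401.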