This entry was posted in General Security on April 11, 2017 by Mark Maunder

At Wordfence, we make a firewall and malware scanner that protects over 2 million WordPress websites. We also monitor attacks on those sites to determine which IPs are attacking them and we block those IPs in real-time through a blacklist.

Tuesday morning we published a post showing how 6.7% of all attacks we see on WordPress sites come from hacked home routers. In the past month alone we have seen over 57,000 unique home routers being used to attack WordPress sites. Those home networks are now being explored by hackers who have full access to them via the hacked home router. They can access workstations, mobile devices, wifi cameras, wifi climate control and any other devices that use the home WiFi network.

Half of the internet service providers we analyzed have routers with a very specific vulnerability. This vulnerability is known as the “misfortune cookie”. We will call it the MC vulnerability for short. It has been known for a few years and was first disclosed by CheckPoint in 2014. It is now being used to hack home routers. Using the tool below you can tell if you have the MC vulnerability.

The MC vulnerability exists in a service that your ISP uses to remotely manage your home router. That service listens on a “port” number, which is 7547. Besides the MC vulnerability, this port can have other vulnerabilities, one of which was disclosed a few months ago. Researchers have been discussing the dangers of port 7547 in home routers for a few years now.

Your ISP should not allow someone from the public internet to connect to your router’s port 7547. Only your ISP should be able to access this port to manage your home router. They have the ability to configure their network to prevent outsiders from accessing that port. Many ISPs do not block public access to port 7547.

You can use the tool below to determine if your port 7547 is open to the public internet. If it is, we suggest you contact your ISP and ask them to prevent outsiders from accessing that port on your home router. Even if you aren’t vulnerable to one of the two vulnerabilities we posted above, future vulnerabilities may emerge on port 7547. By blocking public access you will protect yourself and your home network.

Check if you are vulnerable

To use this tool, simply click the ‘Scan me’ button and we will check the IP you are visiting this site from to determine if port 7547 is open on your router and if it is vulnerable to the misfortune cookie vulnerability.

This test attempts to connect to port 7547 on your home router to see if it is listening, then grabs the response from that port and analyzes it. It is quite safe: if your port 7547 is publicly available, it already receives many scans like this every day from hackers and security professionals.

[Editor’s note: The tool to check for this vulnerability was removed in April, 2018.]
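The check described above (connect to port 7547, grab the response, analyze it) can be reproduced for a router you own. The Python below is an added example, not Wordfence's tool: the function names and verdict labels are hypothetical, and it only reports whether the port answers and whether the reply's Server header names RomPager, leaving the judgement on firmware to your ISP or vendor.

```python
import re
import socket
import sys

MGMT_PORT = 7547  # ISP remote-management port named in the post


def _result(verdict, server="", version=None):
    return {"verdict": verdict, "server": server, "rompager_version": version}


def classify_response(raw: bytes) -> dict:
    """Analyze whatever the service on port 7547 sent back."""
    server = ""
    for line in raw.decode("latin-1").splitlines():
        if not line:  # blank line ends the HTTP headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
            break
    match = re.search(r"RomPager/([\d.]+)", server, re.IGNORECASE)
    if match:
        return _result("open-rompager", server, match.group(1))
    return _result("open-other", server)


def check_port(host: str, port: int = MGMT_PORT, timeout: float = 5.0) -> dict:
    """Connect, send a plain HTTP request, and classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return _result("closed")
    except OSError:  # timeout, no route, DNS failure
        return _result("unreachable")
    raw = b""
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while len(raw) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                raw += chunk
        except OSError:  # reset or read timeout: keep what arrived
            pass
    return classify_response(raw)


if __name__ == "__main__" and len(sys.argv) > 1:
    # Run from outside your home network against your own public IP.
    print(check_port(sys.argv[1]))
```

Run it from a connection outside your home network, since a test from inside the LAN does not show what the public internet can reach. Any "open" verdict falls under the advice below to contact your ISP.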

What to do with the results

If you are vulnerable, we recommend that you:

Immediately reboot your home router. This may flush any malware from your home router.

Upgrade your router firmware to the newest version if you can. Close port 7547 in your router config if you are able to. (Many routers don’t allow this.)

If you can’t upgrade your own firmware, immediately call your ISP and let them know you have a serious security vulnerability in your home router and you need help fixing it. You can point them to this blog post (the page you are on) and this CheckPoint website for more information. Let them know that your router has a vulnerability on port 7547 in “Allegro RomPager” that can allow an attacker to access your home network and launch attacks from your router on others.

Run a virus scan on all your home workstations.

Update all home workstations and devices to the newest versions of operating system and applications or apps.

Update any firmware on home devices where needed.

If you are not vulnerable, but port 7547 is open on your router, we recommend that you:

Reboot your home router immediately. You may suffer from other port 7547 vulnerabilities.

Upgrade your router firmware if you can.

Close port 7547 on your router if you can. (Many routers don’t allow this)

Contact your ISP and let them know that port 7547 on your home router is accessible from the public internet. Let them know that port 7547 is used by your ISP to manage the router. It should not be publicly available. Suggest that they filter access to that port to prevent anyone on the public internet from accessing it.

How you can help

According to Shodan, a popular network analysis tool, over 41 million home routers world-wide have port 7547 open to the public internet. We are trying to get the word out to home users and ISPs to block this port and patch any vulnerable routers. This will help reduce attacks on the websites we protect and, far more importantly, it will help secure over 41 million home networks.

We found over 10,000 infected home routers in Algeria that use Telecom Algeria for internet access. These are home networks that have already been hacked. We also found over 11,000 hacked home routers in India on BSNL, another major ISP. Let’s help secure our fellow internet citizens and prevent others from having their home networks compromised.

You can help by sharing this post and empowering home users to check if they are vulnerable. They can then contact their ISPs with the information and this will gradually cause ISPs to close port 7547 to outside access and to disinfect and patch vulnerable routers.