Feature

It is far more common to find routers with critical flaws than without – Craig Young

It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room. – Peter Adkins

Introduction

Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities.

Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate.

Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when over the Christmas break they crafted a slick paid denial of service stresser service that operated on hacked boxes. Customers were found paying to flood targets of choice with gigabits of bandwidth stolen from what the black hats claimed were a fleet of half a million vulnerable and subsequently hacked routers.

A year earlier, security boffins at Team Cymru warned that an unknown gang had popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities. Those routers were hacked through a self-propagating worm (PDF) that researchers had already warned about, but not yet seen. It used a mix of brute force password guessing of web admin consoles, cross-site request forgery, and known un-patched vulnerabilities.

Arguably the most infamous hack in recent months was Check Point's so-called Misfortune Cookie discovered in December 2014. This vulnerability was thought to impact a staggering 12 million routers across 200 models from big names such as Linksys, D-Link, TP-Link, ZTE, and Huawei.

Affected routers could be hijacked with a crafted cookie that allows attackers to meddle with just about everything on the units, from password theft to alterations to DNS and infection of connected devices.

In October Rapid7 had chipped in with its own research, warning that NAT Port Mapping Protocol configurations in 1.2 million routers was sufficiently borked that remote attackers could spy on internal traffic.

Security is 'abysmal'

"Router security remains abysmal, especially among the cheapest brands,” says John Matherly, founder of the popular Shodan search engine, which crawls for internet-connected devices. “Backdoors, no automated patching and default usernames and passwords are just a few of the problems that many SOHO routers continue to face.”

Matherly last month dug up an estimated 250,000 routers used in Spain that were using the same SSH keys, placing those configured for remote access at heightened risk.

He also points to research published two days later by Entrust Solutions hacker Nabin Kc, who found 200,000 home routers contained a firmware backdoor, a flaw replicated across 10 different vendors who seemed to be re-branding a vanilla router.

Matherly says badge-engineering seems a common practise for vendors that compete on price over form or function. “It seems that the rate of security problems discovered with routers is only limited by the number of security experts that take the time to analyse the devices,” he says.