Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
Owning Your Home Network: Router Security Revisited
Marcus Niemietz, Jörg Schwenk {marcus.niemietz, joerg.schwenk} @rub.de
Ruhr University Bochum
Table of Contents
1. IntroducKon 2. Web AOacker 3. GeneralizaKon 4. Default ConfiguraKon 5. Web AOacks 6. FingerprinKng 7. Countermeasures 8. Conclusions
IntroducKon
• Routers: center of private home networks • Web stores like Amazon offer them for <$20 – No keys and no displays – Web interface
• Our paper: Web-‐based aOacks against these interfaces – Change criKcal se`ngs
IntroducKon
• Methodology – 10 most popular routers from Amazon
• TP-‐Link, Netgear, Buffalo, ... – Default configuraKon evaluated – UI redressing, Cross-‐Site ScripKng, SSL/TLS – FingerprinKng possibiliKes analyzed – Countermeasures analyzed
Web AOacker
• Sets up a website à lures the vicKm to this site • Arbitrary JavaScript code may be executed • May send requests and may use scripts
GeneralizaKon
• CondiKons – Web interface – Connected poinKng device (e.g., mouse)
• Routers, network switches, smart TV systems, and network aOached storage devices
• Router: Widely used, complex, important funcKonaliKes
Default ConfiguraKon
XSS, CSRF, UIR, and SSL/TLS
• XSS: Focus on reflected and stored XSS – Control the vicKm‘s browser
• CSRF – Manipulate DNS se`ngs – Change default passwords (D-‐Link DIR-‐615)
• UIR: Classic Clickjacking & Tabjacking • SSL/TLS
UI Redressing
UI Redressing
UI Redressing
UI Redressing
UI Redressing
<h1>Funny pictures</h1><img src="lol.gif"><button>Click me</button><img src="lol.gif"><iframe style="position:absolute; z-index:1;
opacity:0.0; filter:alpha(opacity=0);left:-120px; top:95px;"width="300" height="200"src="http://www.bing.com">
</iframe>
UI Redressing
Web AOacks
UIR – Fritz!Box 2170
UIR – Fritz!Box 2170 <style>div, button { position:absolute; z-index:1; border:1px solid; pointer-events:none }</style>...<img src="kitten-1.png" draggable="true" ondragstart="event.dataTransfer.setData('text/plain','foobar')">...<div style="top:35px; left:300px">Tired</div>...<button style="top:195px; left:425px">More kittens</button><iframe src="http://192.168.178.1/cgi-bin/webcm?getpage=...
FingerprinKng
• Get unique idenKfiers – HTTP Basic AuthenKcaKon
• WWW-‐AuthenKcate: Basic realm="VALUE"
– Web Interface AuthenKcaKon • HTTP ressources
FingerprinKng
FingerprinKng
• Huawei E5331 – SIM, hOp://192.168.1.1/res/no card.png
• D-‐Link DIR-‐615 – Logo, hOp://192.168.0.1/pictures/wlan/masthead.gif
• Fritz!Box 2170 – Logo, hOp://192.168.178.1/html/de/images/fw header.gif
• Belkin F7D4301 – Logo, hOp://192.168.2.1/images/head logo.gif
Countermeasures
• RandomizaKon of the default login data
Countermeasures
• Minimize InformaKon Leakage – "TP-‐Link WR841N" è "Router Login XXX"
• SSL/TLS • Input ValidaKon • X-‐Frame-‐OpKons • Window name – window.name="TOKEN"
• Cookie flags: h"pOnly and secure
Conclusions
• RepresentaKve overview of the security of current home router Web interfaces
• All 10 Web interfaces are vulnerable • Well-‐known countermeasures like X-Frame-Options are not implemented
Thank you for your aOenKon. QuesKons?