Home Router Vulnerability Threat Bulletin January 2019


Home Router Vulnerability

Threat Bulletin

January 2019


Threat Bulletin

www.allot.com See. Control. Secure.

Home Router Vulnerability

The humble home router…who would think that it could possibly be the Achilles’ heel of millions of home network installations? Here are three examples of well-known router cyberattacks that have highlighted serious network intrusion vulnerabilities in the past 12 months:

o Vulnerabilities in Xiaomi Mi Router 3

o Vulnerabilities in Linksys E Series routers

o Vulnerabilities in old D-Link DSL gateways that were never fixed and are now being abused

Of course, the stars of the year were undoubtedly the VPNFilter router malware and the MikroTik cryptojacking affair, each of which reportedly affected around 500,000 routers, although the real number was probably much higher. Then there are accidents waiting to happen like the situation of GPON home routers, of which there are around one million in service. Yes, the home router may sit there, innocently flashing away in your living room, but its susceptibility as an easy route into your private home network should not be underestimated. For a comprehensive list of router bugs and flaws from 2012 to 2018, click on this link. However, be warned, it doesn’t make for particularly pleasant reading.

The two major issues with routers are (a) they are normally left switched on, and (b) their firmware is rarely updated. Add to this the fact that home users hardly ever change the credentials on this vital piece of networking infrastructure, with most leaving their devices with factory-setting credentials.

And it’s not just home users that should be angry about this situation—governments are also pretty annoyed. In January 2017, the US Federal Trade Commission (FTC) accused network equipment supplier D-Link of selling its webcam and network router devices that were vulnerable to attack by hackers. In a lawsuit filed against the company, the FTC stated that D-Link, “…failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access…".

The issue of router vulnerability has become such a hot potato that the US FBI even issued a public service announcement when the VPNFilter attack occurred, aimed at calming the situation. It advised the owners of small office and home office routers to reboot their devices and take a number of other protective measures to secure their networks (more on this below). The trouble with this advice is that the VPNFilter malware can persist even if the router is switched off.

Virtually no consumer router manufacturer was insulated from these waves of attacks on this relatively simple attack surface. The main companies involved were Asus, Huawei, MikroTik, Linksys, NetGear Inc., TP-Link, D-Link, and QNAP. While periodically switching off any of these routers is one, probably futile, way of combating hacker intrusion, further, more comprehensive measures are required.


Internet Protocols - the Achilles’ Heel

Basic, consumer-grade routers use a broad range of communications protocols, many of which contain access vulnerabilities that can easily be exploited by hackers. One very common protocol used by lower-end router devices is the Simple Network Management Protocol (SNMP), which reads and writes router data. Almost all networking equipment implements an SNMP agent. Its legitimate task involves monitoring the health and welfare of network equipment. However, it also supplies topology information about networks and can enable management control of network devices and servers. It is inherently insecure as SNMP messages are not encrypted. Another commonly used protocol is Universal Plug and Play (UPnP). This protocol comes enabled by default on many new routers and was another focus of an FBI warning, where the security advice was to disable this helpful, although risky, communications format.
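The point that SNMP messages are not encrypted can be seen directly in the bytes. The following is an added example, not code from the bulletin or from Allot: it decodes the BER header of an SNMPv1/v2c message and shows that the community string, the only credential those versions carry, is readable straight out of the packet. The packet is constructed by hand (an SNMPv2c GetRequest for sysDescr.0 with community "public"); anyone able to see the traffic, on the wire or in a capture, reads it the same way.

```python
"""Decode the header of an SNMPv1/v2c message to show that the community
string (the only credential those versions carry) travels in cleartext.

Added example, not code from the bulletin. The packet below is constructed
by hand: an SNMPv2c GetRequest for sysDescr.0 with community "public".
"""

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

# Constructed sample: 41-byte SNMPv2c GetRequest, community "public", OID 1.3.6.1.2.1.1.1.0
SAMPLE_GETREQUEST = bytes.fromhex(
    "3029"                  # SEQUENCE, 41 bytes of message
    "020101"                # INTEGER version = 1 (SNMPv2c)
    "04067075626c6963"      # OCTET STRING community = "public"
    "a01c"                  # GetRequest PDU, 28 bytes
    "02040000002a"          # request-id = 42
    "020100"                # error-status = 0
    "020100"                # error-index = 0
    "300e"                  # varbind list
    "300c"                  # one varbind
    "06082b06010201010100"  # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                  # NULL (value requested)
)


def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn BER-encoded OID bytes into dotted notation."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_snmp_message(packet):
    """Return version, community, PDU type, request-id and requested OIDs."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:
        # SNMPv3 carries USM security parameters here, not a community string
        return {"version": "v3", "community": None}
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, p = read_tlv(pdu, 0)
    _, _, p = read_tlv(pdu, p)             # error-status
    _, _, p = read_tlv(pdu, p)             # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {
        "version": SNMP_VERSIONS.get(version, str(version)),
        "community": community.decode("ascii", errors="replace"),
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(rid, "big", signed=True),
        "oids": oids,
    }


def community_in_cleartext(packet):
    """True when the credential is readable straight out of the raw bytes."""
    parsed = parse_snmp_message(packet)
    return parsed["community"] is not None and parsed["community"].encode() in packet


if __name__ == "__main__":
    print(parse_snmp_message(SAMPLE_GETREQUEST))
    print("community readable on the wire:", community_in_cleartext(SAMPLE_GETREQUEST))
```

The same decoder can be pointed at captured UDP/161 payloads to confirm whether a device is still being polled with v1/v2c community strings; SNMPv3 with authentication and privacy is the version that does not expose them, which is why disabling or upgrading SNMP belongs on a hardening list.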

Router security breaches can expose a range of risks to home network owners, including:

o Intelligence gathering & subsequent potential identity theft

o Theft of personal data

o Damage to, or disruption of, computer equipment

o Network traffic blocking and disruption

o Firmware deletion, providing free access to hackers

o Botnet creation as part of larger attacks such as DDoS

One of the most common router attacks is to use the device as a Man in the Middle (MITM). This occurs when the router is used as a portal between a hacker and the target’s network. During an MITM attack, the router essentially impersonates both sides of the attack event. Another term for this type of attack is “session hijacking”. MITM attacks are particularly insidious as they are sometimes capable of altering encrypted data, making them a significant challenge to cybersecurity protection attempts. However, measures can be taken to alleviate the risks of such attacks. On the server side, strong encryption protocols between the server and client can be deployed, which will disrupt some, if not all, MITM attacks. Digital certificate verification is another measure that can be deployed to harden router protection. On the client side, the addition of browser plugins such as HTTPS Everywhere and Force TLS can force secured connections on the network.

Another frequent form of router attack is to send targets to “evil twin” websites that impersonate familiar sites such as mail servers or banking portals. The aim is to trick users to enter their credentials to access these sites, which the hackers then steal and use to acquire personal data or funds from the target.

Yet another router protocol vulnerability is the Home Network Administration Protocol (HNAP). HNAP enables the transmission of sensitive information across the Internet. If that were secure, that would be fine, but HNAP is far from it: it provides complete access to anyone who holds a router’s username and password credentials. Unfortunately, most home users have minimal technical knowledge and will not change those credentials from the factory defaults. Hackers have lists of those default credentials and, using HNAP, can access a target’s home network in seconds. For example, in 2014 a router worm called The Moon used HNAP to identify vulnerable Linksys routers through which it spread its malware.

Test if a router supports HNAP on: http://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. If you receive a response, suggesting that your HNAP port is enabled, then your router is probably compromised and should be changed.
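The check just described, scripted so that it can be run against your own gateway from inside the home network. This is an added example, not code from the bulletin or from Allot: it sends the GET to /HNAP1/ and classifies the reply. The default address 192.168.1.1 is a placeholder (pass your router's LAN address as the first argument), and the sample SOAP body embedded for offline testing is constructed in the shape of an HNAP reply rather than captured from any device.

```python
"""Probe a router's LAN address for the HNAP endpoint the bulletin describes
(GET http://<router-ip>/HNAP1/) and classify the reply.

Added example, not Allot's code. The default address below is a constructed
placeholder; pass your gateway address as the first argument.
"""
import http.client
import sys

HNAP_PATH = "/HNAP1/"

# Constructed sample body in the shape of an HNAP SOAP reply, used for offline testing.
SAMPLE_HNAP_BODY = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b'<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>'
    b'</GetDeviceSettingsResponse></soap:Body></soap:Envelope>'
)


def classify_hnap_response(status, body):
    """Interpret an HTTP status and body returned for GET /HNAP1/.

    "enabled"  - a SOAP/HNAP document came back: the protocol is active
    "present"  - the path answered (200/401/403) but the body is not HNAP-shaped
    "absent"   - 404 or another status: the device does not serve HNAP here
    """
    text = body.decode("utf-8", errors="replace") if isinstance(body, bytes) else body
    lowered = text.lower()
    if status == 404:
        return "absent"
    if "hnap1" in lowered or "soap:envelope" in lowered:
        return "enabled"
    if status in (200, 401, 403):
        return "present"
    return "absent"


def probe_hnap(host, timeout=3.0):
    """Send the GET and return (status, verdict); verdict is "unreachable" on error."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", HNAP_PATH)
        resp = conn.getresponse()
        body = resp.read(65536)                 # cap the read; a reply is small
        return resp.status, classify_hnap_response(resp.status, body)
    except (OSError, http.client.HTTPException):
        return None, "unreachable"
    finally:
        conn.close()


if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # placeholder default
    status, verdict = probe_hnap(router)
    print(f"{router}{HNAP_PATH}: HTTP {status} -> HNAP {verdict}")
```

A 401 or 403 still counts as "present": the endpoint exists and is answering, which is the condition the bulletin's advice turns on. Running this from the LAN shows LAN-side exposure only; whether the same path is reachable from the Internet depends on the router's remote-administration setting covered in the fixes below.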

Finally (although, as the link above shows, there really is an apparently endless number of ways that routers have been compromised), there is the Wi-Fi Protected Setup (WPS) protocol. This little fellow enables hackers to bypass network passwords altogether. All a hacker must do is enter the eight-digit PIN that is printed on the underside of the router itself. Even if the user has conscientiously changed their passwords, hackers can bypass them by entering the PIN and then accessing the target’s network.


As mentioned above, there is sadly no end to the number of router breaches, so let’s look at some ways of protecting the home user from cyberattack. Fortunately, there are many steps that the home user can take, many of which do not require an advanced computing degree.

Fixes that home users can apply range from easy to moderate and advanced.

Easy Router Fixes:

o Change the router admin credentials and network name (this normally defaults to the name of the router manufacturer).

o Enable WPA2 wireless encryption and define specific groups of authorized users.

o Set up a temporary Guest Wi-Fi for temporary users of home networks and use this Wi-Fi access for any insecure home IoT devices.

Moderate Router Fixes:

o Install updated firmware patches.

o Use the 5 GHz Wi-Fi band instead of the more crowded 2.5 GHz band. 5 GHz has a shorter range, so the hacker has a distance disadvantage.

o Disable remote administration, and administrative access over Wi-Fi. Admins should only connect to the home network through a wired Ethernet connection.

Advanced Router Fixes:

o Change the settings of the admin web interface so that it forces HTTPS and is served over a non-standard port.

o Disable PING, Telnet, SSH, UPnP, and HNAP remote access protocols. They should be set to “stealth” as opposed to “closed”, so that no response at all is sent to an external query.

o Change the router’s DNS from the ISP’s own server to one maintained by OpenDNS, Google Public DNS, or Cloudflare.
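The "stealth" versus "closed" distinction in the advanced fixes is observable from a client: a closed port answers a connection attempt with a TCP reset, a stealth port answers with nothing at all. The following is an added example, not code from the bulletin or from Allot, that classifies the management ports on a gateway that way. The port table is an assumption (Telnet 23, SSH 22, and the HTTP/HTTPS ports that carry the admin interface and HNAP); PING is ICMP and needs raw sockets, so it is not covered; the default address 192.168.1.1 is a placeholder.

```python
"""Check, from a client on the network, whether a router's management ports are
"open", "closed" (the router answers with a TCP reset) or "stealth" (no answer
at all), the distinction the advanced fixes draw.

Added example, not Allot's code. The port table is an assumption: Telnet 23,
SSH 22 and the HTTP/HTTPS ports that carry the admin interface and HNAP.
PING (ICMP) needs raw sockets and is not covered here.
"""
import socket
import sys

MANAGEMENT_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


def tcp_port_state(host, port, timeout=2.0):
    """Classify one TCP port from this host's point of view."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"          # RST came back: port reachable, nothing listening
    except socket.timeout:
        return "stealth"         # silence until the timeout: packets dropped
    except OSError:
        return "unreachable"     # route/network problem, not a port verdict
    finally:
        s.close()


def audit_gateway(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Return {service: state} for each port in the table."""
    return {name: tcp_port_state(host, port, timeout) for name, port in ports.items()}


def local_listener_demo():
    """Show two of the states against this machine: a listening socket reports
    "open"; the same port after the listener is gone reports "closed"."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_port_state("127.0.0.1", port)
    listener.close()
    after_close = tcp_port_state("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # placeholder default
    for service, state in audit_gateway(target).items():
        print(f"{target}:{MANAGEMENT_PORTS[service]:<5} {service:<7} {state}")
    print("loopback demo (open, closed):", local_listener_demo())
```

Run from inside the LAN this reports LAN-side exposure; the bulletin's advice concerns what an external query sees, and confirming "stealth" on the WAN side needs a vantage point outside the network. A "stealth" result also means only that nothing answered within the timeout, which any firewall in the path can cause.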

But Here’s the Good News

Much of the concern around router security could be assuaged by purchasing better quality routers. Most home users will accept routers supplied to them by their ISP, while others will likely opt for the cheapest consumer-grade home router that they can find in their local computer store. Both of these routes are probably bad news as the routers then deployed in your home are unlikely to contain anything but minimal security protection. The first step the home user should take is to purchase a commercial-grade router. This will cost in the region of 200 USD, but it will be supplied with most of the risky protocols disabled by default. It is also recommended to deploy routers and modems separately. Home users can contact their ISPs and request that they “dumb down” their routers, effectively turning them into modem-only devices, which the user would then link to a commercial-grade router purchased separately. One of the big issues with consumer-grade/ISP routers is that even if the manufacturers of these devices produce firmware updates to plug security gaps, they often won’t push these to the attention of the customer. The only way the user will know about updates is if they visit the manufacturers’ websites. Commercial-grade router manufacturers will not only keep current with cyberthreats, they will also send that information to their customers, or even update their routers online.


Conclusion

While it may look like the home network user is fighting a losing battle, there are many steps they can take to increase their level of cybersecurity. The fixes listed above will mitigate many of the attack vulnerabilities faced by home network owners. However, to be realistic, most home network owners are unlikely to take these security measures. This leaves one critical resolution pathway that can be protected, that is through the ISP itself. Allot’s HomeSecure product takes full responsibility for any router vulnerabilities by identifying all devices on a home network and protecting them against online attack. The system also provides full parental control of network devices used by younger family members.

Are you concerned about Home Router Vulnerability?

Allot’s HomeSecure can assist.

Contact Allot »