dslreports logo
    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»


The following is extracted from the following paper:
Security Vulnerabilities in SOHO Routers by Craig Heffner and Derek Yap of »www.sourcesec.com
It's an interesting read, especially for users for the Actiontec MI424-WR router.

To summarize, of 9 types of attacks discussed, it reports the Actiontec as vulnerable to the following attacks:

•DNS Hijacking
Another host-name related attack vector, again involving DHCP, is domain name hijacking [5]. This attack occurs when a router resolves internal host names to their respective IP addresses; as in the DHCP XSS attack, the internal client's host name is specified inside a DHCPREQUEST packet. This in itself is not a particular concern, but if an attacker can register themselves on the network with a host name of WPAD then they can carry out any number of man-in-the-middle attacks against other clients on the network [6]. WPAD attacks primarily affect Windows users, and Internet Explorer users in particular, as various Windows applications (including IE) will look for a WPAD server by default.

This problem is further complicated on home networks where no domain name is configured. Normally, host names will be registered as sub-domains of the network domain; i.e., if the domain name is "home", then a host named "laptop" will be registered as "laptop.home". However, small networks rarely have a domain name configured, so the host would simply be registered on the LAN as "laptop". Thus, performing a DNS lookup for "laptop"; would return the IP address of the internal client who registered the host name of "laptop". But what if a host claims that its host name is "www.google.com"? Logic would suggest that a router would know better than to resolve requests for www.google.com to an internal IP address, but unfortunately that is exactly what some routers do; this allows an internal attacker to perform a single-packet DNS poison that will persist until the attacker either un-registers his host name, or leaves the network.

•Default WEP
Default configurations are normally not considered "vulnerabilities" in and of themselves, however, any type of default setting becomes an issue when applied to cryptography. WEP and WPA keys are of particular interest with home routers, since few routers come without wireless capabilities these days. You will notice that all of the described attacks have so far required access
to the LAN; wireless provides an attacker with access to the LAN, but still affords him the ability to remain reasonably removed from the LAN's physical location. In an effort to help protect users from wireless attacks, some vendors have begun shipping their products with wireless encryption enabled by default; unfortunately, the encryption method normally chosen is WEP (well known to
be broken [15]), and as in the case of the BT Home Hub router, the proprietary algorithm used for generating the default WEP key can be reverse engineered and used by an attacker to gain access to such encrypted networks [8].

Many newer home routers still come with no encryption enabled, however, one notable exception is the ActionTec MI424-WR. This particular router is commonly distributed by Verizon, and invariably a plethora of them can be found in areas where Verizon FiOS is available. Unlike the BT Home Hub, the ActionTec routers do not attempt to obscure the method used to generate their default 40 bit WEP key: [att=1]
Because WEP does not encrypt source/destination MAC addresses, any data packets to or from the ActionTec router will instantly reveal the WEP key. Also note that no active clients need be on the network in order for data packets to be generated, as the ActionTec routers are prone to periodically broadcasting un-solicited Spanning-Tree packets.

It should be noted regarding "and as in the case of the BT Home Hub router, the proprietary algorithm used for generating the default WEP key can be reverse engineered and used by an attacker to gain access to such encrypted networks", the ActionTec MI424-WR also has this same vulnerability. ActionTec's algorithm has been reverse engineered. See »[ fiber tech] Verizon FiOS default WEP key HIGHLY insecure!. No packet sniffers or crack tools are needed... just a calculator.

•Local UPNP
UPNP attacks are nothing new [10], but started receiving more attention after GNUCitizen demonstrated that UPNP attacks could be carried out remotely when coupled with flash-based CSRF attacks [11]. Because UPNP is an unauthenticated protocol that, by definition, provides control over a router's configuration, insecure UPNP stacks can result in a plethora of exploitation possibilities, including command execution and re-configuration of DNS settings. While most new routers protect against these attacks, there is another UPNP action that we can use to our advantage.

The previously mentioned session hijacking attacks (and some of the CSRF attacks) require an administrator to already be authenticated with the target router. But waiting around for the average user to log into their router makes these attacks unlikely to succeed. Instead, an attacker can use UPNP to terminate a router's WAN connection, interrupting the user's Internet connection.
Eventually, they are likely to:
1. Reset their router
2. Log into the router to diagnose the problem
3. Call their ISP, who will ask them to log into their router to diagnose the problem.
The WAN connection can be terminated using the UPNP ForceTermination action, which was available in all of the routers that we examined. Using Miranda [14], a UPNP administration utility, we can easily send UPNP commands to a router, forcing it to terminate it's WAN connection.

One of the most common uses for UPNP is port forwarding. UPNP allows client applications, such as P2P programs and games, to open ports on the router in order to facilitate necessary communications with other peers or services. While these port forwarding rules are meant to forward traffic from external clients to internal clients, an attacker can make use of these rules to expose the router's administrative interface to the WAN by forwarding traffic to port 80 of the router's IP address. Configuring the router as the attacker's personal proxy is also possible, by telling the router to forward traffic not to an internal IP, but an external IP [12]. While most new routers prevent these types of attacks by checking the specified IP addresses, some, like the ActionTec MI424-WR, still allow users to forward incoming connections on external ports to port 80 of the router itself, effectively enabling remote administration on the device.

It should be noted that the Actiontec was not the only router subject to these vulnerabilities. The paper also looked at the Linksys WRT160N, D-Link DIR-615 and Belkin F5D8233-4v3 routers, which had some of the same vulnerabilities along with other vulnerabilities of which the Actiontec was not susceptible.

Expand got feedback?

by More Fiber See Profile edited by birdfeedr See Profile
last modified: 2009-03-07 06:24:04