Security firm Rapid7 has called on makers of DSL routers to eliminate the common and long-standing vulnerability of hard-coded credentials.
The call comes after the issue was highlighted in a recent advisory by the Computer Emergency Response Team (Cert) sponsored by the US Department of Homeland Security.
According to the advisory, routers from a number of manufacturers still contain hard-coded credentials that could allow a hacker to access the devices via telnet services and remotely control them.
“Manufacturers must make every effort to at least allow end-users to change these passwords, and ideally, passwords would be generated, randomly, on first boot or firmware restore,” said Tod Beardsley, security engineering manager at Rapid7.
“Until manufacturers stop using default passwords on the devices users rely on for internet connectivity, we will continue to see opportunistic attacks on home and small business routers.”
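The following C code is an added example, not code from Rapid7, the Cert advisory or any router vendor. It shows one way firmware could generate a per-device administrator password on first boot or firmware restore instead of shipping a hard-coded one. The function names, the `admin.cred` path and the 16-character length are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* No look-alike symbols (0/O, 1/l/I): the value is read off a label or screen. */
static const char ALPHABET[] =
    "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789";

/* Fill out[0..len-1] with uniform random ALPHABET symbols plus NUL; 0 ok, -1 error. */
int generate_password(char *out, size_t len)
{
    const unsigned n = sizeof(ALPHABET) - 1;
    const unsigned limit = 256 - (256 % n);  /* reject >= limit: no modulo bias */
    FILE *rng = fopen("/dev/urandom", "rb"); /* assumes the kernel pool is seeded */
    size_t i = 0;
    if (rng == NULL) return -1;
    while (i < len) {
        int b = fgetc(rng);
        if (b == EOF) { fclose(rng); return -1; }
        if ((unsigned)b < limit)
            out[i++] = ALPHABET[(unsigned)b % n];
    }
    out[len] = '\0';
    fclose(rng);
    return 0;
}

/* First boot or firmware restore: create the credential only if none exists.
   Returns 0 = new password written, 1 = already provisioned, -1 = error.
   A production build would store a salted hash, not the password itself. */
int provision_admin_password(const char *store_path, char *out, size_t len)
{
    /* O_EXCL makes "create only if absent" atomic; 0600 keeps it owner-only. */
    int fd = open(store_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno == EEXIST ? 1 : -1;
    int ok = generate_password(out, len) == 0 && write(fd, out, len) == (ssize_t)len;
    close(fd);
    if (!ok) unlink(store_path); /* never leave an empty or partial credential */
    return ok ? 0 : -1;
}

int main(void)
{
    char pw[17];
    int rc = provision_admin_password("admin.cred", pw, 16); /* hypothetical path */
    if (rc == 0) printf("generated admin password: %s\n", pw);
    return rc < 0;
}
```

On Linux-based firmware, `getrandom()` is the safer source at first boot because it blocks until the kernel pool has been seeded.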
Beardsley said it is important to highlight the issue because although hard-coded credentials are not like traditional software bugs, they are trivial to exploit across millions of routers.
The problem is illustrated by the fact that an internet search for the Observa Telecom hidden administrator account password, 7449airocon, turns up nearly 400 hits on sites ranging from legitimate router security research blogs to sites dedicated to criminal activity.
Observa Telecom routers are commonly used in Spain by the country's major ISP, Telefonica, and have a number of serious vulnerabilities, including persistent and unauthenticated cross-site scripting and cross-site request forgery on a number of its devices, the advisory said.
Other suppliers with affected router models named in the advisory were: AsusTek, Digicom, Philippine Long Distance Telephone and ZTE.
While these backdoors are usually not reachable directly from the internet because an attacker must be on the local network in order to use them to reconfigure devices, Beardsley said this should not necessarily be comforting.
“While attackers must be ‘local’, most of these credentials are usable on the configuration web interface, and a common technique is to use a cross-site scripting [XSS] attack on a given website to silently force the user on the inside network to log in to the device and commit changes on the attacker’s behalf,” he said.
Attackers on free, public Wi-Fi are also on the local network, Beardsley warned, and can make configuration changes to a router that can affect anyone else connected to that access point.
Once an attacker has administrative control over the router, the opportunities for mischief and fraud are “nearly limitless”, he said.
“An attacker can do anything from setting up custom DNS configurations, which will poison the local network’s name resolution, to completely replacing the firmware with his own, enabling him to snoop and redirect any and all traffic at will.”
As a temporary mitigation, the Cert advisory said organisations could write firewall rules that block telnet or SNMP on the device. Telnet network services are used by some manufacturers for remote support.
In March, Cisco consultants Kyle Lovett and Dor Tumarkin told the CrestCon & IISP Congress 2015 in London that unscrupulous internet service providers (ISPs) distribute routers that often have several security vulnerabilities.
“Wide swathes of IP space are being made vulnerable through ISPs in developing countries distributing routers with default passwords that can be easily found on the internet,” said Lovett.
He estimated at that time that between 25 million and 80 million devices used in small office and home office environments could be accessed remotely because default passwords are rarely changed by users.
One of the biggest router security vulnerabilities to date was discovered in December 2014 by security firm Check Point.
The flaw, dubbed Misfortune Cookie, affected more than 12 million devices running an embedded webserver called RomPager.
By exploiting the vulnerability, attackers could carry out man-in-the-middle attacks to enable access to traffic entering and leaving routers built by most manufacturers.
An attacker needed only to send a single packet containing a malicious HTTP cookie to exploit the vulnerability, corrupting memory on the device and allowing remote administrative access to it.