Wi-Fi routers: More security risks than ever
The research team that discovered significant security holes in more than a dozen home Wi-Fi routers adds more devices to that list at Defcon 21.
LAS VEGAS -- More major brand-name Wi-Fi router vulnerabilities continue to be discovered, and continue to go unpatched, a security researcher has revealed at Defcon 21.
Jake Holcomb, a security researcher at the Baltimore, Md.-based firm Independent Security Evaluators and the lead researcher into Wi-Fi router vulnerabilities, said that the problem is worse than it was in April.
The latest study continues to show that small office and home office Wi-Fi routers are "very vulnerable to attack," Holcomb said.
"They're not a means to protect your network and your digital assets," he cautioned.
Holcomb is a relatively young researcher, in his mid-20s, who turned his lifelong interest in computer security into a professional career only in the past year. Previously, he was doing network security for a school district in Ohio.
The new report details 56 new Common Vulnerabilities and Exposures, or CVEs, that Holcomb and the other ISE researchers have found in popular routers. These include the Asus RT-AC66U, D-Link DIR-865L, and TrendNet TEW-812DRU, for which Holcomb plans on demonstrating vulnerabilities at Defcon on Saturday and Sunday.
Requests for comment from the affected vendors were not immediately returned. CNET will update this story when we hear from them.
You might not think that the router security holes could affect you, or would be easy to exploit, but Holcomb explained that because the vulnerabilities appear to affect most routers, and are hard to fix, these could put nearly every person who connects to a vulnerable router at risk.
The scenario he explained from the noisy hallways of the Rio Convention Center here was a common one. Small-business and home Wi-Fi router administration often employs weak passwords, or static passwords that are the same across multiple stores, like a Starbucks.
All an attacker has to do is go to his favorite Seattle-based coffee joint, buy a venti latte and a low-fat pumpkin ginger muffin, and get the establishment's Wi-Fi password. Then, equipped with access to the Wi-Fi network, all that attacker would have to do is use one of the exploits that ISE has uncovered. The router would be compromised, including all the Web traffic flowing through it.
Holcomb compared the problem of fixing routers to traditional PCs. "In most cases, automatic updates are enabled for Windows and Mac," he said. But, he added, "even if a router manufacturer were to implement a similar feature, most people don't log into their routers."
Basically, because people have been trained to think of the router as a set-it-and-forget-it device, and one without security flaws, it's nearly impossible to get them to update router firmware.
The fix won't be an easy one, at least not logistically. "I think the solution is for routers to automatically update, and give users the ability to opt out of it," Holcomb said. But given the reluctance of some major router manufacturers to address the problems, these exploits could exist unpatched in the wild for years to come.
Holcomb said that while TP-Link fixed all the vulnerabilities that ISE reported to it, D-Link has never responded. And Linksys, he said, chose not to repair many of the vulnerabilities reported to it.
In the case of the Linksys EA-6500, someone can place their own code in the router's configuration file and overwrite it. "It's an attack that relies heavily on social engineering," said Holcomb, "but it's an example of the vendors not resolving a vulnerability. Why [not], I don't know."
Under the guidelines of responsible disclosure, Holcomb says that ISE notified all router manufacturers of the vulnerabilities discovered before going public with them, giving them a chance to fix them.
Holcomb will be demonstrating how to take control of three different routers using a different vulnerability in each.
For the aforementioned Asus router, he plans to demonstrate a buffer overflow exploit; for the D-Link he plans to use Web-based and symlink directory traversal exploits; and he will attack the TrendNet router using a cross-site scripting forgery and command injection exploit.
"All three give us a root shell," he said, meaning unrestricted, administrator-level command access to the router's operating system.