The Wi-Fi router you use to broadcast a private wireless Internet signal in your home or office is not only easy to hack, says a report released today, but the best way to protect yourself is out of your hands.
The report, written by research firm Independent Security Evaluators of Baltimore, found that 13 of the most popular off-the-shelf wireless routers could be exploited by a "moderately skilled adversary with LAN or WLAN access." It also concludes that your best bet for safer Wi-Fi depends on router vendors upping their game. All 13 routers evaluated can be taken over from the local network, with four of those requiring no active management session. Eleven of the 13 can be taken over from a Wide-Area Network (WAN) such as a wireless network, with two of those requiring no active management session.
The report notes that all 14 of the devices had critical security vulnerabilities that could be exploited by a "remote adversary" and could lead to unauthorized remote control of the router.
Before you dismiss router hacks as exceptionally rare, it's important to note that they've been a small but growing segment of computer security threats. In 2011, one firmware vulnerability affecting six hardware manufacturers combined with two malicious scripts and 40 malicious DNS servers to attack 4.5 million Brazilian DSL modems, with the goal of stealing bank and credit card information.
Craig Heffner, a vulnerability analyst at Maryland-based Tactical Network Solutions, said that he isn't familiar with the Brazil story but isn't surprised by it. "In a lot of countries, there's only one or two ISPs, and you get whatever router they give you," he said. "They often enable remote administration by default, so any vulnerability would be amplified."
And just yesterday, ReadWrite reported on wireless router hacking, based in part on research conducted by security firm Rapid7. ISE's study, while similar, reports "all-new findings," said ISE's marketing head, Ted Harrington.
Harrington further explained why router hacking could turn into a big problem. "What's notable about this is that if you compromise the router, then you're inside the firewall. You can pick credit card numbers out of e-mails, confidential documents, passwords, photos, just about anything," he said.
He added that ISE plans to release additional information from the study in the coming weeks, following the routine security community best practice of giving vendors a chance to respond to vulnerabilities that have been uncovered before publishing them.
"We notified all vendors about all vulnerabilities that we found," said ISE security analyst Jake Holcomb. "We're in the process of receiving Common Vulnerability and Exposure (CVE) numbers" for tracking information security vulnerabilities.
Some vendors, Holcomb said, got back to ISE quickly and had beta firmware with fixes ready to test within 72 hours. "Other vendors escalated their Tier 1 support up the chain but we never heard back from them," he said.
Darren Kitchen, founder of the Hak5 security and tinkering show and a maker of Wi-Fi penetration-testing devices, said he isn't surprised by the results of the study. Routers are "low-powered devices, most made in China and Taiwan, and they're rushed out the door. There's not a consumer demand for security; it's not a feature that will sell it."
Wireless under attack
ISE found the routers were vulnerable to three kinds of attacks:
Trivial attacks can be launched directly against the router with no human interaction or access to credentials.
Unauthenticated attacks require some form of human interaction, such as following a malicious link or browsing to an unsafe page, but do not require an active session or access to credentials.
Authenticated attacks require that the attacker have access to credentials (or that default router credentials are used -- an all-too-common situation) or that a victim is logged in with an active session at the time of the attack.
The attacks were performed under both local adversary and remote adversary situations. A remote adversary is a threat that is not connected to the router via Wi-Fi, while the local adversary is. The most common form of successful attack ISE used was the "one-click attack" known as a cross-site request forgery.
Holcomb explained the testing methodology went beyond one-click attacks in an e-mail to CNET:
Cross-site request forgery was the first component of all of our attacks. After that, our standard attack was to reset the administrative password to a known value, or add a new administrator, and then enable remote management. Only when this was not possible (e.g., some routers require the old password as part of the request to change it) did we try other attacks. Those included: shell command injection, directory traversal to share the root of the filesystem over an Internet-accessible ftp server, exploiting a race condition to upload shell scripts over ftp and then have them execute, enabling additional vulnerable services, and some more. There are more vulnerabilities in the routers, and we're disclosing those, too, but they're not necessarily part of this report we're publishing.
While none of the trivial attacks -- the weakest ones -- worked from a remote adversary, they were successful about one-third of the time from a local attacker. Unauthenticated attacks were rarely successful from a remote attacker, but locally reached the same level of completion as local trivial attacks. Authenticated attacks were almost always successful from both adversaries. "When you're remote, there's very little attack surface," explained Tactical Network Solutions' Heffner.
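The one-click (cross-site request forgery) password reset described above works because the victim's browser attaches the router's session cookie to whatever request a malicious page triggers, so the cookie alone cannot be what authorizes the change. As an added illustration, not ISE's code or any vendor's firmware, here is the kind of server-side check a router's change-password handler should make; the admin address 192.168.1.1, the header and form field names, and the dict-based request stand-ins are assumptions:

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed address of the router's admin UI (constructed for this example).
ROUTER_ORIGIN = "http://192.168.1.1"

def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class AdminSession:
    """State the router's web UI keeps for one logged-in admin."""
    def __init__(self, password):
        self.password = password
        # Per-session secret embedded in every form the UI serves; a page on
        # another origin cannot read it, so it cannot build a valid form.
        self.csrf_token = secrets.token_hex(16)

def check_password_change(session, headers, form):
    """Return (accepted, reason) for a POST to the change-password handler.
    `headers` and `form` are dicts standing in for the HTTP request; the
    browser attaches the session cookie on its own, which is exactly why the
    cookie alone must not authorize the change."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    p = urlparse(origin)
    if f"{p.scheme}://{p.netloc}" != ROUTER_ORIGIN:
        return False, "origin mismatch"
    if not _eq(form.get("csrf_token", ""), session.csrf_token):
        return False, "missing or invalid csrf token"
    # Requiring the current password is the check the report credits with
    # defeating the password-reset attack on some of the routers.
    if not _eq(form.get("old_password", ""), session.password):
        return False, "old password required"
    return True, "ok"

def change_password(session, headers, form):
    accepted, reason = check_password_change(session, headers, form)
    if accepted:
        session.password = form["new_password"]
    return accepted, reason

def demo():
    # Constructed forged vs. legitimate requests; returns both verdicts.
    session = AdminSession("admin")
    forged = change_password(session, {"Origin": "http://attacker.example"},
                             {"new_password": "owned"})
    legit = change_password(session, {"Origin": ROUTER_ORIGIN},
                            {"csrf_token": session.csrf_token,
                             "old_password": "admin", "new_password": "new-pw"})
    return forged, legit, session.password
```

Each of the three checks defeats the forged request on its own; routers that lacked all three are the ones whose admin password could be reset with a single click.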
Routers tested included units such as the Linksys WRT310Nv2, Netgear WNDR4700, Belkin N300 and N900, TP-Link WR1043N, and Verizon Actiontec, but Heffner cautioned that this was no guarantee that your router wouldn't be affected. "In my experience... you should worry about your router. If my device is in this list, you should be concerned. If not, you still may want to be concerned, although it's more difficult to say."
It is also worth noting that although many modern routers can be managed when you are not directly connected to the network, that remote-management feature is not active by default, and turning it on lowers the router's security. Before testing, the firmware on all the routers was upgraded to the most recent version.
What you can do
There's not much outside of common-sense behavior that you can do to make your router more secure.
Dong Ngo, a CNET Reviews senior associate technology editor and a wireless networking expert, was skeptical that many people would be affected by router hacks -- provided they follow some basic steps for securing their router. Part 5 of his has some advanced security tips from Step 4 onward.
"Since there are certain requirements to be met for these hacking methods to be successful, if you set up your router properly, and practice prudence while being online, chances are you're safe," Ngo said.
ISE analyst Jake Thompson also has some easy-to-implement tips, including some obvious ones like making sure that you change the router's default username and password credentials. However, he cautioned, not all router firmware lets you change the username. "We also recommend that people use WPA2" security protocol, over WEP, he said.
ISE chief Bono advised that people change the router's IP address to be non-standard when possible, while Holcomb added that good precautions to take include updating your firmware after buying your router, and clearing your browser cache and cookies after changing any router settings.
Meanwhile, Kitchen of Hak5 recommends that people make their own routers entirely. "The best that a person can do is to roll their own using the Marin, Ca.-based Untangle, which takes any spare PC and turns it into a wireless router." He also recommends Monowall and Smoothwall. Heffner at Tactical Network Solutions agreed. "The best thing you can do is install a third-party firmware, such as OpenWRT (https://openwrt.org) or Tomato," he said.
But the most important fixes must come from router vendors, according to ISE, because they can ensure that security fixes get installed more easily than end-users, who rarely consider the security implications of their router. Changes to vendor behavior that Bono said he'd like to see include not only making firmware updates available, but setting firmware to automatically update like any other modern operating system.
Failing that, the report advocates notifying registered users on how to upgrade the firmware themselves, and for vendors to perform regular device security audits. Firmware updates, according to ISE, are currently not digitally signed in a way that the router itself can verify.
Bono was bearish on router vendor responses. "We have to start looking at these routers as a critical security component. Some of the vendors told us that their routers are older and no longer supported," he said.
The problem with routers is that they're actually fairly good at what they do, and can take years to fail and be replaced. "They're just going to sit on the network for five years," he complained. And Heffner was less polite. "[Vendors] need to hire people who know how to code and have higher quality products that ship. That's not very high on their priority list, but maybe that'll change in the future."
Harrington said that this ought to be a wake-up call for the average person with a home wireless network. "Our study says that there's a pervasive problem with this technology," he said. "We're trying to raise awareness to that issue."