Extraneous Network Services Leave Home Routers Unsecure
An anonymous reader writes "Today's home routers include a multitude of extra functionality, such as the ability to act as a file and print server. An article from CNET shows how an attacker can use vulnerabilities in these services, such as buffer overflows, directory traversal, race conditions, command injections, and bad permissions to take over the router from the local network without knowing the administrative password. Some of the worst vulnerabilities were in undocumented, proprietary services that users cannot disable and allowed an attacker to achieve a root shell. The researchers who discovered the vulnerabilities will be demonstrating them at the Wall of Sheep and Wireless Village at DEF CON."
Is anyone as tired as I am of these security risks, especially from CNET? I remember when it was announced that someone could spy through your window, video tape the lights on your modem and decode your communication. Another day, another risk that only happens in either a lab, workshop or a marketer's imagination. 99% are just to attract eyeballs for ad revenue...especially from CNET.
LOADS of routers are pwned far more easily than that, from simple SQL injection (either via query string or crafting GET/POST requests), or there are sometimes bootloaders that give *full* access to the filesystem via TFTP (you can download all init scripts for example), you can sometimes find undocumented manufacturer backdoor passwords which are hard-coded, and there's lots of misconfigured routers and you can often rely on trivial stuff like default passwords and whatnot. Even in 2013 there's lots of routers and similar equipment that are sold or configured in a state that isn't far from Swiss cheese...
It's rather easy to poke at the firmware and find holes using binwalk and IDA Pro if you have basic RE knowledge.
The attacker has to have access from the LAN side, and must install USB memory first.
The joke's on them because I use my neighbor's unsecured WiFi. I even use his pool when they're not home. I'm a great neighbor.
I looked at some of the source code, and the bash commands they execute, and it looks like you have to be on the local (class C) LAN in order to attack at least the Linksys beast (the 192.168.blah.blah sure looks like you can't get there from the WAN side), and if you have the services turned off, then you might be less vulnerable, and if you use hard, non-trivial, non-default passwords, that makes it harder too. I suppose it also helps if you have a router acting as a DNS server, after your WAN facing gateway, and the local DNS box not acting as the main switch (so to sum up, Gateway-DNS-Switch), with everything after the gateway as a class C LAN.
routers should route and probably run access control lists and other firewall stuff like expose some ports in your dmz.
servers should serve.
Servers route poorly, routers serve poorly.
I just recently installed a wlan router at a friend's place. The goal was to make it rock solid and secure.
Here is what I did:
- Changed default username and set very strong password
- Changed web admin interface to non default high port, allow only https
- Only allow access to the admin interface from a specific ip/mac address
- Disable telnet and ssh access
- Disable print server and usb samba share
- Disable upnp and all vpn/ipsec passthrough
- Enable stateful firewall, connections must originate from inside lan, everything else does not pass the wan interface
- Disable dns cache and use the dns servers from the isp (served via dhcp)
- Enable wpa2 for wlan with max password length.
So far it sails smoothly with no complaints. No need to activate all these settings on the routers.
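One way to turn a checklist like the one in the post above into something repeatable is to audit the router's config dump against it. This is an added example, not code from the post or from any router vendor; the key=value format and every key name in it are constructed assumptions, so you would map them to your own router's real `nvram show` names before use.

```python
# Added audit script (not the post's or any vendor's code): checks a key=value config dump
# against the checklist above. Key names/values are constructed; map them to your router first.
SAMPLE_DUMP = """\
admin_user=admin
admin_pass=password
admin_port=80
admin_https_only=0
admin_allowed_src=
telnet_enable=1
usb_samba=1
upnp_enable=1
fw_stateful=0
wl_security=wpa
"""
# (key, predicate that must hold for a secure value, finding reported if it does not)
CHECKS = [
    ("admin_user", lambda v: v != "admin", "default admin username"),
    ("admin_pass", lambda v: len(v) >= 16, "admin password shorter than 16 chars"),
    ("admin_port", lambda v: v not in ("80", "443"), "admin UI on a default port"),
    ("admin_https_only", lambda v: v == "1", "admin UI allows plain HTTP"),
    ("admin_allowed_src", lambda v: v != "", "admin UI reachable from any LAN host"),
    ("telnet_enable", lambda v: v == "0", "telnet enabled"),
    ("usb_samba", lambda v: v == "0", "USB SMB share enabled"),
    ("upnp_enable", lambda v: v == "0", "UPnP enabled"),
    ("fw_stateful", lambda v: v == "1", "stateful firewall disabled"),
    ("wl_security", lambda v: v == "wpa2", "wireless security is not WPA2"),
]

def parse_dump(text):
    # Parse key=value lines; blank lines and '#' comments are skipped.
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg

def audit(cfg):
    # One finding per failed check; a key that is absent cannot be verified and is a finding too.
    findings = []
    for key, ok, msg in CHECKS:
        if key not in cfg:
            findings.append(f"{key}: not present, cannot verify")
        elif not ok(cfg[key]):
            findings.append(f"{key}: {msg}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print("FAIL", finding)
```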
The LAN side access isn't difficult with WiFi, and the ATTACKER doesn't need to plug in his own USB, having any USB plugged in will activate the unauthenticated SMB.
The take-home message, then, is don't plug USB storage into your router, and do use WPA2, not earlier WiFi security protocols.
It's worrisome because although NAT is not designed to take the place of a firewall, in fact it often does. For home or SOHO users, it's actually reasonably good as a firewall. They "should" have better, you might argue, but in fact they don't, most often. IPv6 removes the need for NAT, possibly leaving many SOHO users with no firewall-like protection.
You can have NAT with IPv6 - I believe there's even an RFC for it, and an implementation on FreeBSD. Linux did get patches that were rejected. Hell, there's even NAT-PT, which lets IPv4-only hosts access IPv6 only hosts (and vice-versa). Imagine that - we could switch and continue life as we know it, and don't care if we're talking to an IPv4 or IPv6 host.
NAT has an awesome advantage - it isolates your internal network numbering from the external network numbering. Many early RFCs on the early Internet were fixated around people having to renumber their networks because of conflicts in their network addressing, and enough people had trouble that they created the private address space so future networks will not have to undergo such renumberings and disruption.
It certainly would be nice to be isolated from my ISP's whims and wishes for most of my stuff on the network. Sure I'll have to deal with it for a few servers I have, but I'd rather do it for a few than for every.
Of course, the problem is the IPv6 fanboys who believe IPv6 means complete end-to-end connectivity again and that NAT has absolutely no use in an IPv6 world and even suggesting NAT impacts IPv6 "purity" that keeps IPv6 adoption from happening widely. Of course, end-to-end connectivity is broken anyway with proper firewalls (at least a program can detect private network access and assume firewall usage, but with IPv6, it's impossible).
And I'm sure people would prefer to have IPv6 to operate like IPv4 did with NAT as it's a lot less to learn and things work on IPv6 as they did with IPv4.