Security Experts:

Router Botnets Are More of a Reality Than You Think

Router Botnets

On Sunday, security researcher Michael Coppola gave a presentation at DEF CON that explored the process of compromising routers used in SOHO (Small Office / Home Office) environments, and turning them into botnet clients.

Coppola experimented with three different Netgear devices (WNDR3700, WNR1000 and WGR614), a Linksys WRT120N, a D-Link DIR-601, Belkin F5D7230-4, and two TRENDnet devices (TEW-652BRP and TEW-651BR).

Interestingly, his research with the Netgear products is a saga unto itself, as it involved a long back and forth with the company in order to obtain source code needed to unpack the file system on the WNR1000.

In the end however, his research was a success, as Coppola was able to manually backdoor legit firmware on the products tested. Still, the process is time consuming and complicated. So for those who wanted to further explore the topic, he created a tool called rpef, which automates the process.

DEF CON 2012 Wrap Up

The tool itself will support each of the tested products, and can be used to deploy payloads within the firmware that include traffic sniffing, a bind shell, or the creation of a bot client that can be controlled via IRC.  

Slides from his talk from DEF CON can be seen here. The rpef project page is here.

As for the risk of having a SOHO router hijacked, it’s actually rather strong. Coppola said that he discovered thousands of IP addresses owned by open routers that use default credentials. That alone would give an attacker the chance needed to upload modified firmware.

Otherwise, some of the administration panels are Web-based, and could be vulnerable to a number of attacks including XSS or CSRF. Unfortunately, those are just some of the ways to maliciously flash a router without anyone being the wiser.

Updated firmware (as in ensuring the device is current on the latest version) can help in some cases but not all, as attacks that target retained settings within the device’s memory can still lead to compromise. In the end, using an open router within an active SOHO environment will come down to risk tolerance.

If the business is ok with the risk, no need to worry. Otherwise, don’t use open hardware, and avoid products from the big box retail outlets.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.