On Sunday, security researcher Michael Coppola gave a presentation at DEF CON that explored the process of compromising routers used in SOHO (Small Office / Home Office) environments, and turning them into botnet clients.
Coppola experimented with three different Netgear devices (WNDR3700, WNR1000 and WGR614), a Linksys WRT120N, a D-Link DIR-601, Belkin F5D7230-4, and two TRENDnet devices (TEW-652BRP and TEW-651BR).
Interestingly, his research with the Netgear products is a saga unto itself, as it involved a long back and forth with the company in order to obtain source code needed to unpack the file system on the WNR1000.
In the end however, his research was a success, as Coppola was able to manually backdoor legit firmware on the products tested. Still, the process is time consuming and complicated. So for those who wanted to further explore the topic, he created a tool called rpef, which automates the process.
The tool itself will support each of the tested products, and can be used to deploy payloads within the firmware that include traffic sniffing, a bind shell, or the creation of a bot client that can be controlled via IRC.
Slides from his talk from DEF CON can be seen here. The rpef project page is here.
As for the risk of having a SOHO router hijacked, it’s actually rather strong. Coppola said that he discovered thousands of IP addresses owned by open routers that use default credentials. That alone would give an attacker the chance needed to upload modified firmware.
Otherwise, some of the administration panels are Web-based, and could be vulnerable to a number of attacks including XSS or CSRF. Unfortunately, those are just some of the ways to maliciously flash a router without anyone being the wiser.
Updated firmware (as in ensuring the device is current on the latest version) can help in some cases but not all, as attacks that target retained settings within the device’s memory can still lead to compromise. In the end, using an open router within an active SOHO environment will come down to risk tolerance.
If the business is ok with the risk, no need to worry. Otherwise, don’t use open hardware, and avoid products from the big box retail outlets.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
