Home networks as well as many small offices commonly rely on consumer wireless routers to act as Internet gateway, firewall, access point, and NAS all rolled into one. I’ve recently been doing research into the security of these devices and the findings are astonishing.
I have found numerous ways these devices can be exploited, ranging from authentication bypass and password disclosure to code execution. My research identified zero-day vulnerabilities in models from a half dozen different manufacturers.
The Linksys WRT110 vulnerability I discovered, which was recently incorporated into Metasploit, is just the tip of a very large iceberg.
In light of these findings, I have come up with a set of best practice recommendations to help keep networks secure.
- Don’t allow remote management over the Internet: Embedded web servers are the source of many flaws. If you really need to access the router’s web interface remotely, I would recommend instead configuring NAT rules to allow external SSH or VPN access and connecting that way.
- Don’t leave the default password: Default passwords are often the same for an entire product line or are generated from a common algorithm, making a device easy prey for an attacker.
- Don’t use the default IP ranges: Predictable addresses make CSRF attacks easier. Rather than 192.168.1.1, consider 10.9.8.7 or something else which is not commonly used.
- Don’t forget to log out after configuring the router: Some CSRF attacks (such as the one I described for Linksys WRT110) will only work when the victim’s browser is authenticated to the router or when the attacker knows the password.
- Don’t run an open or WPS-enabled wireless network: If someone can connect to the router, it makes it much easier to attack it. Using AES-backed WPA2 protected with a strong (26+ character) pre-shared key is ideal. Secure passphrase or not, however, WPS is a service that makes it easier for authorized clients to connect, but unfortunately its known design flaws also make it easier for attackers to determine your wireless passphrase regardless of its complexity.
These five steps along with periodically checking for router firmware updates will go a long way to help protect against both known and unknown vulnerabilities in SOHO routers.
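The checklist above can be turned into a repeatable audit. The following is an added example, not code from the original post: the settings schema, the list of common default subnets, and the sample default passwords are assumptions, and both sample configurations are constructed. Logging out of the web interface is a habit rather than a setting, so it is not checked here.

```python
import ipaddress

# Assumption: LAN subnets that consumer routers commonly ship with.
COMMON_DEFAULT_NETS = [ipaddress.ip_network(n) for n in
                       ("192.168.0.0/24", "192.168.1.0/24",
                        "192.168.2.0/24", "10.0.0.0/24")]
# Assumption: a small sample of factory passwords; extend for your own devices.
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
MIN_PSK_LEN = 26  # the post recommends a 26+ character pre-shared key


def audit_router(cfg):
    """Return findings for a dict of router settings (hypothetical schema)."""
    findings = []
    if cfg.get("remote_management", False):
        findings.append("remote management is reachable from the Internet")
    if cfg.get("admin_password", "").lower() in KNOWN_DEFAULT_PASSWORDS:
        findings.append("admin password is a known default")
    lan_ip = ipaddress.ip_address(cfg["lan_ip"])
    if any(lan_ip in net for net in COMMON_DEFAULT_NETS):
        findings.append(f"LAN address {lan_ip} is in a predictable default range")
    wifi = cfg.get("wifi", {})
    if wifi.get("security") != "WPA2" or wifi.get("cipher") != "AES":
        findings.append("wireless is not WPA2 with AES")
    elif len(wifi.get("psk", "")) < MIN_PSK_LEN:
        findings.append(f"pre-shared key is shorter than {MIN_PSK_LEN} characters")
    if wifi.get("wps", False):
        findings.append("WPS is enabled")
    return findings


# Constructed sample: a router left close to factory settings.
FACTORY = {"remote_management": True, "admin_password": "admin",
           "lan_ip": "192.168.1.1",
           "wifi": {"security": "WPA2", "cipher": "AES",
                    "psk": "short-key", "wps": True}}
# Constructed sample: the same router after applying the recommendations.
HARDENED = {"remote_management": False,
            "admin_password": "constructed-admin-secret-42",
            "lan_ip": "10.9.8.7",
            "wifi": {"security": "WPA2", "cipher": "AES",
                     "psk": "constructed-example-passphrase-0001",
                     "wps": False}}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or "no findings")
```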