Many home routers supplied by ISPs can be compromised en masse, researchers say

Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn.

By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.

At the core of the problem is an increasingly used protocol known as TR-069 or CWMP (customer-premises equipment wide area network management protocol) that is leveraged by technical support departments at many ISPs to remotely troubleshoot configuration problems on routers provided to customers.

According to statistics from 2011, there are 147 million TR-069-enabled devices online and an estimated 70 percent of them are residential gateways, Tal said. Based on scans of the Internet Protocol version 4 address space, the 7547 port, which is associated with TR-069, is the second most frequently encountered service port after port 80 (HTTP), he said.

TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.

Many customers likely don’t know that their ISPs have this level of control over their routers, especially since custom firmware running on them often hides the TR-069 settings page in the router administration interface, Tal said. Even if the owner knows about this remote management service, most of the time there is no option to disable it, he said.

If an attacker compromises an ACS he could obtain information from the managed routers like wireless network names, hardware MAC addresses, voice-over-IP credentials, administration usernames and passwords. He could also configure the router to use a rogue DNS server, to pass the entire traffic Internet through a rogue tunnel, set up a hidden wireless network or remove the security password from the existing network. Even worse, he could upgrade the firmware on the devices with a rogue version that contains malware or a backdoor.

The TR-069 specification recommends the use of HTTPS (HTTP with SSL encryption) for connections between managed devices and the ACS, but tests performed by Tal and his colleagues revealed that around 80 percent of real-world deployments don’t use encrypted connections. Even when HTTPS is used, in some cases there are certificate validation issues, with the customer equipment accepting self-signed certificates presented by an ACS. This allows a man-in-the-middle attacker to impersonate the ACS server.

The protocol also requires authentication from the device to the ACS, but the username and password is typically shared across devices and can easily be extracted from a compromised device; for example by changing the URL of the ACS in the TR-069 client settings to one controlled by the attacker, Tal said.

The researcher and his colleagues tested several ACS software implementations used by ISPs and found critical remote code execution vulnerabilities in them that would allow attackers to take over management servers that are accessible over the Internet.

One ACS software package called GenieACS had two remote code execution vulnerabilities. The researchers found an ISP in a Middle Eastern country that was using the software to manage several thousand devices.

Another ACS software package whose name was not disclosed because it is used by major ISPs around the world had multiple vulnerabilities that could allow attackers to compromise servers running it. Tal said they tested a deployment of this ACS software at one ISP with the company’s permission and found that they could take over more than 500,000 devices.

Unfortunately, there’s no easy fix for end-users since in most cases they cannot disable TR-069 on their devices without getting root access in some other way, Tal said. Customers could install a second router behind the one supplied by the ISP, but that wouldn’t mitigate all of the risks, he said.

TR-069 was designed to function over the wide area network connection, but ISPs should restrict access to their auto-configuration servers by running them on separate, restricted, network segments or through other means, Tal said. Also, ACS software vendors should adopt secure coding practices and subject their products to vulnerability assessments, he said.

So far Tal and his colleagues at Check Point have investigated vulnerabilities on the server side, but they also plan to investigate possible attack vectors against the TR-069 client implementations on devices.

The number of large-scale attacks against home routers has increased significantly over the past twelve months, with attackers using different ways to monetize access to such devices, from intercepting online banking traffic to installing cryptocurrency mining malware and hijacking DNS settings for click fraud.