I'm quite sure that you have one of the small office/home office (SOHO) devices at home to share the Internet access for your computers, smartphones and IoT gadgets. These devices are really great, as they are capable of routing and address translation, they often have a built-in switch, an access point and a user-friendly web-based management interface.
In summary, they meet the requirements of home networking for an affordable price.
Unfortunately, researchers and hackers often find serious vulnerabilities in these consumer-grade devices. Recently we have contacted several Internet users via our incident reporting system – we have observed a very specific behavior and it turned out that the attacks were caused by a botnet of Engenius SOHO routers. Some of the devices made by other manufacturers (even the larger ones, for example, Cisco) also have vulnerabilities, yours may have some as well. It would worth to read some entries at Router Security, a site dedicated to this topic. The site also has some nice ideas on how to configure your device to be as safe as possible. I'd highly recommend reading through that part as well.
Why would anyone hack my router?
You may ask this question, as home networks don't sound to be as valuable as, for example, a server or a popular website, where the attacker can access the passwords of hundreds of users.
In fact, control over vulnerable SOHO routers and IoT devices can be very useful for hackers. Thousands of these devices are connected to the Internet, therefore it can be relatively easy for an attacker to create a large botnet. This botnet can be used to infect further devices (therefore making the botnet larger) or to attack an important server or site. For example, imagine that a botnet containing only a few hundred devices starts a DDoS attack against your site. This would surely influence the response time and a simple firewall rule most probably couldn’t stop the attack.
A real-world example is the case of the Engenius routers. We have received the incidents shown below from an infected Engenius router.
2017-08-02 20:06:48 BL_PORT_HONEYPOT_BADPORT
"PORT HIT": "104.#.#.57:47068->149.#.#.252:23"
2017-08-02 20:06:13 BL_PORT_HONEYPOT_BADPORT
"PORT HIT": "104.#.#.57:47064->149.#.#.252:23"
2017-08-02 20:06:12 BL_PORT_HONEYPOT_BADPORT
"PORT HIT": "104.#.#.57:47063->149.#.#.252:23"
These are port sweeps searching for other infected devices which could be used to further expand the botnet. You can find further details about how these routers were compromised in the next section.
How could they hack my router?
There are several different ways to attack a SOHO device. The most simple but often used method is the dictionary attack against the device’s administrative user interface, where the attacker tries to log in with commonly used usernames and passwords. This will allow the hacker to access the settings of the device and carry out further attacks.
In the worst case, the attacker can have full control over the device, which means that he/she can carry out attacks from your device or even sniff your network connections to gain sensitive information about you.
In the case of the Engenius router, it was possible to create a backdoor on the device. Engenius ESR985 has Linux as its operating system which runs BusyBox. BusyBox is a multi-purpose executable providing the functionality of several Unix/Linux tools and was originally intended to be used in embedded systems. The functionality of the ping command is also included, which can be used to diagnose networking problems by sending packets to a specific IP address and waiting for the response. The web-based administrative interface runs this command to help the users identify network issues. Unfortunately, the parameter passed to the command was not validated properly so it was possible to execute arbitrary BusyBox commands using the appropriate parameter. The ping launched from the user interface gets executed similarly to this.
Here, [IP] gets replaced by the parameter specified by the user. Normally, something like the following would be executed.
Here, the parameter was 184.108.40.206. However, if the parameter is “220.127.116.11; echo Should this be executed”, BusyBox will execute the following.
ping 18.104.22.168; echo XXXXXXXXX
This will execute ping 22.214.171.124 but it also executes the command followed by the semicolon.
Using this method, the hacker is able to run any BusyBox command as long as he/she is logged into the device. Logging in can be achieved using a brute-force attack.
Additionally, once the attacker can inject commands, it is possible to start BusyBox’s built-in telnet server on the device.
In the past, telnet was used to log in and remotely manage different networking devices and servers. It doesn’t have any encryption, so it’s highly not recommended to use it – nowadays, we usually use SSH instead, as it’s much more secure. By the way, the telnet client is still installed on most of the Linux distributions by default, as it can be used to debug text-based protocols like HTTP.
Starting the telnet server opens the TCP port 23 and allows the attacker to log into the device without authentication and run any command whenever he/she likes.
You can see how important it is to keep your routers safe. To do this, update the firmware regularly, turn off the services you don’t use, and most importantly, use a strong password for the administrative interface and don’t allow access on the WAN port.
Do you know any tricks to make home networks safer? Share your ideas below.