Vulnerabilities of Small Office/Home Office routers
Ferenc Barta


I'm quite sure that you have one of the small office/home office (SOHO) devices at home to share the Internet access for your computers, smartphones and IoT gadgets. These devices are really great, as they are capable of routing and address translation, they often have a built-in switch, an access point and a user-friendly web-based management interface. 

In summary, they meet the requirements of home networking for an affordable price.

Unfortunately, researchers and hackers often find serious vulnerabilities in these consumer-grade devices. Recently we contacted several Internet users via our incident reporting system after observing a very specific behavior; it turned out that the attacks were caused by a botnet of Engenius SOHO routers. Devices made by other manufacturers (even the larger ones, for example Cisco) also have vulnerabilities, and yours may have some as well. It is worth reading some entries at Router Security, a site dedicated to this topic. The site also has some good ideas on how to configure your device to be as safe as possible; I'd highly recommend reading through that part as well.




Why would anyone hack my router?

You may ask this question, as home networks don't sound as valuable as, for example, a server or a popular website, where the attacker can access the passwords of hundreds of users.

In fact, control over vulnerable SOHO routers and IoT devices can be very useful for hackers. Thousands of these devices are connected to the Internet, therefore it can be relatively easy for an attacker to create a large botnet. This botnet can be used to infect further devices (therefore making the botnet larger) or to attack an important server or site. For example, imagine that a botnet containing only a few hundred devices starts a DDoS attack against your site. This would surely influence the response time and a simple firewall rule most probably couldn’t stop the attack.

A real-world example is the case of the Engenius routers. We have received the incidents shown below from an infected Engenius router.


2017-08-02 20:06:48 BL_PORT_HONEYPOT_BADPORT
{
"PORT HIT": "104.#.#.57:47068->149.#.#.252:23"
}
2017-08-02 20:06:13 BL_PORT_HONEYPOT_BADPORT
{
"PORT HIT": "104.#.#.57:47064->149.#.#.252:23"
}
2017-08-02 20:06:12 BL_PORT_HONEYPOT_BADPORT
{
"PORT HIT": "104.#.#.57:47063->149.#.#.252:23"
}


These are port sweeps searching for other infected devices which could be used to further expand the botnet. You can find further details about how these routers were compromised in the next section.


How could they hack my router?

There are several different ways to attack a SOHO device. The simplest, and a commonly used, method is a dictionary attack against the device’s administrative user interface, where the attacker tries to log in with commonly used usernames and passwords. This gives the hacker access to the settings of the device, from which further attacks can be carried out.

In the worst case, the attacker can have full control over the device, which means that he/she can carry out attacks from your device or even sniff your network connections to gain sensitive information about you.

In the case of the Engenius router, it was possible to create a backdoor on the device. The Engenius ESR985 runs Linux with BusyBox. BusyBox is a multi-purpose executable providing the functionality of several Unix/Linux tools and was originally intended for embedded systems. It also includes the ping command, which can be used to diagnose networking problems by sending packets to a specific IP address and waiting for the response. The web-based administrative interface runs this command to help users identify network issues. Unfortunately, the parameter passed to the command was not validated properly, so it was possible to execute arbitrary BusyBox commands by supplying a crafted parameter. The ping launched from the user interface is executed roughly like this:

ping [IP]

Here, [IP] gets replaced by the parameter specified by the user. Normally, something like the following would be executed.

ping 1.2.3.4

Here, the parameter was 1.2.3.4. However, if the parameter is “1.2.3.4; echo Should this be executed”, BusyBox will execute the following.

ping 1.2.3.4; echo Should this be executed

This runs ping 1.2.3.4, but it also executes the command that follows the semicolon.

Using this method, the hacker is able to run any BusyBox command as long as he/she is logged into the device. Logging in can be achieved using a brute-force attack.
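The following is an added example, not code from the Engenius firmware or from this post: a minimal model of the ping diagnostic handler described above, showing the unvalidated shell-string construction next to a hardened version that accepts only a literal IP address and never passes the parameter through a shell. Function names and the `-c 1` count option are my own choices.

```python
import ipaddress
import subprocess

# Constructed example: how the vulnerable handler behaves. The user-supplied
# parameter is pasted straight into a shell command line, so a ';' in it
# turns the rest of the string into a second command.
def build_ping_command_vulnerable(user_param: str) -> str:
    return f"ping -c 1 {user_param}"

# Hardened: accept only something that parses as an IPv4/IPv6 address.
# Shell metacharacters such as ';', '|', '`' or '$(' cannot survive this.
def validate_ping_target(user_param: str) -> str:
    try:
        return str(ipaddress.ip_address(user_param.strip()))
    except ValueError:
        raise ValueError(f"invalid ping target: {user_param!r}") from None

# Hardened: build an argv list so the target is one argument to ping and is
# never interpreted by /bin/sh, even if validation were ever loosened.
def build_ping_argv(user_param: str) -> list:
    return ["ping", "-c", "1", validate_ping_target(user_param)]

def run_ping(user_param: str) -> subprocess.CompletedProcess:
    # shell=False (the default) is the point: no command string is parsed.
    return subprocess.run(build_ping_argv(user_param),
                          capture_output=True, text=True, timeout=10)

if __name__ == "__main__":
    injected = "1.2.3.4; echo Should this be executed"
    print("vulnerable:", build_ping_command_vulnerable(injected))
    print("hardened:  ", build_ping_argv("1.2.3.4"))
    try:
        build_ping_argv(injected)
    except ValueError as e:
        print("hardened rejects:", e)
```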

Additionally, once the attacker can inject commands, it is possible to start BusyBox’s built-in telnet server on the device.



In the past, telnet was used to log in to and remotely manage networking devices and servers. It has no encryption, so its use is strongly discouraged; nowadays we usually use SSH instead, as it is much more secure. By the way, the telnet client is still installed by default on most Linux distributions, as it can be used to debug text-based protocols like HTTP.

Starting the telnet server opens the TCP port 23 and allows the attacker to log into the device without authentication and run any command whenever he/she likes.

You can see how important it is to keep your routers safe. To do this, update the firmware regularly, turn off the services you don’t use, and most importantly, use a strong password for the administrative interface and don’t allow access on the WAN port.


Do you know any tricks to make home networks safer? Share your ideas below.
