2015 top

DECEMBER 2015

pfSense is no magic bullet

New Features and Changes in v2.2.6
by pfSense December 21, 2015
Lots of bugs were fixed in this release, including: multiple vulnerabilities in OpenSSL, a Local File Inclusion vulnerability in the WebGUI, a SQL Injection vulnerability in the captive portal logout, multiple XSS and CSRF vulnerabilities in the WebGUI and two other captive portal bugs. Unlike consumer routers however, it seems that pfSense includes updated component software, a good thing. For example, it is noted that upgrading the included strongSwan to v5.3.5 fixes several bugs.

NSA and GCHQ target Juniper routers

NSA helped British spies find security holes in Juniper Firewalls
by Ryan Gallagher and Glenn Greenwald of The Intercept December 23, 2015
Quoting: A top-secret document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks ... [this] raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed by Juniper last week ... the agencies found ways to penetrate the NetScreen line of security products, which help companies create online firewalls and virtual private networks, or VPNs ... GCHQ’s capabilities clustered around an operating system called ScreenOS, which powers only a subset of products sold by Juniper ... Juniper’s other products, run a different operating system called JUNOS.

High End Routers from Juniper hacked twice

Juniper warns about spy code in firewalls
by Jeremy Kirk of IDG News Service Dec. 17, 2015
Two hacks were discovered by Juniper themselves in an internal review. What prompted the review is unknown. The first hack was a hard-coded master password that could allow remote administrative access to a ScreenOS device over Telnet or SSH. The second hack had to do with random numbers generated by the Juniper VPN server. By making them not-so-random, a spy agency able to monitor Internet backbone traffic could decrypt everything inside the VPN without being detected. The hard-coded master password has been present since 2012 or 2013. Juniper is a very high end company. These attacks show how valuable it can be gain control over a router.

IMPORTANT JUNIPER SECURITY ANNOUNCEMENT from Juniper Dec. 17, 2015
2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756) from Juniper Dec. 17, 2015
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor by hdmoore Dec 20, 2015
A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open.
The Juniper VPN backdoor: Buggy code with a dose of shady NSA crypto by Lucian Constantin of IDG News Service Dec 22, 2015
On the Juniper backdoor by Matthew Green Dec 22, 2015
Some Analysis of the Backdoored Backdoor by Ralf-Philipp Weinmann Dec 21, 2015

Multiple bugs in multiple Cisco Routers

Cisco Warning of Vulnerabilities in Routers, Data Center Platforms
by Chris Brook of Kaspersky Threatpost December 9, 2015
Cisco published five advisories, each marked as "medium" severity. The EPC3928 is a wireless residential gateway that does a poor job validating input which opens it up to XSS attacks. It also has an authentication bug that lets an attacker send a malicious HTTP request to execute some admin functions without authentication. Another residential gateway, the DPQ3925, is vulnerable to a CSRF attack. If a victim clicks on a malicious link, they could submit arbitrary requests to the device via a web browser. Finally, the DPC3939 router has a bug in its web interface that could allow an attacker execute arbitrary commands on the system.

Cisco DPC3939 (XB3) Router Administrative Web Interface Command Injection Vulnerability from Cisco December 8, 2015
Cisco Residential Gateway Devices Cross-Site Request Forgery Vulnerability from Cisco December 8, 2015
Cisco Wireless Residential Unauthorized Command Vulnerability from Cisco December 8, 2015
Cisco Wireless Residential Gateway Stored Cross-Site Scripting Vulnerability from Cisco December 8, 2015

Linksys ignores router bug report

Linksys routers vulnerable through CGI scripts
by Richard Chirgwin of The Register December 8, 2015
A security company, KoreLogic, has disclosed bugs in the Linksys EA6100-6300 routers. Its not clear to me how many routers are vulnerable. Buggy scripts in the web-based administrative interface provide an attacker with unauthenticated access, which, in turn, lets the bad guy learn the routers administrative password. A very interesting aspect of this bug is the timeline that KoreLogic reported. They submitted the details of this multiple times to Linksys and never heard back. Thus we learn how much Linksys cares about the security of their routers.

Linksys EA6100 Wireless Router Authentication Bypass December 4, 2015

NOVEMBER 2015

Arris cable modems have backdoors, bugs and hard coded passwords

Backdoor In A Backdoor Identified in 600,000 Arris Modems
by Chris Brook of ThreatPost November 23, 2015
Thousands of Arris cable modems suffer from XSS and CSRF vulnerabilities, hard-coded passwords, and a backdoor in a backdoor. The problems were discovered by Brazilian researcher Bernardo Rodrigues (@bernardomr) who estimates that more than 600,000 externally accessible devices are vulnerable to the backdoor and that TG862A, TG860A, and DG860A modems are all affected. To me, the most important sentence in this article is "Rodrigues claims Arris was less than receptive when he first reported the flaws, but that CERT/CC proved helpful and aided in bringing them to the company's attention". I take this to mean they would have ignored this if they could. Next time I buy a modem, Arris is not on my shopping list. When it comes to the firmware in a modem, we are generally at the mercy of our ISP. The firmware is not something we can update ourselves.

ARRIS Cable Modem has a Backdoor in the Backdoor by Bernardo Rodrigues. Nov. 19, 2915. The original source. "CERT/CC set a disclosure policy of 45 days long ago. They waited for more than 65 days for them to "fix" it but ARRIS didn't remove the backdoors in a timely manner. "
ARRIS Cable Modem - Serial Backdoor YouTube video by Bernardo Rodrigues Nov. 15, 2015
600,000 cable modems have an easy to pop backdoor in a backdoor by Darren Pauli of TheRegister Nov 20, 2015. "The initial backdoor - an admin password based on a known seed - was disclosed in 2009 ... The disclosure follows a vulnerability (CVE-2015-0964) revealed April affecting Arris Surfboard models that could allow web interfaces to be hijacked."
Vulnerability Note VU#419568 ARRIS cable modems generate passwords deterministically and contain XSS and CSRF vulnerabilities. Last updated Nov. 23, 2015. Four bugs in four different modems, but additional modem models may also be problematic. "It has been reported that these vulnerabilities, particularly the hard-coded passwords, are currently being exploited ... The CERT/CC is currently unaware of a practical solution to this problem."
ARRIS Cable Modem/Gateway Security Lapse Offers Hackers Two Backdoors Into Your Network by Phillip Dampier November 23, 2015. Quoting "Unfortunately for consumers, neither ARRIS or cable operators appear to be rushing to update the affected firmware to eliminate the backdoors, having waited more than two months just to acknowledge Rodrigues report."
UPDATE. May 27, 2016. I was contacted by someone with a working arris.com email address who said these bugs have been fixed and new firmware, called version TS9.1 is available. They said that Arris device owners should contact their ISP to see if and when the ISP will upgrade the firmware. Owners of Arris modems can not update the firmware themselves. Among the fixes in the new firmware is one for the Pixie dust WPS issue. However, there is nothing online anywhere that says this. Also, the person who contacted me did not or would not say which devices have updated firmware available.

CSRF Bugs in the D-Link DIR-816L Router

D-link wireless router DIR-816L Cross-Site Request Forgery (CSRF) vulnerability
by Bhadresh Patel of HelpAG Nov. 10, 2015
The good news is that cross-site request forgery (CSRF) bugs are hard for bad guys to exploit. A web browser needs to be logged in to the router in one tab and visiting a malicous web page in another tab. In that case, the flaws let bad guys submit commands to DIR-816L router and gain control of the router. A fix is available from D-Link.

Vulnerability Summary for CVE-2015-5999
D-Link DIR-816L Cross Site Request Forgery by Bhadresh Patel Nov. 16, 2015
D-Link notice of updated firmware PDF format

600,000 Ubiquiti routers easily hacked - come and get em

The Omnipresence of Ubiquiti Networks Devices on the Public Web
by SEC Consult November 5, 2015
Quoting: "There are ongoing in the wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices ... Most devices are located in Brazil (480,000), Thailand (170,000) and the United States (77,000)..." These flaws have been reported previously but the scope is new. Many ISPs ship Ubiquiti routers with Remote Administration enabled. This opens up them up to HTTP/HTTPS and SSH access. Ubiquiti blames the ISPs. If each ISP used a different TCP/IP port and gave customers unique passwords, no big woop. But, no. There are at least 600,000 vulnerable routers on the Internet. They also found 1.1 million Ubiquiti devices using a digital certificate whose private key is easily obtained from the firmware. This make it easy for bad guys to find vulnerable routers to attack.

The Lingering Mess from Default Insecurity by Brian Krebs Nov. 12, 2015
SEC Consult Vulnerability Lab Security Advisory Nov 5, 2015
Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web by Eduard Kovacs in SecurityWeek Nov 6, 2015

OCTOBER 2015

Multiple bugs in Cisco devices

Patch Cisco ASA ASAP: DNS, DHCPv6, UDP packets will crash them
by Shaun Nichols of The Register October 23, 2015
Four bugs have been discovered in assorted Cisco routers, firewalls and other hardware in their Adaptive Security Appliance (ASA) line. Exploiting the flaws can render the hardware useless by forcing it repeatedly reset. Both a specially crafted DHCPv6 packet and/or a DNS packet can cause the devices to reset. They can also be made to restart with a malicious UDP packet that exploits a flaw in the Internet Key Exchange protocol.

Cisco Security Advisories and Responses has the most recent advisories listed first
Cisco Security also lists security advisories

The German government agrees with me

German Govt mulls security standards for SOHOpeless routers
by Darren Pauli of The Register October 21, 2015
The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to mine, routers will be given points for features that increase security. Sadly, the article says that "Routers that advise users of an available firmware update on login to the web admin interface are winners". So, having a router company email their customers when there is new firmware is something we can't even hope for? What this article does not mention is the background. Germany now (Nov. 2015) requires ISP customers to use a router from their ISP. This law is expected to change in early 2016, thus the need to review the security of newly available routers.

Press release in German
Test concept for broadband router Draft October 2015
Test concept for broadband router PDF. Draft October 2015
Deutscher Bundestag PDF. This seems to be related, but I don't speak German.

Still more bugs in ZHONE routers

Boffin's easy remote hijack hack pops scores of router locks
by Darren Pauli of The Register October 11, 2015
For the second time this year, Vantage Point has warned of multiple security flaws in routers. The flaws are in Zhone routers provided to customers by an un-named major telco in Singapore. The buggs routers are also used by un-named companies around the world. Among the bugs is a remote zero day exploit that lets a bad guy totally hijack the router. Lyon Yang, who found the flaws, is quoted saying "When the ISP ships the router, it comes with a shitload of vulnerabilities". He also said that the remote hijacking is easily done. In all there are seven vulnerabilities. Interestingly, a remote hijack bug is in the router's ping functionality. Some of the bugs have been patched but will never get installed. The ISP in question does not give their customers the userid/password needed to logon to the router, so they can't update the firmware.

Advanced SOHO Router Exploitation a conference presentation by Lyon Yang that examines how a series of 0-day vulnerabilities can be used to hack into tens of thousands of SOHO Routers. October 14, 2015
Vantage Point Security Advisory 2015-003 Multiple Remote Code Execution found in ZHONE. By Lyon Yang. ZHONE RGW is vulnerable to stack-based buffer overflow attacks due to string functions without sufficient input validation. The problem has been fixed in version S3.1.241. It was first reported to Zhone in April 2015.
Vantage Point Security Advisory 2015-002 Multiple Vulnerabilities found in Zhone by Lyon Yang. The bugs are: Insecure Direct Object Reference, Admin Password Disclosure, Remote Code Injection, Stored Cross-Site Scripting nand Privilege Escalation via Direct Object Reference to Upload Settings Functionality. All bugs are fixed in version S3.1.241. This was first reported to Zhone in October 2014 so it took a year, soup to nuts.

Multiple bugs in multiple ZyXEL routers

ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities
by CERT October 13, 2015
Vulnerability Note VU#870744. Several ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting. One issue shared by many models is a weak default password of "1234" for the admin account. In the worst case, these bugs can enable a remote unauthenticated attacker to modify the system configuration. The issues were reported to ZyXEL in Aug. 2015 and there are multiple responses. Some routers are too old and won't be fixed. Some bugs have already been addressed with new firmware and other bugs will be fixed later this month.

ZyXEL Support Center

Multiple Netgear routers vulnerable if WAN administration enabled

Hackers exploiting 'serious' flaw in Netgear routers
by Zack Whittaker of ZDNet October 13, 2015
A techie discovered that his own router had been hacked, that the DNS servers had been changed. The bug has been documented by both Compass Security and Shellshock Labs. It lets a bad guy get full remote unauthenticated root access, if WAN administration is enabled. Netgear released updated firmware for these routers: JNR1010v2, WNR614, WNR618, JWNR2000v5, WNR2020, JWNR2010v5, WNR1000v4 and WNR2020v2. Netgear customers will be informed of the update if they logon to their router, or, if they have the Netgear genie app installed.

Netgear router exploit detected by Chris Baraniuk of the BBC Oct. 9, 2015
Netgear prodded into patching SOHOpeless broadband router by Richard Chirgwin October 13, 2015. Disclosure prompts action on months-old authentication bypass
Hacking NETGEAR JWNR2010v5 Router - Authentication Bypass by Shellshock Labs Sept. 29, 2015
COMPASS SECURITY ADVISORY Netgear Router Firmware N300_1.1.0.31_1.0.1.img and N300-1.1.0.28_1.0.1.img. by Daniel Haake Oct. 6, 2015. An attacker can access the administration interface of the router without submitting a valid userid/password by requesting a special URL several times. Compass first notified Netgear of the problem on July 21, 2015.

A good worm infects routers

Home routers "vaccinated" by benign virus
by the BBC October 2, 2015
According to Symantec the Wifatch worm has harden more than 10,000 home routers against cyber-attacks. Non-techies should say thank you. The worm targets routers that have miserable security to begin with. Wifatch was first discovered in late 2014 and Symantec estimates that it has infected tens of thousands of routers. This is a good thing as Wifatch tries to disinfect routers that have been infected with malware. The source for Wifatch is available and it has no malicious components. In addition, Symantec has been monitoring it for months and has not seen any malicious actions. Heck, Wifatch even leaves a message on the router telling the owner to change the default passwords and update the firmware.

Is there an Internet-of-Things vigilante out there? by Mario Ballano of Symantec Oct. 1 2015. This blog has been updated to include a Q and A with the author of Wifatch. He/they say: "Linux.Wifatch doesn't use elaborate backdoors or 0day exploits to hack devices. It basically just uses telnet and a few other protocols and tries a few really dumb or default passwords (our favourite is "password"). These passwords are well-known - anybody can do that, without having to steal any secret key." It only infects devices that are not protected in the first place.
Linux.Wifatch by Paul Mangan of Symantec Jan. 12, 2015

Huawei Bug fixes? Fuggedabowdit

Huawei routers riddled with security flaws won't be patched
by Zack Whittaker at ZDNet October 7, 2015
The Huawei B260a router is widely used by ISPs in Europe and Africa but its old, so Huawei will not issue bug fixes for it. As I say elsewhere on this site, avoid all hardware from your ISP. Multiple security flaws were discovered by Pierre Kim. The flaws are as bad as it gets, allowing for overwriting the router firmware without authentication. The flaws are not limited to a single model (they never are), other devices in the B-series and E-series product lines are also buggy.

A comprehensive study of Huawei 3G routers - XSS, CSRF, DoS, unauthenticated firmware update, RCE by Pierre Kim October 7, 2015

Bugs in the Huawei E3272 4G USB Modem

Remote code exec hijack hole found in Huawei 4G USB modems
by Darren Pauli of The Register October 7, 2015
OK, its a modem rather than a router, but I felt it was close enough to include here. Timur Yunusov and Kirill Nesterov of Positive Technologies found both a remote execution flaw and denial of service vulnerabilities in the Huawei E3272 4G USB modem. Exploiting the bugs gives bad guys pretty much everything. The researchers report that "By exploiting detected flaws, an intruder can gain rights on a remote modem, take control over the computer connected to the vulnerable modem, and obtain access to the subscriber's account in the mobile operator's portal" In addition there are SMS attacks on the SIM card. The good news is the bugs have been fixed. The bad news is that I didn't see a link to updated firmware.

Positive Technologies Experts Detect Critical Vulnerability in Huawei LTE Modems by Positive Technologies October 2, 2015
Security Advisory - DoS Vulnerability in Huawei MBB Product by Huawei August 17, 2015. This just defines the problem, it was not updated with a link to updated firmware
The Huawei e3272 on sale at Amazon

SEPTEMBER 2015

Cisco business routers hacked

Attackers slip rogue, backdoored firmware onto Cisco routers
by Lucian Constantin of IDG News Service September 15, 2015
Researchers from Mandiant have detected Cisco routers running malicious firmware. These are business routers, so this story does not really belong on this page, but it further illustrates the importance of router software. The attacked, known as SYNful Knock was found on 14 Cisco 1841, 8211 and 3825 routers in four countries. It is thought that rather than abusing a bug, the software was installed using stolen or default passwords. That Cisco has default passwords is disgraceful, even some consumer routers force you to chose a password at first boot.

Cisco routers in at least 4 countries infected by highly stealthy backdoor by Dan Goodin of Ars Technica Sept. 15, 2015. Quoting:
"Given that routers typically operate outside the perimeter of firewalls and many other security devices, router-based backdoors make the ideal hacking tool. Not only can they be used to monitor communications coming into and going out of the targeted organization, they can also be used to infect other sensitive hardware inside the same network. Such attacks have been theorized for years, but this is one of the first times researchers have found concrete evidence that such compromises are occurring in the wild."
SYNful Knock - A Cisco router implant - Part I by Bill Hau and Tony Lee of FireEye September 15, 2015 Original source.
SYNful Knock - A Cisco router implant - Part II by Bill Hau, Josh Homan, Tony Lee September 15, 2015
SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks by Omar Santos of Cisco Sept 15, 2015.
Cisco Event Response: SYNful Knock Malware Threat Summary by Cisco. Last Updated: October 9, 2015
Malicious Cisco router backdoor found on 79 more devices, 25 in the US by Dan Goodin of Ars Technica Sept. 16, 2015. All 25 infected routers in the US belong to a single ISP. The malicious software was professionally developed.
In Search of SYNful Routers by computer scientists from the University of Michigan, UC Berkeley, and the International Computer Science Institute Sept. 16, 2015. This is the original research that turned up 79 additional infected routers.

Five bugs in the Belkin N600 DB router

Popular Belkin Wi-Fi routers plagued by unpatched security flaws
by Lucian Constantin of IDG News Service September 1, 2015
The Belkin N600 DB router contains five bugs for which there are no practical work-arounds and, as yet (11 days after the first report) no fixes either. In fact, the Belkin website has nothing on the problem. I take that as all I need to know about using Belkin routers. In fairness, they did tell one reporter that they are working on fixes. As for the bugs themselves, one is a poor implementation of DNS which lets a man-in-the-middle (MITM) attacker respond to DNS queries and thus redirect victims to malicious websites. The router also checks for new firmware using HTTP which can be manipulated by a MITM attacker. On the LAN side, the N600 does not, by default, require a password for accessing the management interface. And, even if you set a password, an attacker on the LAN can login to the router without knowing the password. This is due to the router using client side authentication. In addition, it is vulnerable to CSRF attacks on the LAN side. In my opinion, anyone using this router should just throw it away.

Vulnerability Note VU#201168 Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities by Joel Land of the CERT/CC. August 31, 2015. Original report of the bugs

AUGUST 2015

More routers with hidden admin accounts

Some routers vulnerable to remote hacking
by Lucian Constantin of IDG News Service August 27, 2015
Quoting: "Several DSL routers from different manufacturers contain a guessable hard-coded password that allows the devices to be accessed with a hidden administrator account ... the affected device models are: Asus DSL-N12E, Digicom DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and ZTE ZXV10 W300 ... For most of the routers, the username corresponding to the hard-coded password is admin, while for the PLDT SpeedSurf 504AN it's adminpldt ... The vulnerability is not new and was independently reported by separate researchers in 2014 for the ZTE ZXV10 W300 and in May for the Observa Telecom RTA01N." The passwords are different for each device and include the last four characters of the MAC address but this can be obtained. Telnet provides access to the routers.

DSL routers contain hard-coded "XXXXairocon" credentials by CERT August 27, 2015

Insecure routers being used for DDoS attacks

Attackers are using insecure routers and other home devices for DDoS attacks
by Lucian Constantin of IDG News Service August 18, 2015
"Attackers are taking advantage of home routers and other devices that respond to UPnP (Universal Plug and Play) requests over the Internet in order to amplify distributed denial-of-service attacks. A report released Tuesday by cloud services provider Akamai Technologies shows that the number of DDoS attacks is on the rise." Akamai points out that very few organizations have the infrastructure necessary to deal with DDoS attacks, and, of course, they sell the cure. SYN floods and Simple Service Discovery Protocol (SSDP) reflection were the most popular DDoS vectors. The use of SSDP for DDoS started in the last quarter of 2014. SSDP is part of UPnP which was intended to be used on Local Area Networks only. Despite this, many routers and other devices respond to SSDP queries over the Internet. How many? According to the Shadowserver Foundation, there are roughly 12 million IP addresses on the Internet that have an open SSDP service. You can't make this stuff up. You can test your router, from the inside, by visiting upnp-check.rapid7.com. A good result looks like this.

Q2 2015 State of the Internet - Security Report by Akamai August 18, 2015

Trojan for Linux infects routers

New Trojan for Linux infects routers
by Doctor Web security researchers August 4, 2015
"The Trojan named Linux.PNScan.1 can infect devices with ARM, MIPS, or PowerPC architectures. Using this and other dangerous applications uploaded by Linux.PNScan.1 to the compromised device, cybercriminals can ... brute-force authentication credentials to get unauthorized access to various devices and servers via the SSH protocol." The attack starts by brute forcing router passwords. the malware attacks Linksys routers trying to exploit a vulnerability in HNAP (Home Network Administration Protocol) and the CVE-2013-2678 vulnerability. It also exploits ShellShock and a vulnerability in Fritz!Box routers. An infected router can launch various DDoS attacks (including ACK Flood, SYN Flood , and UDP Flood) and execute intruder-issued commands.

JULY 2015

Bug fix issued for Cisco ASR 1000 routers

Cisco Fixes DoS Vulnerability in ASR 1000 Routers
by Dennis Fisher of Kaspersky July 30, 2015
A bug in the way Cisco ASR 1000 routers handle fagmented packets can cause a Denial Of Service. The ASR 1000 line of routers are designed for enterprise and service provider environments. The bug affects IOS XE versions 2.1, 2.2, 2.3, 2.4, and 2.5. It is fixed in version 2.5.1. Versions 2.6 and 3.x are not vulnerable.

Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability from Cisco July 30, 2015

Huge number of TotoLink router bugs

TotoLink Routers Plagued By XSS, CSRF, RCE Bugs
by Chris Brook of Kaspersky ThreatPost July 16, 2015
There are a large number of bugs in a large number of TotoLink routers. It's a lot to keep track of.
"Nearly 20 different routers made by the electronics company TotoLink contain multiple remote code execution bugs, suffer from XSS and CSRF vulnerabilities, and contain backdoor credentials". The remote code execution flaws affect 15 different TotoLink products and let an attacker bypass authentication using either HTTP or DHCP. This can be used to install hacked firmware on the routers. A different problem, a backdoor, affects nearly 50,000 routers and makes them vulnerable on the WAN side. Four other routers suffer from a different backdoor, one that gives a LAN side attacker root privileges. The CSRF and XSS attacks affect the iPuppy, iPuppy3, N100RE, and N200RE models. TotoLink released new firmware on July 13th to fix some of these problems, but not nearly all. The bugs were discovered by Pierre Kim and Alexandre Torres. According to Kim, TOTOLINK is a brother brand of ipTIME which wins over 80% of SOHO markets in South Korea.

Home of Pierre Kim There are 4 blogs dated July 16th with details on these assorted bugs
TOTOLINK firmware released July 13, 2015

Multiple ipTIME router flaws

By Pierre Kim July 1, 3, 5 and April 20, 2015
Mr. Kim has written four blog postings (below) with details on assorted flaws in ipTIME routers. According to Kim, there are about 10 million ipTIME devices in South Korea. The July 6th writeup details a vulnerability in 127 routers that allows a LAN side user to send a single HTTP request that will bypass the admin authentication and allow complete root access. The July 3rd writeup is about the ipTIME n104r3 but Kim says it is likely to affect other models too. CSRF and XSS flaws allow a LAN side attacker to take over most of the configuration and settings. For example, the attacker can turn on remote management, change DNS servers, update the firmware and more. The July 1st writeup offers sample exploit code for the 127 devices running ipTIME firmware prior to v9.58. They are vulnerable to a remote code execution flaw which gives the attacker root access. The April 20th writeup seems to be the first report of the LAN side remote control vulnerability with a single HTTP request.

127 ipTIME router models vulnerable to an unauthenticated RCE by sending a crafted DHCP request by Pierre Kim July 6, 2015
ipTIME n104r3 vulnerable to CSRF and XSS attacks by Pierre Kim July 3, 2015
Exploit Code for ipTIME firmwares < 9.58 RCE with root privileges against 127 router models by Pierre Kim July 1, 2015
112 ipTIME Routers/WiFi APs/Modems/Firewalls models vulnerable with RCE with root privileges by Pierre Kim April 20, 2015

DDoS attacks abuse ancient RIP v1 protocol

Attackers abuse legacy routing protocol to amplify DDoS attacks
by Lucian Constantin of IDG News July 2, 2015
"DDoS attacks observed in May by the research team at Akamai abused home and small business (SOHO) routers that still support Routing Information Protocol version 1 (RIPv1). This protocol is designed to allow routers on small networks to exchange information about routes. RIPv1 was first introduced in 1988 and was retired as an Internet standard in 1996..." Attackers used about 500 SOHO routers to reflect and amplify their malicious traffic.
Akamai found 53,693 devices online that support RIPv1. Some had their web UI exposed to the Internet, allowing Akamai to identify the make/model. Around 19,000 were Netopia 3000 and 2000 series DSL routers distributed by ISPs. More than 4,000 were ZTE ZXV10 ADSL modems.

RIPv1 Reflection DDoS by Akamai July 1, 2015 (PDF)
RIPv1 Reflection DDoS Making a Comeback by Bill Brenner of Akamai July 1, 2015
Attackers Revive Deprecated RIPv1 Routing Protocol in DDoS Attacks by Michael Mimoso of Threatpost July 1, 2015

JUNE 2015

Hacked routers serving up Windows malware

Crooks Use Hacked Routers to Aid Cyberheists
by Brian Krebs June 29, 2015
Quoting: "New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware ... Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim's credentials and send them to the attackers ... researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers - particularly routers powered by MikroTik and Ubiquiti's AirOS." It is not known if vulnerabilities in the firmware are being exploited or whether defaults passwords are at fault. This sounds much like the botnet discovered by Incapsula in May 2015 (see below), in part, because a "disturbing number" of the hacked routers had the telnet port open.

Linksys router turns off WiFi when plug something into USB port

Review: Linksys WRT1200AC dual-band gigabit Wi-Fi router
by Jon Andrews of WeGotServed June 18, 2015
Quoting: "I had a number of issues sharing data ... whenever I plugged in an external drive, the WRT1200AC's wireless signal completely cut out. I tried a reboot of both the router and the PCs I was trying to work from but it didn't make any difference. As soon as I disconnected the external hard drive (in this instance it was a 2 TB external USB 3.0 powered drive formatted in NTFS) the Wi-Fi came back to life. Even with the latest firmware onboard, the WRT1200AC suffered from what looks like a pretty nasty bug." No mention in the article about the other issues sharing data.

MAY 2015

22 routers examined -> 60 bugs found

More than 60 undisclosed vulnerabilities affect 22 SOHO routers
by security researchers doing an IT Security Masters Thesis at Universidad Europea de Madrid May 28, 2015
The routers were from Observa Telecom, Comtrend, Belkin, D-Link, Sagem, Linksys, Amper, Huawei, Zyxel, Astoria and Netgear.
14 of the bugs are Universal Plug and Play (UPnP). Not bugs in UPnP, just its existence. While I agree, in concept, the UPnP is bad for security, and I recommend turning it off in a router, counting it as a vulnerability, is a matter of opinion. To me, this is really 46 bugs.
An information disclosure bug was found in the D-Link DSL-2750B, a wireless ADSL2 gateway. The device coughs up critical information to anyone who knows to try http://1.2.3.4/hidden_info.html, where 1.2.3.4 is the LAN side IP address of the device. All D-Link owners should test this. The report does not say if this works on the WAN side too.
Four routers from three different companies have a USB Device Bypass Authentication flaw which has nothing to do with the NetUSB flaw. Quoting "An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router ... In order to do so, the attacker only needs to access the router IP followed by the 9000 port". You can test if a router has port 9000 open on the WAN side here grc.com/x/portprobe=9000.
Two Huawei routers have a Bypass Authentication flaw. Quoting "An external attacker, without requiring any login process, is able to reset the router settings to default ones ... an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials". Ouch.
The Observa Telecom RTA01N has a hidden admin user. Quoting "In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it does only appear into the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet". The report does not say if disabling remote administration defends against this.

Mass vulnerabilities exposed in enterprise D-Link devices, home routers by Charlie Osborne of ZDNet June 1, 2015
Mass break-in: researchers catch 22 more routers for the SOHOpeless list by Richard Chirgwin of The Register June 3, 2015
New SOHO router security audit uncovers over 60 flaws in 22 models by Lucian Constantin IDG News Service June 2, 2015

Still another attack on routers with default IPs and passwords

DNS Changer Malware Sets Sights on Home Routers
by Fernando Merces of Trend Micro May 28, 2015
Nothing very new here. Trend Micro found malicious websites, mostly in Brazil, that run a brute-force attack script against a router to change the DNS servers. Quoting: "While this type of malware is not new, we've been seeing a growing number of links in phishing attacks in Brazil."

Moose worm attacks miserably defended devices

Moose - the router worm with an appetite for social networks
by Graham Cluley writing for ESET May 26, 2015
ESET researchers discovered a new worm, they call Linux/Moose, that infects routers in order to commit social networking fraud. The worm also infects other Linux-based devices and eradicates existing malware infections on the devices. It could potentially be used for DDoS attacks, network exploration, eavesdropping and DNS hijacking. It was first detected in July 2014. ESET researchers were unable to make a reliable estimate of the number of affected routers. They did confirmed that these companies products were affected: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone. The worm spreads by compromising systems with weak or default credentials. No vulnerabilities are exploited, so it should be easy to defend against simply by changing default passwords. It gets in via Telnet on port 23, so insure that port 23 is closed or stealth using the common ports scan of Shields UP! It also uses port 10073 which you can test here: https://www.grc.com/x/portprobe=10073.

Dissecting Linux/Moose The Analysis of a Linux Router-based Worm Hungry for Social Networks by Olivier Bilodeau and Thomas Dupuy May 2015. Techie details on the Moose worm including how to determine if your router is infected, and cleaning instructions. Also, prevention advice.
The Moose is loose: Linux-based worm turns routers into social network bots by Sean Gallagher at ArsTechnica May 26, 2015
There is a Moose loose aboot this hoose: Linux worm hijacks Twitter feeds for spam slinging by Darren Pauli of TheRegister May 26, 2015. Olivier Bilodeau describes the malware: "... it steals consumer network traffic and leverages the good IP reputation and bandwidth of consumers to perform social network fraud. I am not aware of any other router threat being operated that way." Rapid 7 found about 50,000 routers are infected with this. Vulnerable devices use the popular uClibc C library.

A web based (CSRF) router attack that changes DNS servers

An Exploit Kit dedicated to CSRF Pharming
by Kafeine an independent security researcher May 22, 2015
Yet another web based attack, delivered by either a compromised website or a malicious ad, designed to replace the DNS servers used in a router. The malware looks for any of 55 routers from a dozen vendors including: Asus, Belkin, D-Link, Edimax Technology, Linksys, Medialink, Microsoft, Netgear, Shenzhen Tenda Technology, TP-Link, Netis Systems, Trendnet, ZyXEL and HooToo. It uses both known flaws (command injection vulnerabilities) and a dictionary attack with common administrative credentials. This seems to be widely used, on May 9, 2015 the command and control center was visited almost a million times. Slow days in the first week of may saw roughly 250,000 unique visitors a day. It has been found in the U.S., Russia, Australia, Brazil, India and other countries. As with other DNS changing malware, the bad DNS server is placed first, backed up by a Google public DNS server. This lets infected routers continue to function normally even if the malicious DNS server is taken off-line.

Large-scale attack hijacks your router through your browser by Lucian Constantin of IDG News Service May 25, 2015. Quoting "Many users assume that if their routers are not set up for remote management, hackers can't exploit vulnerabilities in their Web-based administration interfaces from the Internet, because such interfaces are only accessible from inside the local area networks. That's false." Constantin fails to point out that Apple routers are not vulnerable as they have no web interface. On the other hand, he suggests an excellent defense: "... restrict access to the administration interface to an IP address that no device normally uses, but which they can manually assign to their computer when they need to make changes to the router's settings."
Exploit Kit Using CSRF to Redirect SOHO Router DNS Settings by Michael Mimoso of Kaspersky May 26, 2015. Quoting: "Attacks targeting small office and home router DNS settings ... have for the first time been included in an exploit kit - one that specializes in cross-site request forgery attacks ... The attackers' concentration on Chrome and Chromium users could be because of their ability to discover local and public IP addresses using tools such as one developed by Daniel Roesler called WebRTC-ips".

NetUSB flaw is industry wide (possibly millions of routers are vulnerable)

KCodes NetUSB: How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide
by the SEC Consult Vulnerability Lab May 19, 2015
There is a bug/vulnerability in a software component called NetUSB. Quoting: "NetUSB is a proprietary technology developed by the Taiwanese company KCodes, intended to provide 'USB over IP' functionality. USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated 'USB over IP' box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005). The client side is implemented in software that is available for Windows and OS X ... The user experience is like that of a USB device physically plugged into a client system." If the NetUSB server is given data longer than it expects, it suffers a stack buffer overflow. 26 companies are thought to use the NetUSB software. SEC Consult tested routers from five of these companies: D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL. They found 92 products contained the NetUSB software. They did not test products from the other 21 companies. It seems to be mostly, but not exclusvely a LAN side issue. Quoting again: "While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet. " Sometimes NetUSB can be disabled via the web interface, sometimes not. On NETGEAR routers the only defense is to buy a new router. KCodes was not helpful when contacted by SEC Consult. TP-LINK was the best at fixing the problem. By far.

What most people don't know about the NetUSB router flaw - Part 1 by Michael Horowitz (me) in Computerworld June 16, 2015
The NetUSB router flaw Part 2 - Detection and Mitigation by Michael Horowitz (me) in Computerworld June 20, 2015
TEST: You can test if a router has port 20005 open on the WAN side at https://www.grc.com/x/portprobe=20005
TEST: Apple has instructions for testing if a port is open on the LAN side from OS X and Windows: Testing TCP port connectivity between computers and devices
TEST: Android users can use the free Net Scan app by Nick Cerelli to test for open ports on the LAN side of a router. It has no ads.
Kernel Stack Buffer Overflow an SEC Consult Vulnerability Lab Security Advisory - 20150519-0. This includes a list of the known buggy routers. The list is incomplete.
Critical vulnerability in NetUSB driver exposes millions of routers to hacking by Lucian Constantin of IDG News Service May 19, 2015
Netgear and ZyXEL confirm NetUSB flaw, are working on fixes by Lucian Constantin of IDG News Service May 21, 2015
Security Notice for KCodes NetUSB Vulnerability from Peplink May 22, 2015. Quoting: "Peplink has verified and confirmed that none of our devices make use of KCodes NetUSB, therefore we are unaffected by this vulnerability."

An example of what malicious DNS servers can do

New Router Attack Displays Fake Warning Messages
by Jaydeep Dave of Trend Micro May 20, 2015
This blog offers an example of what malicious DNS servers might do - get the victim to call an 800 number for tech support that is not needed. The author works for Trend Micro and found his home router was using malicious DNS servers. How it happened, he doesn't know. The advice offered is lame, basically just plugs for their products.

Routers with default passwords hacked up the wazoo

Malware infected home routers used to launch DDoS attacks
by Lucian Constantin of IDG News Service May 12, 2015
ISPs in Thailand and Brazil seem to be distributing insecure routers to their customers. Not only are they configured with default passwords, they are also accessible from the Internet using both HTTP and SSH. In a new report, Incapsula found thousands of these routers infected with multiple copies of malware. The headline in the media was that Anonymous was using the router botnet for DDoS attacks. The report says that it is likely more than one group had infected the routers with malware.

Lax Security Opens the Door for Mass-Scale Abuse of SOHO Routers by Ofer Gayer, Ronen Atias, Igal Zeifman of Incapsula May 12, 2015
Researchers uncover self-sustaining botnets of poorly secured routers by Dan Goodin Ars Technica May 12, 2015
Insecure routers hacked yet again by me May 13, 2015

Not all router bugs are security related

Yes, sometimes turning it off and on really is the best fix
by Dwight Silverman of the Houston Chronicle May 6, 2015
Tech blogger has a MacBook Pro and a Mac mini. The mini has problems. Two different instant messaging services are failing with a network error. And, Microsoft's OneDrive doesn't think it has an Internet connection. Other cloud storage apps such as Google Drive and Dropbox work fine. The same apps on the MacBook Pro work fine. The apps are configured the same on each machine. The light at the end of the tunnel comes when he connects the problematic Mac mini to a different WiFi network and everything works fine. The problem was his network. Re-booting the router, a Linksys WRT1900AC, fixes everything. What happened? A techie suggests a "bad NAT implementation in consumer router product". I can believe this based on my own experience, years back, with a consumer router. Every now and then all websites would fail to load. Email, and any other Internet traffic, worked fine. In my case too, rebooting the router fixed it.

Pixie Dust expands attacks on WPS

Security Now! Episode 506
by Steve Gibson of GRC May 5, 2015
Software has been released, dubbed Pixie Dust, that exploits a flaw in three implementations of WPS. The protocol is bad enough by itself, even if programmed perfectly. In three cases, the programming is not done well and thus WPS can be broken in seconds. Passwords? We don't need no stinking passwords. This research was first report in Aug. 2014 by Dominique Bongard (see below). Flaws have been found in hardware from Ralink, Broadcom, and Realtek. Similar coding flaws in WPS implementations were found by Craig Heffner in Oct. 2014 (see below). As I say elsewhere on this site, do not use any router that supports WPS.

WPS Pixie Dust Database shows that some routers from Arris, Asus, Belkin, Cisco, D-Link, Edimax, Huawei, Linksys, Netgear, ZyXEL and others are affected by this.
reaver-wps-fork-t6x is a modification done from a fork of reaver. This modified version uses the Pixie Dust Attack to find the correct WPS PIN. The attack used in this version was developed by Wiire.
Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack).... All credits for the research go to Dominique Bongard.

APRIL 2015

Hacking Netgear routers to upload malicious firmware

Broken, Abandoned, and Forgotten Code, Part 1
by Zachary Cutlip April 23, 2015
Quoting: "This series of posts describes how abandoned, partially implemented functionality can be exploited to gain complete, persistent control of Netgear wireless routers ... I'll describe the process of specially crafting a malicious firmware image and a SOAP request in order to route around the many artifacts of incomplete implementation in order to gain persistent control of the router ... An unauthenticated firmware upload is an opportunity to persist undetected on the gateway device for months or even years ... Universal Plug and Play services on SOHO routers make for a nice attack surface ... " The primary router tested was the Netgear R6200. Preliminary analysis of other devices, including the R6300 v1, indicates presence of the same vulnerabilities. The only tested firmware was v1.0.0.28.

Broken, Abandoned, and Forgotten Code: Prologue by Zachary Cutlip April 22, 2015
Sub-heading: A Secret Passage to Persistant SOHO Router Pwnage. Quoting "My new approach was to see if I could specially craft an exploit that would route around all the broken networking code and broken parsing code in order to get the router to accept my firmware without crashing. Spoiler: In the end I was successful."
Broken, Abandoned, and Forgotten Code, Part 2 April 30, 2015

Realtek SDK: Yet another industry-wide flaw leaves routers vulnerable to remote hacks

No patch for remote code-execution bug in D-Link and Trendnet routers
by Dan Goodin of Ars Technica Apr 28, 2015
Routers from D-Link, Trendnet and untold other vendors can be remotely hacked. Without needing a password, bad guys can execute arbitrary code on the routers. Vulnerable routers use the Realtek software development kit. The bug is a failure to sanitize user data by the miniigd SOAP service. Not bad enough? The bug was found by security researcher Ricky "HeadlessZeke" Lawshae and reported to HP's Zero Day Initiative (ZDI) in August 2013. HP then tried, many times, to report the bug to RealTek. Twenty months later, there is still no fix.

(0Day) Realtek SDK miniigd AddPortMapping SOAP Action Command Injection Remote Code Execution Vulnerability by HP ZDI April 24th, 2015
SOHOpeless Realtek driver vuln hits Wi-Fi routers by Richard Chirgwin of The Register April 29 2015. This article says the bug is specific to 802.11 a/b/g and 802.11b controllers from Realtek.
Flaw in Realtek SDK for wireless chipsets exposes routers to hacking by Lucian Constantin IDG News Service Apr 29, 2015
A search on WikiDevi found over 350 devices using vulnerable hardware. However, it is not possible to know if the devices used a vulnerable version of the Realtek SDK software. One way to exploit the vulnerability is through the Universal Plug and Play (UPnP) which was designed for LAN use only. Many devices however accept UPnP commands over the Internet. A SHODAN search found 480,000 routers that both respond to UPnP over the Internet and include "Realtek/V1.3" in their response. Another 350,000 devices indicate older Realtek SDK versions. Plus, many devices are, no doubt, doing UPnP on the LAN side only with vulnerable software. As of Jan. 2013 anyone paying attention would have disabled UPnP in their router (see below). Constantin also points out here that "other services running on the router might also use miniigd, opening additional attack vectors." Going from worse to even more worse, Constantin says "However, even if the company [RealTek] is aware of the issue and provided SDK patches to manufacturers, its likely that many affected devices will never be fixed because they are old and no longer supported."
Realtek SDK miniigd : Authentication Bypass - Remote Code Execution D-Link security advisory released April 30, 2015. Fixes are coming (no dates) for 5 D-Link routers.
As of May 15, 2015 the D-Link advisory shows that firmware updates have been issued for 9 of their routers, specifically: DIR-501, DIR-515, DIR-600L, DIR-605L, DIR-615, DIR-619L, DIR-809, DIR-900L and DIR-905L.
Security Notice for Realtek SDK Vulnerability. NVD CVE-2014-8361 from Peplink. Quoting " Peplink has verified and confirmed that none of our products use Realtek SDK's 'miniigd SOAP' service and therefore we are NOT affected by this vulnerability." May 20, 2015
Vulnerability Summary for CVE-2014-8361 from the National Vulnerability Database. May 4, 2015

Three bugs in the Netgear WNR2000v4 router

Untitled report
by endeavor@rainbowsandpwnies.com April 21, 2015
There are three vulnerabilities in the WNR2000v4: Reflected XSS to execute javascript from origin of the http admin interface, Abuse password recovery feature to retrieve auth details and Exploit a command injection vulnerability in setting WEP passwords for code execution on the device. Netgear has confirmed this and says risk is only from the LAN side. They are apparently working on a fix.

twitter.com/rednovae/status/590677374452236288

NCC Service Command Injection flaw in several routers

D-Link/TRENDnet NCC Service Command Injection
by Michael Messner, Peter Adkins and Tiago Caetano Henriques of Packet Storm April 16, 2015
There is a remote command injection vulnerability in several routers. The vulnerability exists in the ncc service, while handling ping commands. Several D-Link and TRENDnet devices are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A) v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03, and TRENDnet TEW-731BR (Rev 2) v2.01b01.

D-Link screws up fixing their bugs

D-Link: sorry we're SOHOpeless
by Richard Chirgwin of The Register April 21, 2015
Quoting: " D-Link's SOHOpeless HNAP vulnerability has not been fixed, but readers will be pleased to know that the company is very, very, very sorry that it exists. The company issued a patch on April 10 for its design-over-substance AC3200 series routers, but that "fix" blew a hole in the device's authentication routines. Tactical Network Solutions' Craig Heffner called out the error, saying that 'this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions ...' " In all, 17 D-Link routers are buggy.

What the Ridiculous Fxxx, D-Link?! by Craig Heffner April 14, 2015. This is the blog posting that showed the world how bad the first bug fix was. Not even close.
D-Link says sorry for shoddy security and sloppy patching of its routers by Mark Wilson of BetaNews April 20 2015
D-Link router patch creates NEW SOHOpeless vuln by Darren Pauli of The Register April 16, 2015
D-Link router user? Keep your ears and eyes open for the next firmware fixes! by Paul Ducklin of Sophos April 21, 2015
D-Link Router HNAP Privilege Escalation - Command Injection the security advisory from D-Link. Created April 10, 2015. Last updated April 22, 2015. UPDATE NOV 9, 2016: This link no longer works. D-Link security advisories are now published at www.dlink.com/uk/en/support/support-news.
D-Link Router : HNAP Privilege Escalation - Command Injection from D-Link about new firmware. Not sure if this is the disgraced first attempt at fixing the bug or not. April 13, 2015

Multiple D-Link devices can be exploited via HNAP

Hacking the D-Link DIR-890L
by Craig Heffner at devttys0.com April 10, 2015
The D-Link DIR-890L is a new top-of-the-line $300 router with every feature a router could possibly have, including a software bug. The flaw is in the validation of HNAP requests. A malicious SOAPAction header can be used to pass arbitrary commands to the router. A telnetd command, for example, can spawn a telnet server that provides an unauthenticated root shell. If remote administration is enabled, the flaw can be exploited remotely. The bug has been confirmed in both the v1.00 and v1.03 firmware. Other D-Link devices are also vulnerable including: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR and TEW-733GR.

D-LINK FAILS AT STRINGS by Eric Evenchick April 14, 2015. Quoting: "System commands are built using HNAP data that is not sanitized. D-Link wanted to allow one specific URL to not require authentication. Seems simple, compare string A to string B and ensure they match. But they used the strstr function. This will return true if string A contains string B. Oops ... So authentication can be bypassed ... and you cant disable HNAP."
D-Link Router : HNAP Privilege Escalation - Command Injection a D-Link technical alert April 13, 2015
DIR-645 - Command Injection - Buffer Overflow a D-Link security advisory. This appears to be the same flaw, discovered by Samuel Huntly. First published: Feb. 13, 2015. Last updated: April 6, 2015. UPDATE NOV. 9, 2016: This link no longer works. D-Link security advisories are now published at www.dlink.com/uk/en/support/support-news.
D-Link Router HNAP Privilege Escalation - Command Injection a D-Link security advisory. April 10, 2015. Fixes are on the way. UPDATE NOV. 9, 2016: This link no longer works. D-Link security advisories are now published at www.dlink.com/uk/en/support/support-news.

Multiple TP-LINK routers leak sensitive files to unauthenticated users

Unauthenticated Local File Disclosure
by Stefan Viehbock of SEC Consult Vulnerability Lab April 10, 2015
The good news here is that TP-LINK responded, when notified of the flaw, and issued updated firmware in a timely manner. Quoting: "Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed." The fix for the flaw was available when the problem was made public. Vulnerable routers were TP-LINK Archer C5, Archer C7, Archer C8, Archer C9, TL-WDR3500, TL-WDR3600, TL-WDR4300, TL-WR740N, TL-WR741ND, TL-WR841N, TL-WR841ND.

Another case of breaking WPS in seconds

Reversing Belkins WPS Pin Algorithm
by Craig Heffner at devttys0.com April 10, 2015
WPS is a security disaster. Given a few hours, any router with WPS enabled can be hacked into. There are so few pin codes that it's just a matter of time (typically 10 hours) to guess them all, assuming the bad guy knows nothing about the WPS pin code. Looking at the firmware, Craig Heffner found that on many Belkin routers, the WPS pin code is derived from the LAN MAC address and the serial number of the router. That could make it reasonably random, but there is a fatal flaw: 802.11 probe response packets include the serial number in the WPS information element. Since WiFi probe request/response packets are not encrypted, a single probe provides all the inputs to the formula that creates the WPS pin code. 24 Belkin routers were tested and 80% of them were using the the algorithm Heffner found in the firmware for their WPS pin code. These routers can now be hacked, via WPS, in seconds: F9K1001v4, F9K1001v5, F9K1002v1, F9K1002v2, F9K1002v5, F9K1103v1, F9K1112v1, F9K1113v1, F9K1105v1, F6D4230-4v2, F6D4230-4v3, F7D2301v1, F7D1301v1, F5D7234-4v3, F5D7234-4v4, F5D7234-4v5, F5D8233-4v1, F5D8233-4v3 and F5D9231-4v1. And, this is not limited to Belkin, it appears to be specific to Arcadyan, an ODM for many companies.

We TOLD you not to use WPS on your Wi-Fi router! We TOLD you not to knit your own crypto! by Paul Ducklin of Sophos April 13, 2015

Arris/Motorola SURFboard SBG6580 Series gateways have 3 flaws

CSRF, Backdoor, and Persistent XSS on ARRIS / Motorola Cable Modems
by Tod Beardsley of Rapid7 April 8, 2015
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary website to take control of the modem, even if the user is not currently logged in. These bugs were discovered by independent security researcher Joe Vennix. Although the article refers to the SURFboard SBG6580 as a "modem" it is, in fact, a gateway device. That is, it combines the functions of both a router and a modem. It also refers only to the "web interface" of the device without differentiating between LAN and WAN side access, so its not clear if the device can be remotely exploited. It seems that all exploits are LAN side. Reading between the lines, it also seems that Arris never responded to the bug reports. The timeline says that they were contacted roughly 2.5 months prior to public disclosure of the flaws and then nothing about their response. The workarounds do not say to upgrade the firmware, so I have to guess that Arris blew the guy off. Keep this in mind the next time you shop for a Arris/Motorola device. The backdoor flaw is a hard coded userid/password for logging in to the device. Userid: technician Password: yZgO8Bvj. Anyone taking my recommendations would have been immune to this attack as it requires knowing the LAN side IP address of the router.

Oh no, Moto! Cable modem has hardcoded technician backdoor by Richard Chirgwin for The Register April 9, 2015
Arris / Motorola Surfboard SBG6580 Web Interface Takeover by joev of metasploit.com. Undated.
R7-2015-01: CSRF, Backdoor, and Persistent XSS on ARRIS / Motorola Cable Modems by todb April 8, 2015.

Bell routers in Canada have guessable WiFi passwords

Bell's Default Password Policy Leaves Tens of Thousand of Users Exposed
by Viktor Stanchev April 6, 2015
The default WiFi passwords, set by Canadian ISP Bell on their gateway devices, are short enough that they can be brute forced in a few days. Reminds me of WPS. The passwords are 8 hex characters. With hashcat and good hardware the password could be brute forced in less than 12 hours. Stanchev used lower end hardware which took him 3 days. This is not the first issue with default WiFi passwords set by an ISP. You should change all default passwords set by your ISP. Better yet, don't use any hardware from an ISP.

Weak SOHO Router Default Passwords Leave Tens-of-Thousands at Risk by Anthony Freed of Norse Corp. April 8, 2015

MARCH 2015

Hotel router rsync flaw - Things do not get much worse than this

Hotel Wi-Fi router security hole: will this be the Ultimate Pwnie Award Winning Bug for 2015?
By Paul Ducklin of Sophos March 30, 2015
This is as bad as a bug can get - simple to exploit and unlimited in what it lets a bad guy do. ANTlabs InnGate devices are routers used by hotels and convention centers to run guest/visitor networks. They have a misconfigured rsync service that lets a bad guy connect to TCP port 873 using rsync and then read and write any file on the device. No password needed. There is no end to the number of bad things an attacker might do. The flaw was discovered by Justin W. Clarke of Cylance Inc. Scanning the Internet, Cylance found 277 InnGate devices in 29 countries. They found vulnerable devices belonging to 8 of the worlds top 10 hotel chains. This is, however, the tip of the iceberg as vulnerable devices behind a firewall can likely be exploited from the hotels local network. A fix was issued by ANTlabs at the time the flaw was made public. The defense here is nothing new: when traveling always use a VPN. Period.

Vulnerability: CVE-2015-0932 by Brian Wallace of Cylance March 26, 2015
Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk by Kim Zetter March 26, 2015
Security Advisory: Rsync remote file system access vulnerability CVE-2015-0932 by ANTlabs March 26, 2015
Vulnerability Note VU#930956 Multiple ANTlabs InnGate models allow unauthenticated read/write to filesystem March 26, 2015

Google Analytics abused to inject ads and porn

Ad-Fraud Malware Hijacks Router DNS - Injects Ads Via Google Analytics
by Sergei Frankoff of Sentrant (previously Ara Labs) March 25, 2015
Yet another account of DNS servers being changed in routers. No details are offered on the routers being targeted or how they are hacked into. The interesting wrinkle here is the targeting of Google Analytics, the most widely used traffic analytics service. Its popularity makes it a perfect target for bad guys. JavaScript is loaded from a malicious website pretending to be Google Analytics and it injects extra ads onto web pages. The rogue DNS server is 91.194.254.105. The tester page of this site lists a couple websites that you can use to see what your current DNS servers are.

Too Many Adverts and Porn pop-ups in your Web Browser? Maybe your Router has been Hijacked by Graham Cluley for TripWire March 26, 2015
New router DNS attack delivers porn and game ads on mainstream websites by Joel Hruska for ExtremeTech March 26, 2015

Vulnerable D-Link DSL routers in the UK

Some UK TalkTalk D-Link DSL-3680 Routers Vulnerable to DNS Hijack
By Mark Jackson of ISPreview March 27, 2015
A couple Talk Talk customers noticed that the DNS servers in their D-Link routers had been changed. The problem affects model DSL-3680 with remote administration enabled. Exploiting the routers is trivially easy, all you need to know is a secret URL and the public IP address of the router. Quoting: "The exploit appears as if it could stem from a vulnerability that we first reported on in January 2015 (here), which affected a number of D-Link routers, although D-Link has been hit by similar exploits over the past few years and so that it is hard to know which one is the actual culprit. On top of that D-Link appears to be of the viewpoint that the 3680 is not vulnerable to such an attack, yet the code used to perform it is almost identical to the one we covered earlier this year."

Multiple bugs in multiple ADSL routers

At least 700K routers given to customers by ISPs can be hacked
By Lucian Constantin IDG News Service March 19, 2015
Quoting: "More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Most of the routers have a "directory traversal" flaw...that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models. Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers ... On some devices, downloading the config.xml file doesn't even require a directory traversal flaw; just knowing the correct URL to its location is enough ... around 60 percent have another flaw, a hidden support account with an easy-to-guess hard-coded password."
These routers were only discovered because they can be attacked remotely. Others may be vulnerable from the LAN side. Among the vulnerable devices are routers from ZTE, D-Link, Sitecom, FiberHome, Planet, Digisol and Observa Telecom. The vast majority of buggy routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics. Attempts to notify the company went unanswered.

Wi-Fi Warning: ISP-Provided Routers Put You at Risk by Paul Wagenseil of Toms Guide March 23, 2015
Masses of Broadband Routers Still Vulnerable to Directory Traversal Hack by Mark Jackson of ISPreview March 20, 2015

D-Link and TRENDnet bugs getting fixed

Security Advisory SAP10052
by D-Link initial: March 2, 2015 updated: March 16, 2015
There are three separate bugs, see the Feb. 2015 section below, the item attributed to Peter Adkins. One flaw allows unauthenticated access from the local network, if remote administration is enabled, then it also allows unauthenticated access remotely. The third bug is a drive-by CSRF. The affected routers are: D-Link DIR-636L, D-Link DIR-808L, D-Link DIR-810L, D-Link DIR-820L, D-Link DIR-826L, D-Link DIR-830L, D-Link DIR-836L and the TRENDnet TEW-731BR. Other models thought to be affected: D-Link DIR-651, TRENDnet TEW-651BR, TRENDnet TEW-652BRP, TRENDnet TEW-711BR, TRENDnet TEW-810DR and the TRENDnet TEW-813DRU.

This seems to be the main documentation on the problems.

Yet another attack on router passwords

Malware Snoops Through Your Home Network
by Kenney Lu of Trend Micro March 9, 2015
New malware, detected as TROJ_VICEPASS.A, pretends to be an Adobe Flash update. When run, it attempts to connect to the router using a pre-defined list of user names and passwords. It does not limit itself to just the default userids and passwords of common routers. The full list is in the article. If the malware can get into the router, it scans the network looking for connected devices, sends this data back to the mother ship and then deletes itself. It does not detect the IP range of the router, instead it scans only 192.168.[0-6]. For each of these 7 networks it only looks for a final digit between 0 and 11. So, as advised elsewhere on this website, using a non-standard range of IP addresses would have foiled this. Also note that better routers let you change both the userid and the password. Less secure routers only let you change the password.

Security in routers stinks - and some reasons why

Broadband routers: SOHOpeless and vendors don't care
by Darren Pauli March 5, 2015
"Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing.". First rule of doing a bad job: say nothing -- The Register received no response from major routers vendors when we asked about the lack of security in their products. One good point made here is that features are a common enemy of security.

FEBRUARY 2015

Routers from multiple companies have a back door

Rogue Router Firmware Chaos Backdoor
by Bijay Limbu Senihang February 22, 2015
Even after changing the router password, you can still login with userid "super" and password "super" to routers from these companies: TrendNet, Digicom, Alpha Network, Pro-Link, Planet Networks, Bless, Realtek, Blue Link and SmartGate. This is exploitable over the Internet as shown in this video.

CSRF flaw in multiple D-Link and TRENDnet routers

D-Link / TRENDnet ncc2 CSRF / Unauthenticated Access
by Peter Adkins February 27, 2015
Multiple D-Link and TRENDnet devices suffer from cross site request forgery and unauthenticated access vulnerabilities. According to Mr. Adkins, who discovered the problem, "... visiting a webpage with a malicious javascript payload embedded is enough for an attacker to gain full access to the device." Ouch. Adkins contacted each company well before going public. TRENDnet was great about this and they have released updated firmware, version 2.02b01. Good for them. D-Link was the exact opposite. Quoting:
"D-Link initially responded on their security contact within a week. However, after I had provided write ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last ditch effort to reestablish contact, however I was linked back to the same security reporting process I had followed initially."
In other words: go away kid, don't bother me.

Remote access vulnerabilities in D-Link routers remain unpatched by Jeremy Kirk of IDG News Service Feb 27, 2015.
D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to Peter Adkins who has been in intermittent contact with D-Link since Jan. 11th. The company has not indicated when it might patch these bugs. The most serious problem is a cross-site request forgery vulnerability (CSRF) that delivers an HTML form using Javascript. The form can access a service running on the router called ncc/ncc2 which appears to handle dynamic requests, such as updating usernames and passwords The problem is that it does not filter out malicious commands.
Original source: D-Link and TRENDnet 'ncc2' service - multiple vulnerabilities by Peter Adkins.
D-Link patches critical router flaws, says more fixes to come by y Lee Munson of Sophos March 4, 2015.

Brazilian attack on default passwords

Spam Uses Default Passwords to Hack Routers
by Brian Krebs February 26, 2015
Security firm Proofpoint has detected malicious emails targeting Brazilian Internet users. The emails appear to come from a Brazilian ISP and the scam has to do with an unpaid bill. The emails exploit known vulnerabilities in routers from UT Starcom and TP-Link to change the DNS servers, a very common thing for bad guys to do. Interesting wrinkle is that instead of providing two malicious DNS servers they only provide one and set Googles public DNS (8.8.8.8) as the secondary.

Phish pharm: Cybercriminals use phishing to exploit router vulnerabilities and carry out man-in-the-middle attacks by Proofpoint

Three Singapore routers vulnerable to multiple flaws

Up to 32,000 could be affected by wireless router vulnerabilities: Security firm
By Kevin Kwang Feb 26, 2015
Security company Vantage Point reports that three routers have "critical vulnerabilities". Zhone routers have three types of flaws: Remote Code Execution, Privilege Escalation and Admin Password Disclosure. An Aztech router is vulnerable to Remote Command Injection. An Asus router is vulnerable to Authentication Bypass and Cross-Site Scripting. There are no known attacks so far. Up to 32,000 subscribers in Singapore may be vulnerable. The most interesting part of the article is a quote from the researcher that discovered the bugs: "There are many routers with many different kinds of firmware on the market. The problem is that when the firmware is developed in-house by the vendor, security is often an afterthought". This supports my recommendation to avoid all consumer class routers.

Original source: SECURITY ALERT: SINGAPORE INTERNET USERS, SECURE YOUR ROUTERS! by Lyon Yang February 24, 2015
The Aztech router can only be exploited from the LAN side. The Asus and Zhone routers can be exploited from the outside (WAN). Fixes are in progress. The article offers Defensive Computing advice.

Netgear routers FTP flaw

Thousands of Netgear routers accessible via FTP by anyone - second issue in a week
by Jan Willem Aldershoff February 24, 2015
Quoting: "Thousands of Netgear routers with Network Attached Storage (NAS) can be freely accessed by anyone without permission of the owner. Netgears WNDR4700 routers run an outdated version of the ProFTPd FTP server which not only allows logging-in anonymously, but also contains a vulnerability that allows an attacker to remotely execute code on the router ... By simply logging in anonymously with a FTP client an attacker (and pretty much anyone who knows how to work with a FTP client) can get full write and read permission."
This is the only article on the topic I have seen. Its not clear whether other Netgear routers are also vulnerable.

Netgear routers SOAP flaw

Netgear routers leak passwords using nothing more than malicious HTTP requests
by Lucian Constantin IDG News Service February 16, 2015
Bad guys can learn the administrator password and wireless passwords along with details of the router such as the model, serial number and firmware version. The flaw can be exploited from the LAN side and, if remote administration is enabled, also from the outside/Internet/WAN. The bug is with validation (or the lack of such) of the SOAP protocol used to communicate with the router. A bad guy just has to send HTTP requests with a blank form and a "SOAPAction" header to exploit the flaw. The vulnerability is confirmed in four Netgear routers and may well exist in other models too. The worst part of this story is trying to contact Netgear:
"Peter Adkins, the researcher who found the flaw, claims that he contacted Netgear but that his attempts to explain the nature of the issue to the companys technical support department failed."
The only defense, for now, is not to use a Netgear router. This confirms my recommendation to avoid consumer routers.

The original source is at seclists.org/fulldisclosure/2015/Feb/56

Duplicate SSH keys in Spain

Tens of thousands of home routers at risk with duplicate SSH keys
by Jeremy Kirk IDG News Service February 19, 2015
Hundreds of thousands of home routers running SSH have identical private and public keys. This comes from John Matherly of the Shodan search engine. In Spain, over 250,000 devices, deployed by Telefonica de Espana, and running the Dropbear SSH software, have the same keys. Another Shodan search found 150,000 devices, mostly in China and Taiwan, with identical keys. It is questionable whether SSH should be running on home router in the first place. Some routers let you turn it off, if yours does, then do so. Disabling remote administration will probably not help here, but the subject did not come up in any of the articles I read.

Duplicate SSH Keys Everywhere by John Matherly February 17, 2015
Shodan boss finds 250,000 routers have common keys by Darren Pauli February 20, 2015
In the UK, thousands of duplicate keys were found on devices from Sky Broadband, TalkTalk and BT Plusnet.

JANUARY 2015

Pirelli routers totally open to hacking

Is Your ISP Making Your Home Network Insecure?
by Christian Cawley at MakeUseOf January 31, 2015
This is as bad as it gets. The administration web pages of Pirelli routers are visible from the Internet and no password is needed to make changes. The routers were supplied by a Spanish ISP which has not responded to the problem. Quoting: " ... security researcher Eduardo Novella discovered that Pirelli P.DGA4001N routers have a rather worrying bug. Its around two years since Novella made the discovery, and in the meantime he has been patiently waiting for something to be done about it. Sadly, its still there. The bug is so simple to exploit that you dont even need to be able to code in order to use it. All you need to do is enter the web-facing IP address of a router, suffix it with wifisetup.html (so something like 111.222.333.444/wifisetup.html) and you can start playing around with the router configuration. "

To test if your router is vulnerable to this problem tell someone outside your location the public IP address of your router. Assume its 1.2.3.4. From outside your location do http://1.2.3.4/wlsecurity.html and http://1.2.3.4/wifisetup.html. For good luck also do http://1.2.3.4. A cellphone with 3G/4G/LTE access counts as an outside location. If the router is safe, then all tests should return nothing but an error message.
Ouch! Home router security "bypass" actually means no security AT ALL by Paul Ducklin on Jan. 15, 2015
Original source: ednolo.alumnos.upv.es/papers/advisories/CVE-2015-0554_pirelli.txt

Bug in ZynOS used by D-Link, TP-Link and ZTE

DNS hijacking vulnerability affects D-Link DSL router, possibly other devices
by Lucian Constantin January 27, 2015
Todor Donev, member of a Bulgarian security firm called Ethical Hacker says that a flaw in ZynOS can lead to an ever-popular DNS hijack in a router. He confirmed the flaw in a DSL router from D-Link but vulnerability is actually in ZynOS, a router firmware developed by ZyXEL Communications that is used by multiple vendors, including D-Link, TP-Link Technologies and ZTE. Vulnerable devices can be hacked remotely if remote administration is enabled. They can also be hacked from the LAN side. There were no fixes offered when this became public. None of the articles mentioned a way to test if a router is vulnerable.

DNS Hijack in D-Link Routers, No Authentication Required by Brian Donohue February 2, 2015
Quoting: "Donev told Threatpost in an email interview that some other D-Link devices are affected as well, but that he lacks the resources to perform an exhaustive test of all potentially affected devices." In other words, exactly which router models are at risk is unknown.
D-Link routers vulnerable to DNS hijacking by Lee Munson on February 4, 2015
New claim: D-Link router exposes unprotected config controls to web - DNS hijackers, ahoy! by John Leyden of The Register Feb. 2, 2015. On vulnerable routers, this command changes the DNS servers
http://x.x.x.x/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=a.a.a.a

Hacked Routers used in Denial of Service Attacks

Lizard Stresser Runs on Hacked Home Routers by Brian Krebs January 9, 2015
Quoting: "The online attack service launched late last year by the same criminals who knocked Sony and Microsofts gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers... " New terminology (at least to me): a website offering DDOS as a service is known as a "booter" or "stresser" site.

Asus infosvr vulnerability

Got an Asus router? Someone on your network can probably hack it
by Dan Goodin of ArsTechnica January 8, 2015
Anyone connected to your LAN can gain control of an Asus router simply by sending a single packet to the router. Ouch. The bug is in virtually all versions of the firmware. The vulnerable software is the infosvr service which listens for connections on UDP port 9999 on the LAN side. The bug lets an unauthenticated LAN side user execute commands in the router as the root user. This is not exploitable from the WAN side of the router. Infosvr runs as root and is used for device discovery using the "ASUS Wireless Router Device Discovery Utility ". Many of us could live without this service. Joshua Drake, research director at Accuvant first publicized the flaw. He suggests updating to firmware version 3.0.0.4.376.3754 or later. It's not clear if firewalling the port is a valid work-around.

Exploit allows Asus routers to be hacked from local network by Lucian Constantin of IDG January 9, 2015
ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution by Friedrich Postelstorfer Jan. 4, 2015
Quoting: "Affected devices may also include wireless repeaters and other networking products, especially the ones which have 'Device Discovery' in their features".
SECURITY: LAN-side security hole - mitigation by RMerlin Jan. 6, 2015. Quoting: "There's currently a security hole in all known versions of Asuswrt and Asuswrt-Merlin that can allow a LAN user to execute a command on the router without requiring authentication ... Asus resolved the issue with firmware updates released on January 12th for all models ... If you are running my firmware, please install 376.49_5, which has the vulnerable feature of infosvr disabled".

Two vulnerabilities in routers from an Algerian ISP

A vulnerability and a hidden admin account all inside SITEL DS114-W routers !
by Nasro January 4, 2015
The routers have a session management vulnerability. When someone logs in to the router multiple sessions are initialized giving an attacker access to the router, without knowing the password, with a simple brute force attack. Also, the routers are shipped with a backdoor account. This was found in a configuration file. The routers are provided by Algerian ISP "Djaweb". The vendor was notified but did not respond.

Bugs from 2015 have been viewed 17,640 times
(7/day over 2,545 days)