Home and small office routers are critical to the security of the small networks connected through broadband and yet until quite recently they were barely talked about as a possible security vulnerability. Beyond telling people to use Wi-Fi encryption they were ignored.
Turns out, there’s a lot more to it than that. Meanwhile, the number of attacks is growing. There’s now plenty of router security advice out there, not all of it easy to follow for the non-expert. We talked to Craig Young of Tripwire to try and disentangle not only the best advice but the thinking behind it. If it’s true you should turn off vulnerable services on your router to stop remote hacking are there any downsides in doing this?
All advice below is accessed through the management interface on any home router (usually by typing 192.168.1.0 in the web browser address bar) although the way individual settings are modified will vary by make and model. Tripwire's State of Security blog can be found here.
Techworld: So what is the core problem with home routers and their security?
Craig Young: SOHO router security is a problem of enormous proportions with the potential to wreak havoc on the Internet as we know it. According to the US Census Bureau, in 2013 73.4 percent of households reported that they have a high-speed connection. Our research has revealed that four out of five top-selling home routers are vulnerable to attack with nearly half of them being exploitable with publicly available reports. My napkin math would indicate that 25-30 percent of US households use routers vulnerable to known/published exploits - far more households are using routers with easily discovered flaws. The cumulative bandwidth of all these vulnerable devices could be harnessed to create a devastating DDoS attack against any target. Some threat actors such as Lizard Squad have already begun selling DDoS services using bandwidth from hijacked home routers.
Techworld: You recommend disabling remote management over the Internet. This used to be enabled by default on many home routers but more recent routers reverse that setting – these days it has to be turned on rather than turned off.
Craig Young: Yes, in general remote management is not enabled by default on many current generation SOHO routers. For as long as I have been working with router vendors and evangelising about router security, I have observed a common line of thinking that only someone on the local network can target HTTP based router vulnerabilities unless remote management has been enabled. This is a big misconception as cross-site attack vectors can be leveraged through phishing campaigns, malvertising, or other social engineering techniques.
Techworld: Do you think it’s worth turning off UPnP support too?
Craig Young: UPnP is one of the many features I would turn off. Not only have popular UPnP libraries been shown to have numerous critical security failings, but also at its core Universal Plug and Play is a technology for gaining convenience at the expense of security. Personally I think the idea of letting unauthenticated software or devices poke holes in the perimeter firewall is ludicrous.
Techworld: People are told not to use the default IP ranges such as 192.168.1.1. There’s a lot of confusion about private address ranges beyond this range. You recommend using 10.9.8.7 or suchlike to defend against Cross-Site Request Forgery (CSRF) attacks, but why is this so effective and are there any downsides for an SME or home user?
Craig Young: Private ranges are defined by the IETF in the 1996 publication of RFC1918. This document specifies three Internet address ranges that will not be routed over the Internet so that they may be reserved for private IPv4 networks such as home LANs. The biggest chunk of reserved addresses has the 10/8 prefix meaning that any of the more than 16 million addresses starting ’10.’ may be used for a private network. All told there are nearly 18 million addresses available for private networks but only 4 or 5 tend to be used as default addresses for SOHO routers.
Cross-site request forgery (CSRF – ‘see-surf’) is an attack in which the victim’s web browser is abused to connect to services that are not exposed to the attacker either due to authentication or firewalling. Traditionally CSRF is used to leverage the trust relationship between a web browser and a web application. This generally means that the victim must be logged into the vulnerable application while accessing malicious content. I have found however that several very popular routers contain authentication weakness issues making it possible to use CSRF to manipulate router settings or achieve code execution through simple web requests that can be sent from any system connected to the local network.
In both cases attackers must know or correctly guess an address for the router. With default router settings it is trivial for an attacking site to identify the router address. This is because SOHO router vendors use only four or five of the nearly 18 million available private addresses. Using one of these default addresses (e.g. 192.168.0.1, 192.168.1.1, 192.168.2.1, 10.0.0.1, etc.) drastically reduces the amount of guesswork needed for a CSRF attack to succeed.
Unfortunately some router vendors go even further in facilitating CSRF by having a hardcoded DNS entry for all routers from that brand. (e.g. routerlogin.net, tplinklogin.net, dlinkrouter.local, etc). Even with a non-standard IP address, these hostnames may still be useful for a CSRF attack. It is possible however to avoid this hostname-based CSRF through configuration changes to devices on the network. Basically the idea is to add a host record to any local computers so that they will never send a DNS request for the router’s hardcoded hostname (most operating systems have a ‘hosts’ file or something similar allowing hostname lookup to be performed locally rather than from DNS).
In my view, there is little downside for home users to change the IP scheme on their router. The only concern would be if the device owner needs to access the router interface but cannot remember its new IP. This is entirely avoided by writing down the router IP or resolved by viewing the network settings of any device on the network.
Next section: Encryption