Revisiting SOHO Router Attacks

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 20, 2015, 11:50 a.m. (50 minutes)

Domestic routers have lately been targeted by cybercrime due to the huge number of well-known vulnerabilities that compromise their security. The purpose of this paper is to appraise SOHO router security by auditing a sample of these devices and to research innovative attack vectors. More than 60 previously undisclosed security vulnerabilities have been discovered across 22 popular home routers, meaning that manufacturers and Internet Service Providers still have much work to do on securing these devices. A wide variety of attacks could be carried out by exploiting the different types of vulnerabilities discovered during this research.

Outline of the talk:

1. Introduction. Brief explanation of the main goals of our research.
2. State of the art. Current progress in router security, including previous investigations, cybercrime exploitation and manufacturers' response to previously disclosed vulnerabilities.
3. Common security problems.
   a. Routers provide too many pointless services, which greatly increase the attack surface.
   b. Routers still make use of default public credentials. This eases the attacks.
4. Security flaws. Main part of the presentation, in which the discovered security problems are explained, including the following live demos:
   a. DNS hijacking by exploiting a Cross-Site Request Forgery vulnerability.
   b. Infecting a browser by exploiting an unauthenticated XSS vulnerability through sending a DHCP Request PDU.
   c. Bypassing authentication in order to download the whole router filesystem (including passwd and configuration files) by exploiting an SMB misconfiguration vulnerability.
   d. Causing a persistent DoS / restoring the router to default settings without requiring any authentication process.
5. Developed tools.
6. Mitigations. Security advice for both customers and manufacturers.
7. Results. Graphical explanation of the audit report.
8. Conclusion. Has SOHO router security improved over the last couple of years?


  • Jose Antonio Rodriguez Garcia - Independent Researchers
    José Antonio Rodríguez García was born in Salamanca, Spain. He received his BSc degree in computer engineering from Universidad de Salamanca and his MSc degree in ICT security from Universidad Europea de Madrid. Mr. Rodríguez is an independent researcher, who developed an expertise in computer hardware and performance benchmarking. He has published several articles and his own hardware monitoring tool, which gained great acceptance in the enthusiast community.
  • Ivan Sanz de Castro - Independent Researchers
    Iván Sanz de Castro was born in Madrid, Spain. He received his BSc degree in telecommunications engineering from Universidad de Alcalá and his MSc degree in ICT security from Universidad Europea de Madrid. Mr. Sanz has taken part in several security projects for multinational enterprises in recent years. He is currently working in the Ethical Hacking department at a Spanish security company.
  • Álvaro Folgado Rueda - Independent Researchers
    Álvaro Folgado Rueda was born in Seville, Spain. He received his BSc degree in computer engineering from Universidad de Sevilla and his MSc degree in ICT security from Universidad Europea de Madrid. Mr. Folgado is an independent researcher focusing on Ethical Hacking and Vulnerability research.

