ISPs have shipped at least 700,000 ADSL routers to subscribers that are exposed to anyone on the Internet who wants to take control of the device and, from there, of the computers behind it.
A large number of those routers share a directory traversal flaw in a web component called webproc.cgi. The flaw lets a remote attacker read files from the device, including some of the most sensitive data it holds. The number of affected routers is large and the number of victims is likely to be larger still, but there are ways to avoid the trouble. The flaw is not new: researchers have been finding it in various router models since 2011.
Kyle Lovett, a security researcher, found the flaw some months ago in ADSL routers he was analysing in his free time. At the same time he was investigating many other devices, from different manufacturers, that turned out to be vulnerable. Although the hardware came from different manufacturers, it had all reached customers through the same channel: the ISPs.
These devices were sold to Internet subscribers in many countries. The worst part is that the vulnerable component can be used to read a file called config.xml, which most of these routers keep and which holds every configuration setting. That includes the administrator password for the router's own management interface, the credentials for the network the owner connected it to, the username and password for the ISP account, and the client and server credentials for TR-069, the protocol the ISP uses to manage the router remotely.
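The directory traversal pattern the article describes, as an added example (this is illustrative Python, not the firmware's own webproc.cgi code, and the web root, file layout and config.xml contents are constructed here). A naive "get page" handler that joins the request parameter onto the web root is shown beside the hardened form that resolves the final path and refuses anything outside the root:

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sample data (hypothetical layout, not a real firmware image):
# a web root inside a temporary directory, with config.xml one level above
# it holding credentials in the clear, as the article says real routers do.
ROOT = Path(tempfile.mkdtemp())
WEBROOT = ROOT / "www"
WEBROOT.mkdir()
(WEBROOT / "index.html").write_text("<html>router admin</html>")
(ROOT / "config.xml").write_text(
    "<config>"
    "<admin user='admin' password='s3cret'/>"
    "<tr069 acs_user='acs' acs_password='acs-pass'/>"
    "</config>"
)


def get_page_vulnerable(page: str) -> str:
    """Naive CGI-style handler: the decoded 'page' parameter is joined
    onto the web root with no validation, so '../' walks out of it and
    an absolute path replaces the web root entirely."""
    path = WEBROOT / unquote(page)
    return path.read_text()


def get_page_hardened(page: str) -> str:
    """Same handler with the missing check: decode, resolve the final
    path (this follows '..' and symlinks) and refuse anything that does
    not stay inside the web root."""
    base = WEBROOT.resolve()
    target = (base / unquote(page)).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes web root: {page!r}")
    if not target.is_file():
        raise FileNotFoundError(page)
    return target.read_text()


def is_blocked(page: str) -> bool:
    """True when the hardened handler refuses the request as traversal."""
    try:
        get_page_hardened(page)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", get_page_vulnerable("../config.xml"))
    print("hardened index page:", get_page_hardened("index.html"))
    for probe in ("../config.xml", "..%2fconfig.xml", "/etc/hostname"):
        print(f"hardened handler blocks {probe!r}:", is_blocked(probe))
```

The check has to run on the fully decoded, fully resolved path: a filter that only looks for the literal string "../" in the raw parameter misses URL-encoded variants and absolute paths, which is why the hardened version decodes first and compares resolved paths rather than strings.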
According to Lovett, the algorithm these routers use to protect the stored credentials is very weak, which makes taking full control easy: the attacker simply logs in as the legitimate administrator and changes the router's settings. DNS hijacking against routers, also known as "router pharming", is therefore one of the most common attacks; once the router's DNS servers are replaced, every device behind it is silently directed to hosts the attacker controls.
The flaws are not the same on every device. About 60% of the routers have a hidden support account with a very weak password, and some have a backdoor account. Slightly less than half allow an attacker to take snapshots of the device's active memory, which is serious because that memory can hold personal information.
Researchers found that the routers had already been compromised by attackers who harvested whatever they wanted; most of the attacking IP addresses were located in China. Lovett located the vulnerable routers by scanning and with the help of SHODAN, a search engine for Internet-connected devices.
The findings, most of them Lovett's, were presented at a security conference in the U.K. on vulnerable SOHO devices: routers, storage appliances and other equipment. Researchers said there that over 25 million SOHO devices are exposed to the dangers described above because of broken credentials and other vulnerabilities.
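For an operator who wants to know whether its own routers are being probed for the webproc.cgi traversal, an added detection example (this code is not from the article or the researcher; the access-log lines below are constructed for the demonstration and use a common web access-log layout). It decodes each request target, looks for ".." path components aimed at webproc.cgi, and reports the source address together with whether the request returned a 200, i.e. whether the device served something:

```python
import re
from urllib.parse import unquote

# Constructed sample log (hypothetical addresses from the documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:13:01:22 +0000] "GET /cgi-bin/webproc.cgi?page=index.html HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2015:13:01:40 +0000] "GET /cgi-bin/webproc.cgi?page=../../../config.xml HTTP/1.1" 200 4096
198.51.100.9 - - [10/Mar/2015:13:01:41 +0000] "GET /cgi-bin/webproc.cgi?page=..%2f..%2f..%2fconfig.xml HTTP/1.1" 200 4096
192.0.2.5 - - [10/Mar/2015:13:02:03 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
192.0.2.5 - - [10/Mar/2015:13:02:10 +0000] "POST /cgi-bin/webproc.cgi HTTP/1.1" 200 128
"""

# One access-log line: client IP, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A '..' path component preceded by a separator or a query delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')


def decode_target(target: str) -> str:
    """Percent-decode until the string stops changing (catches double
    encoding such as %252e%252e%252f) and fold backslashes to slashes."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal_attempt(target: str) -> bool:
    """True for a request to webproc.cgi whose decoded target contains
    a '..' component."""
    decoded = decode_target(target)
    return "webproc.cgi" in decoded.lower() and TRAVERSAL_RE.search(decoded) is not None


def analyse(log_text: str) -> list:
    """Return one finding per traversal attempt: source IP, timestamp,
    decoded target, and whether the device answered 200 (served a body)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_traversal_attempt(m["target"]):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": decode_target(m["target"]),
            "served": m["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f'{f["ip"]} {f["ts"]} {flag} {f["target"]}')
```

A 200 with a body size matching config.xml on a traversal request is the signal that the file was actually disclosed; a practitioner would follow that with the response the article implies, rotating the administrator, ISP and TR-069 credentials stored in that file and checking whether the DNS settings were changed.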
Ali Qamar is an Internet security research enthusiast who enjoys "deep" research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares his knowledge for a living. He is passionate about sharing knowledge with people, and always tries to give only the best. Follow Ali on Twitter @AliQammar57
(Security Affairs – router, hacking)