Skip to main content

Security of Hong Kong Home Routers

Release Date: 29 May 2015 2266 Views

HKCERT published a security blog article "Some Home Routers in Hong Kong prone to security issues" in March 2015. This article aroused broad attention and we solicited some comments from the IT industry. We have enhanced the data collection methodology, with a more objective way to select brands of routers and a more precise filtering, to ensure the results reflecting more the reality.

 

HKCERT conducted a second study on 18 May, 2015 (after the three months of first study) using the new methodology, and to analyze the same three areas:

  1. Commonly used Home Routers in Hong Kong that can be discovered by scanning,
  2. Discovered Home Routers with remote management service opened, and
  3. Discovered Home Routers with file transfer service opened.

Due to the use of a different method to collect data, the first area of analysis cannot be directly compared with the previous study. The second and third areas of analysis which are not directly associated with data collection methods, can be compared with the previous study.

 

1. Commonly used Home Routers in Hong Kong than can be discovered by scanning

 

We chose ten Hong Kong common home routers brands and one open source firmware, DD-WRT. The following result was obtained:

 Brand Number of routers found
 Linksys 7,826
 Asus 6,103
 DD-WRT 2,935
 TP-Link 1,817
 Buffalo 1,320
 LevelOne 778
 D-Link 532
 Netgear 502
 TOTOLink 224
 ZyXEL 201
 Tenda 23
 Total 22,261

 

The result was similar -- Linksys, Asus and DD-WRT were the first three brands, but with Asus rising to the second place, and DD-WRT dropped to the third place.

 

2. Discovered Home Routers with remote management service opened

 

It was found that some routers had TCP 22 (SSH) port opened (SSH is usually used for remote management) amongst the 22,261 routers.

 SSH service Number Percentage Percentage of
 previous study
 Closed 15,649 70% 74%
 Open 6,612 30% 26%
 Total number of router 22,261 100% 100%

 

The figure obtained in this study is close to the previous study. The percentage of closed SSH service slightly decreased by 4% (from 74% to 70%), and opened SSH service rose to 30%.

 

Because SSH requires username and password to login, hackers can use brute-force attack to attempt to get an administrator account access. Once successful, he can modify the settings of and install additional tools on the router. Then he can use the router to launch network attacks or steal personal information.

 

In fact, the official firmware of most home routers does not provide SSH service. Why were there a lot of SSH services discovered? We estimated that these routers probably have  the firmware replaced by open source DD-WRT. Some DD-WRT firmware versions might have TCP 23 (Telnet) or TCP 22 (SSH) open by default.

 

3. Discovered Home Routers with file transfer service opened

 

It was found that some routers had TCP 21 (FTP) port opened (FTP is usually used for file transfer service) amongst the 22,261 routers.

 FTP service Number Percentage Percentage of
 previous study
 Closed 20,440 92% 89%
 Open 1,821 8% 11%
 Total number of router 22,261 100% 100%

The result was close to the last study, with a difference of 3%.

 

Because FTP requires only username and password to login, hackers can use brute-force password attack on the router. If successful, the hacker can place any files in the router, including malware and botnets configure file.

 

So of these services might be still using the out-of-box passwords, so hackers could hack it without much efforts.

 

4. Recommendations

Security of home routers is often overlooked. Majority of the users leave them on after first installation without ongoing management. Over time, the problem might appear. HKCERT advises home user to pay attention to the following points:

  1. Change the router default password and factory settings to a more secure one.
  2. Please check the manufacturer for firmware update and update router regularly.
  3. Unless it is definitely required, do not expose the management page or any remote management services to the Internet.
  4. Turn off all unusual or unnecessary services (such as file transfer, virtual private networks, web server, etc.).
  5. If the manufacturer has stopped support for the router model, you should consider replacing with models that has continuous support.
  6. Please do not convert to open source firmware, unless you possess the knowledge to manage it.

 If you interest the first analysis result (Data collection date on 13 February , 2015), you can access the following link:

/my_url/en/blog/15032502