Skip to main content

Some Home routers in Hong Kong prone to security issues

Release Date: 25 Mar 2015 2735 Views

 

Using the Shodan Internet services search engine to analyze home router problem in Hong Kong, HKCERT found a large number of home routers can be scanned out, 26% with the secure shell service opened, 21% with the file transfer service opened. These opened services provided hackers opportunities and deserve our attention.

  1. What is the problem?
    With the rapid development of the Internet, each home or small office is equipped with one or more pieces of Customer Premise Equipment (CPE). Hackers are well aware of this development, and have already been targeting these devices. Their objective is to control the device to either steal sensitive information of the device owner, or using the device to launch attacks against other targets.

  2. What is Customer Premise Equipment (CPE)?
    Customer Premise Equipment is the user side device used to connect the service provider network. In home environment, CPEs include network modems provided by Internet service providers, set-top box or TV box provided and user owned broadband routers. These devices are usually powered on around the clock and left unattended.

  3. Why we care about the home router?
    Home wireless routers are now the most popular customer premise equipments. They are found everywhere at home, in small offices, coffee shop, convenience stores, shopping centers and telephone booth to provide Wi-Fi Internet service.

  4. Result of the Study
    We use the Shodan Internet services search engine (URL: www.shodan.io) to search for commonly used home router in Hong Kong. The following result was obtained on 13 February 2015:

     Brand Number of routers found
     Linksys 29,722
     DD-WRT 6,755
     Asus 4,320
     Netgear 730
     D-link 708
     ZyXEL 697
     DrayTek 327
     Pci 101
     Total 43,360


    From the Shodan database, we could find 43,360 routers within Hong Kong that can be mapped out via scanning. Most of them are using Linksys (29,722) and Asus(4,320). Some users replaced the router firmware with the open source DD-WRT firmware (6,755). In these routers a variety of services were provided and could be fingerprinted. Hackers might attempt to exploit the security vulnerabilities of these routers using the brand and model information.


    We further search for routers with TCP 22 (SSH) port opened (SSH is usually used for remote management) amongst the 43,360 routers and obtain the following result:

     SSH service Number Percentage
     Closed 32,009 74%
     Open 11,351 26%
     Total number of router 43,360 100%


    Because SSH requires username and password to login, hackers can use brute-force attack to attempt to get an administrator account access. Once successful, he can modify the settings of and install additional tools on the router. Then he can use the router to launch network attacks or steal personal information.


    In fact, the official firmware of most home routers does not provide SSH service. Why were there a lot of SSH services discovered? In the 11,351 routers, 96% is of Linksys brand. We estimated that these Linksys routers have firmware replaced by open source DD-WRT. Some DD-WRT firmware versions might have TCP 23 (Telnet) or TCP 22 (SSH) open by default.


    We also research the number of routers with TCP 21 (FTP) port opened for file transfer service and obtained the following results:

     FTP service Number Percentage
     Closed 38,562 89%
     Open 4,798 11%
     Total number of router 43,360 100%


    Because FTP requires only  username and password to login, hackers can use brute-force password attack on the router. If successful, the hacker can place any files in the router, including malware and botnets configure file.


    So of these services might be still using the out-of-box passwords, so hackers could hack it without much efforts.

  5. Recommendations
    Security of home routers is often overlooked. Majority of the users leave them on after first installation without ongoing management. Over time, the problem might appear. HKCERT advises home user to pay attention to the following points:
    • Change the router default password and factory settings to a more secure one.
    • Please check the manufacturer for firmware update and update router regularly.
    • Unless it is definitely required, do not expose the management page or any remote management services to the Internet.
    • Turn off all unusual or unnecessary services (such as file transfer, virtual private networks, web server, etc.).
    • If the manufacturer has stopped support for the router model, you should consider replacing with models that has continuous support.
    • Please do not convert to open source organization provided firmware, unless you possess the knowledge to manage it.

Is there anything more serious than this?

Besides the potential security risks of open services exposed on home router, vulnerability is an issue that deserves more attention. In the Blackhat 2014 conference, security researcher showed that in the year 2013/2014, there were 27 remote attack vulnerabilities on CPE. The situation is not optimistic. In a coming blog article HKCERT will analyze the related problem in Hong Kong. Please stay tuned.

 

*Shodan data to 13 February 2015