Many ISP Issued Routers can Pose Security Risk, Studies Say

Hey guys,

It’s been quite a few months since I have written a blog on here.

Anyhow, on to the topic for this blog. I recently read an article from PC World about a study on the security of residential routers issued by internet service providers.

Here is basically how it works: there are numerous specially built servers that manage all the routers provided by the ISP. So someone who gains access to those servers could potentially compromise millions of routers, typically routers on home networks.

TR-069 is the primary protocol used for this; it is most often used to assist with remote troubleshooting and configuration of each router.

Referring to statistics from 2011, there are 147 (probably a lot more than that 3 years later) routers with TR-069 enabled, approximately 70% of them gateways. Analysis of the IPv4 address space indicates that TR-069 runs on port 7547; note that it is the second most commonly encountered port after HTTP (port 80).

TR-069-enabled routers connect to Auto Configuration Servers (ACS), which are operated by the ISPs. The ACS is designed to configure the routers, monitor for faults and malicious activity, perform diagnostics and update the firmware in the background.

Many consumers don’t even know that the ISPs have this type of control over their routers. Many firmwares don’t display the TR-069 page in the router’s web configuration interface, nor is there an option to disable it.

Here is where the weakness of TR-069 comes in. If a person attacks an ACS, that attacker can obtain a lot of information such as:

  • Wireless Network Names
  • MAC Addresses
  • VoIP Credentials
  • Administrator Usernames and Passwords

Even worse, the attacker can reconfigure the router to use a rogue DNS server, which would allow him/her to redirect internet traffic, set up hidden wireless networks and/or remove the password from your network. To top it off, the attacker can install custom-written firmware that contains malware and/or a backdoor.

Tests conducted by Shahar Tal and some of his colleagues found that roughly 80% of real-world deployments aren’t even encrypted. The TR-069 specs strongly recommend that HTTPS be implemented. Even then there is still a concern: there is equipment that accepts self-signed certificates from an ACS. The reason this is a concern is clear: what would happen if one of the ACSs got compromised? Simple, the attacker could and would impersonate an ACS.
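The two weaknesses above (management sessions in the clear, and sessions to an ACS that is not the ISP's own) are the kind of thing a router-side session log would reveal if you had one. The following is an added example, not code from the original post or from the study it describes: it audits a few constructed CWMP session log lines (the log format, the timestamps, the host `acs.isp.example` and the allowlist `KNOWN_ACS_HOSTS` are all assumptions for the demonstration) and flags plaintext sessions, sessions to an unknown ACS host, and sessions where certificate validation failed.

```python
"""Added example (not from the original post): audit constructed CWMP
session log lines for the TR-069 weaknesses the post describes,
plaintext ACS sessions and sessions to an ACS other than the ISP's
known one (the rogue-ACS impersonation case). The log format is invented."""
from urllib.parse import urlparse

# Constructed sample lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2014-08-20T10:01:02Z cwmp session start acs=https://acs.isp.example:7547/cwmp result=ok
2014-08-20T10:15:44Z cwmp session start acs=http://acs.isp.example:7547/cwmp result=ok
2014-08-20T11:02:10Z cwmp session start acs=https://198.51.100.23:7547/cwmp result=ok
2014-08-20T11:30:00Z cwmp session start acs=https://acs.isp.example:7547/cwmp result=tls_error
"""

# Hypothetical allowlist: the ACS host(s) the ISP actually operates.
KNOWN_ACS_HOSTS = {"acs.isp.example"}


def parse_line(line):
    """Return (timestamp, acs_url, result) or None for lines that don't match."""
    fields = line.split()
    if len(fields) < 6 or fields[1] != "cwmp":
        return None
    kv = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
    if "acs" not in kv:
        return None
    return fields[0], kv["acs"], kv.get("result", "")


def audit_session(acs_url, known_hosts=KNOWN_ACS_HOSTS):
    """Return a list of findings for one ACS URL."""
    findings = []
    u = urlparse(acs_url)
    if u.scheme != "https":
        findings.append("plaintext")    # management traffic not under TLS
    if u.hostname not in known_hosts:
        findings.append("unknown_acs")  # not the ISP's ACS: possible impersonation
    return findings


def audit_log(text, known_hosts=KNOWN_ACS_HOSTS):
    """Return [(timestamp, acs_url, findings)] for every session line with a finding."""
    out = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, url, result = parsed
        findings = audit_session(url, known_hosts)
        if result == "tls_error":
            # The certificate failed validation; a device must not fall back
            # to accepting it, and the event itself is worth surfacing.
            findings.append("tls_error")
        if findings:
            out.append((ts, url, findings))
    return out


if __name__ == "__main__":
    for ts, url, findings in audit_log(SAMPLE_LOG):
        print(ts, url, ",".join(findings))
```

The first sample line (HTTPS to the known host, successful validation) produces no finding; the other three each produce one. In practice the allowlist would come from the ISP's provisioning data rather than a hard-coded set.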

The TR-069 protocol also authenticates the device to the ACS; however, that key can easily be captured because it is shared across all devices.
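The fix for a shared key is a distinct secret per device, derived so that the ACS never has to store one secret per router and a secret captured from one router authenticates nothing else. The following is an added example, not code from the original post, the study, or the TR-069 specification: it derives a per-device secret with HMAC-SHA256 from a master secret held only by the ACS, keyed on a device identity (OUI plus serial number, which is an assumption about what the ACS uses to identify a device), and shows that device A's secret does not verify as device B.

```python
"""Added example (not from the original post or the TR-069 spec): derive a
distinct ACS authentication secret per device from one provisioning master
secret, so a key captured from one router is useless for any other.
HMAC-SHA256 is used as the key derivation function; identifying a device
by OUI + serial number is an assumption for this example."""
import hashlib
import hmac
import secrets


def derive_device_secret(master_secret: bytes, oui: str, serial: str) -> str:
    """Per-device secret = HMAC(master, "tr069-acs-auth|OUI|SERIAL"), hex encoded.
    Only the ACS holds master_secret; each device is provisioned with its own output."""
    info = f"tr069-acs-auth|{oui}|{serial}".encode()
    return hmac.new(master_secret, info, hashlib.sha256).hexdigest()


def verify_device(master_secret: bytes, oui: str, serial: str, presented: str) -> bool:
    """ACS-side check: recompute the expected secret and compare in constant time."""
    expected = derive_device_secret(master_secret, oui, serial)
    return hmac.compare_digest(expected, presented)


def demo():
    """Return (secrets differ, device A verifies, A's secret rejected as device B)."""
    master = secrets.token_bytes(32)  # generated at runtime; never shipped to devices
    # Constructed device identities for the demonstration.
    dev_a = ("001122", "SN000001")
    dev_b = ("001122", "SN000002")
    cred_a = derive_device_secret(master, *dev_a)
    cred_b = derive_device_secret(master, *dev_b)
    a_ok = verify_device(master, *dev_a, cred_a)       # device A with its own secret
    b_with_a = verify_device(master, *dev_b, cred_a)   # captured secret replayed as B
    return cred_a != cred_b, a_ok, b_with_a


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The per-device secret still has to travel over an encrypted, certificate-validated session; deriving it only limits the blast radius of one captured device, it does not replace HTTPS.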

Tal and his colleagues continued their research, this time testing several ACS software packages that the ISPs are using. They found a highly critical vulnerability: a remote code execution flaw that would allow an attacker to hijack management servers that are exposed on the internet. GenieACS had two of those vulnerabilities, and there was another software package that was not named; Tal had permission from that ISP to conduct the test, and they discovered that this one security hole could allow the takeover of 500,000 or more devices.

The problem here is that consumers don’t have the option to shut off the TR-069 protocol unless they find a way to get root access to their routers. One suggestion was that the consumer could hook up a second router behind the ISP router. However, that won’t negate all the risks.

TR-069 is designed to run over a wide area network connection. Tal recommended that ISPs restrict access to these servers by putting them on separate network segments; he also recommended that ACS software vendors adopt more secure coding practices and run security tests alongside development.

Tal and his colleagues stated that they have reached a checkpoint in the server-side investigation and will be conducting tests on the device side.

Attacks have gone up significantly within the past year; attackers have been finding different ways to access devices.

My tip would be to ditch the router your ISP issued you and get your own modem and router. That will make your network much more secure. I’m thinking about starting a petition asking ACS developers and ISPs to implement more security measures to keep our information secure.

Thanks for reading!

Source: Click Here

Good to have you back, filling in our void.

Not a problem. Going to be a little more difficult seeing I've been working and now expecting. But, I'll do my best to keep the blogs coming. How well did I write this one out btw?

seriously ... you don't look pregnant ...

I read about this a while back. Kind of a scary thought; good thing I have a custom Linux box running as my router. I am curious about the modems though.

LOL! I was referring to my GF, who is pregnant.

I'm wondering about the same thing with the modems.

Well written as usual bro.

Since I have FiOS with TV, I MUST use their router or I can't get TV. I thought that violated antitrust laws.

My guess would be the routers that were manufactured for the ISP's. Like UBEE for Time Warner.

My question is, how does it affect the cable modems?

I think Comcast manufactures their own routers. I got the answer to my question, and this flaw also affects cable modems.

Most of the customers who this affects are not network literate enough to have the capability to properly install what I'm going to call aftermarket network tools such as modems and routers.  Scary.  I'd probably have trouble myself finding a compatible modem without help from the ISP tech support.  Most of your support guys aren't going to give you the time of day if you go with an aftermarket modem anyway.  But I'm willing to try.  Nice write up btw.

I would say any on this list that they provide for you ... 

http://mydeviceinfo.comcast.net/

With Comcast ... if it is on their list of approved devices ... they do let you use your own (even if you flash it with dd-wrt). But I am not positive this fixes all issues (could be something nefarious on a chip maybe?)

The more boxes that are checked and more stars the better ...

http://mydeviceinfo.comcast.net/