More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them.
Most of the routers have a "directory traversal" flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models.
Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs to Internet subscribers in a dozen countries.
The directory traversal vulnerability can be used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings.
The file also contains the password hashes for the administrator and other accounts on the device; the username and password for the user's ISP connection (PPPoE); the client and server credentials for the TR-069 remote management protocol used by some ISPs; and the password for the configured wireless network, if the device has Wi-Fi capabilities.
According to Lovett, the hashing algorithm used by the routers is weak, so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router's DNS settings.
By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers, known as router pharming, have become common over the past two years.
On some devices, downloading the config.xml file doesn't even require a directory traversal flaw; just knowing the correct URL to its location is enough, Lovett said.
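The directory traversal flaw described above comes down to a handler that maps a request value to a file path without checking where the result lands. The following C sketch is an added example, not code from the affected firmware or from Lovett's research; it shows that mapping before and after a canonicalise-then-contain check. The function names, the temporary directory layout and the file contents are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 'Before': the request value is appended to the web root with no checks. */
static int naive_path(const char *root, const char *req, char *out, size_t n) {
    return snprintf(out, n, "%s/%s", root, req) < (int)n ? 0 : -1;
}

/* 'After': canonicalise first, then require the result to stay under root. */
static int safe_path(const char *root, const char *req, char *out, size_t n) {
    char joined[PATH_MAX], rroot[PATH_MAX], real[PATH_MAX];
    if (snprintf(joined, sizeof joined, "%s/%s", root, req) >= (int)sizeof joined ||
        !realpath(root, rroot) || !realpath(joined, real))
        return -1;                  /* too long, or target does not exist */
    size_t len = strlen(rroot);
    /* Prefix match plus '/' boundary, so "/www-old" is not taken for "/www". */
    if (strncmp(real, rroot, len) != 0 || real[len] != '/')
        return -1;
    return snprintf(out, n, "%s", real) < (int)n ? 0 : -1;
}

/* Constructed fixture: <tmp>/www/index.html is public, <tmp>/config.xml is not. */
static const char *fixture_root(void) {
    static char root[PATH_MAX];
    char base[] = "/tmp/webroot-demo-XXXXXX", p[PATH_MAX + 16];
    FILE *f;
    if (root[0]) return root;
    if (!mkdtemp(base)) return NULL;
    snprintf(root, sizeof root, "%s/www", base);
    mkdir(root, 0700);
    snprintf(p, sizeof p, "%s/index.html", root);
    if ((f = fopen(p, "w"))) { fputs("<html></html>\n", f); fclose(f); }
    snprintf(p, sizeof p, "%s/config.xml", base);
    if ((f = fopen(p, "w"))) { fputs("<config/>\n", f); fclose(f); }
    return root;
}

/* Returns 1 if the handler would reach a readable file for this request. */
int served(int hardened, const char *req) {
    char path[PATH_MAX];
    const char *root = fixture_root();
    if (!root || (hardened ? safe_path : naive_path)(root, req, path, sizeof path))
        return 0;
    return access(path, R_OK) == 0;
}
```

Because the check runs on the resolved path instead of filtering the request string, a harmless request that contains `..` but resolves inside the web root is still served. The check only protects files stored outside the served directory, which is why the constructed fixture keeps its config.xml there.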
Many of the routers have additional flaws. For example, around 60 percent have a hidden support account with an easy-to-guess hard-coded password that's shared by all of them. Some devices don't have the directory traversal flaw but have this backdoor account, Lovett said.
For about a quarter of the routers, it's also possible to remotely get a snapshot of their active memory, known as a memory dump. This is bad because the memory of such devices can contain sensitive information about the Internet traffic that passes through them, including credentials for various websites in plain text.
By analyzing several memory dumps, Lovett found signs that the routers were already being probed by attackers, mostly from IP addresses in China.
Most of the vulnerable devices he identified are ADSL modems with router functionality that were supplied by ISPs to customers in Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. A few were also found in the U.S. and other countries, but they appeared to be off-the-shelf devices, not distributed by ISPs.