Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn.
By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.
At the core of the problem is an increasingly used protocol known as TR-069 or CWMP (customer-premises equipment wide area network management protocol) that is leveraged by technical support departments at many ISPs to remotely troubleshoot configuration problems on routers provided to customers.
According to statistics from 2011, there are 147 million TR-069-enabled devices online and an estimated 70 percent of them are residential gateways, Tal said. Based on scans of the Internet Protocol version 4 address space, the 7547 port, which is associated with TR-069, is the second most frequently encountered service port after port 80 (HTTP), he said.
TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.
Many customers likely don't know that their ISPs have this level of control over their routers, especially since custom firmware running on them often hides the TR-069 settings page in the router administration interface, Tal said. Even if the owner knows about this remote management service, most of the time there is no option to disable it, he said.
If an attacker compromises an ACS he could obtain information from the managed routers like wireless network names, hardware MAC addresses, voice-over-IP credentials, administration usernames and passwords. He could also configure the router to use a rogue DNS server, to pass the entire traffic Internet through a rogue tunnel, set up a hidden wireless network or remove the security password from the existing network. Even worse, he could upgrade the firmware on the devices with a rogue version that contains malware or a backdoor.
The TR-069 specification recommends the use of HTTPS (HTTP with SSL encryption) for connections between managed devices and the ACS, but tests performed by Tal and his colleagues revealed that around 80 percent of real-world deployments don't use encrypted connections. Even when HTTPS is used, in some cases there are certificate validation issues, with the customer equipment accepting self-signed certificates presented by an ACS. This allows a man-in-the-middle attacker to impersonate the ACS server.
Sign up for CIO Asia eNewsletters.