The protocol also requires authentication from the device to the ACS, but the username and password is typically shared across devices and can easily be extracted from a compromised device; for example by changing the URL of the ACS in the TR-069 client settings to one controlled by the attacker, Tal said.
The researcher and his colleagues tested several ACS software implementations used by ISPs and found critical remote code execution vulnerabilities in them that would allow attackers to take over management servers that are accessible over the Internet.
One ACS software package called GenieACS had two remote code execution vulnerabilities. The researchers found an ISP in a Middle Eastern country that was using the software to manage several thousand devices.
Another ACS software package whose name was not disclosed because it is used by major ISPs around the world had multiple vulnerabilities that could allow attackers to compromise servers running it. Tal said they tested a deployment of this ACS software at one ISP with the company's permission and found that they could take over more than 500,000 devices.
Unfortunately, there's no easy fix for end-users since in most cases they cannot disable TR-069 on their devices without getting root access in some other way, Tal said. Customers could install a second router behind the one supplied by the ISP, but that wouldn't mitigate all of the risks, he said.
TR-069 was designed to function over the wide area network connection, but ISPs should restrict access to their auto-configuration servers by running them on separate, restricted, network segments or through other means, Tal said. Also, ACS software vendors should adopt secure coding practices and subject their products to vulnerability assessments, he said.
So far Tal and his colleagues at Check Point have investigated vulnerabilities on the server side, but they also plan to investigate possible attack vectors against the TR-069 client implementations on devices.
The number of large-scale attacks against home routers has increased significantly over the past twelve months, with attackers using different ways to monetize access to such devices, from intercepting online banking traffic to installing cryptocurrency mining malware and hijacking DNS settings for click fraud.
Sign up for CIO Asia eNewsletters.