In yet another testament of the awful state of home router security, a group of security researchers uncovered more than 60 vulnerabilities in 22 router models from different vendors, most of which were distributed by ISPs to customers.
The researchers performed the manual security review in preparation for their master's thesis in IT security at Universidad Europea de Madrid in Spain. They published details about the vulnerabilities they found Sunday on the Full Disclosure security mailing list.
The flaws, most of which affect more than one router model, could allow attackers to bypass authentication on the devices; inject rogue code into their Web-based management interfaces; trick users into executing rogue actions on their routers when visiting compromised websites; read and write information on USB storage devices attached to the affected routers; reboot the devices, and more.
The vulnerable models listed by the researchers were: Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; Sagem LiveBox Pro 2 SP and Fast 1201; Huawei HG553 and HG556a; Amper Xavi 7968, 7968+ and ASL-26555; D-Link DSL-2750B and DIR-600; Belkin F5D7632-4; Linksys WRT54GL; Astoria ARV7510; Netgear CG3100D and Zyxel P 660HW-B1A.
Some of the vulnerable Observa Telecom, Comtrend, ZyXEL and Amper models were distributed to customers by the Spanish ISP Telefonica. Vodafone also distributed one of the vulnerable Observa Telecom models, as well as the Huawei and Astoria ones.
The Sagem models were distributed by Orange, the Spanish ISP Jazztel distributed one of the Comtrend models and Ono, a Vodafone subsidiary in Spain, distributed the Netgear model.
Even though the group's research focused on routers that were given by ISPs to customers in Spain, some of the same models were likely distributed by ISPs in other countries as well.
Past research has shown that the security of ISP-provided routers is often worse than that of off-the-shelf ones. Many such devices are configured for remote administration to allow ISPs to remotely update their settings or troubleshoot connection problems. This exposes the routers' management interfaces along with any vulnerabilities in them to the Internet, increasing the risk of exploitation.
Even though ISPs have the ability to remotely update the firmware on the routers they distribute to customers, they often don't and in some cases the users can't do it either because they only have restricted access on the devices.
On the Observa Telecom RTA01N router, the Spanish research group found a hidden administrative account called admin with a hard-coded password that can be accessed via the Web-based management interface or via Telnet. Similar undocumented "backdoor" accounts have been found in other ISP-supplied routers in the past and were likely intended for remote support.
Sign up for CIO Asia eNewsletters.