The humble home router…who would think that it could possibly be the Achilles’ heel of millions of home network installations? Here are three examples of well-known router cyberattacks that have highlighted serious network intrusion vulnerabilities in the past 12 months:
- Vulnerabilities in Xiaomi Mi Router 3
- Vulnerabilities in Linksys E Series routers
- Vulnerabilities in old D-Link DSL gateways that were never fixed and are now being abused
Of course, the stars of the year were undoubtedly the VPNFilter router malware and the MikroTik cryptojacking affair, each of which reportedly affected around 500,000 routers, although the real number was probably much higher. Then there are accidents waiting to happen, such as the situation of GPON home routers, of which there are around one million in service. Yes, the home router may sit there, innocently flashing away in your living room, but its susceptibility as an easy route into your private home network should not be underestimated. For a comprehensive list of router bugs and flaws from 2012 to 2018, click on this link. Be warned, however: it doesn’t make for particularly pleasant reading.
The two major issues with routers are (a) they are normally left switched on, and (b) their firmware is rarely updated. Add to this the fact that home users hardly ever change the credentials on this vital piece of networking infrastructure, with most leaving their devices on the factory-set credentials.
And it’s not just home users that should be angry about this situation—governments are also pretty annoyed. In January 2017, the US Federal Trade Commission (FTC) accused network equipment supplier D-Link of selling its webcam and network router devices that were vulnerable to attack by hackers. In a lawsuit filed against the company, the FTC stated that D-Link,
“…failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access…".
The issue of router vulnerability has become such a hot potato that the US FBI even issued a public service announcement when the VPNFilter attack occurred, aimed at calming the situation. It advised owners of small office and home office routers to reboot their devices and to take a number of other protective measures to secure their networks (more on this below). The trouble with this advice is that the VPNFilter malware can persist even if the router is switched off. Virtually no consumer router manufacturer was insulated from these waves of attacks on this relatively simple attack surface. The main companies involved were Asus, Huawei, MikroTik, Linksys, NetGear Inc., TP-Link, D-Link, and QNAP. While periodically switching off any of these routers is one, probably futile, way of combating hacker intrusion, further and more comprehensive measures are required.
Internet Protocols - the Achilles’ Heel
Basic, consumer-grade routers use a broad range of communications protocols, many of which contain access vulnerabilities that can easily be exploited by hackers. One very common protocol on lower-end routers is the Simple Network Management Protocol (SNMP), which reads and writes router data. Almost all networking equipment implements an SNMP agent. Its legitimate task is monitoring the health of network equipment, but it also supplies topology information about networks and can enable management control of network devices and servers. It is inherently insecure because SNMP messages are not encrypted: in versions 1 and 2c, the ones consumer devices typically speak, the community string that acts as the password travels in clear text alongside the data. Another commonly used protocol is Universal Plug and Play (UPnP). It comes enabled by default on many new routers and was another focus of the FBI warning, whose advice was to disable this helpful but risky protocol.
Router security breaches can expose a range of risks to home network owners, including:
- Intelligence gathering & subsequent potential identity theft
- Theft of personal data
- Damage to, or disruption of computer equipment
- Network traffic blocking and disruption
- Firmware deletion, providing free access to hackers
- Botnet creation as part of larger attacks such as DDoS
One of the most common router attacks is to use the device as a man in the middle (MITM). This occurs when the router is used as a portal between a hacker and the target’s network. During an MITM attack, the router essentially impersonates both sides of the conversation. Another term for this type of attack is “session hijacking”. MITM attacks are particularly insidious because they are sometimes capable of altering encrypted data, making them a significant challenge to cybersecurity protection attempts. However, measures can be taken to alleviate the risks of such attacks. On the server side, strong encryption protocols between server and client can be deployed, which will disrupt some, if not all, MITM attacks. Digital certificate verification is another measure that can be deployed to harden router protection. On the client side, browser plugins such as HTTPS Everywhere and Force TLS can force secured connections on the network.
Another frequent form of router attack is to send targets to “evil twin” websites that impersonate familiar sites such as mail servers or banking portals. The aim is to trick users to enter their credentials to access these sites, which the hackers then steal and use to acquire personal data or funds from the target.
Yet another router protocol vulnerability is the Home Network Administration Protocol (HNAP). HNAP enables the transmission of sensitive information across the Internet. That would be fine if it were secure, but HNAP is far from that: it provides complete access to anyone who holds a router’s user name and password. Unfortunately, most home users have minimal technical knowledge and will not change those credentials from the factory defaults. Hackers have lists of those default credentials, and using HNAP they can access a target’s home network in seconds. For example, in 2014 a router worm called The Moon used HNAP to identify vulnerable Linksys routers through which it spread its malware.
Test whether a router supports HNAP by browsing to http://<router IP>/HNAP1/, replacing <router IP> with the IP address of your router. If you receive a response, indicating that HNAP is enabled, then your router is probably compromised and should be replaced.
Finally (although, as the link above shows, there really is an apparently endless number of ways in which routers have been compromised), there is the Wi-Fi Protected Setup (WPS) protocol. This little fellow enables hackers to bypass network passwords altogether. All a hacker must do is enter the eight-digit PIN that is printed on the underside of the router itself. Even if the user has conscientiously changed their passwords, hackers can bypass them by entering the PIN and then accessing the target’s network.
But Here’s the Good News
Much of the concern around router security could be assuaged by purchasing better quality routers. Most home users will accept routers supplied to them by their ISP, while others will likely opt for the cheapest consumer-grade home router that they can find in their local computer store. Both of these routes are probably bad news, as the routers then deployed in your home are unlikely to contain anything but minimal security protection. The first step the home user should take is to purchase a commercial-grade router. This will cost in the region of 200 USD, but it will be supplied with most of the risky protocols disabled by default. It is also recommended to deploy routers and modems separately. Home users can contact their ISPs and request that they “dumb down” their routers, effectively turning them into modem-only devices, which the user would then link to a commercial-grade router purchased separately. One of the big issues with consumer-grade/ISP routers is that even if the manufacturers of these devices produce firmware updates to plug security gaps, they often won’t push these to the attention of the customer. The only way the user will know about updates is if they visit the manufacturers’ websites. Commercial-grade router manufacturers will not only keep current with cyberthreats, they will also send that information to their customers, or even update their routers online.
As mentioned above, there is sadly no end to the number of router breaches, so let’s look at some ways of protecting the home user from cyberattack. Fortunately, there are many steps that the home user can take, many of which do not require an advanced computing degree.
Fixes that home users can apply range from easy through moderate to advanced.
Easy Router Fixes:
- Change the router admin credentials and network name (this normally defaults to the name of the router manufacturer).
- Enable WPA2 wireless encryption and define specific groups of authorized users.
- Set up a temporary Guest Wi-Fi for temporary users of home networks and use this Wi-Fi access for any insecure home IoT devices.
Moderate Router Fixes:
- Install updated firmware patches.
- Use the 5 GHz Wi-Fi band instead of the more crowded 2.5 GHz band. 5 GHz has a shorter range, so the hacker is at a distance disadvantage.
- Disable remote admin and remote-admin access over Wi-Fi. Admins should only connect to the home network through a wired Ethernet connection.
Advanced Router Fixes:
- Configure the admin web interface so that it is served only over HTTPS, on a non-standard port if the router allows it.
- Disable ping, Telnet, SSH, UPnP, and HNAP remote access. They should be set to “stealth” rather than “closed”, so that no response at all is sent to an external query.
- Change the router’s DNS from the ISP’s own server to one maintained by OpenDNS, Google Public DNS, or Cloudflare.
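The following Python script is an added example (not code from the original article) that checks, from inside your own LAN, whether the UPnP and HNAP exposures discussed earlier and the advanced fixes just listed have actually taken effect: it sends one SSDP discovery request to test for UPnP, fetches /HNAP1/ as described above, attempts a TCP connection to the Telnet and SSH ports, and checks whether the plain-HTTP admin page redirects to HTTPS. The router address is an assumption supplied on the command line; the sample replies at the bottom are constructed, not captures, so the parsing functions can be exercised without a router present.

```python
"""Audit your own router for the remote-access services the fixes above
say to disable (UPnP, HNAP, Telnet, SSH) and for an admin page that is
still served over plain HTTP. Added illustration, not from the original
article; the router address is an assumption passed on the command line
and every probe is a single read-only request."""
import http.client
import socket
import sys

SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\nMX: 1\r\nST: upnp:rootdevice\r\n\r\n'
).encode()


def ssdp_reply_has_location(reply: str) -> bool:
    """A 200 status line plus a LOCATION header means the UPnP stack is up
    and advertising its device description document."""
    lines = reply.split("\r\n")
    if not lines or " 200 " not in lines[0]:
        return False
    return any(line.lower().startswith("location:") for line in lines[1:])


def hnap_in_body(body: str) -> bool:
    """HNAP devices answer /HNAP1/ with a SOAP document in the HNAP1 namespace."""
    return "HNAP1" in body and "<" in body


def redirects_to_https(status, headers: dict) -> bool:
    """A plain-HTTP admin page should at least redirect to an https:// URL."""
    location = headers.get("location", "").lower()
    return status in (301, 302, 303, 307, 308) and location.startswith("https://")


def assess(results: dict) -> list:
    """Turn raw probe results into findings; an empty list means every check passed."""
    findings = []
    if results.get("upnp"):
        findings.append("UPnP answers discovery requests: disable UPnP")
    if results.get("hnap"):
        findings.append("/HNAP1/ answers: disable HNAP or replace the router")
    for port, name in ((23, "Telnet"), (22, "SSH")):
        if results.get(port):
            findings.append(f"{name} (tcp/{port}) accepts connections: disable it")
    if results.get("http_admin"):
        findings.append("admin page served over plain HTTP: require HTTPS")
    return findings


def tcp_port_open(host: str, port: int, timeout: float = 1.5) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def upnp_answers(host: str, timeout: float = 2.0) -> bool:
    """Unicast the M-SEARCH straight to the router instead of multicasting it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(SSDP_MSEARCH, (host, 1900))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return False
    return ssdp_reply_has_location(data.decode("ascii", "replace"))


def http_get(host: str, path: str, timeout: float = 3.0):
    """Return (status, lower-cased headers, body) or None on any error."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        return resp.status, headers, body
    except (OSError, http.client.HTTPException):
        return None


def audit(host: str) -> dict:
    root = http_get(host, "/") or (None, {}, "")
    hnap = http_get(host, "/HNAP1/") or (None, {}, "")
    return {
        "upnp": upnp_answers(host),
        "hnap": hnap[0] == 200 and hnap_in_body(hnap[2]),
        22: tcp_port_open(host, 22),
        23: tcp_port_open(host, 23),
        "http_admin": root[0] is not None and not redirects_to_https(root[0], root[1]),
    }


# Constructed sample replies (not captures) for offline use of the parsers.
SAMPLE_SSDP = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
               "LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\nST: upnp:rootdevice\r\n\r\n")
SAMPLE_HNAP = ('<?xml version="1.0"?><soap:Envelope><soap:Body>'
               '<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
               '</GetDeviceSettingsResponse></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: router_audit.py <router-ip>")
    for finding in assess(audit(sys.argv[1])) or ["no exposed services found"]:
        print(finding)
```

Run it against the router's LAN address after applying the fixes; every line it prints is a setting that is still exposed. The script deliberately tests only from the inside, which is the view an attacker gets once any one device on the network (a compromised IoT gadget on the main Wi-Fi, for instance) is under their control, and it is the reason the guest network advice above matters.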
While it may look like the home network user is fighting a losing battle, there are many steps they can take to increase their level of cybersecurity. The fixes listed above will mitigate many of the attack vulnerabilities faced by home network owners. However, to be realistic, most home network owners are unlikely to take these security measures. This leaves one critical place where protection can be applied: the ISP itself. Allot’s HomeSecure product takes full responsibility for any router vulnerabilities by identifying all devices on a home network and protecting them against online attack. The system also provides full parental control of network devices used by younger family members.