Home routers supplied by ISPs can be compromised en masse

  • 10 August 2014

This problem is huge. I have an ISP provided router and I wonder how many more of us are in that position as well.
 
Some ISP servers used to manage routers provisioned to customers can be hacked from the Internet, researchers from Check Point said

By Lucian Constantin August 10, 2014
 

"Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn.

By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.

At the core of the problem is an increasingly used protocol known as TR-069 or CWMP (customer-premises equipment wide area network management protocol) that is leveraged by technical support departments at many ISPs to remotely troubleshoot configuration problems on routers provided to customers.

According to statistics from 2011, there are 147 million TR-069-enabled devices online and an estimated 70 percent of them are residential gateways, Tal said. Based on scans of the Internet Protocol version 4 address space, the 7547 port, which is associated with TR-069, is the second most frequently encountered service port after port 80 (HTTP), he said."
 
Full Article
 
 

5 replies

I am new to all of this and am depending on you all for any info you put forth. I will read as much as I can and try to understand what I am reading. Thanks for your info. I am worried about ISPs being compromised en masse.
searcher23595
@ wrote:
I am new to all of this and am depending on you all for any info you put forth. I will read as much as I can and try to understand what I am reading. Thanks for your info. I am worried about ISPs being compromised en masse.
searcher23595
Hi and welcome to the Community marietodoraperez.
The key words in that excerpt above are "could potentially compromise". You have done the best thing you could have done, and that is installing WSA, because that will protect from malware etc.
Also, the providers have now been notified, so a fix should, I would have thought, be in the planning stage.
Welcome to the community marietodoraperez!
 
Agreed Jasper!
 
Browse around the community marietodoraperez, there is a wealth of information here.
 
Please come often and share your experiences!
 
See you around in the community! :D
 
Beth
By: HNS Staff/ Posted on 11 August 2014.
 
Check Point has released its findings of security concerns in CPE WAN Management Protocol (CWMP/TR-069) deployments, used by major ISPs globally to control business and consumer home internet equipment such as Wi-Fi routers, VoIP phones, amongst other devices.

Researchers uncovered a number of critical zero-day vulnerabilities that might have resulted in the compromise of millions of homes and businesses worldwide, through flaws in several TR-069 server implementations.

Once compromised, the malicious exploitation could have led to massive malware infections, illegal mass-surveillance and privacy invasions, and/or service interruptions, including the disabling of an ISP's Internet service. Attackers could also steal personal and financial data from huge numbers of businesses and consumers.
 
Help Net Security/ Full Article Here/ http://www.net-security.org/secworld.php?id=17237
The following article is an update on home routers.

(Home Routers Hijacked via Compromised Websites)

 
By Eduard Kovacs on September 11, 2014
 
Researchers have been monitoring attacks in which cybercriminals hijack the routers of users in Brazil in an effort to redirect them to malicious websites.
The attacks were first investigated by Kaspersky Lab last week. The security firm found emails allegedly containing photos that demonstrate to the recipient that he/she is being cheated on. The link in the messages points to a website containing adult content.
The site in question hosts some scripts designed to hack into the administration panels of home routers and change their DNS settings so that victims are redirected to bank phishing websites. In order to gain access to the admin panel, the malicious code tries username/password combinations like "admin/admin," "root/root" or "admin:gvt12345" (default credentials set on routers provided by a major Brazilian ISP).
 
SecurityWeek/ full article here/ http://www.securityweek.com/home-routers-hijacked-compromised-websites
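The Brazilian campaign above works by swapping the router's DNS servers so bank domains resolve to phishing hosts. The check below is an added example (not from either article or from Kaspersky Lab) of how a home user or helpdesk could spot that condition from a LAN host: it flags configured resolvers outside the ISP's published ranges and domains whose answers through the router share nothing with a trusted resolver's answers. All resolver addresses and answers are constructed sample values in documentation IP ranges; `via_router` and `via_trusted` are hypothetical resolver callbacks.

```python
"""Detect the rogue-DNS router hijack pattern (added example, constructed data)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]  # hypothetical: name -> set of IPv4 strings


def system_resolve(name: str) -> Set[str]:
    """Resolve via the host's configured resolver (on a home LAN, usually the router)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def rogue_resolvers(configured: Iterable[str], allowed_nets: Iterable[str]) -> List[str]:
    """Return configured DNS servers that fall outside the ISP's known resolver ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [s for s in configured if not any(ipaddress.ip_address(s) in n for n in nets)]


def hijacked_domains(domains: Iterable[str], via_router: Resolver,
                     via_trusted: Resolver) -> Dict[str, dict]:
    """Domains whose router-path answers are disjoint from a trusted resolver's answers.

    A disjoint answer set is a signal, not proof: CDNs may legitimately answer
    differently per resolver, so findings should be checked by hand.
    """
    findings = {}
    for name in domains:
        router, trusted = via_router(name), via_trusted(name)
        if router and trusted and router.isdisjoint(trusted):
            findings[name] = {"router": sorted(router), "trusted": sorted(trusted)}
    return findings


# Constructed sample: the router hands out one ISP resolver and one rogue resolver.
SAMPLE_DNS = ["203.0.113.53", "198.51.100.53"]   # constructed values
ISP_RESOLVER_RANGES = ["203.0.113.0/24"]         # constructed allowlist

# Constructed answers: the bank domain is redirected, the news site is untouched.
ROUTER_ANSWERS = {"bank.example": {"198.51.100.7"}, "news.example": {"192.0.2.10"}}
TRUSTED_ANSWERS = {"bank.example": {"192.0.2.20", "192.0.2.21"}, "news.example": {"192.0.2.10"}}


def run_sample():
    """Run both checks over the constructed sample and return (rogue servers, hijacked domains)."""
    return (rogue_resolvers(SAMPLE_DNS, ISP_RESOLVER_RANGES),
            hijacked_domains(ROUTER_ANSWERS, lambda d: ROUTER_ANSWERS[d],
                             lambda d: TRUSTED_ANSWERS[d]))


if __name__ == "__main__":
    print(run_sample())
```

Against a live router, pass `system_resolve` as `via_router` and a resolver that queries a known public server as `via_trusted`; the constructed dictionaries exist only so the check runs offline.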
 
