The risk posed by vulnerable home internet routers was a common theme at this year’s Black Hat and DEF CON conferences. These devices are becoming notorious for having security vulnerabilities, which often go unpatched. The SOHOpelessly Broken contest at DEF CON provided a dramatic demonstration of these flaws, as contestants attacked consumer-grade routers and quickly broke into them. But despite widespread agreement that these routers are a security threat, the security community seems divided about how to approach the problem.
At Black Hat, Jonathan Spring, Paul Vixie, and Chris Hallenbeck presented a talk about abuse of broadband routers. They focused most heavily on open DNS resolvers in this equipment being used for DDoS attacks. The talk explored several avenues for mitigating the problem, but was ultimately pessimistic. Ideally ISPs would follow best practices and filter egress traffic to avoid the kind of IP spoofing that makes these DDoS attacks possible, but implementing this imposes costs on each individual ISP, and very little direct benefit for the ISP implementing the filtering. The presenters were skeptical that it would be possible to find a solution through regulation, because ISPs would tend to oppose regulation that places more burdens on them, and a global problem like this one is very difficult to resolve through regulation.
These presenters expressed frustration that home broadband routers generally don’t get software patches installed automatically. Instead, these patches are either unavailable because the devices are no longer supported, or the patches are likely to never be installed, because it involves a manual process that only very technical users know about. They compared the situation to PC security before PCs could patch themselves over the Internet. The speakers seemed to think these devices should update their software transparently to patch security flaws. Otherwise, as sardonically suggested in the Black Hat keynote, devices like this might need an expiration date.
Automatic updates sounded like a good idea to me, but then I heard a talk by Shahar Tal at DEF CON that left me wondering whether they would help or hurt. He described a protocol called TR-069, which many ISPs use to manage home broadband routers connected to their networks. The protocol allows the ISP to remotely reconfigure the routers in its customers’ homes, and upgrade software on the routers. He found that the existing deployments generally have poor security: fewer than 20% of the endpoints he scanned were using SSL, and many router models don’t verify certificates properly. The situation on the management server side was even worse. Most of the server implementations are proprietary, and as a niche product, their security properties aren’t well known. These management servers are very lucrative targets to criminals, since they have the ability to reconfigure and push software to huge numbers of devices at once.
Shahar Tal started by examining two open source TR-069 management servers, and within days found remote code execution vulnerabilities in both. Through an internet scan, he found a large Middle Eastern ISP using one of the software packages, and advised them of the vulnerability.
The security flaws aren’t limited to these open source products. Similar research found that one of the major commercial offerings was exploitable through a SQL injection vulnerability. The name of this product was not disclosed, apparently because the bug hasn’t been fixed yet.
Pushing software updates to routers automatically could have huge security benefits, but the type of management infrastructure involved carries similarly huge security risks. If routers don’t get patched because they aren’t connected to a mechanism that can update them automatically, they will continue to be used for DDoS attacks, DNS poisoning attacks, and other malicious purposes. But if automatic updates become more widespread, there will be even greater danger that criminals will be able compromise hundreds of thousands of devices at once if they gain access to a management server. Being able to overwrite the firmware on home routers would be hugely powerful for attackers. They could potentially create large botnets of these devices and use them to send spam, perform click fraud, or steal private data from home networks. I found myself conflicted about which approach to home router security makes more sense. Judging by these two talks at Black Hat and DEF CON, perhaps the information security community is conflicted as well.