Misfortune Cookie Vulnerability Affects 12 Million Devices

Researchers at Check Point Software Technologies' Malware and Vulnerability Research Group recently uncovered a vulnerability in millions of SOHO routers that could enable attackers to take control of affected devices.

"If your gateway device is vulnerable, then any device connected to your network -- including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network -- may have increased risk of compromise," the researchers note.

The Check Point researchers detected approximately 12 million devices in 189 countries that are exploitable via the vulnerability, which they're calling Misfortune Cookie.

A list of affected device models is available here [PDF].

"Misfortune Cookie is a serious vulnerability present in millions of homes and small businesses around the world, and if left undetected and unguarded, could allow hackers to not only steal personal data, but control people's homes," Check Point malware and vulnerability research manager Shahar Tal said in a statement.

The vulnerable software is AllegroSoft's RomPager embedded Web server, which is included in the firmware released with many SOHO routers.

The vulnerability was found in RomPager v4.07, which was released back in 2002.

AllegroSoft patched the vulnerability with the release of RomPager v4.34 in 2005, but many devices still ship with the vulnerable version of the software in place.

"We take embedded device security seriously and want our customer partners to do the same," AllegroSoft president Bob Van Andel said in a recent statement. "We strongly urge manufacturers to maintain their firmware with the latest software components to deliver the highest level of Internet communications compatibility and embedded device security to the end customer."

The researchers urge users to protect against the flaw by ensuring that all devices and any documents or folders containing sensitive information are password-protected, and by considering the use of HTTPS connections to encrypt their browser activity.

Service providers are urged to read Check Point's white paper [PDF] offering more technical advice on device protection.

"Misfortune Cookie is unique due to a combination of multiple factors, including its severity, ease of exploitability, lack of almost any preconditions, and the sheer volume of vulnerable networks. ... All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address," the researchers write. "No hacking tools required, just a simple modern browser."

"Everyone is aware that embedded devices are insecure, but we haven't had one game-changing event that crosses boundaries and makes the industry understand this," Tal told Kaspersky Lab's Threatpost. "This one is definitely worth the attention and needs fixing."

A recent Tripwire survey of 653 IT and security professionals and 1,009 employees who work remotely found that 52 percent of IT professionals and 59 percent of employees haven't updated the firmware on their routers to the latest version.