LAS VEGAS — According to new research delivered today here at the Black Hat security conference, millions of home routers may have a serious security flaw.
In his presentation at Black Hat, security researcher Craig Heffner detailed how an external attacker could gain full control of a user’s router and use that to gain access to the internal local area network (LAN). Though the implications are ominous, Heffner, also detailed a variety of steps users can take to protect themselves.
“The question is not how to hack the routers, that’s easy,” Heffner said. “The question is how to get access when you’re not on the local LAN.”
Every network router has both an external WAN interface, as well as an internal LAN interface. The WAN interface has the public IP address while the LAN interface is a private IP address. The way things are supposed to work is that external users are not supposed to be able to publicly access the router internals.
But Heffner said he was able to leverage DNS rebinding, which exposes the local private IP address and binds it to the public address. Heffner wrote a tool called Rebind to make it easier to automatically perform the whole operation. The Rebind tool is set to be freely available on the Google Code project hosting site.
“The attacker then gets access to the router and can browse the local LAN of the target user as if they were a user on the local LAN,” Heffner said.
In an on-stage demo, Heffner showed how he could access an Actiontec router that is used by Verizon for its broadband customers.
“Once I’m into your router I can put whatever tools I want and run them against your network,” Heffner said. “The great thing about routers is that they’re connected to the Internet and your LAN.”
In addition to leveraging Rebind to access the LAN, Heffner noted it could potentially be used to turn the router into a proxy for other attacks.
Protecting your router
Like other speakers at Black Hat, Heffner didn’t detail the security flaw to aid potential attackers, but rather to alert users and the relevant vendors.
Heffner suggested one preventative measure users can take is to change their firewall rules to prevent an external IP from rebinding with internal ones. Additionally he suggested that it’s likely a best practice for home users to just disable the http admin interface of their routers, if that’s an option.
Another key thing that Heffner suggested users should do is change the default password for their home routers and to make sure that the router’s firmware is up-to-date.
Heffner also called on router vendors to build in DNS Rebinding mitigations into their routers directly.
“The only router software that I know of that does this now is pfsense,” Heffner said. “They contacted me when my Black Hat talk abstract went up.”