Establishing Digital Trust: Don't Sacrifice Security for Convenience
Routers, by definition, have multiple personalities. One Ethernet port is connected to the outside world, four (typically) Ethernet ports offer Internet access to wired devices on a Local Area Network (LAN), and a radio transmitter offers access to Wi-Fi clients. The Wi-Fi interface may even offer multiple SSIDs.
Routers normally keep the various aspects of their personalities separate, but a presentation at the last Black Hat conference, How to Hack Millions of Routers, reported on a crack in this armor. Some understanding of IP addresses is required to understand the problem, so that's where I'll begin.
Every device on a TCP/IP-based network (and almost all networks use TCP/IP to communicate) gets a unique number, called an IP address. IP addresses are 32 bits and are written as four decimal numbers, each between zero and 255 separated by periods. A common IP address is 192.168.1.1. The IP address for the esecurityplanet.com website is 220.127.116.11. You can enter an IP address directly into the address bar of a Web browser to visit a website.
Most IP addresses are on the public Internet, but some are reserved for internal use only. That is, everyone can use the same internal-use-only addresses on their LAN without any confusion. These special IP addresses are not allowed on the public Internet.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The most commonly used internal IP addresses start with either 192.168 or 10. A computer connected to an internal Ethernet port of a router, may see the router as having IP address 192.168.0.1, for example. Millions of routers on millions of LANs can all use this IP address because it is guaranteed never to go out the other side of the router, to the Internet. Routers ship with a default internal IP address and the owner of the router can change it to any internal-use-only address.
In a somewhat Jekyll and Hyde manner, a router uses a different IP address, a "public" one, when communicating on the Internet. The router owner has no control over the public IP address, it is assigned by the Internet Service Provider (ISP) that connects the router to the Internet.
All the computers on the LAN appear to the outside world to have the same IP address. You can think of the router as the public spokesperson for all the LAN-side computers.
As you may suspect by now, the security problem that some routers have, has to do with not keeping the public and private personalities totally separate and distinct.
The public IP address should only be visible to a computer on the Internet and the private IP address should only be visible to computers on the LAN, be they wired or wireless.
If this barrier is not maintained, bad guys on the Internet can possibly log into the router. And, if that happens, you're in big trouble.
Routers are configured using internal websites; that is, websites that live in the router itself, not on the Internet. To modify a router, a computer on the LAN gets to the internal website by IP address. For example, you might type http://192.168.0.1 into the address bar of a Web browser and then log in with a userid and password.
The router is normally addressable only by the internal IP address. This insures that only computers on the LAN can make changes to it.
Every website that you communicate with knows the public IP address of your router. And, of course, so too does your ISP. But, a couple of things prevent someone from the outside from logging in to a router.
First, there is the firewall in the router, which normally denies unsolicited incoming traffic. In addition, routers have an option for remote administration. Non-techies with far away tech helpers can allow their remote helpers to log in to their router without having to physically visit. Typically, remote administration is disabled.
Now, finally, we can understand the security problem that Craig Heffner publicized at the Black Hat conference.
In a nutshell, the bug he discovered lets a malicious Web page access the router via the public IP address.
LAN-based computers should be limited to accessing the router by its internal IP address, something that remote Web sites cannot learn. Since a remote Web site can easily learn your public IP address, the bug can allow a bad guy to log on to your router. Not good, for a whole host of reasons.
Making things worse, is that far too many people ("victims" might be the better word here) don't change the default password for their router. I've run into many people that weren't aware that routers even have passwords. The bad guys have ready access to the default passwords for routers (here and here for example) and can detect, to some degree, which router you have.
In his initial testing of 30 routers, Heffner found 17 of them were vulnerable to this problem. His list of tested routers is available here; it was last udpated August 3, 2010. Included in the list is the ActionTec MI424-WR used by Verizon FIOS (pictured).
Are you vulnerable?
It's easy to test if your router is vulnerable to this attack.
You can learn your public IP address at many websites, such as ipchicken.com or checkip.dyndns.com. Just enter this address into your favorite Web browser and see what happens. For example, if the public IP address were 18.104.22.168, then try browsing to http://22.214.171.124 (there is no period at the end of an IP address).
If you get prompted for a userid and password, your router is vulnerable to this type of attack. If you get an error that the Web page can't be loaded, you're safe.
On the technical side, the attack is a new wrinkle on an old problem called DNS rebinding. It depends on the fact that a single website can have multiple IP addresses. When you first visit a malicious website, your computer is given two IP addresses for the bad site. The first is legit, the second is not, it's your public IP address. Then, through caching tricks and purposefully generated errors, the malicious Web page tricks your computer into accessing what it thinks is the alternate IP address of the malicious site, but is actually the public IP address of your router.
Heffner adds that "... remote administration does not need to be enabled for this attack to work. All that is required is that a user inside the target network surf to a Web site that is controlled, or has been compromised, by the attacker." Implicit in this, is that that the attack works regardless of the Web browser or the victim's operating system. The attack is against the router, that's where the vulnerability lies.
Defend your router
The simplest defense is to not use the router's default password. Change it to something that can't be guessed, the longer the better. As always with passwords, don't use a word in the dictionary. For safe keeping, I suggest writing the password on a piece of paper (along with the routers IP address and userid) and taping it to the router, face down.
If your router is vulnerable, check if the manufacturer has a newer firmware that fixes the problem.
Any new router should be tested for this problem first thing, while it can still be returned.
Although not directly relevant to this problem, I suggest verifying that remote administration is, in fact, turned off on your router.
If you use Wi-Fi, check if your router can limit administrative access to wired connections. This should prevent any and all wireless users from ever logging in to the router.
You can see a white paper and Heffner's slides at the archives of the Black Hat conference.
Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He is a regular contributor to eSecurityPlanet.com.
Keep up-to-date on WLAN security issues; follow eSecurityPlanet on Twitter @eSecurityP.