More than 700,000 ADSL routers provided to subscribers by ISPs around the world are vulnerable to remote hacking due to a flaw called “directory traversal.”
More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Security researcher Kyle Lovett first detected the vulnerability a few months ago while analyzing some ADSL routers in his spare time. Upon delving a bit deeper, he discovered hundreds of thousands of susceptible devices from different manufacturers that had been distributed by ISPs to subscribers in nearly a dozen countries.
Most of the routers were found to have a “directory traversal” flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data. It should be noted that the flaw isn’t entirely new; in fact, it was initially reported by multiple researchers dating back to 2011 in various router models that have been distributed in countries such as Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. Some of these routers are also sold off the shelf in the United States.
The researcher unearthed a commonality among all of these routers: the vast majority were using firmware from China-based Shenzhen Gongjin Electronics, which also does business under the trademark T&W. This company manufactures networking equipment for router vendors such as D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear.
The directory traversal vulnerability can be used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings. The file also contains the password hashes for the administrator and other accounts on the device, the username and password for the user’s ISP connection (PPPoE), the client and server credentials for the TR-069 remote management protocol used by some ISPs, as well as the password for the configured wireless network, if the device has Wi-Fi capabilities.
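The root cause described above, a CGI component that builds a filesystem path from a client-supplied name, has a well-understood fix: decode the request, refuse traversal segments, and confirm the normalised result still lies inside the web root. The following Python is an added illustration of that mitigation and is not code from the article, from webproc.cgi, or from any T&W firmware; the web root `/www`, the function names `naive_path` and `resolve_under_root`, and the file names used in the comments are all constructed for the example. `naive_path` shows the flawed join-and-trust pattern for contrast, and `resolve_under_root` shows the hardened version, including the double-encoding and NUL-byte edge cases.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example; a real handler would use the
# device's own web root. Only path arithmetic is done, so nothing must exist.
WEB_ROOT = Path("/www")


def naive_path(web_root: Path, requested: str) -> Path:
    """The flawed pattern: join the client-supplied name onto the root and
    trust the result. '..' segments walk straight out of web_root."""
    return Path(os.path.normpath(os.path.join(str(web_root), requested.lstrip("/"))))


def resolve_under_root(web_root: Path, requested: str) -> Optional[Path]:
    """Hardened resolution. Returns the path to serve, or None to refuse.

    Steps: percent-decode until stable (defeats %252e double encoding), reject
    NUL bytes, treat backslash as a separator, refuse any '..' segment, and
    finally confirm the normalised result is still inside web_root.
    """
    decoded = requested
    for _ in range(4):                     # bounded so no input can loop forever
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                  # NUL would truncate the name in C code downstream
        return None
    decoded = decoded.replace("\\", "/")
    if any(seg == ".." for seg in decoded.split("/")):
        return None                        # refuse traversal outright, not just after normpath
    candidate = Path(os.path.normpath(os.path.join(str(web_root), decoded.lstrip("/"))))
    try:
        candidate.relative_to(web_root)    # defence in depth: ValueError if outside the root
    except ValueError:
        return None
    # On a real filesystem, also os.path.realpath() the candidate and re-check
    # containment so a symlink under web_root cannot point outside it.
    return candidate


if __name__ == "__main__":
    print(naive_path(WEB_ROOT, "../../etc/device.conf"))            # escapes the root
    print(resolve_under_root(WEB_ROOT, "../../etc/device.conf"))    # None
    print(resolve_under_root(WEB_ROOT, "%252e%252e/etc/device.conf"))  # None
    print(resolve_under_root(WEB_ROOT, "/images/logo.png"))         # /www/images/logo.png
```

The strict rule of rejecting every `..` segment, even ones such as `css/../index.html` that would resolve inside the root, is deliberate: embedded web servers rarely have a legitimate reason to accept them, and a whitelist of what is allowed is easier to audit than a blacklist of what is not.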
According to Lovett, the hashing algorithm used by the routers is weak, so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router’s DNS settings. By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers — known as router pharming — have become common over the past two years.
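The extraction of config.xml is the first link in the chain that ends with hijacked DNS, and it is also the link an ISP or operator can see most easily: a traversal request against the remote-management interface leaves a distinctive line in the device's or upstream proxy's access log. The script below is an added example of that detection logic and is not from the article or from Lovett's research; the log lines are constructed in Common Log Format, the addresses are documentation ranges, and the `path` query parameter is a placeholder name rather than the parameter webproc.cgi actually takes. It decodes each request target (including double percent-encoding), tags traversal attempts, and rates a traversal request that received a 2xx response as high severity because the device most likely served the file.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format; these are not logs from
# any real device, and the "path" query parameter is a placeholder name, not
# the parameter webproc.cgi actually takes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2015:10:12:05 +0000] "GET /cgi-bin/webproc.cgi?path=../../config.xml HTTP/1.1" 200 8842
198.51.100.9 - - [10/Mar/2015:10:13:44 +0000] "GET /cgi-bin/webproc.cgi?path=%2e%2e%2f%2e%2e%2fconfig.xml HTTP/1.1" 200 8842
198.51.100.9 - - [10/Mar/2015:10:13:50 +0000] "GET /cgi-bin/webproc.cgi?path=%252e%252e%252fconfig.xml HTTP/1.1" 404 210
192.0.2.44 - - [10/Mar/2015:10:14:02 +0000] "GET /cgi-bin/webproc.cgi?path=status.html HTTP/1.1" 200 2210
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' segment delimited by path or query separators, checked after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/?=&])\.\.(?:[/&]|$)')


def fully_decode(s: str, rounds: int = 4) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %2e%2e and double-encoded %252e%252e both come out as '..'."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def classify(target: str) -> List[str]:
    """Tag one request target with the indicators it carries."""
    decoded = fully_decode(target).replace("\\", "/")
    tags = []
    if TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
    if "webproc" in decoded.split("?", 1)[0]:
        tags.append("webproc")
    if decoded.lower().endswith("config.xml"):
        tags.append("config-file")
    return tags


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert per traversal request. A 2xx response to a traversal
    request is rated high: the device most likely served the file."""
    alerts = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                       # not a CLF line; skip rather than guess
        tags = classify(m["target"])
        if "traversal" not in tags:
            continue
        served = m["status"].startswith("2")
        alerts.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "status": m["status"],
            "tags": ",".join(tags),
            "severity": "high" if served else "medium",
        })
    return alerts


def sources(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count traversal attempts per source address for blocking or follow-up."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["severity"].upper(), a["ip"], a["ts"], a["status"], a["tags"], a["target"])
    print(sources(found))
```

A high-severity hit is the cue to treat every credential in that device's config.xml as exposed (admin hashes, PPPoE, TR-069 and Wi-Fi) and to verify the router's DNS settings, since that is the change the article says attackers make once they are in.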
Lovett admits that 700,000 is a conservative estimate. There are likely many more devices that possess the same flaws, yet are not configured for remote management. Instead, those can be attacked from within local networks through malware or cross-site request forgery (CSRF).
Want to learn more? You can read the entire article from PC World here. It is becoming increasingly clear that embedded system insecurity affects everyone and every company, so how can you ensure that your device is indeed protected?