Newbie Science: A Brief Discussion on the Changes in Home Router Security

Routers are the entrance to the home network, and in the IoT era they also act as its gatekeeper. For exactly that reason, attacks against routers have multiplied in recent years. This article walks through the attacks on routers seen over the past few years.

Wireless protocol vulnerabilities

In the early years, most attacks on routers exploited weaknesses in the wireless protocols themselves. Early wireless routers used WEP ("Wired Equivalent Privacy"), which, like many encryption schemes that later turned out to be flawed, was built on the RC4 stream cipher. In August 2001, Fluhrer et al. published a cryptanalysis of WEP that exploited properties of RC4 key scheduling together with the way WEP used the IV: after eavesdropping on a network for a few hours, the RC4 key could be recovered. The attack was quickly implemented in automated tools and could be carried out with nothing more than a personal computer, off-the-shelf hardware and freely available software. WEP was therefore superseded in 2003 by WPA (Wi-Fi Protected Access), which implements most of the IEEE 802.11i standard.

WPA improved on WEP in several respects. WPA is designed to use an 802.1X authentication server to hand out a different key to each user; however, it can also be run in the less secure "pre-shared key" (PSK) mode. The Wi-Fi Alliance calls the pre-shared-key version WPA Personal or WPA2 Personal, and the version using 802.1X authentication WPA Enterprise or WPA2 Enterprise.

WPA encrypts data with the RC4 stream cipher using a 128-bit key and a 48-bit IV. The main improvement of WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which changes the key dynamically during use. This, combined with the longer IV, defeats the well-known key-recovery attacks against WEP.

Beyond authentication and encryption, WPA also greatly improves data integrity. The CRC (Cyclic Redundancy Check) used by WEP is inherently insecure: without knowing the WEP key, it is possible to alter the data and fix up the corresponding CRC. WPA instead uses a more secure message authentication code called "Michael" (termed the Message Integrity Check, MIC, in WPA).

In 2004, WPA was replaced by WPA2, which fully implements the IEEE 802.11i standard. The most important security improvement of WPA2 over WPA is the use of AES instead of the original RC4 encryption method.

In fact, both WPA and WPA2 can still be attacked. Specifically, a deauthentication (DEAUTH) attack is used to knock a connected client off the network; when it reconnects, the handshake is captured, and the captured handshake is then attacked with a dictionary. Because the attack depends on a dictionary, its success rate is highly uncertain.
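From the defender's side, the tell-tale sign of the handshake-capture technique just described is the burst of deauthentication frames that precedes it. The following detector is an added example, not code from the article; it runs over constructed 802.11 management-frame records (a real deployment would feed it frames from a monitor-mode capture) and flags any BSSID that emits an unusual number of deauth/disassoc frames inside a sliding window, counting broadcast deauths separately because a single client being kicked is routine while a broadcast burst is not.

```python
# Added example (not from the article): flag the deauthentication flood that
# precedes a handshake capture, using constructed 802.11 management-frame
# records rather than a real capture.
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    ts: float      # capture time in seconds
    subtype: str   # "beacon", "deauth", "disassoc", ...
    bssid: str     # access point the frame claims to come from
    dst: str       # destination station, or BROADCAST


def find_deauth_floods(frames, window_s=5.0, threshold=10):
    """Return one (bssid, window_start, count, broadcast_count) tuple for each
    BSSID that sends at least `threshold` deauth/disassoc frames within any
    `window_s` sliding window. One alert per BSSID is emitted, at the moment
    the threshold is first crossed."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauths
    bcast = defaultdict(deque)    # bssid -> timestamps of broadcast deauths
    alerts, alerted = [], set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.bssid]
        q.append(f.ts)
        if f.dst == BROADCAST:
            bcast[f.bssid].append(f.ts)
        # drop anything that has fallen outside the sliding window
        while q and f.ts - q[0] > window_s:
            q.popleft()
        b = bcast[f.bssid]
        while b and f.ts - b[0] > window_s:
            b.popleft()
        if len(q) >= threshold and f.bssid not in alerted:
            alerted.add(f.bssid)
            alerts.append((f.bssid, q[0], len(q), len(b)))
    return alerts


def sample_frames():
    """Constructed capture: normal beacons, one routine deauth of a single
    client at t=3s, then a burst of broadcast deauths spoofed from the same
    BSSID starting at t=10s."""
    ap = "aa:bb:cc:dd:ee:ff"
    frames = [MgmtFrame(t * 0.1, "beacon", ap, BROADCAST) for t in range(200)]
    frames.append(MgmtFrame(3.0, "deauth", ap, "11:22:33:44:55:66"))
    frames += [MgmtFrame(10.0 + i * 0.02, "deauth", ap, BROADCAST) for i in range(20)]
    return frames


if __name__ == "__main__":
    for bssid, start, n, n_bcast in find_deauth_floods(sample_frames()):
        print(f"deauth flood from {bssid} starting at t={start:.2f}s: "
              f"{n} frames in window, {n_bcast} to broadcast")
```

The routine deauth at t=3s never contributes to an alert because it has aged out of the 5-second window by the time the burst starts; the burst triggers exactly once, when the tenth frame arrives. The window and threshold are tunable assumptions, and on a busy network you would baseline them per BSSID before alerting.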

On December 28, 2011, security researcher Stefan Viehbock disclosed a major vulnerability in WPS (Wi-Fi Protected Setup) that lets a remote attacker obtain the WPS PIN, and with it the WPA/WPA2 PSK, by brute force within a few hours. The PIN is an 8-digit number, and the brute force takes relatively little time: the 8th digit is a checksum, so only the first 7 digits need to be guessed, and of those the first four and the remaining three are verified separately. The PIN can therefore be recovered in at most 11,000 attempts, which takes about 3 hours if everything goes well. The WPS authentication process is as follows:

In reality, however, many routers rate-limit PIN guesses, and the interval between attempts grows longer and longer. The editor has tried this many times before and has never succeeded.
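To make the arithmetic in the WPS paragraph concrete, here is an added example (not code from the article) that implements the WPS PIN checksum rule as it appears in the Wi-Fi Simple Configuration specification, validates a PIN against it, and compares the worst-case guess count under three models of how the registrar confirms the PIN: all eight digits at once, seven digits plus checksum, and the flawed split confirmation of the first four and last three digits that the article describes. The sample PINs are constructed.

```python
# Added example (not from the article): the WPS PIN checksum rule and why the
# effective search space shrinks from 10^8 to 11,000 when the registrar
# confirms the two halves of the PIN separately.

def wps_checksum_digit(first_seven: int) -> int:
    """Return the 8th digit that makes a 7-digit PIN body a valid WPS PIN.

    Checksum rule from the Wi-Fi Simple Configuration specification: digits
    are weighted 3,1,3,1,... counting from the right, and the check digit
    brings the weighted sum up to a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("PIN body must be seven decimal digits")
    accum, n = 0, first_seven
    while n:
        accum += 3 * (n % 10)   # odd positions from the right: weight 3
        n //= 10
        accum += n % 10         # even positions from the right: weight 1
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight decimal digits whose last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(int(pin[:7]))


def pin_search_space() -> dict:
    """Worst-case number of guesses under three models of how the registrar
    verifies the PIN; the last one is the weakness the article describes."""
    return {
        "eight independent digits": 10 ** 8,
        "seven digits plus checksum": 10 ** 7,
        "first four and last three confirmed separately": 10 ** 4 + 10 ** 3,
    }


def valid_pins_in_range(start: int, stop: int) -> int:
    """Count valid PINs among the 8-digit numbers start..stop-1. Exactly one
    in ten is valid, because the checksum fixes the last digit."""
    return sum(1 for p in range(start, stop) if is_valid_wps_pin(f"{p:08d}"))


if __name__ == "__main__":
    print("checksum digit for 1234567:", wps_checksum_digit(1234567))
    for model, guesses in pin_search_space().items():
        print(f"{model}: {guesses:,} guesses")
    print("valid PINs in 00000000..00009999:", valid_pins_in_range(0, 10_000))
```

The point for a defender is that the checksum and the split confirmation together leave only about 11,000 possibilities, which is why rate limiting alone is a weak countermeasure and the article's advice to disable WPS entirely is the right one.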

Because these attack methods are of limited use, most of the vulnerabilities above are now history. Attacks on routers have largely turned to vulnerabilities in specific router models, shifting from weaknesses in wireless protocols to flaws in router firmware and web interfaces.

Attacks on router firmware

In recent years there have been many attacks on routers. Many well-known manufacturers have been hit, and often a whole product series is affected. Many of the vulnerabilities exposed in these routers are backdoors left by the manufacturer for maintenance, and some are flaws in the authentication mechanism that are easily bypassed:

In October 2016, ASUS routers were infected by the P2P botnet program TheMoon. The infosvr service in the ASUS WRT firmware, used by routers such as the RT-AC66U and RT-N66U, has a vulnerability in common.c: the program does not correctly check the MAC address in the request. A remote attacker can bypass authentication and execute arbitrary commands by sending NET_CMD_ID_MANU_CMD packets to UDP port 9999.

In the same month, multiple backdoors were found in the D-Link DWR-932B LTE router. Researchers found that the router ships with two hard-coded accounts (admin:admin and root:1234) for its Telnet and SSH services. An attacker can easily obtain a shell on a vulnerable router and then carry out man-in-the-middle attacks, monitor network traffic, and run malicious scripts to change the router's settings. Sending the hard-coded string "HELODBG" to UDP port 39889 starts a root Telnet service on the router without any authentication.

In December 2016, multiple Netgear router models were found to have a remote arbitrary command injection vulnerability: an attacker only needed to set up a web page that requests a URL with a command appended to the end, and the command would run with root privileges without any authorization.
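The class of bug behind "append a command to the URL" is a request parameter pasted into a shell command line. The following is an added example, not Netgear's code: a hypothetical diagnostics handler written the vulnerable way, kept as a string and never executed, beside a hardened version that validates the parameter as an IPv4 address or hostname and builds an argument list so no shell ever parses it. The function and parameter names are assumptions for illustration.

```python
# Added example (not Netgear's code): the pattern behind "append a command to
# the URL" injection, shown as a hypothetical ping-diagnostics handler, beside
# a hardened version that validates the parameter and never goes through a shell.
import re
import subprocess

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SHELL_META = set(";|&$`<>()\n\r'\"\\ ")


def build_ping_unsafe(target: str) -> str:
    """The vulnerable pattern: the request parameter is pasted into one
    command string destined for system()/shell=True, so a value such as
    '192.0.2.10;id' becomes two commands. Returned as a string only; it is
    deliberately never executed in this example."""
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Accept a dotted IPv4 address or an RFC 1123 hostname, nothing else."""
    if not target or len(target) > 253 or any(c in _SHELL_META for c in target):
        return False
    parts = target.rstrip(".").split(".")
    if all(p.isdigit() for p in parts):
        return len(parts) == 4 and all(0 <= int(p) <= 255 for p in parts)
    return all(_LABEL.match(p) for p in parts)


def build_ping_safe(target: str) -> list:
    """Hardened form: validate first, then build an argv list so the target
    is always exactly one argument and no shell interprets it."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping(target: str) -> int:
    """Execute the hardened command (shell=False) and return its exit code."""
    return subprocess.run(build_ping_safe(target), capture_output=True,
                          timeout=10, check=False).returncode


if __name__ == "__main__":
    for t in ("192.0.2.10", "router.example", "192.0.2.10;id", "`id`"):
        print(f"{t!r:18} shell would see: {build_ping_unsafe(t)!r}")
        try:
            print("   hardened argv:", build_ping_safe(t))
        except ValueError as e:
            print("   hardened:", e)
```

Validation and `shell=False` are complementary: the allowlist keeps hostile strings out entirely, and the argument list means that even a value that slips past validation cannot start a second command. The same two measures are what a firmware CGI handler in C should apply before anything reaches `system()`.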

In February 2017, a large number of Netgear routers were found to have a password bypass vulnerability. Accessing the router's web management interface requires authentication, but if the authentication dialog is cancelled and the password recovery function is disabled, the user is redirected to a page that exposes the password recovery token; supplying that token yields the router's administrator password.

In April 2017, dozens of Linksys router models were found to have high-risk vulnerabilities leading to remote command execution and sensitive information leakage. Attackers can inject and execute commands with root privileges on the router's operating system, and may create backdoor accounts to keep control of the router over the long term; such an account does not appear in the web management interface and cannot be deleted by the administrator account.

TheMoon bot attack traffic

Although only a few cases are listed above, the manufacturers involved hold half of the router market, especially Netgear and Linksys. According to NPD monthly data, NETGEAR and LINKSYS, two long-established American router makers, rank first and second in the market with a share of more than 60%, while manufacturers from the Asia-Pacific region, such as D-LINK, hold a 40% share of the US market.

Once a hacker has taken over a router, they control the victim's Internet access, and the possible follow-on attacks are almost unlimited. Some change the router's DNS to a malicious server so that they can monitor traffic, insert advertisements, or redirect users to download malware; others use the router for large-scale DDoS attacks, as with TheMoon and Mirai, a botnet that targets IoT devices. But hackers can do far more than that: for a targeted attack, they can use the router as a foothold to penetrate further into the internal network.

Mirai botnet affects a large number of hosts worldwide

Even now, a large number of routers still have not had these vulnerabilities fixed. The editor did a simple test using Shodan search results and found a vulnerable Netgear R7000 among the 20 results on the first two pages. It is easy to imagine that plenty of hackers have already looked through the same results.

The reason so many vulnerable routers remain on the network is that manufacturers cannot push updates in time. Although the router is the entrance to the network, there is no complete firmware update mechanism that keeps users on the latest firmware. This is a problem manufacturers urgently need to solve.

New approaches to attacking routers

Although the vulnerabilities above are extremely harmful, they have a precondition: the router's port must be exposed to the public network, or the attacker must be on the same network, i.e. the hacker must first get onto the same wireless network by some means. Besides the wireless protocol vulnerabilities already discussed, there are some novel ways of doing this:

WiFi Master Key

WiFi Master Key, an app that was quite popular a few years ago, can be used to carry out attacks. The app uploads the router password you enter and makes it available to other users; if the password is unknown, Master Key also supplies a weak-password dictionary of commonly used passwords to help users crack wireless networks. Although the tool's original purpose is to let everyone share networks, attackers can use it to get into other people's networks for further attacks, choosing different attack methods for different routers and even using the vulnerabilities described above against specific models.

Switcher virus

In December 2016, the "Switcher" virus hijacked routers' DNS settings via a new infection route: it first infected a mobile phone, then used a built-in weak-password dictionary to brute-force the router's web interface. If it succeeded, it set a malicious DNS server as the primary DNS, hijacking the user's entire network.

Fluxion

At the end of last year we also introduced a tool called Fluxion, whose way in is not the network itself but the router's user.

Fluxion uses a captured WPA handshake to control the behaviour of the login page and of the whole script. It jams the original network and creates a clone with the same name so that disconnected users join it, then shows a fake router-restart or firmware-loading page that asks for the network password in order to continue. Once the user enters the password, the attacker can use it to get into the network, and again can then turn the various router vulnerabilities into further attacks.

Fake page that users see

Prevention

Everyone is no doubt familiar with the defences against wireless protocol vulnerabilities: when setting up a router, choose WPA/WPA2 encryption and a sufficiently complex wireless password, and turn off the router's WPS function to prevent PIN attacks.

As for attacks that exploit router backdoors, you can prevent them from the following aspects:

First, check the router's port forwarding configuration. Home routers are in fact rarely exposed to the public network, especially since domestic ISPs block some ports, so for a hacker to get in through the router's web management page, the router must have been exposed to the public network.

Second, configure the router's security features, such as setting a password for the web management page and binding MAC addresses. If no port forwarding is configured, a hacker has to get onto the Wi-Fi network to attack, and neither WiFi Master Key nor the other intrusion methods above get around MAC address checking.
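The prevention advice above, together with the Switcher-style DNS hijack described earlier, can be turned into a repeatable check. The following audit is an added example, not code from the article: it takes a router configuration as a Python dict (a constructed stand-in for whatever a real router exports), reports wireless-protocol weaknesses, port forwards or remote management that expose the management plane, default admin passwords, and DNS resolvers that are neither the router itself nor a trusted server. The weak-password list, the 12-character passphrase threshold and the requirement for WPA2 rather than WPA/WPA2 are assumptions of the example, stricter than the article's wording.

```python
# Added example (not from the article): audit a home router's settings against
# the prevention advice above plus a check for Switcher-style DNS hijacking.
# The configuration dicts, thresholds and password list are constructed.
from ipaddress import ip_address, ip_network

WEAK_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "12345678"}  # constructed sample
MGMT_PORTS = {22, 23, 80, 443, 8080}   # ssh, telnet, http, https, alt-http
MIN_PASSPHRASE_LEN = 12                # assumed threshold for "sufficiently complex"


def audit_router(cfg: dict, trusted_dns: set) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    wifi, lan = cfg["wifi"], cfg["lan"]
    # wireless protocol weaknesses
    if wifi["security"] != "WPA2":
        findings.append(f"wireless security is {wifi['security']}; use WPA2")
    if len(wifi["passphrase"]) < MIN_PASSPHRASE_LEN:
        findings.append("Wi-Fi passphrase is too short")
    if wifi["wps_enabled"]:
        findings.append("WPS is enabled; turn it off to stop PIN brute force")
    if not wifi["mac_filter_enabled"]:
        findings.append("MAC address binding is not enabled")
    # management plane reachable from the public network
    router_ip = ip_address(lan["router_ip"])
    for rule in cfg["port_forwards"]:
        if ip_address(rule["to_ip"]) == router_ip and rule["to_port"] in MGMT_PORTS:
            findings.append(f"port forward WAN:{rule['from_port']} -> "
                            f"router:{rule['to_port']} exposes management")
    if cfg["remote_management"]:
        findings.append("remote (WAN-side) management is enabled")
    if cfg["admin_password"].lower() in WEAK_ADMIN_PASSWORDS:
        findings.append("admin password is default or weak")
    # DNS hijack: resolvers must be the router itself (on the LAN) or trusted
    lan_net = ip_network(lan["network"])
    for dns in cfg["dns_servers"]:
        if dns not in trusted_dns and ip_address(dns) not in lan_net:
            findings.append(f"DNS server {dns} is neither trusted nor on the LAN")
    return findings


def weak_config() -> dict:
    """Constructed example of a typical out-of-the-box setup, after a
    Switcher-style change of the primary DNS server."""
    return {
        "wifi": {"security": "WPA", "passphrase": "12345678",
                 "wps_enabled": True, "mac_filter_enabled": False},
        "lan": {"network": "192.168.1.0/24", "router_ip": "192.168.1.1"},
        "port_forwards": [{"from_port": 8080, "to_ip": "192.168.1.1", "to_port": 80}],
        "remote_management": True,
        "admin_password": "admin",
        "dns_servers": ["198.51.100.7"],   # constructed rogue resolver
    }


def hardened_config() -> dict:
    """The same router with every finding corrected."""
    cfg = weak_config()
    cfg["wifi"] = {"security": "WPA2", "passphrase": "correct-horse-battery-9",
                   "wps_enabled": False, "mac_filter_enabled": True}
    cfg["port_forwards"] = []
    cfg["remote_management"] = False
    cfg["admin_password"] = "Xk7!pq2Lm9#wz"
    cfg["dns_servers"] = ["192.168.1.1"]
    return cfg


TRUSTED_DNS = {"203.0.113.53"}   # constructed placeholder for the ISP's resolver

if __name__ == "__main__":
    for name, cfg in (("weak", weak_config()), ("hardened", hardened_config())):
        print(f"[{name}]")
        for finding in audit_router(cfg, TRUSTED_DNS) or ["no findings"]:
            print("  -", finding)
```

The DNS check is the one that catches a compromise that has already happened rather than a weak setting: a router whose configuration is otherwise sound but whose resolver points at an unknown public address is exactly the end state of the Switcher infection, and comparing the configured resolvers against a short allowlist is a cheap way to notice it.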
