Shockingly Simple Flaw Leaves 'Millions Of Home Routers Open To Attack'

This article is more than 8 years old.

Millions of home and office routers are likely affected by a fresh vulnerability that is remarkably simple to exploit under the right conditions, researchers warned today.

The problem lies in the NetUSB component resident on many modern routers, including models from major manufacturers Netgear, TP-Link and TrendNet. NetUSB, produced by Taiwanese vendor Kcodes, allows users to plug printers, flash drives and other USB-connected devices into their routers so they can be accessed over the network.

When a PC or other client connects to NetUSB, it provides a name so it can be recognised as an authorised device. Whilst the authentication process is “useless” as the encryption keys used are easy to extract, said Austrian security testing outfit SEC Consult, it’s also possible for an attacker who has acquired access to the network to force a buffer overflow by providing a name longer than 64 characters. “Attackers within the local network can easily exploit this issue,” said Johannes Greil, head of SEC Consult Vulnerability Lab.
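An added example, not part of the original article and not Kcodes' code: a hypothetical C handler for the client-name step described above, showing an unchecked copy beside a bounds-checked one. The struct, the function names and the peer-supplied length field are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64  /* limit taken from the article's "64 characters" */

/* Hypothetical per-client record; not the vendor's actual layout. */
struct client {
    char name[NAME_MAX_LEN + 1];  /* +1 for the terminating NUL */
    int  authorised;              /* sits directly after the buffer */
};

/* Unsafe pattern, shown for contrast only: trusts the length announced
 * by the peer. A claimed_len above NAME_MAX_LEN writes past c->name
 * and into whatever follows it in memory. */
void set_name_unchecked(struct client *c, const char *wire, size_t claimed_len)
{
    memcpy(c->name, wire, claimed_len);
    c->name[claimed_len] = '\0';
}

/* Hardened form: reject (do not truncate) any name that does not fit,
 * and never read more bytes than were actually received.
 * Returns 0 on success, -1 if the request must be dropped. */
int set_name_checked(struct client *c, const char *wire,
                     size_t claimed_len, size_t received_len)
{
    if (claimed_len > received_len)       /* peer lied about the length */
        return -1;
    if (claimed_len > NAME_MAX_LEN)       /* would overflow c->name */
        return -1;
    if (memchr(wire, '\0', claimed_len))  /* embedded NUL: malformed name */
        return -1;
    memcpy(c->name, wire, claimed_len);
    c->name[claimed_len] = '\0';
    return 0;
}

int main(void)
{
    struct client c = {0};
    char oversized[100];                  /* constructed sample input */
    memset(oversized, 'A', sizeof oversized);
    printf("9-byte name:   %d\n", set_name_checked(&c, "office-pc", 9, 9));
    printf("100-byte name: %d\n", set_name_checked(&c, oversized, 100, 100));
    return 0;
}
```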

Buffer overflow flaws are one of the best-known classes of vulnerability, as they allow code to be written to memory outside the boundaries of a piece of software. But the weakness found by SEC Consult is a somewhat rarer beast - the exploit code would run at the kernel level, the heart of the routers’ computing functions. That means an attacker could either wipe out or compromise a router to install malware and spy on its owners, though Greil and his team haven't proven the latter, only the former. And a hacker may need to have more specialist knowledge of specific router kernels to install malware on the machine, as the wrong code could simply crash the router, noted HD Moore, from security consultancy Rapid7.

SEC Consult confirmed the vulnerability in a number of router adaptations of NetUSB, including Netgear ReadyShare and TP-Link Print Share. By downloading firmware, the researchers also uncovered NetUSB in a range of other products, including D-Link, TrendNet and Zyxel routers, but have not probed them in labs yet. In total, they uncovered 92 separate products from those vendors they believe to be vulnerable. The NetUSB feature was switched on by default across the devices.

But the problem could be even more pervasive. SEC found a driver used during NetUSB setup on PCs that named another 21 vendors whose products could be affected, including Western Digital and IOGEAR. The full list can be found on SEC Consult’s advisory.

It's currently unclear whether the flaw is exploitable remotely. If devices are configured incorrectly, or another flaw resides on them, they may leave port 20005 open, meaning the NetUSB functionality is accessible from the wider internet.

Researcher Stefan Viehböck uncovered the flaw in February. Though SEC Consult had some contact with Kcodes, the manufacturer never responded to its questions around fixes and even cancelled a conference call to discuss the issue, according to an advisory handed to FORBES ahead of general publication. Viehböck decided to take his findings to CERT/CC (the Computer Emergency Response Team (CERT) at Carnegie Mellon’s Software Engineering Institute), which also put out a warning today and has helped coordinate disclosure with affected vendors.

Vendors respond

A TP-Link spokesperson said addressing the vulnerability had been a company priority ever since SEC Consult flagged the issue. “TP-Link is the only vendor that has already started releasing fixed firmware and has a schedule of continuously updating firmware,” they added.

Netgear said it would be issuing updates in the third quarter of this year to address this issue, providing the following comment: "Netgear takes customer security seriously and is actively updating the firmware to address any potential security vulnerability. We encourage our customers to make sure Wi-Fi security is turned on (this is the default setting on our routers and gateways) and to change the default password for the router to prevent unauthorised devices from accessing your network. In addition, we encourage our customers to always upgrade to the latest firmware and as a security precaution, to enable firewall on the operating system and periodically perform virus scan on your devices." FORBES understands the company has not been able to push out a patch immediately, due to the massive number of affected devices.

A D-Link spokesperson said: "We are not aware of this security issue affecting any D-Link products but are currently carrying out the necessary investigations to ensure all products comply with safety and quality standards."

None of the other manufacturers named above had responded to a request for comment.

How to protect yourself

Home routers have been deemed hopelessly vulnerable by many in the security community. Just last month, a basic coding error in D-Link routers was uncovered, potentially allowing outsiders a route into people’s home networks. The mistake provided attackers with “a sort of skeleton key to anything and everything on the router”, according to Sophos’ Paul Ducklin.

Security firm ISE and digital rights body the Electronic Frontier Foundation have been so appalled by the lack of security on routers they set up the SOHOpelessly Broken campaign to try to compel manufacturers to embed protections in their kit. In a competition they ran during last year’s Defcon conference, 15 new vulnerabilities were uncovered across a range of models.

As for the NetUSB flaw, users should be aware the feature was enabled on all devices SEC Consult checked and the service was still running even when no USB devices were attached. That means it is likely turned on all the time unless a user switches it off manually.

"We are recommending to disable the service (if supported by the vendor) and block port 20005 with a firewall. For Netgear devices there is no workaround according to the vendor - there is no possibility to disable the service or block the port with an integrated firewall. Hence an additional firewall would be needed," added Greil.

Users should keep an eye out for patches too. When they arrive, update as soon as possible to prevent any possibility of NetUSB exploits.