- January 13, 2015
- Info notes
Small Office and Home users of the internet often access the network through a device provided by their Internet Service Providers (ISPs). This device usually performs multiple functions: router, Wi-Fi access point, subscription control, etc. The device can be completely off-the-shelf, or customised by the user's ISP.
This info note aims to highlight some of the security problems that users are exposed to through their home router.
Many of these devices are prone to vulnerabilities that expose the subscriber and/or other users to unnecessary risk. The devices' default configuration is often insecure, with well-known default passwords. In a typical example of favouring user-friendliness over security, Wi-Fi Protected Setup (WPS) is generally enabled by default, even though the protocol is vulnerable to brute-force attacks. Beyond default configuration, there are numerous reports of Cross-Site Scripting and Authentication Bypass vulnerabilities. To make matters worse, vendors are not very responsive to vulnerability reports.
Home routers are already actively exploited by cyber-criminals. Earlier in 2014, an internet worm infected certain models of Linksys routers. More recently, hacked home routers have been used to perform the attack that crippled Sony's PlayStation Network and Microsoft's Xbox Live service.
Another worrying instance of this problem was disclosed in December 2014 by researchers from Check Point. Devices that use the "RomPager" software can be taken over by anyone on the internet. This would allow a hacker to monitor traffic, intercept passwords, interrupt connections, perform illegal operations that would be traced back to an innocent user, etc. This software is used in more than 200 devices by all major brands. Check Point estimates the number of vulnerable devices at more than 12 million, spread all over the world.
Worse, a patch for this latest vulnerability has been available from the software's authors for years, but device makers and ISPs have been slow to roll out the patches. In most cases, this is due to the following factors:
- There is no auto-update mechanism in place that allows vendors to push patches;
- ISPs that customise the devices don't always follow up on patches.
Some users are tech-savvy enough to install new software on their device, but they have no guarantee that this process will not break their internet connection.
It is not reasonable to expect users to update their home routers themselves, as the risk of completely breaking their internet connection is too great. They thus have to mitigate the impact of the problem:
- Enable or install a host-based firewall on their machines to prevent unauthorised access;
- Enable or install anti-virus and anti-malware software;
- Prefer encrypted web traffic (HTTPS) over non-encrypted traffic.
More tech-savvy users can nevertheless update their routers manually, provided they know what they are doing and their provider makes updates available for users to apply.
Vendors' first responsibility is to ship quality products, including security features and configuration. They also have the responsibility to update their devices, and to follow up on patches provided by their suppliers. We thus recommend that vendors:
- Design software securely;
- Test the security of the devices;
- Provide a secure configuration by default;
- Provide installation instructions that lead to a secure set-up (changing default password, etc.);
- Provide reporting channels, and act on vulnerability reports;
- Provide patches for vulnerabilities in a timely manner, including vulnerabilities in third-party software and libraries;
- As much as possible, provide easy methods for users to update their device.
ISPs that provide customised devices have the same responsibility as vendors, but they are also in a position to test patches and make sure that they do not break access to the network. In addition to our recommendations for vendors, we also recommend that ISPs:
- Harden the configuration of the devices they deliver to their subscribers;
- Test the compatibility of patches;
- Provide an automatic, secure and reliable update mechanism for their devices.
About “Info Notes” from ENISA
With the “Info Notes” series, ENISA aims to give the interested reader some background and recommendations on NIS-related topics. The background and recommendations are derived from past experience and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the “Info Notes” series (firstname.lastname@example.org).