Flashing Home Routers

Created: 21 Jan 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:54 GMT
By Zulfikar Ramzan

In a recent blog posting (http://www.gnucitizen.org/blog/hacking-the-interwebs) the GNUCITIZEN security think tank published some new research on the security of home routers – specifically on how to modify router settings from an external location using Adobe Flash. The techniques, if I understand them correctly, are quite powerful and have widespread implications, so I wanted to describe them here.

Home broadband routers have a management configuration interface that allows users to change settings on the device. Typically, routers are configured through a Web interface. For example, the router’s owner would go to the administrative page for the router (which would be located on an internal network host, such as http://192.168.1.100), authenticate by entering a username and password, and then log in.

In an earlier blog entry I talked about how one could modify router settings from an external location through this interface. We recently observed an instance of this attack in the wild. The attack, which was built on JavaScript host scanning techniques described by Jeremiah Grossman at BlackHat 2006, could be used to modify the router’s DNS server settings and thereby lead to instant pharming. The attack relies on the user not changing their default password (which is true in most cases) and the presence of a cross-site request forgery vulnerability on the router (which was present in all the major router models I had tested). At the time I thought this was a pretty devastating attack and I still think it’s worrisome.

Well, the GNUCITIZEN Flash attacks are a hundred times more dangerous. They take advantage of a second, perhaps lesser known, management interface on home routers – namely, the Universal Plug and Play (UPnP) interface. This interface leverages the Simple Object Access Protocol (SOAP). In reality, SOAP messages are basically just HTTP POST requests whose Content-Type is set to application/xml, and that include a SOAPAction header as well as a request body that is compliant with the protocol’s message format.

SOAP messages can be used to modify router settings, such as the choice of DNS server. While one can construct these messages using the JavaScript XMLHttpRequest object, it’s not possible to successfully mount an attack in this way, since doing so would violate the Web browser’s Same Origin policy – which cannot be circumvented unless one takes advantage of other vulnerabilities.

However, these messages can be sent using the Adobe Flash plug-in. What’s worse is that many home routers accept SOAP messages without requiring any type of authentication. When you combine these two observations, it’s possible to create a Web page (containing an appropriate malicious Flash object) that, when simply viewed, will reconfigure your home router settings. Even if you employ traditional protections such as password protection on the router or WPA encryption, you will not be protected against these types of threats.
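As an added illustration (not code from the original post or from GNUCITIZEN), here is a defender-side heuristic that inspects a raw HTTP request for the pattern just described: an unauthenticated, state-changing UPnP SOAP action whose Referer or Origin is a web page rather than the router itself. The action name X_SetDNSServer, the control URL and the addresses in the embedded sample are constructed placeholders, and the Set*/Add*/Delete* prefix test is a naming-convention heuristic, not a complete list.

```python
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
# UPnP naming convention: Get* actions read state; Set*/Add*/Delete* change it.
CHANGING_PREFIXES = ("Set", "Add", "Delete", "X_Set")

def assess_upnp_request(raw: bytes) -> dict:
    """Classify a raw HTTP request. severity: 'high' = unauthenticated state-changing
    SOAP action with a non-router Origin/Referer, 'medium' = unauthenticated only."""
    f = {"action": None, "authenticated": False, "cross_site": False,
         "state_changing": False, "severity": "none"}
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if (not lines[0].startswith("POST ") or "soapaction" not in headers
            or "xml" not in headers.get("content-type", "")):
        return f
    # SOAPAction is '"urn:schemas-upnp-org:service:<svc>:1#<Action>"' (quoted)
    action = headers["soapaction"].strip('"').rsplit("#", 1)[-1]
    try:  # the header's action must match the element carried inside <Body>
        body_el = ET.fromstring(body).find(SOAP_BODY)
    except ET.ParseError:
        return f
    if body_el is None or all(c.tag.rsplit("}", 1)[-1] != action for c in body_el):
        return f
    f["action"] = action
    f["authenticated"] = "authorization" in headers
    f["state_changing"] = action.startswith(CHANGING_PREFIXES)
    router_host = headers.get("host", "").split(":")[0]
    page = headers.get("origin") or headers.get("referer") or ""
    f["cross_site"] = bool(page) and router_host not in page.split("/")[2:3]
    if f["state_changing"] and not f["authenticated"]:
        f["severity"] = "high" if f["cross_site"] else "medium"
    return f

# Constructed sample of the request shape described in the post; the action name
# X_SetDNSServer, the control path and the addresses are placeholders.
SAMPLE = (
    b"POST /upnp/control/WANIPConn1 HTTP/1.1\r\nHost: 192.168.1.100\r\n"
    b"Referer: http://example.com/page.html\r\nContent-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#X_SetDNSServer"\r\n\r\n'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:X_SetDNSServer xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b"<NewDNSServer>192.0.2.53</NewDNSServer></u:X_SetDNSServer></s:Body></s:Envelope>"
)
```

Run over a proxy or packet-capture feed, the same function degrades to "medium" when the Referer points at the router's own admin page and to "none" for read-only Get* actions, which is the distinction a router-side filter requiring authentication for state-changing actions would enforce.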

These threats come about because of the increased complexity that arises from interactions among numerous technological components – for example, the Flash Web browser plug-in and the SOAP interface on routers. Often these components can interact in unexpected ways, causing new vulnerabilities to arise.

Fortunately, the particular attack I just described has not, as far as I know, been seen in the wild. And it’s not clear to me that we’ll see it any time soon either. Attackers like to take the simplest approach that works – and the reality is that more attackers leverage “human” vulnerabilities than technological vulnerabilities. There’s little reason to exploit a hole in a particular product when you can simply convince a computer user to lower their own security. Nonetheless, attacks like these are powerful and we would all be in serious trouble if attackers started employing them.