Flashing Home Routers
In a recent blog posting (http://www.gnucitizen.org/blog/hacking-the-interwebs) the GNUCITIZEN security think tank published some new research on the security of home routers – specifically on how to modify router settings from an external location using Adobe Flash. The techniques, if I understand them correctly, are quite powerful and have widespread implications, so I wanted to describe them here.
Home broadband routers have a management configuration interface that allows users to change settings on the device. Typically, routers are configured through a Web interface. For example, the router’s owner would go to the administrative page for the router (which would be located on an internal network host, such as http://192.168.1.100), authenticate by entering a username and password, and then log in.
Well, the GNUCITIZEN Flash attacks are a hundred times more dangerous. They take advantage of a second, perhaps lesser known, management interface on home routers – namely, the Universal Plug and Play (UPnP) interface. This interface leverages the Simple Object Access Protocol (SOAP). In reality, SOAP messages are basically just HTTP POST requests where the Content-Type is set to application/xml, and that include a SOAPAction header as well as a request body that is compliant with the protocol’s message format.
However, these messages can be sent using the Adobe Flash plug-in. What’s worse is that many home routers accept SOAP messages without requiring any type of authentication. When you combine these two observations, it’s possible to create a Web page (containing an appropriate malicious Flash object) that, when simply viewed, will reconfigure your home router settings. Even if you employ traditional protections such as password protection on the router or WPA encryption, you will not be protected against these types of threats.
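The two observations above (a SOAP call is just a POST with an XML Content-Type and a SOAPAction header, and many routers accept such calls with no credentials) translate directly into a detection rule a defender can run over captured HTTP traffic on the LAN side of the router. The following is an added example, not code from the original post or from GNUCITIZEN: it parses raw HTTP requests, flags those that match the UPnP/SOAP pattern, records whether the request carried any credentials, and notes when the Referer points at an origin other than the router itself. The sample traffic, the router address, the control path and the service URN are all constructed placeholders.

```python
"""Detection example (added here, not part of the original post): flag HTTP
requests that match the UPnP/SOAP management pattern the post describes --
a POST with an XML Content-Type and a SOAPAction header -- and note whether
the request carried any credentials or was triggered from another origin."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Content types under which SOAP bodies are commonly sent.
SOAP_CONTENT_TYPES = {"application/xml", "text/xml", "application/soap+xml"}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.1 request: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def soap_action(req: HttpRequest) -> Optional[str]:
    """Return the SOAPAction value if the request looks like a SOAP call, else None."""
    if req.method != "POST" or "soapaction" not in req.headers:
        return None
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in SOAP_CONTENT_TYPES:
        return None
    return req.headers["soapaction"].strip('"')


def envelope_ok(body: str) -> bool:
    """True if the body parses as XML whose root element is a SOAP Envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag.endswith("}Envelope") or root.tag == "Envelope"


def classify(req: HttpRequest) -> Optional[Dict[str, object]]:
    """Describe a SOAP management call, or return None for anything else."""
    action = soap_action(req)
    if action is None:
        return None
    finding: Dict[str, object] = {
        "action": action,
        "path": req.path,
        "well_formed": envelope_ok(req.body),
        # The post's point: many routers require no credentials at all here.
        "authenticated": "authorization" in req.headers or "cookie" in req.headers,
        "cross_site": False,
    }
    referer = req.headers.get("referer")
    host = req.headers.get("host")
    if referer and host and urlsplit(referer).netloc.lower() != host.lower():
        finding["cross_site"] = True  # a page on another origin made the call
    return finding


def scan(raw_requests: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a list of raw requests and keep the SOAP findings."""
    findings: List[Dict[str, object]] = []
    for i, raw in enumerate(raw_requests):
        f = classify(parse_request(raw))
        if f is not None:
            f["index"] = i
            findings.append(f)
    return findings


# Constructed sample traffic (not captured from any real device). The router
# address, control path, service URN and credentials are placeholders.
SAMPLE_REQUESTS = [
    "GET /admin.html HTTP/1.1\r\nHost: 192.168.1.100\r\n\r\n",
    ("POST /upnp/control/config HTTP/1.1\r\n"
     "Host: 192.168.1.100\r\n"
     "Referer: http://external.example/page.html\r\n"
     "Content-Type: text/xml; charset=\"utf-8\"\r\n"
     "SOAPAction: \"urn:example-org:service:Config:1#SetSetting\"\r\n"
     "\r\n"
     "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
     "<s:Body><u:SetSetting xmlns:u=\"urn:example-org:service:Config:1\"/>"
     "</s:Body></s:Envelope>"),
    ("POST /upnp/control/config HTTP/1.1\r\n"
     "Host: 192.168.1.100\r\n"
     "Authorization: Basic cGxhY2Vob2xkZXI6cGxhY2Vob2xkZXI=\r\n"
     "Content-Type: application/xml\r\n"
     "SOAPAction: \"urn:example-org:service:Config:1#GetSetting\"\r\n"
     "\r\n"
     "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
     "<s:Body/></s:Envelope>"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        level = "ALERT" if not f["authenticated"] or f["cross_site"] else "info"
        print(level, f)
```

On the constructed sample the second request is the one worth alerting on: a SOAP action with no credentials whatsoever, referred from an outside origin. The third carries an Authorization header and no cross-site Referer, so it is logged at a lower level; a real deployment would also compare the action name against the set of management actions the owner actually expects to be invoked.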
These threats come about because of the increased complexity that arises from interactions among numerous technological components – for example, between the Flash Web browser plug-in and the SOAP interface on routers. Often these components can interact in unexpected ways, causing new vulnerabilities to arise.
Fortunately, the particular attack I just described has not, as far as I know, been seen in the wild. And it’s not clear to me that we’ll see it any time soon either. Attackers like to take the simplest approach that works – and the reality is that more attackers leverage “human” vulnerabilities rather than technological vulnerabilities. There’s little reason to exploit a hole in a particular product when you can simply convince a computer user to lower their own security. Nonetheless, attacks like these are powerful and we would all be in serious trouble if attackers started employing them.