Routers – home and small business router vulnerabilities

We think (a lot) about keeping our computers up to date, virus free and protected with passwords. But stop and consider this: the wireless router that sits in the corner of the office and quietly handles all your WiFi and Ethernet network traffic is actually a small computer, and it is connected to the outside world. When is the last time you thought of updating it or making sure it is secure?

There have been some recently published hacks for popular brands of routers that can allow someone from the outside to reconfigure your router, or even see files on your shared drives. It’s time to update your router and lock it down properly.

General rules for all routers:

  1. Set strong admin passwords,
  2. Turn off all unneeded services and
  3. Update firmware.

Go into the administrative interface – usually by using a Web browser on an Ethernet-connected computer to go to the router’s address, such as 192.168.0.1 (this varies by brand and model; see your owner’s manual or check www.computer-answers.ca/2012/internet-networking/q-what-is-my-routers-address/).
You can do this from a WiFi-connected computer as well, but it is a pain because the WiFi connection drops every time the router restarts or you change a wireless setting. Better to get out a cable for this work.

Now check that you have an Administrative password set (this is different from the WiFi password/key). If it is still at the default “Admin: Admin” or “Admin: {blank}” then your router could be wide open for anyone to change its settings.
The first step is to change the Administrative password to something strong: a non-dictionary word with a mixture of letters and numbers. Don’t use an easy keyboard walk like ‘12345’ or ‘qwerty’, and don’t use a simple substitution like ‘r0ut3r’ (password-cracking tools try those substitutions first). Write this password down on the inside cover of the user manual, or keep it in a password manager, for reference later. If you cannot get into the Admin interface, you can reset the router and start from scratch. See http://computer-answers.ca/2012/internet-networking/q-i-have-lost-the-password-to-my-router-how-do-i-reset-it/
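To make those password rules concrete, here is a small checker that rejects exactly the kinds of passwords just described. It is an added example written for this post, not code from any router’s firmware; the short word list, the substitution table and the minimum length of 12 characters are assumptions (a real check would load a full dictionary such as /usr/share/dict/words).

```python
import re

# Constructed stand-in for a real dictionary (assumption: a real check would
# load a full word list, for example /usr/share/dict/words).
DICTIONARY = {
    "router", "password", "admin", "wireless", "internet", "network",
    "linksys", "netgear", "welcome", "letmein", "secret",
}

# Keyboard walks and number runs; a password that is a slice of one of these
# (forwards or backwards) is rejected.
KEYBOARD_WALKS = (
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz",
)

# Common digit/symbol-for-letter substitutions, undone before the dictionary
# check so that 'r0ut3r' is still recognised as 'router'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def check_admin_password(pw, min_length=12):
    """Return the list of reasons a candidate admin password is weak.

    An empty list means it passed every rule from the post: long enough,
    mixed letters and numbers, not a keyboard walk, not a dictionary word
    (with or without simple substitutions), and not a factory default.
    """
    problems = []
    lowered = pw.lower()

    if len(pw) < min_length:
        problems.append("shorter than %d characters" % min_length)

    if not re.search(r"[a-zA-Z]", pw) or not re.search(r"[0-9]", pw):
        problems.append("needs a mixture of letters and numbers")

    # Strip punctuation, then test against each walk and its reverse.
    core = re.sub(r"[^a-z0-9]", "", lowered)
    if core and any(core in w or core in w[::-1] for w in KEYBOARD_WALKS):
        problems.append("keyboard walk or number run")

    # Three views of the password: as typed, letters only ('admin1234' ->
    # 'admin'), and with leet substitutions undone ('r0ut3r' -> 'router').
    letters_only = re.sub(r"[^a-z]", "", lowered)
    leet_undone = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    if {lowered, letters_only, leet_undone} & DICTIONARY:
        problems.append("dictionary word, possibly with simple substitutions")

    if lowered in ("", "admin"):
        problems.append("factory default")

    return problems


if __name__ == "__main__":
    for candidate in ("admin", "12345", "qwerty", "r0ut3r", "admin1234",
                      "Maple7Canoe41Lantern"):
        print("%-22s %s" % (candidate, check_admin_password(candidate) or "OK"))
```

Note that ‘admin1234’ satisfies the letters-and-numbers rule on its own; it is only caught because the letters are compared against the word list after the digits are stripped, which is why a checker has to look at more than one view of the password.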

Also consider changing the default IP address of the router away from the well known 192.168.1.1 or similar to another address in a private IP range, such as 10.10.156.8 (write the last number without a leading zero: an address like 10.10.156.08 is ambiguous, because some software reads a leading zero as octal and rejects it).
Then all of your machines would use 10.10.156.8 as the Gateway or Router address and 10.10.156.xxx as their internal IP addresses. This doesn’t make the router itself more secure, but it makes it harder to find when malware scans the typical default addresses.

Next, turn off any and all

  • Remote Administration and any other Remote access,
  • FTP,
  • Torrent/P2P,
  • Telnet,
  • WPS and UPnP (Universal Plug and Play),
  • VPN or
  • Cloud services

that the router may have.

These will vary by brand and model. If you are not sure, check the router manual or go online to the manufacturer’s support pages for your model. If your business requires cloud/VPN/Remote access, consider investing in a more secure business-class router instead of a home/small business class product.
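Once those services are switched off, it is worth confirming from the network that they really are, rather than trusting the checkbox. The probe below is an added example (not part of the original post and not a manufacturer tool) that attempts a TCP connection to the ports those services normally use and reports anything that answers. The port table and the router address 192.168.1.1 are assumptions to adjust for your model; WPS and UPnP discovery use UDP and are not covered by a TCP probe.

```python
import socket

# Services the post tells you to switch off, and the TCP ports they usually
# listen on. Assumption: your model may use other ports; adjust the table.
# (WPS and UPnP discovery run over UDP and are not covered by a TCP probe.)
SERVICE_PORTS = {
    21: "FTP",
    22: "SSH (remote administration)",
    23: "Telnet",
    80: "HTTP admin interface",
    443: "HTTPS admin interface",
    445: "SMB / Samba file sharing",
    8080: "HTTP admin interface (alternate port)",
    8443: "HTTPS admin interface (alternate port)",
}


def open_services(host, ports=SERVICE_PORTS, timeout=1.0):
    """TCP-connect to each port on host; return {port: name} for the ones that answer."""
    found = {}
    for port, name in sorted(ports.items()):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                # connect_ex returns 0 on success and an errno (for example
                # ECONNREFUSED) on failure instead of raising.
                rc = s.connect_ex((host, port))
            except OSError:          # timeout or unreachable host: treat as closed
                rc = -1
            if rc == 0:
                found[port] = name
    return found


def unexpected_services(host, ports=SERVICE_PORTS, keep=(443,), timeout=1.0):
    """Everything listening that is not on the short list you meant to leave on."""
    return {p: n for p, n in open_services(host, ports, timeout).items()
            if p not in keep}


if __name__ == "__main__":
    # Assumption: the router answers on 192.168.1.1 on the LAN side. Run the same
    # probe from outside your network (a phone on mobile data, for example)
    # against your public address to confirm nothing is reachable from the WAN.
    for port, name in unexpected_services("192.168.1.1").items():
        print("port %5d open: %s" % (port, name))
```

The LAN-side probe tells you what your own machines (and any malware on them) can reach; the same probe from outside against your public address is the one that matters for Remote Administration, FTP and the other services the post says to turn off.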

Then, check your router firmware. Microsoft releases security fixes for Windows every month (and sometimes more often) to patch vulnerabilities and bugs. Your router manufacturer also updates its firmware for the same reason, but you probably haven’t had a router upgrade installed since 2009. Most manufacturers let you check for upgrades from within the router admin software; some require you to go to their website and download the file separately. Before you update, write down all of your settings, including WiFi passwords and the Admin password, as you may need to re-enter them later. Read and follow the update instructions carefully, and do the update over the wired connection, not WiFi.

Remember to log out each time you have used the Administrative interface, then restart the router, clear your browser cookies and restart your browser. Staying logged in to the Admin screen increases the vulnerability of the router: while your browser holds a valid admin session, any web page you visit can make that browser send requests to the router (a cross-site request forgery), so an attacker has an additional way in, through your browser.

Do not follow web links sent through email, displayed in web browser popups or delivered by other methods; they may lead to malware or a poisoned web page. Be especially vigilant for links that point at internal network addresses (the private ranges 192.168.xxx.xxx, 172.16.xxx.xxx to 172.31.xxx.xxx, and 10.xxx.xxx.xxx) – these could be attempted attacks against your network equipment or servers, carried out from inside your own browser.
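As an added example (not from the original post), here is a check that decides whether a link is aimed at one of those internal ranges. It covers the three private ranges the post lists plus loopback and link-local addresses, strips the ‘user:password@’ and port parts that are often used to make such links look harmless, and decodes the bare-decimal form of an IPv4 address (http://3232235777/ is 192.168.1.1 to a browser), which is a common way to disguise one. Hostnames would need a DNS lookup, so the only name it recognises offline is ‘localhost’.

```python
import ipaddress
from urllib.parse import urlsplit

# The private ranges the post lists (RFC 1918), plus loopback and link-local
# addresses, which point at your own machine or LAN just the same.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def host_address(url):
    """Return the IP address a URL points at, or None if the host is a name.

    urlsplit().hostname already strips 'user:pass@', ports and IPv6 brackets,
    so 'http://admin:admin@192.168.1.1:8080/' yields '192.168.1.1'. Browsers
    also accept a bare decimal number as an IPv4 address ('http://3232235777/'
    is 192.168.1.1), a trick used to disguise links, so that form is decoded too.
    """
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        if host.isdigit():
            return ipaddress.IPv4Address(int(host))   # ValueError if > 32 bits
        return ipaddress.ip_address(host)
    except ValueError:
        return None                                   # a hostname, not an address


def link_targets_internal_address(url):
    """True if the link is aimed at your own network rather than the Internet."""
    addr = host_address(url)
    if addr is None:
        # Hostnames would need a DNS lookup; 'localhost' is the one we know offline.
        return (urlsplit(url).hostname or "").lower() == "localhost"
    # 'in' is False across address families, so IPv4 addresses are only
    # matched against IPv4 networks and vice versa.
    return any(addr in net for net in INTERNAL_NETWORKS)


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for link in ("http://192.168.1.1/",
                 "http://admin:admin@10.10.156.8:8080/setup.cgi",
                 "http://3232235777/",
                 "http://[fe80::1]/",
                 "https://www.computer-answers.ca/"):
        print("%-48s internal=%s" % (link, link_targets_internal_address(link)))
```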

Specific vulnerabilities

Asus Routers

Leaving some of the standard Asus features enabled could allow an outsider to read files on a shared hard disk or USB stick plugged into the router.

In addition to the general steps above (including updating the firmware), turn off “AiCloud”, “Cloud Disk”, “Smart Access”, “Smart Sync” and “Samba” (SMB file sharing).

Asus downloads  support.asus.com/download/options.aspx?SLanguage=en

TP-Link and D-Link Routers and routers running ZynOS

An attack against TP-Link, D-Link, Micronet, Tenda, ZyXEL and other brands of routers changes the DNS server settings on the router, so the addresses your computer looks up for websites come from a server the attacker controls. With that in place the attacker can send you to a lookalike site for your bank, charge card company or another likely target, even though you typed the right address.

The first defense is to reset your router to factory defaults (which removes the altered DNS settings), then immediately set a new, strong administrative password and turn off remote administration.

Then upgrade the firmware of the router. Go to the website of the router manufacturer and download the latest firmware revision, and afterwards check that the DNS server settings in the router (and the ones your computers receive from it) are the ones you expect.
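Here is an added example (not from the original post) of that last check: it reads the resolver list a computer received from the router, in the format Linux keeps in /etc/resolv.conf (on Windows the same addresses appear under “DNS Servers” in ipconfig /all), and flags any server that is neither the router itself nor one you chose. The sample file, the router address 192.168.1.1 and the trusted resolver addresses are constructed for the example and use documentation ranges, not real resolvers.

```python
import ipaddress

# Constructed sample of what a computer reports after getting its settings
# from the router by DHCP (Linux /etc/resolv.conf format). The second entry
# is the kind of server the DNS-changing attack would plant.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 203.0.113.53   # not something we configured
"""

# Assumptions for the example: the router's LAN address, and the resolvers you
# (or your ISP) chose. Documentation-range addresses, not real resolvers.
ROUTER_LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
TRUSTED_RESOLVERS = {ipaddress.ip_address(a)
                     for a in ("198.51.100.10", "198.51.100.11")}


def parse_resolvers(text):
    """Pull the nameserver addresses out of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                pass                                    # malformed line, skip it
    return servers


def unexpected_resolvers(servers, router=ROUTER_LAN_ADDRESS,
                         trusted=TRUSTED_RESOLVERS):
    """Resolvers that are neither the router itself nor on your trusted list.

    A public address you never configured is the tell-tale sign of the
    DNS-changing attack. Run the same comparison on the router's own WAN-side
    DNS settings: a hijacked router can still hand out its LAN address to
    your computers and forward their lookups to the attacker's servers.
    """
    return [str(s) for s in servers if s != router and s not in trusted]


if __name__ == "__main__":
    found = parse_resolvers(SAMPLE_RESOLV_CONF)
    print("resolvers in use:", [str(s) for s in found])
    print("unexpected:", unexpected_resolvers(found))
```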

TP-Link www.tp-link.com/ca/Support/download/
D-Link support.dlink.com/
Micronet (Taiwan) www.micronet.com.tw/mod/support/index.php?REQUEST_ID=cGFnZT1kbA==
Tenda (China)  www.tenda.cn/tendacn/DownLoads/?TagId=42
Zyxel  www.zyxel.com/us/en/support/download_library.shtml

www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-settings.html

Linksys Routers

Linksys routers, potentially including models E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900, were hit by malware called the Moon worm (also written “TheMoon”). It bypasses the Admin password through a vulnerability in the router’s software, so a strong password alone does not protect you. At the time of writing there is no firmware fix.

The most important action to take is to turn off Remote Administration and reset the router.

Then check Linksys or Belkin’s website for the existence of a firmware upgrade (Belkin recently purchased the Linksys brand from Cisco). Most Linksys E Series routers do not have a firmware upgrade listed in the past 6 months to a year, if at all. This is a pressing issue since the worm has been described for at least a month; you will need to decide at some point whether to continue using the Linksys product with an exposed vulnerability, or change it for a different brand of product that has regular firmware support.

support.linksys.com/en-us/support?icid=global-header-support-link

www.belkin.com/us/support-article?articleNum=10797

www.computerworld.com/s/article/9246344/_The_Moon_worm_infects_Linksys_routers?taxonomyId=17

NetGear Routers 

Netgear released firmware upgrades at the end of January 2014 to patch a vulnerability in some of its routers. downloadcenter.netgear.com/

ReadyNAS:

Although not a router, ReadyNAS storage devices are often exposed to the Internet to act as FTP servers, download stations and so on. A bug in the RAIDiator software that runs the ReadyNAS lets an outsider inject and run scripts on the device through its web (HTTP) interface.

Upgrade the RAIDiator or OS6 firmware of the NAS: kb.netgear.com/app/answers/detail/a_id/20684/~/readynas-downloads
