Businesses Warned of Router, Riddled with Security Holes and a Zero-day Exploit


When you buy a new piece of computer hardware, and connect it to your network, I really hope that you check whether there are any security updates available.

A security researcher from Singaporean firm Vantage Point Security is giving a presentation this week at the Hack in the Box conference about just how disturbingly easy it is to compromise SOHO routers. Lyon Yang claims to have found a series of zero-day vulnerabilities, and will demonstrate that it is "quite easy to pull off [a] remote hijack exploit" against routers made by ZHONE, potentially secretly monitoring victims' internet traffic or installing malicious code.

In particular, the problem is said to impact businesses and home users in Singapore, where at least one internet provider is said to mandate that the ZHONE router is used by customers to access their services.

ZHONE is said to have informed the telecoms operator (which hasn't been named yet) about the problem, and patches are said to have been developed. However, concerns remain about the effectiveness of the patches, and there are question marks about just how easy it is to update the vulnerable devices, as The Register reports:

"Yang says the most complex vulnerabilities of the set are two stack overflows. A remote hijack hole via the router's ping functionality is partially fixed but still exploitable as of the time of writing.

He says the ISP does not provide users with the router credentials normally required for users to access admin panels and update firmware, but they are stored in cleartext within a backup configuration file which users can access.

Attackers can overwrite that file to set their own arbitrary passwords, however."

So, how would a malicious attacker find out that you are running a vulnerable router on your enterprise network in the first place? The answer is that they could use a tool like Shodan, the search engine for the internet of things. Shodan is a different type of search engine than Google or DuckDuckGo, because rather than searching for words on webpages it hunts through the technical characteristics of devices attached to the net - something that traditional web searches typically ignore.

This can be a boon for malicious hackers, who can use Shodan to hunt for web servers, webcams, home heating or SCADA industrial control systems, and - of course - routers. So, a router with a particular known vulnerability, a weak default password or other security weakness that can be exploited, might be easily discovered through the use of Shodan.

As Lyon Yang told The Register, Shodan helped him quickly find "a large number of routers from users in different countries - some of the top enterprises use it." At this point you might be thinking that maybe Shodan should be banned (as if anything is possible to ban on the internet...), or at least that it cannot be considered a good thing. But think of it this way - maybe your IT security team could use a tool like Shodan to check your own company's security?

Maybe you could adjust Shodan's filters to discover just how much information about your network infrastructure you are leaking out to the public internet, and how good a job you are doing at keeping it up to date and secure? However, as with many things in the world of computer security, there's another side of the coin.

IT teams can use tools like Shodan to help them check their company's security, testing with various filters to determine if web servers - for instance - are running a particular version of Apache, or if devices which shouldn't be visible to the outside world are revealing their existence online.
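One way an IT team could run that kind of self-check offline over a saved Shodan export, as an added example that is not part of the original article: the field names are assumed to follow Shodan's JSON export format, and the hosts, banners and policy thresholds are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of a Shodan JSON export (one JSON object per
# line). Field names (ip_str, port, product, version, data) are assumed to
# match Shodan's export format; the hosts and banners are invented.
SAMPLE_EXPORT = """
{"ip_str": "203.0.113.10", "port": 80, "product": "Apache httpd", "version": "2.2.15", "data": "Server: Apache/2.2.15"}
{"ip_str": "203.0.113.11", "port": 443, "product": "nginx", "version": "1.18.0", "data": "Server: nginx/1.18.0"}
{"ip_str": "203.0.113.12", "port": 23, "product": null, "version": null, "data": "Login: "}
{"ip_str": "203.0.113.13", "port": 80, "product": "Apache httpd", "version": "2.4.57", "data": "Server: Apache/2.4.57"}
{"ip_str": "198.51.100.5", "port": 80, "product": "Apache httpd", "version": "2.2.15", "data": "Server: Apache/2.2.15"}
"""

# Hypothetical review policy: our own public ranges, the oldest Apache release
# we still accept, and management ports that should never face the internet.
OUR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MIN_APACHE = (2, 4)
MGMT_PORTS = {22, 23, 8080, 8443}


def parse_export(text):
    """Parse newline-delimited JSON banners into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def version_tuple(version):
    """Turn '2.2.15' into (2, 2, 15); a non-numeric part ends the tuple."""
    parts = []
    for piece in (version or "").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def review_exposure(records):
    """Return (ip, port, issue) findings for banners inside OUR_RANGES."""
    findings = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in net for net in OUR_RANGES):
            continue  # somebody else's host, not our exposure
        if rec.get("port") in MGMT_PORTS:
            findings.append((rec["ip_str"], rec["port"], "management port exposed"))
        product = rec.get("product") or ""
        if product.startswith("Apache") and version_tuple(rec.get("version")) < MIN_APACHE:
            findings.append((rec["ip_str"], rec["port"], f"outdated Apache {rec['version']}"))
    return findings


if __name__ == "__main__":
    for ip, port, issue in review_exposure(parse_export(SAMPLE_EXPORT)):
        print(f"{ip}:{port} - {issue}")
```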

Whether or not you test your own systems for security weaknesses is ultimately your choice. But please, at the very least, make sure that none of your network equipment is still using the default user/admin passwords it shipped with - and if you don't need to access your router remotely, disable that functionality.

Virtualization and Cloud Security News from Bitdefender