Posted by Virus Bulletin on Aug 26, 2014
Default password makes vulnerability easy to exploit.
Researchers at Trend Micro have discovered an easy-to-exploit backdoor in routers from Chinese manufacturer Netcore that allows an attacker to take almost complete control of the device, with very little that users can do to protect themselves.
The backdoor consists of the router listening on UDP port 53413 - a port which, in a common setup, will be accessible from the Internet. While a password is required to access the backdoor, this password is the same among all routers the firm produces. Trend Micro's Tim Yeh found there to be at least two million vulnerable routers listening on the Internet.
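The following is an added example, not code from the article or from Trend Micro: it scans netfilter-style firewall log lines for inbound UDP datagrams to port 53413 arriving on the WAN interface, which is the kind of check a defender can run on a perimeter device in front of such a router. The log format, the interface name `eth0` and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of netfilter/iptables-style log lines (not real traffic).
# eth0 is assumed to be the WAN interface, br0 the LAN bridge.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=UDP SPT=40001 DPT=53413 LEN=40
kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=UDP SPT=40002 DPT=53413 LEN=40
kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=53413 LEN=48
kernel: IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=UDP SPT=5000 DPT=53413 LEN=40
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=1234 DPT=53 LEN=60
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=1234 DPT=53413 LEN=60
"""

# Port the Netcore/Netis backdoor service listens on, as reported by Trend Micro.
BACKDOOR_PORT = 53413

# Fields we need from each log line; OUT= may be empty for inbound packets.
LINE_RE = re.compile(
    r"IN=(?P<iface>\S*) OUT=\S* SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def find_backdoor_probes(log_text, wan_if="eth0"):
    """Count, per source IP, UDP datagrams to the backdoor port seen on the WAN interface.

    Only UDP matters: the backdoor listens on UDP, so TCP to the same port
    and LAN-side traffic (other interfaces) are ignored to reduce noise.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line in the expected format
        if m["iface"] != wan_if:
            continue  # LAN-side management traffic, not an Internet-facing probe
        if m["proto"] != "UDP" or int(m["dpt"]) != BACKDOOR_PORT:
            continue
        hits[m["src"]] += 1
    return hits


if __name__ == "__main__":
    for src, n in find_backdoor_probes(SAMPLE_LOG).most_common():
        print(f"{src}: {n} UDP datagram(s) to port {BACKDOOR_PORT} on WAN")
```

Repeated datagrams from one external source to this port on a device that should never be managed from the Internet are worth investigating, and a firewall upstream of the router can drop inbound UDP 53413 outright.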
Having gained access to the router, the attacker's life is made even easier as the credentials of the web interface are stored in the clear on the device. The attacker can then perform man-in-the-middle attacks on any device that uses the router for Internet connectivity.
Connections using SSL/TLS are in principle not affected by such man-in-the-middle attacks, at least not when performed by run-of-the-mill attackers, but many services still use, or happily fall back to, an unencrypted and unauthenticated connection. Moreover, many an impatient user will probably ignore the warnings anyway.
Trend Micro has alerted the vendor, whose routers are sold outside China under the name Netis, but has yet to receive a response.
As the backdoor cannot be disabled, a skilled user could replace the firmware of the router with an open-source alternative. However, support among these alternatives for Netcore devices is rather limited, leaving security-conscious users of the routers little option but to replace the device.
The lack of security on the 'Internet of Things' is causing concerns among many security experts. Have you recently found some vulnerable devices, or perhaps discovered a way to protect them? We're looking for some last-minute papers for VB2014. You have until Thursday 28th August to submit your abstract.
Posted on 26 August 2014 by Martijn Grooten