More than two million home routers have 'wide open backdoor'

Posted by   Virus Bulletin on   Aug 26, 2014

Default password makes vulnerability easy to exploit.

Researchers at Trend Micro have discovered an easy-to-exploit backdoor in routers from Chinese manufacturer Netcore that allows an attacker to take almost complete control of the device, with very little that users can do to protect themselves.

The backdoor consists of the router listening on UDP port 53413 - a port which, in a common setup, will be accessible from the Internet. While a password is required to access the backdoor, this password is the same among all routers the firm produces. Trend Micro's Tim Yeh found there to be at least two million vulnerable routers listening on the Internet.

Having gained access to the router, the attacker's life is made even easier as the credentials of the web interface are stored in the clear on the device. The attacker can then perform man-in-the-middle attacks on any device that uses the router for Internet connectivity.

Connections using SSL/TLS are in principle not affected by such man-in-the-middle attacks, at least not when performed by run-of-the-mill attackers, but many services still use, or happily fall back to, an unencrypted and unauthenticated connection. Moreover, many an impatient user will probably ignore the warnings anyway.

Trend Micro has alerted the vendor, whose routers are sold outside China under the name Netis, but has yet to receive a response.

As the backdoor cannot be disabled, a skilled user could replace the firmware of the router with an open-source alternative. However, support among these alternatives for Netcore devices is rather limited, leaving security-conscious users of the routers little option but to replace the device.
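Because the backdoor cannot be switched off on the device, the one check a defender can still make is at the perimeter: watch for UDP traffic to and from port 53413, the port the article says the backdoor listens on. The script below is an added example, not code from the Virus Bulletin post or from Trend Micro's research. It assumes a simplified, constructed flow-record format (`timestamp src_ip src_port dst_ip dst_port proto bytes`), a LAN of `192.168.1.0/24` behind the router, and sample records made up for this example; the helper names (`find_probes`, `find_replies`, `probe_sources`) are this example's own.

```python
"""Flag Netcore/Netis backdoor traffic (UDP 53413) in a flow log.

Added example, not from the Virus Bulletin post or Trend Micro's research.
The flow format, the LAN prefix and the sample records are constructed
assumptions; adapt parse_flow() to what your perimeter device actually exports.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

BACKDOOR_PORT = 53413  # UDP port the article says the backdoor listens on

# Assumption for this example: the LAN behind the router is 192.168.1.0/24.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample flow records (not real traffic):
# timestamp src_ip src_port dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
2014-08-26T10:00:01Z 198.51.100.23 41000 203.0.113.7 53413 UDP 64
2014-08-26T10:00:02Z 192.168.1.10 52311 8.8.8.8 53 UDP 71
2014-08-26T10:00:03Z 198.51.100.23 41001 203.0.113.7 53413 UDP 96
2014-08-26T10:00:04Z 203.0.113.7 53413 198.51.100.23 41001 UDP 128
2014-08-26T10:00:05Z 192.168.1.10 53413 192.168.1.1 53413 UDP 40
2014-08-26T10:00:06Z 198.51.100.99 53413 203.0.113.7 80 TCP 520
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str
    nbytes: int


def is_internal(addr) -> bool:
    """True if the address belongs to one of our own LAN prefixes."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.upper(), int(nbytes))


def parse_log(text: str) -> list[Flow]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def is_backdoor_probe(flow: Flow) -> bool:
    """UDP datagram to 53413 from outside the LAN: the Internet-side exposure
    the article describes (someone knocking on the backdoor port)."""
    return (flow.proto == "UDP" and flow.dport == BACKDOOR_PORT
            and not is_internal(flow.src))


def is_backdoor_reply(flow: Flow) -> bool:
    """UDP datagram sourced from 53413 towards an external host: the service
    answered, which confirms the port really is reachable from the Internet."""
    return (flow.proto == "UDP" and flow.sport == BACKDOOR_PORT
            and not is_internal(flow.dst))


def find_probes(text: str) -> list[Flow]:
    return [f for f in parse_log(text) if is_backdoor_probe(f)]


def find_replies(text: str) -> list[Flow]:
    return [f for f in parse_log(text) if is_backdoor_reply(f)]


def probe_sources(text: str) -> dict[str, int]:
    """Count probes per external source address, for blocking or escalation."""
    return dict(Counter(str(f.src) for f in find_probes(text)))


if __name__ == "__main__":
    for f in find_probes(SAMPLE_FLOWS):
        print(f"PROBE  {f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    for f in find_replies(SAMPLE_FLOWS):
        print(f"REPLY  {f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    print("probe sources:", probe_sources(SAMPLE_FLOWS))
```

On the constructed sample the script reports two probes from one external host and one reply from the router, while ignoring the LAN-internal UDP flow and the TCP flow that merely happens to use 53413 as a source port. A reply leaving the network is the stronger signal: it means the port is not just being scanned but is actually answering, which is the condition under which the article's advice (replace the firmware or the device) applies.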

The lack of security on the 'Internet of Things' is causing concerns among many security experts. Have you recently found some vulnerable devices, or perhaps discovered a way to protect them? We're looking for some last-minute papers for VB2014. You have until Thursday 28th August to submit your abstract.

Posted on 26 August 2014 by Martijn Grooten
