Is Your Router Secure? Probably Not!

Status
Not open for further replies.
Originally Posted by uc50ic4more
Originally Posted by OVERKILL
Every time I've posted a thread on this it's amazing the number of people who pass it off as insignificant. Consumer gear is made to a price point. At that price point, you aren't getting Enterprise-class security. Many devices are abandoned by their manufacturers, despite being fraught with unpatched vulnerabilities, as soon as their successors hit the scene.


What is your take on 3rd-party firmware? Those projects seem like they're more actively developed and maintained. If one's hardware supported it, would you recommend a 3rd-party firmware?

EDIT: For example - https://openwrt.org/


It is definitely better than the shipping firmware. If you are going to use consumer gear, this is the route to go.
 
Originally Posted by gathermewool
Originally Posted by OVERKILL
Originally Posted by gathermewool
What is the nature of these attacks? How are Russians getting access to the router to do nefarious things?


They are gaining access through unpatched vulnerabilities which can allow remote code execution, admin access, snooping, redirection, DNS manipulation for the purposes of phishing, etc.


Yea, I got all of that, but HOW are they gaining access to individual routers? How are these guys able to get admin access, outside of phishing and other avenues of attack in which the target needs to actually click on, select or run malicious code first?

In other words, are these guys able to take advantage of vulnerable assets while practicing good cyber security awareness tactics?

Specifically, my router cannot be accessed wirelessly (that I know of!). I have it set so that I have to gain access using an Ethernet cord. Kind of a pain in the butt, but firmware updates don't come often enough to warrant changing this. Aside from that, I've got a complicated password that isn't stored on any of our assets. Does this mean that, so long as I don't click on shady links, succumb to phishing attempts, or visit shady sites, I'm good to go?


Say I can use a request to gain access to the admin webpage through the WAN interface by using *IP ADDRESS*/admin_settings.aspx:8841 just as an example. Or I can send a malformed packet to the device at *IP ADDRESS*:2265 that will then cause it to allow remote code execution. Or, I take advantage of a buffer overflow vulnerability via an attack on the device.

A vulnerable device doesn't need to be exploited by the LAN-facing side and even if you have admin access via WAN turned off, that's no guarantee that there isn't a workaround that enables it.

Read this link. While some of it applies to WiFi, the same methodology can be leveraged against your device's WAN interface: https://null-byte.wonderhowto.com/how-to/seize-control-router-with-routersploit-0177774/
 
Originally Posted by MONKEYMAN
Originally Posted by OVERKILL
Every time I've posted a thread on this it's amazing the number of people who pass it off as insignificant. Consumer gear is made to a price point. At that price point, you aren't getting Enterprise-class security. Many devices are abandoned by their manufacturers, despite being fraught with unpatched vulnerabilities, as soon as their successors hit the scene.


Do you have a list of ones you recommend. Thanks!


For something that works OOTB and doesn't require a CCNA/CCNP crash course to configure I'd recommend, in no particular order:
- SonicWall
- Sophos XG or UTM
- Checkpoint Firewall
- WatchGuard Firewall

If you are OK with building your own, PFSense is a fantastic piece of software and Sophos offers free versions of both their XG Firewall Solution and UTM product. Smoothwall is another that is excellent, and easy to configure.

If you are a more advanced user, a Juniper SSG or Cisco ASA are both excellent options.
 
You need to understand that your internet provider doles out an IP address to your device. And that address is visible on the internet if it is powered ON and plugged into the network.

The router/firewall typically is Linux processes, and the security holes can allow processes to be used to remotely connect to the device and run code. For Joe Shmoe he could care less, but if you run a business through your router you should be updating firmware often. My ASUS has a telltale notification; all I have to do is browse to it every now and then and clicky to update.
 
Originally Posted by OVERKILL
Originally Posted by gathermewool
Originally Posted by OVERKILL
Originally Posted by gathermewool
What is the nature of these attacks? How are Russians getting access to the router to do nefarious things?


They are gaining access through unpatched vulnerabilities which can allow remote code execution, admin access, snooping, redirection, DNS manipulation for the purposes of phishing, etc.


Yea, I got all of that, but HOW are they gaining access to individual routers? How are these guys able to get admin access, outside of phishing and other avenues of attack in which the target needs to actually click on, select or run malicious code first?

In other words, are these guys able to take advantage of vulnerable assets while practicing good cyber security awareness tactics?

Specifically, my router cannot be accessed wirelessly (that I know of!). I have it set so that I have to gain access using an Ethernet cord. Kind of a pain in the butt, but firmware updates don't come often enough to warrant changing this. Aside from that, I've got a complicated password that isn't stored on any of our assets. Does this mean that, so long as I don't click on shady links, succumb to phishing attempts, or visit shady sites, I'm good to go?


Say I can use a request to gain access to the admin webpage through the WAN interface by using *IP ADDRESS*/admin_settings.aspx:8841 just as an example. Or I can send a malformed packet to the device at *IP ADDRESS*:2265 that will then cause it to allow remote code execution. Or, I take advantage of a buffer overflow vulnerability via an attack on the device.

A vulnerable device doesn't need to be exploited by the LAN-facing side and even if you have admin access via WAN turned off, that's no guarantee that there isn't a workaround that enables it.

Read this link. While some of it applies to WiFi, the same methodology can be leveraged against your device's WAN interface: https://null-byte.wonderhowto.com/how-to/seize-control-router-with-routersploit-0177774/


Does this, or does it not, require someone attempting a direct attack to be within wifi range of my router?

If not, then what would they need to know about my router to obtain me as a target to exploit?
 
Originally Posted by gathermewool

Does this, or does it not, require someone attempting a direct attack to be within wifi range of my router?

If not, then what would they need to know about my router to obtain me as a target to exploit?


No, if the attack is perpetrated through the WAN interface, WiFi is not part of the picture.

Look up your router in the exploit database, see what present vulnerabilities exist for it. That'll at least give you an idea.
 
Originally Posted by Kawiguy454
You need to understand that your internet provider doles out an IP address to your device. And that address is visible on the internet if it is powered ON and plugged into the network.

The router/firewall typically is Linux processes, and the security holes can allow processes to be used to remotely connect to the device and run code. For Joe Shmoe he could care less, but if you run a business through your router you should be updating firmware often. My ASUS has a telltale notification; all I have to do is browse to it every now and then and clicky to update.




Exactly, the services used (like BusyBox, which is a collection of utilities used by most consumer routers) can be vulnerable and in most cases ARE vulnerable. Despite not being intended to be exposed via the WAN interface, many of them are, and these processes can then be leveraged to execute code or obtain root access.
 
Originally Posted by OVERKILL
Originally Posted by MONKEYMAN
Originally Posted by OVERKILL
Every time I've posted a thread on this it's amazing the number of people who pass it off as insignificant. Consumer gear is made to a price point. At that price point, you aren't getting Enterprise-class security. Many devices are abandoned by their manufacturers, despite being fraught with unpatched vulnerabilities, as soon as their successors hit the scene.


Do you have a list of ones you recommend. Thanks!


For something that works OOTB and doesn't require a CCNA/CCNP crash course to configure I'd recommend, in no particular order:
- SonicWall
- Sophos XG or UTM
- Checkpoint Firewall
- WatchGuard Firewall

If you are OK with building your own, PFSense is a fantastic piece of software and Sophos offers free versions of both their XG Firewall Solution and UTM product. Smoothwall is another that is excellent, and easy to configure.

If you are a more advanced user, a Juniper SSG or Cisco ASA are both excellent options.

Too rich for my blood and beyond my understanding. Now my retired brother with a degree in computer science would understand. Always learning (or trying) to learn from your posts.
 
Originally Posted by MONKEYMAN
Originally Posted by OVERKILL
Originally Posted by MONKEYMAN
Originally Posted by OVERKILL
Every time I've posted a thread on this it's amazing the number of people who pass it off as insignificant. Consumer gear is made to a price point. At that price point, you aren't getting Enterprise-class security. Many devices are abandoned by their manufacturers, despite being fraught with unpatched vulnerabilities, as soon as their successors hit the scene.


Do you have a list of ones you recommend. Thanks!


For something that works OOTB and doesn't require a CCNA/CCNP crash course to configure I'd recommend, in no particular order:
- SonicWall
- Sophos XG or UTM
- Checkpoint Firewall
- WatchGuard Firewall

If you are OK with building your own, PFSense is a fantastic piece of software and Sophos offers free versions of both their XG Firewall Solution and UTM product. Smoothwall is another that is excellent, and easy to configure.

If you are a more advanced user, a Juniper SSG or Cisco ASA are both excellent options.

Too rich for my blood and beyond my understanding. Now my retired brother with a degree in computer science would understand. Always learning (or trying) to learn from your posts.



You can usually pick up a cheap SonicWall on eBay or Amazon.
 
Is a smartphone more secure, for doing financial transactions, than a computer connected to a consumer-grade router? Or are smartphones also riddled with vulnerabilities?

Clearly, router manufacturers and ISPs are not going to improve security if it means spending money. Time for some national cybersecurity legislation from Congress.
 
Originally Posted by OVERKILL
Originally Posted by gathermewool

Does this, or does it not, require someone attempting a direct attack to be within wifi range of my router?

If not, then what would they need to know about my router to obtain me as a target to exploit?


No, if the attack is perpetrated through the WAN interface, WiFi is not part of the picture.

Look up your router in the exploit database, see what present vulnerabilities exist for it. That'll at least give you an idea.


How can someone infiltrate my LAN? How can they gain admin access to my router if there are no infected machines on the LAN (hypothetically)?
 
Originally Posted by gathermewool
Originally Posted by OVERKILL
Originally Posted by gathermewool

Does this, or does it not, require someone attempting a direct attack to be within wifi range of my router?

If not, then what would they need to know about my router to obtain me as a target to exploit?


No, if the attack is perpetrated through the WAN interface, WiFi is not part of the picture.

Look up your router in the exploit database, see what present vulnerabilities exist for it. That'll at least give you an idea.


How can someone infiltrate my LAN? How can they gain admin access to my router if there are no infected machines on the LAN (hypothetically)?


Through the WAN interface.
 
Originally Posted by OVERKILL
Originally Posted by gathermewool
Originally Posted by OVERKILL
Originally Posted by gathermewool

Does this, or does it not, require someone attempting a direct attack to be within wifi range of my router?

If not, then what would they need to know about my router to obtain me as a target to exploit?


No, if the attack is perpetrated through the WAN interface, WiFi is not part of the picture.

Look up your router in the exploit database, see what present vulnerabilities exist for it. That'll at least give you an idea.


How can someone infiltrate my LAN? How can they gain admin access to my router if there are no infected machines on the LAN (hypothetically)?


Through the WAN interface.


We're going in circles. I understood what you meant in the first place; however, many of us don't know the specifics, in layman's terms.

What I'm asking, is how does it happen?

Are you saying that someone can hack my router from anywhere in the world and somehow send code from wherever to gain access? How? Is it random or do they need to specifically target me alone?
 
Originally Posted by gathermewool


We're going in circles. I understood what you meant in the first place; however, many of us don't know the specifics, in layman's terms.

What I'm asking, is how does it happen?

Are you saying that someone can hack my router from anywhere in the world and somehow send code from wherever to gain access? How? Is it random or do they need to specifically target me alone?


Port scan, subnet scan, etc. Choose an ISP, do a quick probe of a given subnet/block. And yes, I am saying from anywhere in the world, if your router is vulnerable to a WAN-side attack, that this can be perpetrated.
 
Also, not trying to be a pain in your butt. I'm a genuine novice when it comes to this. I know enough to Google how to secure my router, as best as possible. I know to use a VPN and carry out good cyber security practices. That's pretty much it.
 
Originally Posted by gathermewool
Also, not trying to be a pain in your butt. I'm a genuine novice when it comes to this. I know enough to Google how to secure my router, as best as possible. I know to use a VPN and carry out good cyber security practices. That's pretty much it.


As I noted earlier, look up your model in the router vulnerability database (posted by somebody else earlier in the thread) to see what it is/isn't vulnerable to. Not all of them are WAN-facing vulnerable, or known to be at this time.
 
Originally Posted by OVERKILL
Originally Posted by gathermewool


We're going in circles. I understood what you meant in the first place; however, many of us don't know the specifics, in layman's terms.

What I'm asking, is how does it happen?

Are you saying that someone can hack my router from anywhere in the world and somehow send code from wherever to gain access? How? Is it random or do they need to specifically target me alone?


Port scan, subnet scan, etc. Choose an ISP, do a quick probe of a given subnet/block. And yes, I am saying from anywhere in the world, if your router is vulnerable to a WAN-side attack, that this can be perpetrated.


Does this subnet scan provide a hacker with a list of multiple subnets that are vulnerable or would they need to onesy-twosy this thing, manually scanning the WAN for vulnerable targets?

How does a hacker choose which WAN to attack and how wide would this attack be? Is it really ISP wide?

How would a hacker know which vulnerable subnet to attempt opening a port to?
 
This thread clearly demonstrates why no one should ever rely on a home router for security. Each computer connected to the router must have its firewall enabled (even Macs) and a virus program.

Most small home office routers are garbage because they give you the impression they are secure, but many are not.

https://routersecurity.org/bugs.php
 
Originally Posted by OVERKILL
A vulnerable device doesn't need to be exploited by the LAN-facing side and even if you have admin access via WAN turned off, that's no guarantee that there isn't a workaround that enables it.

Just follow my two-pronged approach. First, get a good Chinese router that's already loaded up with Chinese backdoors to keep the Russians at bay. Then, when not using the computer, turn the power bar off completely. Yes, I know, I should write an article.
 
Originally Posted by gathermewool
Originally Posted by OVERKILL
Originally Posted by gathermewool


We're going in circles. I understood what you meant in the first place; however, many of us don't know the specifics, in layman's terms.

What I'm asking, is how does it happen?

Are you saying that someone can hack my router from anywhere in the world and somehow send code from wherever to gain access? How? Is it random or do they need to specifically target me alone?


Port scan, subnet scan, etc. Choose an ISP, do a quick probe of a given subnet/block. And yes, I am saying from anywhere in the world, if your router is vulnerable to a WAN-side attack, that this can be perpetrated.


Does this subnet scan provide a hacker with a list of multiple subnets that are vulnerable or would they need to onesy-twosy this thing, manually scanning the WAN for vulnerable targets?

How does a hacker choose which WAN to attack and how wide would this attack be? Is it really ISP wide?

How would a hacker know which vulnerable subnet to attempt opening a port to?


Say an ISP was using 64.24.x.x as one of their subnets. One could incrementally scan/probe that entire subnet for vulnerable hosts. One would do it in phases so as to not cause the ISP to notice. One would then compile a list of what hosts were vulnerable and could then probe those hosts more thoroughly or just target them outright, depending on the scope of the original scan. Typically, you scan for a known vulnerability/vulnerabilities, so the scope of what is being scanned for is pretty narrow and thus the process is quite quick. One can leverage a botnet that utilizes a mass of hosts to target a subnet or series of subnets so as to make it less obvious as to what's being done and to also add a significant layer of anonymity.
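A defender-side view of the block sweep and port probing described in the two posts above, as an added example that is not from the thread: it parses constructed iptables-style drop-log lines from a WAN-facing firewall and flags a single source that walks many hosts or touches several management ports. The address ranges, the management-port list and the thresholds are assumptions.

```python
"""Added example (not from the thread): spot a WAN-side sweep in firewall
drop logs. Uses the SRC=/DST=/DPT= fields of the iptables LOG target;
the log lines below are constructed and use documentation address ranges."""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 walks a block probing router admin
# ports (the phased-scan pattern described above); 192.0.2.50 is noise.
SAMPLE_LOG = """\
Jan 10 03:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.21 PROTO=TCP SPT=40001 DPT=80
Jan 10 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.22 PROTO=TCP SPT=40002 DPT=80
Jan 10 03:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.23 PROTO=TCP SPT=40003 DPT=8080
Jan 10 03:14:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.24 PROTO=TCP SPT=40004 DPT=443
Jan 10 03:14:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.25 PROTO=TCP SPT=40005 DPT=23
Jan 10 03:14:06 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.26 PROTO=TCP SPT=40006 DPT=22
Jan 10 03:20:00 fw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.21 PROTO=UDP SPT=5353 DPT=5353
"""

FIELD_RE = {k: re.compile(rf"\b{k}=(\S+)") for k in ("SRC", "DST", "DPT")}

# Assumed list of ports that commonly carry router management or CPE services
MGMT_PORTS = {22, 23, 80, 443, 8080, 8443, 7547}

def parse_drops(text):
    """Yield (src, dst, dport) for each log line carrying all three fields."""
    for line in text.splitlines():
        found = {k: r.search(line) for k, r in FIELD_RE.items()}
        if all(found.values()):
            yield (found["SRC"].group(1), found["DST"].group(1),
                   int(found["DPT"].group(1)))

def find_sweeps(text, min_hosts=4, min_mgmt_ports=3):
    """Return {src: {"hosts": n, "mgmt_ports": [...]}} for sources that
    touched many distinct hosts or several management ports."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in parse_drops(text):
        hosts[src].add(dst)
        ports[src].add(dport)
    flagged = {}
    for src in hosts:
        mgmt = sorted(ports[src] & MGMT_PORTS)
        if len(hosts[src]) >= min_hosts or len(mgmt) >= min_mgmt_ports:
            flagged[src] = {"hosts": len(hosts[src]), "mgmt_ports": mgmt}
    return flagged

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"possible sweep from {src}: {info}")
```

On a real firewall the same fields appear in the kernel log, so the parser works unchanged on `dmesg` or syslog output; the noisy single-port source is deliberately left unflagged to show the thresholds doing their job.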
 