In recent years internet access has become far more accessible: not only is there a wide array of service providers to choose from, but the cost has become reasonable for most households and small businesses. This also means there are more targets than before, making security breaches a common occurrence if care is not taken. Router security is no joke, and scheduled maintenance is a requirement.
Your router holds the settings that allow you to access the internet, and you do not want anyone tampering with them, as that may lead to your internet traffic being rerouted, resulting in identity theft among other attacks.
As an example, let's look at the network device manufacturer Mikrotik.
Mikrotik is a Latvian company based in Riga, well known for making affordable and highly configurable networking hardware, in particular routers. However, its major product is software: its Linux-based operating systems (RouterOS, SwitchOS) and many other network utilities. RouterOS supports a wide variety of architectures (ARM, x86 and MIPS).
RouterOS has come under the spotlight recently because of a succession of exploits. The first interesting one surfaced in the Vault 7: CIA Hacking Tools Revealed release from WikiLeaks, code-named Chimay-Red. It leads to remote code execution, whereby the attacker can take control of your router.
The second was a flaw in the SMB file sharing service that also resulted in remote code execution; the buffer overflow affects RouterOS versions before 6.41.3/6.42rc27.
The last (for now) was an attack on the Winbox service (port 8291), the graphical user interface for managing the router. Affecting RouterOS 6.x to 6.41.2, this vulnerability allows an attacker to retrieve user credentials.
This affects system administrators, internet service providers and end users in general, especially those assigned public IP addresses that are accessible from anywhere on the internet.
What Could Possibly Go Wrong?
Earlier on I mentioned that RouterOS and the associated hardware are highly versatile: the router has a built-in packet sniffer capable of capturing your internet traffic and streaming it to a computer running packet capture software such as Wireshark.
Oh, and yes, it is capable of providing virtual private network access to a remote attacker, basically allowing them to attach themselves to your office network and do as they please. Considering how lax local network security can be, this should scare you. Plus, there is a built-in tool to find other network devices in its vicinity, devices probably sharing the same password as the router.
The worst part is that exploits are publicly available, and anyone with a little bit of “know how” can perform these attacks. Most of us are caught unaware since security research and analysis “is not that much of a priority”.
Cookie theft, those unpatched Windows machines on your local network…
What to do?
a) Upgrade RouterOS to the latest version (6.42.6 at the time of writing) and set up automatic upgrades.
b) Secure your router by setting up firewall rules to block remote management.
c) Chances are high that your password is already out there in the wild, especially if you tend to reuse passwords.
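The three steps above, carried out on the RouterOS command line, as an added example that is not part of the original post. It assumes the administrator's machines sit in 192.168.88.0/24 and that ether1 is the interface facing the internet; both values, the address-list name `mgmt` and the 03:00 upgrade schedule are assumptions to adjust for your own network. The command syntax is that of RouterOS 6.4x.

```routeros
# Added hardening example, not from the original post.
# Assumptions: admin hosts are in 192.168.88.0/24, the WAN-facing interface is ether1.

# a) Keep RouterOS current: a nightly scheduler entry checks for, downloads and
#    installs a newer version. The router reboots when an update is applied.
/system scheduler add name=auto-upgrade start-time=03:00:00 interval=1d on-event="/system package update install"

# b) Management (Winbox 8291, SSH 22, HTTPS 443) only from the admin subnet;
#    the same ports, plus telnet/FTP/HTTP/API, are dropped when they arrive on the WAN side.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="admin hosts (assumed subnet)"
/ip firewall filter add chain=input action=accept connection-state=established,related comment="keep existing sessions"
/ip firewall filter add chain=input action=accept src-address-list=mgmt protocol=tcp dst-port=8291,22,443 comment="Winbox/SSH/HTTPS from admin hosts only"
/ip firewall filter add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 comment="no management from the WAN"

#    Belt and braces: bind the remaining services to the admin subnet and switch off
#    what is not needed, including SMB (the overflow above), MAC-level Winbox/telnet
#    access and neighbour discovery on every interface.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip smb set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# c) Replace the admin password with a fresh, unique passphrase (placeholder shown).
/user set admin password="CHANGE-ME-to-a-long-unique-passphrase"
```

Firewall rules are appended to the end of the `input` chain, so on a router that already has a catch-all drop rule, move the new accept rules above it with `/ip firewall filter move`, and check the result with `/ip firewall filter print` before logging out of the session that added them. If you also rely on the web interface (`www-ssl`) from the admin subnet, restrict it with `/ip service set www-ssl address=192.168.88.0/24` rather than leaving it open to all addresses.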
Proof of Concept (Winbox Exploit)
Are you safe? Is your router up to date? ¯\_(ツ)_/¯
Remote exploitation: an attacker does not need physical access to perform the exploitation.
Buffer overflow: an anomaly where a program, while writing data to memory, overruns the buffer's boundary and overwrites adjacent memory locations.
Stack Clash collision: a vulnerability in the memory management of several operating systems. It can be exploited by attackers to corrupt memory and execute arbitrary code.
Lionel Musonza, currently studying computer engineering focusing on security research and information security.