Are Routers the Next Big Target for Hackers?

Summary: I've recently seen a great Black Hat presentation by Felix (FX) Lindner (see pic 2) and a blog posting by Petko D. Petkov (PDP) (see pic 1) on the subject of hacking routers.

I've recently seen a great Black Hat presentation by Felix (FX) Lindner (see pic 2) and a blog posting by Petko D. Petkov (PDP) (see pic 1) on the subject of hacking routers. What seems clear is that routers are becoming a bigger target. PDP, of the GNUCITIZEN group, recently hosted a "Router Hacking Challenge", where the idea was to share various attacks against a wide array of routers. In a post to the Full Disclosure mailing list, PDP summarizes the findings:

Here is a quick summary, in no particular order, of the types of vulnerabilities we are exhibiting:

  • authentication bypass
  • a-to-c attacks
  • csrf (cross-site request forgeries)
  • xss (cross-site scripting)
  • call-jacking - like making your phone dial numbers or even surveying the sound in the room where the phone resides
  • obfuscation/encryption deficiencies
  • UPnP, DHCP and mDNS problems - although not officially reported, most devices are affected
  • SNMP injection attacks due to poor SNMP creds
  • memory overwrites - well, it is possible to overwrite the admin password while it is in memory and therefore be able to log in as admin
  • stealing config files
  • cross-file upload attacks - this is within the group of csrf attacks
  • remote war-driving - way cool
  • factory restore attacks
  • information disclosure
  • etc, etc, etc

I had a chance to talk to PDP about the results of the challenge and what he sees in the near future with router hacking:

Nate: PDP, there are a lot of flaws that the challenge uncovered; were there a few that stood out to you as being the most impactful?

PDP: Most of the flaws are quite impactful, but I like those that are different from the others; however, very often these are not the ones that are most severe. The authbypass bugs are the most severe, as they give you full access to the device without the need to log in. Personally, I like the call-jacking stuff and the SNMP injection stuff, but it could be because I was working on these as well, so I might be a bit prejudiced.

Nate: Yeah, I read the pages you posted about call-jacking and SNMP injection, very cool stuff.  Could you just give me a brief run through of the two attacks?

PDP: The call-jacking is like the old days of phone phreaking. Basically, you can do all sorts of things with VoIP phones; however, not all attacks are related to breaking SIP. In the case of SNOM, the attack consists of exploiting a feature in the web interface which allows attackers to survey the sound in the room where the phone is located. This is pretty cool, and you can do that remotely if the device is visible on the Internet side, or if you know where the device is inside and you trick someone into arriving on your malicious page. The SNMP injection and the SIP injection attacks are also very fun. We did not mention any SIP vulnerabilities, but there are a few that we found that we are keeping private for now.
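The second delivery path PDP describes, luring a logged-in user onto a malicious page so that their browser drives the device's web interface, is classic cross-site request forgery against an embedded device. The following is an added example, not code from the original post or from the researchers it quotes: it simulates one state-changing action on a device's web interface in a vulnerable form (acts on a cookie-bearing GET) and a hardened form (POST only, exact-origin check, session-bound token), and drives both with a constructed cross-site request. The device address, session cookie, attacker host and the "dial" action are all assumptions made for the example.

```python
# Added example (not code from the original post): a simulated web interface
# for an embedded device, with the vulnerable and hardened forms of one
# state-changing action side by side, driven by a constructed cross-site
# request. Device address, session cookie and attacker host are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

DEVICE_ORIGIN = "http://192.168.1.1"        # assumed LAN address of the device
SESSION_COOKIE = "session=c0ffee"           # constructed: victim's logged-in session
ATTACKER_PAGE = "http://attacker.example/"  # constructed malicious page


@dataclass
class Request:
    method: str
    target: str                               # path plus query string
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)  # parsed POST body fields


@dataclass
class Device:
    dialed: list = field(default_factory=list)
    # Server-side secret from which per-session anti-CSRF tokens are derived.
    csrf_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def csrf_token(self, session_cookie: str) -> str:
        # Bound to the session: a foreign page can neither read the cookie
        # nor compute the HMAC, so it cannot supply a valid token.
        return hmac.new(self.csrf_key, session_cookie.encode(), hashlib.sha256).hexdigest()

    def _authenticated(self, req: Request) -> bool:
        return req.headers.get("Cookie") == SESSION_COOKIE

    def handle_vulnerable(self, req: Request) -> int:
        """Trusts the session cookie alone and acts on a GET: any page the
        victim visits can fire the action from an <img> or <script> tag,
        because the browser attaches the cookie automatically."""
        if not self._authenticated(req):
            return 403
        q = parse_qs(urlparse(req.target).query)
        if q.get("op") == ["dial"]:
            self.dialed.append(q["num"][0])
            return 200
        return 400

    @staticmethod
    def _same_origin(value: str) -> bool:
        # Compare scheme and host exactly; a prefix test would accept
        # http://192.168.1.1.attacker.example/ as the device's own origin.
        got, want = urlparse(value), urlparse(DEVICE_ORIGIN)
        return (got.scheme, got.netloc) == (want.scheme, want.netloc)

    def handle_hardened(self, req: Request) -> int:
        """Same action, but a state change needs a POST from the device's own
        origin carrying a token tied to the session; a missing Origin and
        Referer is rejected (fail closed) rather than assumed benign."""
        if not self._authenticated(req):
            return 403
        if req.method != "POST":
            return 405
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not self._same_origin(origin):
            return 403
        expected = self.csrf_token(req.headers["Cookie"])
        if not hmac.compare_digest(req.form.get("csrf", ""), expected):
            return 403
        if req.form.get("op") == "dial":
            self.dialed.append(req.form["num"])
            return 200
        return 400


def cross_site_get() -> Request:
    # What the victim's browser sends for <img src="http://192.168.1.1/action?op=dial&num=...">
    # on the attacker's page: cookie attached, Referer pointing at the attacker.
    return Request("GET", "/action?op=dial&num=19005550100",
                   {"Cookie": SESSION_COOKIE, "Referer": ATTACKER_PAGE})


def cross_site_post() -> Request:
    # An auto-submitting form on the attacker's page: still cookie-bearing,
    # but the browser sets Origin to the attacker, and no token is known.
    return Request("POST", "/action",
                   {"Cookie": SESSION_COOKIE, "Origin": "http://attacker.example"},
                   {"op": "dial", "num": "19005550100"})


def run_demo() -> dict:
    """Drive both handlers and return the status each gives plus what got dialed."""
    dev = Device()
    legit = Request("POST", "/action",
                    {"Cookie": SESSION_COOKIE, "Origin": DEVICE_ORIGIN},
                    {"op": "dial", "num": "5551234", "csrf": dev.csrf_token(SESSION_COOKIE)})
    return {
        "vulnerable_get": dev.handle_vulnerable(cross_site_get()),      # 200: the phone dials
        "hardened_get": dev.handle_hardened(cross_site_get()),          # 405
        "hardened_forged_post": dev.handle_hardened(cross_site_post()), # 403
        "hardened_legit_post": dev.handle_hardened(legit),              # 200
        "dialed": list(dev.dialed),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the three checks in the hardened handler is that they fail independently: the method check stops the `<img>`-tag variant, the exact-origin comparison stops a forged form post (and a lookalike host), and the session-bound token stops anything that reaches the handler without having rendered the device's own page first. Many embedded web interfaces of the period had none of the three, which is why a single visit to a malicious page was enough.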

As I mentioned, a great talk on the subject of hacking routers was also given at Black Hat Federal this year by Felix (FX) Lindner. Felix and his company, Recurity Labs, are currently working on a tool that will allow much more powerful monitoring, debugging, and post-mortem crash analysis on Cisco IOS than the currently accepted practices. Felix mentions the following in a whitepaper on the subject:

Vulnerabilities in Cisco IOS are as common as with any other functionally rich and widely deployed operating system platform. The architecture of IOS, however, makes exploitation a non-trivial task. In the past, the common operating systems provided soft enough targets to maintain an ongoing stream of new vulnerabilities that could be used to break into the machines directly. Recently, the major operating system vendors, first and foremost Microsoft, increased code security significantly. Additionally, exploit mitigation techniques and OS hardening have become the standard on all major platforms.

Cisco IOS, therefore, moves further into focus, as the benefits start to measure up to the effort required. Non-publicly operating groups will certainly follow an equivalent path, as infrastructure compromises are still highly rewarding and almost impossible to detect.

During his talk at Black Hat Federal, Felix suggested that it's not a question of if router hacking will become more prevalent, but when it will, and more importantly, whether it already has.

-Nate

Topics: Mobility, Emerging Tech, Networking, Security

Talkback

4 comments
  • He Who Controls the Routers Controls the Web

    This could become a very interesting control tactic. Imagine that grab for global conquest.
    nucrash
    • Re: He Who Controls the Routers Controls...

      Yes, agreed. Some of the research that PDP is talking about is very serious. FX's tool, while intended for Cisco forensics, crash analysis, good things like that, will be equally useful to attackers, if not more so.
      nmcfeters
      • Yeah, I don't like Luxembourg Today....

        Yeah, I don't like Luxembourg Today.... Let's shut off their internet.

        Or better yet, all of those packets that can be sniffed from routers... There is no end to the amount of damage that you could do if you control routers. They are pretty much the foundation of all networks.

        And we thought that dropping an anchor through a fiber line was dangerous.
        nucrash
        • RE: Yeah, I don't like Luxembourg Today...

          This is a good point... I think you could start to see why governments would be very interested in this research. Grab a copy of FX's new tool when it comes out, Halvar's BinNavi, a little IDA Pro action, and have yourself a good ol' time hunting bugs in routers.

          I really feel like FX's point is a great one... it used to be easy to exploit flaws on OSes. Easier than exploiting routers. That's probably no longer the case.
          nmcfeters