Security experts are warning of a critical new router vulnerability which could allow remote attackers to replace the firmware on a device to take complete control over it, and monitor all internet traffic flowing in and out.
F-Secure claimed the issue affects the Inteno EG500, FG101, DG201 routers. However, in an advisory it added that more models could be affected but it couldn’t be sure due to the “vendor’s unwillingness to cooperate.”
In fact, F-Secure claimed to have first contacted Inteno about the issue in January but when the vendor replied two months later it argued that software issues are dealt with by the “operators” that sell the equipment to end users.
“Inteno do not do end user sales on CPE, we only sell through operators so such software features are directed through operators requests,” an Inteno representative told F-Secure at the time.
The vulnerability itself stems from the fact that the affected router models don’t validate the Auto Configuration Server (ACS) certificate (CWE-295, Improper Certificate Validation).
This means that an attacker able to mount a Man in the Middle (MitM) attack between the ACS and the device could intercept all traffic between the two, gain full administrative access to the router, and from there reflash its firmware.
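To make the CWE-295 point concrete, the following is an added example (not code from the article, F-Secure or Inteno) written in Python’s `ssl` module: a TLS client configuration that encrypts the ACS connection but never checks who is on the other end, next to the corrected configuration, plus a small audit routine of the kind a firmware reviewer might run. The ACS hostname, port and CA bundle path are placeholders, and the audit checks are assumptions about what “properly validated” should mean here.

```python
"""Added example: the client-side TLS settings behind CWE-295 on a CPE's
ACS connection, and the corrected settings. Nothing here is taken from
Inteno firmware; hostnames, ports and paths are illustrative placeholders."""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Optional

# Placeholder ACS endpoint and operator CA bundle (constructed, not real).
ACS_HOST = "acs.example-operator.invalid"
ACS_PORT = 7547
OPERATOR_CA_BUNDLE = "/etc/ssl/certs/operator-acs-ca.pem"


def weak_acs_context() -> ssl.SSLContext:
    """The CWE-295 pattern: TLS is negotiated so the link is encrypted,
    but the server certificate is never checked. Whoever sits between the
    router and the ACS can present any certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the actual defect
    return ctx


def hardened_acs_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: require a chain to a trusted CA and require
    the certificate to name the ACS host. Loading only the operator's own CA
    (instead of the public root store) shrinks the set of issuers whose
    certificates would be accepted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


@dataclass
class ContextAudit:
    """Result of a static review of a client SSLContext."""
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def audit_context(ctx: ssl.SSLContext) -> ContextAudit:
    """Flag the settings that would let a MitM host impersonate the ACS.
    The specific checks are this example's assumptions about a sound client."""
    audit = ContextAudit()
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        audit.findings.append("CWE-295: server certificate not verified")
    if not ctx.check_hostname:
        audit.findings.append("certificate name not matched against ACS host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        audit.findings.append("TLS versions below 1.2 permitted")
    return audit


def connect_to_acs(ctx: ssl.SSLContext, host: str = ACS_HOST,
                   port: int = ACS_PORT, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open the management connection. With the hardened context the
    handshake fails unless the peer's certificate chains to a trusted CA
    and names `host`; with the weak context it succeeds against anyone."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("weak", weak_acs_context()),
                       ("hardened", hardened_acs_context())):
        result = audit_context(ctx)
        print(label, "OK" if result.ok else result.findings)
```

The same review applies to whatever TLS library a real CWMP client is built on: the equivalents of the weak context are `SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, ...)` in OpenSSL, or `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` set to 0 in libcurl. The check is what turns an attacker’s “privileged network position” into a failed handshake instead of an administrative session.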
The implications of such a flaw are potentially serious, according to F-Secure cybersecurity expert, Janne Kauhanen.
“By changing the firmware, the attacker can change any and all rules of the router. Watching video content you’re storing on another computer? So is the attacker. Updating another device through the router? Hopefully it’s not vulnerable like this, or they’ll own that too,” he warned.
“Of course, HTTPS traffic is encrypted, so the attacker won’t see that as easily. But they can still redirect all your traffic to malicious sites that enable them to drop malware on your machine.”
The one saving grace is that an attacker would have to gain a “privileged network position” before being able to launch such an attack – something which HTTPS is designed to prevent.
However, if HTTPS is not implemented and an attacker is able to launch a MitM then there’s nothing a user can do to prevent a successful exploitation, short of installing a new router or a firmware update – once one is finally made available.
“Gaining a MitM position is not trivial, but it’s not outside the realm of possibilities either, whether physically attacking a whole building by breaking into the distribution trunk in the building or using software tricks to route network traffic through a malicious site,” Kauhanen told Infosecurity.
“If you use a vulnerable router to surf on my website for kitty pictures, here comes the payload.”
In the meantime, F-Secure recommended users keep browsers and other software updated to prevent hackers exploiting any flaws; to use effective AV to prevent any malware downloads; and to use a VPN to encrypt internet traffic and prevent hackers gaining that initial foothold into the network.
Unofficial reports suggest that there is a fix out there somewhere, although these have not been confirmed, according to Kauhanen.