Confusion ensued last week after a well-known security researcher identified a number of incredibly troubling security vulnerabilities in a popular Linksys router developed by Cisco Systems. The networking giant almost immediately downplayed the issues, claiming that the vulnerabilities had been resolved with a months-old security update.
The researcher, Phil Purviance of the application security consulting firm AppSec Consulting, claimed that the Cisco Linksys EA2700 Network Manager N6000 Wireless-N routers, which are widely deployed on home and small-business networks, were riddled with vulnerabilities. The bugs, he said, could give remote attackers the ability to access the device itself, its passwords and configuration files, and ultimately change its settings and upload modified and potentially malicious firmware onto the routers. If an attacker happens to be on the same network as the vulnerable router, he or she could change passwords and take control of the networking device.
There are a variety of exploits, ranging from fairly simple to quite complicated, that take advantage of the vulnerabilities and can be deployed to compromise the affected routers, according to Purviance. One of the simpler exploit methods involved the attacker luring a user on an affected network to an infected, exploit-hosting website. Another would require the attacker to paste a special character into the address bar while attempting to access the router’s administrative interface. While the first exploit would let an attacker change a vulnerable device’s password to the default password, which is ‘password,’ the second exploit was far more dangerous, exposing the device’s proprietary source code. In other words, it would grant an attacker access to the code that secures and makes the router work. For lack of a better way to put it, this code plus some wiring and a plastic casing is the router.
“What I found was so terrible, awful, and completely inexcusable,” Purviance wrote on his blog. “It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network.”
He went on:
“This vulnerability tells me that this router’s software was never given a security pen-test because it is just too easy.”
Tech firms that manufacture consumer and other devices are expected to perform penetration tests looking for vulnerabilities in their products to make sure that they cannot be easily and immediately exploited by attackers.
For its part, Cisco was quick to clarify that these vulnerabilities were resolved with an update released in June 2012, and that anyone who purchased or installed an EA2700 router on their network after that date was immune to these flaws.
So what’s the big deal? The vulnerabilities have been patched and the devices have been updated. Open and shut case, right?
Not so fast, as Tod Beardsley, an engineering manager at Rapid7 points out, implementing a router-firmware update to correct a vulnerability is not as easy (or automated) as installing normal software or computer updates, which you should be installing on the regular, despite the problems presented by Microsoft’s latest patch.
“The major difference between these vulnerabilities and the more traditional PC-based vulnerabilities (such as Java and Windows vulnerabilities) is that the existence of vendor patches doesn’t really matter,” said Beardsley. “Even if vendors release patched firmware for these devices, the vast majority of users will never learn about them. There aren’t automatic update functions on any of these devices, and there is nothing like anti-virus software that can run on these low-memory, low-power devices. As a result, these kinds of bugs are extremely long-lived.”
“In addition, if an attacker is able to get control of a device, that attacker has effective control over all the devices that associate with it. He can poison DNS, he can reflect traffic to a malicious site, he can inject phishing links in HTTP sessions, he can disable firewall rules – the number of attack vectors is limited only by imagination,” Beardsley said. “This extends not only to the computers on the internal network, but also phones that associate to the wireless.”