Gaping admin access holes found in SoHo routers from Linksys, Netgear and others

For many home users, the router-slash-firewall at the edge of their network plays an vital security role.

It acts as a stockade to keep crooks on the internet at arms’ length, typically blocking inbound network connections by default.

It shields the internal layout of the network from outside observers.

It probably also serves as a wireless access point for the household, and thus bears the responsibility of preventing random passers-by from jumping online and getting up to mischief at someone else’s expense.

In a word, your SoHo router is important.

So it is always alarming to read about sloppy programming in the firmware that ships with this sort of device.

Late last year, we wrote about “Joel’s Backdoor,” a misfeature in some D-Link routers which would have been a great joke, if only the side-effects hadn’t been so serious.

Joel’s bug was that if you told your browser to identify itself as xmlset_roodkcab­leoj28840ybtide (read it backwards!) instead of, say, Mozilla or AppleWebKit, then many D-Link routers would skip the need for a password.

Unauthenticated administrative access, just like that!

Here’s another flaw, this time in various router products from Sercomm, that shows a similarly casual attitude to security by programmers who really owe you better code.

Sercomm produces routers under its own name, as well as building hardware sold under a diverse range of brand names, including 3Com, Aruba, Belkin, Linksys, Netgear and Watchguard.

→ Note that not all Sercomm-based products use Sercomm’s firmware, and not all Sercomm firmware builds include the vulnerability detailed below. The finder of the flaw has a partial list of devices and whether they are, might be, or are not affected. The only completely reliable way to tell if you have a router that is affected is to try to exploit the vulnerability on your own device. We’ll repeat that last bit: on your own device.

This latest example of dodgy router firmware coding was found over the recent holiday period by Eloi Vanderbeken, a reverse engineering enthusiast from France.

Eloi’s story started over Christmas, when – presumably due to having a bunch of guests full of festive online spirit – he claims to have found his home network unresponsive.

So he went to tweak a few settings in his router, only to remember that he had forgotten the administrative password.

What better way to spend a vacation, then, that trying to find a way into your own router without the password?

With a bit of prodding, and a spot of reverse engineering applied to a downoaded copy of the router’s firmware, Eloi quickly found just the hole he needed: an unauthenticated access vulnerability that he could use to list, edit or reset his router’s configuration.

What’s that service?

Eloi spotted a TCP service listening on network port 32764 on the router’s internal (wireless) interface.

Poking a stick at it caused it to reply like this:

By reversing, he realised that the reply was three 32-bit values, or DWORDS:

  1. ScMM was a magic number, probably just short for Sercomm.
  2. FFFFFFFF (-1 when treated as a signed integer) signalled an error.
  3. 00000000 was the length of the rest of the reply, zero because the error meant there was nothing to report.

Further reversing showed that a similar packet format was used when making requests, with the middle DWORD containing a number denoting the message type, and the third DWORD containing the length of the data accompanying the message, if any.

Eloi identified thirteen different message types, including two that didn’t require any special data, but were each sufficient to give you access without knowing the password.

Message Type 1 could be triggered by sending a packet like this:

The reply came back with a list of configuration strings from the router’s non-volatile memory (NVRAM), like this:

That’s the crown jewels, right there!

Anyone you let onto your home network, even as a temporary guest, can easily find out how to login to your router, and to your ISP. (The PPPOE username and password are the credentials your router uses when it connects to your ISP after a dropout or a reboot.)

Ironically, when Eloi was testing his exploit code, he iterated through all 13 message types in order.

After he’d finished, he found he’d been kicked offline.

That turned out to be Message Type 11, which resets the router to its factory defaults.

Of course, that means the router no longer had the right pppoe_username and pppoe_password settings, so it couldn’t get back onto the internet.

But with the router administration username and password set to the defaults, Eloi had nevertheless achieved his desired result: unauthenticated administrative access.

What to do?

As mentioned above, there is a partial list of affected and unaffected devices on Eloi Vanderbeken’s Github page.

If you are affected, you’re going to need a firmware update, which probably won’t come from Sercomm, but rather from the vendor whose brand is on the router.

In the meantime, be careful whom you let on your wireless network; choose a strong Wi-Fi password; and make sure that you don’t have the router’s web adminstration service activated on the external interface, which would let any crook wander in at will.

If you’re technically inclined, or have a friend or family member who is and can help you, you might also want to see if your router can run an open source firmware such as OpenWRT or DD-WRT.

Those are Linux-based firmware builds for low-end routers that are much more modular than most of the firmware downloads from router vendors, meaning that you can leave out the bits you don’t need.

They also receive regular security patches, thanks to the care and attention of the developer communities that have sprung up around them.

And if you are ready to go a bit more high-end than a SoHo router, you might want to grab a copy of Sophos’s award-winning UTM product, which you can run entirely for free at home.

Click to go to download page...

There’s no catch (though you need to register with an email address so we can send you a licence code), and included in the free licence is Sophos Anti-Virus protection for up to 12 Windows PCs, managed right from the UTM.

In you live in a shared house, or you have children to look out for online, this could be just the product you need.

→ The Sophos UTM offers a full-blown firewall, spam and web filtering (including anti-virus scanning), a VPN, and much more. That means it can’t be installed on a low-end router. You will need a spare computer with a 64-bit Intel CPU, such as a retired laptop.

Further advice and information

You can mitigate the risk of this router hole by ensuring you’re doing Wi-Fi security properly, so why not review your own Wi-fi setup today?

In particular, use WPA2 with a long and hard-to-guess passphrase (you only need to enter it once on each device), and don’t rely on security short-cuts like network name hiding or MAC address filtering.

These short-cuts don’t give you the security you might think, and here’s why:

Image of floating Wi-Fi logo courtesy of Shutterstock.