About two years ago, a Spanish security researcher named Eduardo Novella found an astonishing bug in the Pirelli P.DGA4001N routers that were used by a Spanish ISP.
After a long wait, he’s now gone public with what must be the most straightforward Proof of Concept “code” ever seen.
Very simply put, Novella claims that the router’s administration web pages are visible on the external (internet-facing) interface.
And by “visible” he means just that.
Imagine that you were on the inside of your network, and you tried to go to a router setup page such as:
You’d expect the router’s web server to redirect you to a login page that would ask you to present a username and password, and then to set a session cookie to authenticate you to access the web GUI’s configuration pages.
Only after you’d authenticated, at least until you logged out or closed your browser, you’d expect to be able to carry out tasks like Wi-Fi setup and more.
In fact, you’d hope that the relevant pages used https:// instead of merely http://, in order to keep your password, your session cookie and the contents of the configuration pages secret.
On the outside of the network, you’d expect no access to the web GUI at all, at least by default.
Of course, if the router had an “administer over external (internet) interface” option, you might consider turning it on, after logging in from the inside, of course. (We’d advise you not to, but the choice is yours.)
Only then would you expect to be able to connect to the web GUI over the internet, hopefully using HTTPS to prevent sniffers and imposters hijacking your connection.
What you wouldn’t expect is that by simply accessing, say:
from the outside, you’d get in automatically, without encryption or authentication.
No HTTPS and no password required.
Novella has published a list of .html administration pages that he claims are exposed in this way.
And with filenames such as dnscfg, certadd, certcaimport and wlsecurity in the list, it looks as though any crooks who knows you’re there could take over your network for just about any nefarious purpose.
That’s the sort of bug that beggars belief – indeed, it would have beggared belief 20 years ago, even before computer security was the serious matter it is today.
What to do?
Servers are often shielded from attack by sandwiching them between two secure gateways (such as a pair of Sophos Free UTMs) to form what’s called a DMZ, or demilitarised zone.
Ignoring the irony of securing a router by putting it between two routers (why not just retire the buggy router and use a secure one instead?), that isn’t feasible here.
The P.DGA4001N seems to be one of those “all in one” connectivity products, combining ASDL modem, network switch’router, and Wi-Fi access point.
So you can’t easily put a secure gateway between the P.DGA4001N and the internet, because the external interface of the latter plugs directly into your phone line.
And you can’t easily put a secure gateway between the router and your Wi-Fi network because the Wi-Fi hardware is wired up inside the P.DGA4001N itself.
The bottom line
If you have a P.DGA4001N or similar:
- Check if there is a firmware update available from your ISP or router vendor.
- Consider running an alternative router operating system such as OpenWRT.
- Consider using an alternative router.
Understanding firewalls and secure gateways
Listen to our Sophos Techknow podcast, Firewalls Demystified
Sophos UTM Home Edition
Want to build a network DMZ for your computers at home?
Try our award winning UTM.
The Home Edition includes all the Sophos UTM features: email scanning, web filtering, a VPN, web application security, and everything you need to keep up to 50 devices on your home network secure, 100% free for home use.
In you live in a shared house, or you have children to look out for online, this could be just the product you need.
Better yet, you get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage throughout your household, right from the UTM web console.