A bug in the web-based management console of many home and business routers lets attackers disable security features without knowing any password.
In an exercise to understand the general techniques, tools and procedures available to router hackers, cybersecurity firm Sophos has shown how easy it is for attackers to get into the web-based management interfaces of home and small-business routers without knowing the administrator password.
Disassembling the routers' web server code revealed that many of them ship with a built-in list of web server subdirectories for which authentication is not required, so that requests for 'harmless' files such as http://[router]/images/logo.png are treated as safe.
Once the request path has matched one of those 'harmless' subdirectory names, no further checks are applied to the rest of the path, such as looking for risky characters in the filename.
This sort of bug is known as a directory traversal vulnerability: the special directory name .. (two dots) is shorthand for 'go up one directory', so a request such as http://[router]/images/../[protected page] passes the subdirectory check yet resolves to a page outside the harmless directory.
The affected routers also set an authentication cookie, valid for every other password-protected page, as soon as any page that was supposed to require authentication has been served.
In other words, the authentication token is generated not as a side-effect of a correct password being entered, but as a side-effect of a protected page being accessed. A single bypass via the directory traversal bug therefore reliably turns into a bypass everywhere.
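To make the two defects concrete, here is an added example that models them in a toy request handler. It is not code from the article or from any router vendor: the page table, the prefix allowlist, the cookie value and the admin password are all constructed for illustration. The vulnerable handler checks the allowlist against the raw request path and then mints a session cookie whenever a protected page is reached; the hardened handler decodes and normalises the path before any check, rejects '..' segments outright, and issues a cookie only from a password check.

```python
import hmac
import posixpath
from urllib.parse import unquote

# Constructed toy page table for a hypothetical router web UI; not any vendor's real code.
PAGES = {
    "/images/logo.png": ("public", "PNG bytes would go here"),
    "/admin/status.html": ("protected", "<html>WAN status</html>"),
    "/admin/firewall.html": ("protected", "<html>firewall settings</html>"),
}
# Subdirectories the firmware treats as 'harmless' and serves without authentication.
UNAUTHENTICATED_PREFIXES = ("/images/", "/css/", "/js/")
COOKIE_NAME = "session"
VALID_SESSION = "a1b2c3d4"         # hypothetical session value the router issues
ADMIN_PASSWORD = "correct-horse"   # hypothetical admin password


def vulnerable_handle(path, cookies):
    """Models the flaw described above.

    The allowlist check runs on the raw request path, the page lookup runs on the
    decoded and normalised path, and a session cookie is minted as a side effect of
    any lookup that lands on a protected page. Returns (status, body, cookies_to_set).
    """
    if path.startswith(UNAUTHENTICATED_PREFIXES):
        authorised = True                       # 'harmless' prefix matched, no further checks
    else:
        authorised = cookies.get(COOKIE_NAME) == VALID_SESSION
    if not authorised:
        return 401, "", {}
    resolved = posixpath.normpath(unquote(path))  # '..' segments collapse only here
    if resolved not in PAGES:
        return 404, "", {}
    kind, body = PAGES[resolved]
    issued = {COOKIE_NAME: VALID_SESSION} if kind == "protected" else {}
    return 200, body, issued


def hardened_handle(path, cookies):
    """Same server with both defects fixed: decode and normalise before the allowlist
    check, reject any '..' segment outright, and never issue a cookie from a page fetch."""
    decoded = unquote(path)
    if ".." in decoded.split("/") or "\x00" in decoded:
        return 400, "", {}
    resolved = posixpath.normpath(decoded)
    if not resolved.startswith(UNAUTHENTICATED_PREFIXES):
        if cookies.get(COOKIE_NAME) != VALID_SESSION:
            return 401, "", {}
    if resolved not in PAGES:
        return 404, "", {}
    return 200, PAGES[resolved][1], {}


def hardened_login(password):
    """Only a correct password mints a session cookie (constant-time comparison)."""
    if hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode()):
        return {COOKIE_NAME: VALID_SESSION}
    return {}


def traversal_chain(handler):
    """Replay the two-step bypass against a handler: (1) reach a protected page through a
    'harmless' prefix, (2) reuse whatever cookie that produced on another protected page.
    Returns (status_of_step1, cookie_issued, status_of_step2)."""
    status1, _, issued = handler("/images/../admin/status.html", {})
    status2, _, _ = handler("/admin/firewall.html", issued)
    return status1, bool(issued), status2


if __name__ == "__main__":
    print("vulnerable:", traversal_chain(vulnerable_handle))  # (200, True, 200)
    print("hardened:  ", traversal_chain(hardened_handle))    # (400, False, 401)
```

The percent-encoded form `/images/..%2fadmin/status.html` behaves the same way as the plain one against the vulnerable handler, because the prefix test sees the raw string while the lookup sees the decoded one; the hardened handler decodes first, so both forms are rejected before any lookup happens.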
The firm found 37 widely-used products sharing this same code, and its researchers expect that many other router products are also affected.
This is alarming news at a time when so many people are working from home and so many organizations are moving their operations online. Sophos recommends the following protective measures:
- Check the published list of affected products to see whether your router is among them.
- Make sure your router is running the latest firmware.
- Do not turn on remote access to your router's management console, and never turn it on just because someone you have asked for technical help tells you to.
- Many routers used to ship with a well-known factory-default username and password such as admin, or with the login credentials printed on a label on the chassis. Make sure your router is no longer using such default credentials.