Security researchers at the International Conference On Cyber Security And Cyber Law reported that they have found a fatal security hole in a wide variety of SOHO Internet Routers.
As is often the case, the researchers discovered this problem accidentally while examining the code of a router for a completely different problem (see the researcher’s blog here).
What the researcher found is that an administrator-level userid and password were hard coded into the router's firmware, and that the userid/password combination was super/super.
Hard coded. Doesn’t show up on the list of userids in the user interface. This means that you cannot delete it.
Worse yet, by default, administration from the Internet (or hacker) side of the router is turned ON. You can, if you are familiar with the router, disable this feature, at least.
The link above has a list of router manufacturers and models that have been found to be affected, but that does not mean there are not others.
The researchers did a scan of the public Internet and found about 200,000 affected (or infected) routers. They think that likely 500,000 routers are affected, but in reality, who knows.
This really is the same issue that I spoke about the other day – software supply chain issues (see post). Just like Superfish, which needed some SSL software, all these router manufacturers likely needed some firmware, so they went out into the marketplace, found this code that would work and put it in their routers. Likely no testing to speak of and probably no vulnerability assessment. Since the software license agreement disclaims liability for any problems (read it), their exposure is pretty low. Legally, they don't even have to issue a patch.
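To show what even a minimal vulnerability assessment of that bought-in firmware would have caught, here is an added example (my own illustration, not code from the researchers or any router vendor). It pulls printable strings out of a firmware image the way the `strings` utility does, then flags two things the post describes: a known default credential pair such as super/super stored either as two adjacent strings or as a single `user:password` string, and a setting that turns on administration from the Internet side. The firmware blob, the credential list beyond super/super, and the `remote_admin`-style key names are all constructed placeholders; real images use vendor-specific layouts and keys.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample firmware blob (not a real image): a fake ELF header, some
# UI strings, a hard-coded credential pair of the kind the post describes, and a
# constructed config key that enables WAN-side administration by default.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 32
    + b"login: \x00Password: \x00"
    + b"super\x00super\x00"        # constructed: adjacent hard-coded user/password
    + b"remote_admin=1\x00"        # constructed key name, assumed to mean WAN admin is on
    + b"/etc/passwd\x00" + b"\xff" * 16
    + b"admin\x00" + b"\x00" * 8
)

# Default or weak credential pairs to flag. super/super is the pair reported in
# the post; the others are common defaults added here for illustration only.
KNOWN_DEFAULT_CREDS = {("super", "super"), ("admin", "admin"), ("root", "root"), ("admin", "password")}

# Constructed names for settings that expose the admin UI to the WAN side.
# Real firmware uses vendor-specific keys; treat this list as a placeholder.
REMOTE_ADMIN_KEYS = ("remote_admin", "wan_admin", "remote_management")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Pull printable-ASCII runs out of a binary, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_hardcoded_credentials(blob: bytes) -> List[Tuple[str, str]]:
    """Flag known default credential pairs stored either as two adjacent
    NUL-terminated strings or packed into one 'user:password' string."""
    strings = extract_strings(blob)
    hits: List[Tuple[str, str]] = []
    # Case 1: user and password stored back to back in the string table.
    for user, password in zip(strings, strings[1:]):
        if (user, password) in KNOWN_DEFAULT_CREDS and (user, password) not in hits:
            hits.append((user, password))
    # Case 2: 'user:password' in a single string (htpasswd-style).
    for s in strings:
        if ":" in s:
            user, _, password = s.partition(":")
            if (user, password) in KNOWN_DEFAULT_CREDS and (user, password) not in hits:
                hits.append((user, password))
    return hits


def find_remote_admin_defaults(blob: bytes) -> List[str]:
    """Flag config strings that turn on administration from the Internet side."""
    pattern = re.compile(r"^(%s)=(1|on|true|yes)$" % "|".join(REMOTE_ADMIN_KEYS), re.IGNORECASE)
    return [s for s in extract_strings(blob) if pattern.match(s)]


def audit_firmware(blob: bytes) -> Dict[str, list]:
    """Run both checks; empty lists mean nothing was flagged."""
    return {
        "hardcoded_credentials": find_hardcoded_credentials(blob),
        "remote_admin_enabled": find_remote_admin_defaults(blob),
    }


if __name__ == "__main__":
    report = audit_firmware(SAMPLE_FIRMWARE)
    for key, findings in report.items():
        print(f"{key}: {findings or 'none'}")
```

Run against the constructed blob it reports the super/super pair and the `remote_admin=1` setting. A string scan like this only finds credentials stored in the clear, so a clean result is not proof that an image is safe; it is the cheap first check a vendor has no excuse for skipping before shipping someone else's firmware.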
While it is technically possible that a few of the affected manufacturers may release a firmware update that removes this problem, you really don’t know if or when they will.
Whether hackers, the NSA, the Chinese government or anyone else was already aware of the problem is, of course, unknown.
Having this userid and password allows them to control your router and from there, every device on your network and every bit that transits your Internet connection in either direction.
These are really inexpensive routers, so my suggestion is that, if you have one, to disconnect it from the Internet, take it out to your driveway and run it over with your car. Then buy a new, brand name router. Of course, being a brand name router does not mean it won’t have vulnerabilities (after all, Lenovo brought us Superfish), but it does mean they are more likely to patch it if it becomes public and hurts their brand name (again, like Lenovo).
There are also open source solutions that are likely more secure, but those are probably for the more geeky among us.
Another day, another vulnerability.
Thanks to Steve Gibson at Gibson Research for bringing this up (see link).