Millions of Routers Supplied by Broadband ISPs Vulnerable to TR-069 Hackers

A team working for Check Point Software Technologies have warned that the TR-069 (CWMP) remote management protocol, which is commonly enabled in broadband routers supplied by ISPs and helps the provider to keep your device updated with the latest firmware or to perform various other tasks (e.g. diagnostics), is vulnerable to a variety of potential exploits.

Readers of ISPreview.co.uk will have noted a distinct rise in the number of security scares about home broadband routers over the past 12 months (e.g. here, here, here, here, here and here), with several focusing on devices sold or supplied by ISPs in the United Kingdom. But one of the areas that often causes the most concern is whether or not hackers could abuse the common TR-069 remote management protocol.

The TR-069 protocol is nothing new, with both big ISPs like BT, TalkTalk and even some smaller providers often using it to keep your hardware up-to-date or for diagnostic purposes. The protocol can also be used to manage more sophisticated services, such as VoIP. But so far, despite a few specific security scares for certain devices, TR-069 hasn’t caused too many problems.

Unfortunately that could be about to change after Check Point’s team uncovered a number of “critical zero-day vulnerabilities” that could have resulted in the “compromise of millions of homes and business worldwide” through flaws in several TR-069 server implementations. Hackers could use such flaws to steal personal data, infected your device with malware, disrupt your service and any number of other nefarious activities.

Shahar Tal, Team Leader at Check Point, said:

“Check Point’s mission is to keep one step ahead of malicious attackers. The security flaws uncovered in TR-069 implementations could have resulted in catastrophic attacks against Internet Service Providers and their customers across the world. Our Malware and Vulnerability Research Group continues to focus on uncovering security flaws and developing the necessary real-time protections to secure the Internet.”

An “alarming number” of ISPs and their TR-069 servers (Auto Configuration Servers) are said to be “insecure” and thus vulnerable to remote takeover. The details of several flaws were revealed on Saturday to the annual DEF-CON conference in Las Vegas (USA) and some were quite surprising.

For example, the TR-069 specification calls for the use of HTTPS (i.e. SSL secure encryption) between the ISPs ACS server and the remote customer’s router, but some ISPs didn’t even bother to secure this and simply used HTTP. Meanwhile a few that did use HTTPS were also found to be open to certificate validation flaws, which could allow a man-in-the-middle style attack vector to spoof the ACS.

A number of ACS software solutions (e.g. GenieACS), which are used by ISPs to manage the communication with their TR-069 capable end-user routers, were also discovered as being open to several remote code execution and other vulnerabilities. In fact one solution was apparently so bad and widely used that Check Point chose not to name it until all of the holes had been plugged because hundreds of thousands of people around the world could be affected.

Sadly ISPs that enabled TR-069 often do so on devices by hiding or disabling access to the routers related management settings, which means that you couldn’t disable it even if you wanted to (unless you’re comfortable hacking the firmware and most people won’t be). At the same time disabling TR-069 on a pre-configured ISP router carries other risks since the provider might struggle to keep your hardware updated against separate security threats or to resolve separate network/hardware issues.

It’s hoped that Check Point’s report will act as a catalyst and encourage ISPs to ensure they’re using the best practice for TR-069 and have the most secure implementations possible. Just to put this in some perspective, the Broadband Forum recently celebrated ten years of TR-069 and a projected 250 million devices managed via the protocol.