Security Audit Exposes 60 Flaws in 22 Home Broadband ISP Routers

Tuesday, Jun 2nd, 2015 (4:21 pm)

A new security audit, which was manually conducted by a group of security researchers as part of their IT Security Master’s Thesis at a Madrid University in Spain, has uncovered multiple vulnerabilities with 22 different home and office broadband routers, including popular brands like Huawei, Netgear, Zyxel, D-Link, Linksys, Belkin and Sagem.

The audit uncovered a plethora of problems that ranged from Cross Site Scripting (XSS) vulnerabilities to Denial of Service (DoS) exploits, Privilege Escalation, Backdoors, USB Device Bypass Authentication, Universal Plug and Play related vulnerabilities and various other flaws.

Some of the affected devices are known to have been re-branded and distributed by ISPs elsewhere in Europe, although off-hand we don’t believe that any current UK fixed line providers have been using the below models (at least not recently). Nevertheless, some consumers may have purchased one via the shops.

List of the Problem Routers
1. Observa Telecom AW4062
2. Comtrend WAP-5813n
3. Comtrend CT-5365
4. D-Link DSL-2750B
5. Belkin F5D7632-4
6. Sagem LiveBox Pro 2 SP
7. Amper Xavi 7968 and 7968+
8. Sagem Fast 1201
9. Linksys WRT54GL
10. Observa Telecom RTA01N
11. Observa Telecom Home Station BHS-RTA
12. Observa Telecom VH4032N
13. Huawei HG553
14. Huawei HG556a
15. Astoria ARV7510
16. Amper ASL-26555
17. Comtrend AR-5387un
18. Netgear CG3100D
19. Comtrend VG-8050
20. Zyxel P 660HW-B1A
21. Comtrend 536+
22. D-Link DIR-600

Sadly the dire state of security in home and office (SOHO) broadband routers is by no means a new problem and indeed we’ve already documented a significant number of vulnerabilities over the past two years.

The most commonly found flaws tend to pop up in devices that have already been phased out, although in the real world lots of consumers still use old hardware. Meanwhile router manufacturers are notorious for failing to keep the devices they sell up-to-date with security patches (new firmware).

In the above examples the top four most commonly found security flaws, which existed on a large number of the listed devices, were as follows:

– Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22.
– Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20.
– Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20.
– Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19.

Hackers are increasingly targeting vulnerable consumer routers, especially those that can be scanned for and attacked remotely over the Internet. But despite this the industry has been slow to adapt and recognise that keeping home and office routers secure has now become a significant concern for many consumers.

Unlike computer software that automatically patches itself, if you want to keep your router secure and the device wasn’t supplied by your ISP, then the onus is usually on you alone to visit the manufacturer’s website and ensure you’re running the latest firmware. In reality many people will find that process too confusing and in any case the manufacturers may have stopped support.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.