14 DAY TRIAL // Home routers provided by Internet Service Providers (ISPs) and accessed through TR-069 (CWMP) protocol for remote management have been found to be vulnerable, some security researchers say.
At the DefCon hacker convention in Las Vegas last week, Shahar Tal, security researcher at CheckPoint Software Technologies, presented the risks of an attacker compromising the Auto Configuration Servers (ACS) used by ISPs to manage customer devices.
Devices with TR-069 enabled communicate with their operator for zero-touch configuration, tech support remote management, monitoring for failures, errors or malicious activity or for silently receiving firmware updates.
According to Tal, the adoption of TR-069 is on the rise, and in 2011 there was an estimate 147 million TR-069 enabled devices online, 70% of them being residential gateways. Furthermore, scanning IPv4 addresses revealed that port 7547 specific for CWMP was the second most detected, after HTTP.
Should an attacker manage to compromise an ACS, they would not only have access to customer private data (SSID, hostnames, MAC addresses, VoIP credentials, configuration files), but they would also be able to make changes for routing traffic through a tunnel in their control.
Moreover, they can easily modify the WiFi settings, allowing them to remove the connection password, or adding a hidden SSID.
One of the greatest risks is that threat actors can push malicious firmware on devices in order to gain backdoor access or to distribute malware.
In the presentation slides, Tal says that secure communication is recommended for exchanges between ACS and the managed devices, but the researcher found that, in 81% of the cases he encountered during tests, communication was carried out via the insecure HTTP.
The result of the research was that TR-069 implementations on the servers do not benefit from sufficient security measures.
With his colleagues at CheckPoint, Tal discovered serious issues in ACS software solutions employed by different ISPs.
After auditing OpenACS for three days, Tal and his colleagues discovered remote code execution vulnerabilities in the software. The same result was recorded in the case of GenieACS, after two days of evaluation.
In the case of an undisclosed vendor, whose ACS software has a massive global install base that includes major providers, the CheckPoint team found numerous glitches. After receiving permission from a provider to make some tests on the vulnerable solution, they found that a total of 509,158 devices could be compromised.
Although a fix for the issue is not easy to find, in some cases access to the TR-069 settings is possible. Auditing TR-069 configuration and ensuring that SSL and proper certificate validation is done are among the safety measures a user can take at the moment.
It falls on the shoulders of ACS vendors to create better software and on of ISPs to protect their customers.