Disclosed privately in 2013, the bug is still present

Jan 17, 2015 00:09 GMT

Home routers provided by Spanish Internet service provider Movistar Telefonica to its customers have been found to contain an information disclosure vulnerability that can be exploited remotely, without the need to authenticate.

The bug exists in the BroadBand Pirelli ADSL2/2+ (P.DGA4001N) wireless routers and allows access from any public IP to about 150 HTML setting files. These include options for configuring DNS, password, UPnP, WAN, resetting the device or accessing its web administration console; none of them benefits from any sort of protection.

Full control of the devices can be achieved

In a public vulnerability disclosure, Eduardo Novella, the researcher who found the bug (CVE-2015-0554), says that an attacker could add the routers to a botnet for carrying out distributed denial-of-service (DDoS) attacks.

Using home routers for DDoS purposes has become a more common practice for cybercriminals lately.

Hacker group Lizard Squad, responsible for knocking offline the Sony PlayStation and Microsoft Xbox gaming networks multiple times, has released a DDoS-for-hire service based on thousands of such devices that were found to be protected only with the default credentials provided by the manufacturer.

However, given all the sensitive files that are exposed, cybercriminals could cause more damage, as they can gain full control of the device and redirect traffic to online locations hosting malware.

Glitch was reported in 2013

Novella reports that one way to mitigate the problem is to try updating the firmware to the latest version, or to flash a custom one, such as those from OpenWrt and DD-WRT. Another way to remain protected is to disable remote connectivity from outside the network.

Novella found the glitch and reported it to both Movistar, which is also the largest Internet Service Provider (ISP) in Spain, and Pirelli back in April 2013, but almost two years have passed without an answer from either of the two parties.

Along with details about the vulnerability, the advisory provided by the researcher also contains code for exploiting it, as well as a method to reboot the router and thus create a denial-of-service condition.

The researcher also uploaded a video on YouTube, where the security flaw is demonstrated. It shows how vulnerable devices can be discovered using the Shodan search engine for Internet-connected devices.