Broadband routers from ADB Pirelli – used by Movistar in Spain and an ISP in Argentina – are vulnerable to at least two nasty security weaknesses, it's claimed.
The ADB Pirelli ADSL2/2+ Wireless Routers can be trivially controlled remotely from across the internet, allowing someone to surreptitiously monitor or disrupt home networks, according to a security researcher.
"Neither authentication nor any protection to avoid unauthorised extraction of sensitive information" is used, said Eduardo Novella, who says he uncovered the flaw.
Essentially, the routers appear to expose their internal web server, used to easily configure the device from a browser, to the public internet with no authentication checks. This would allow anyone to, say, request an owner's Wi-Fi network password using a simple plain-text HTTP request, such as:
curl -s http://x.x.x.x/wlsecurity.html | grep -i "var wpapskkey"
Where x.x.x.x is the router's public IP address; these can be found from 'net scanners like Shodan. The same trick can be used to obtain a session key to then access the controls to the device, allowing a miscreant to force a reboot, open ports to machines on the LAN, hijack DNS settings and so on, according to Novella.
His vulnerability advisory includes example commands to access the devices. There's also a video on YouTube of one being exploited, here. Novella suggests updating to the latest firmware, if a fix is present, or installing a custom OS such as OpenWRT, if possible.
A second security weakness, also apparently discovered by Novella, means it's possible to reverse-engineer the WPA key generation algorithm in Pirelli routers in Argentina, and thus calculate their default Wi-Fi encryption keys.
Novella discovered the first problem in April 2013 and the second in September. He has notified the ISPs and hardware vendor, but says he has yet to hear back, prompting his decision to go public last week.
"Neither Movistar nor Pirelli answered my attempts for fixing the problems," said Novella. "Only Arnet Telecom Argentina replied the first email. After I explained the vulnerability, they disappeared and never got a message back."
El Reg asked ADB Pirelli for comment on the reported vulnerabilities last week, and received no response. We'll update this story as and when we hear more. ®