This article is more than 1 year old
Boffin's easy remote hijack hack pops scores of router locks
Singaporean telco's customer premises equipment is a gateway to security hell
Thousands of routers mandated for use by a major Singaporean telco and operated by 'top enterprises" around the world are open to a remote zero day exploit that allows routers to be completely hijacked and is indefensible by most users.
Vantage Point Security senior security consultant Lyon Yang does not wish to disclose the name of the affected internet provider but says the ZHONE routers are required for subscribers to be able to connect to the service.
“When the ISP ships the router, it comes with a shitload of vulnerabilities,” Yang told Vulture South ahead of a talk at the Hack in the Box conference this week.
"I quickly found a large number of routers on Shodan from users in different countries --- some of the top enterprises use it."
"The remote hijack vulnerability is really easy to pull off."
The hack is one of seven vulnerabilities, all patched last week.
The telco concerned is, after some typical security communication failures, developing patches. Whether users have the skill to pull off the upgrade remains to be seen.
Yang says the most complex vulnerabilities of the set are two stack overflows. A remote hijack hole via the router's ping functionality is partially fixed but still exploitable as of the time of writing.
He says the ISP does not provide users with the router credentials normally required for users to access admin panels and update firmware, but it is stored in cleartext within a backup configuration file which users can access.
Attackers can overwrite that file to set their own arbitrary passwords, however.
|Feature: Broadband routers: SOHOpeless and vendors don't care|
Users can set the modem in bridge mode and set their own routers behind it, but they must still use the vulnerable product.
Yang says he appears to be the first researcher to examine the security of the ZHONE routers and adds that the state of SOHO security more broadly is lousy.
The penetration tester is planning on examining the "overlooked" area of internet-of-things security as Singapore undergoes its massive smart city project. ®