
Bugwatch: Routing out hackers

by Eric Chien, Symantec

09 Nov 2001

Each week vnunet.com asks a different expert from the security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week Eric Chien, head of security response, Europe, Middle East & Africa, at internet security company Symantec, explains why your router may be a target, and what you can do about it.

The Computer Emergency Response Team (Cert) recently released a paper drawing attention to the increase in the number of hacking attacks that are targeting routers, rather than individual machines.

Routers have always been a target for hackers. I was surprised to see the Cert information that says they are on the rise. However, with cable modem and DSL you are seeing a lot more routers at the home and small office level. Previously that path wasn't available to hackers.

But how can a malicious user get access to the router? First, routers are often shipped with default passwords. If these are not changed by the administrator, people can remotely log in and change things such as the routing table.

Routers in the past often had secret 'backdoor' passwords. These were put in place so that router manufacturers like Cisco and 3Com could help companies that had forgotten their passwords. By using such backdoor passwords they could help you back into your system.

Next, malicious users can 'sniff' the wire, watching for passwords. For example, an administrator using the web interface will need to type in a password. A malicious user could see this password, go across the network and then use it.

Bugs in services (such as a web server or telnet server) may give access to hackers. For example, if the web management console has a buffer overflow, a hacker can gain access to the router. Once a hacker has access to the router, what would they do with it?

A hacker could modify the routing table to cause a denial of service (DoS) attack. A hacker can change the routing table so that all packets are routed to a single destination such as whitehouse.gov, resulting in a DoS. Imagine if the phone company had a bug and all phone calls made in England ended up ringing your phone!

In addition, the hacker doesn't need the password or a buffer overflow to modify the routing tables. Many routers support Routing Information Protocol (RIP). This allows routers to broadcast their routing tables and dynamically update their tables. A hacker can spoof RIP packets and thus trick routers into modifying their tables.
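As an added example, not from the article, the detector below parses RIPv1/v2 response datagrams and flags the kind of spoofed update described above: an update from an address that is not a known neighbour, one that carries no authentication entry, or one that advertises a default route. The neighbour addresses, the sample packets and the simple-password authentication entry are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Assumption: the RIP neighbours this router legitimately peers with (constructed addresses).
TRUSTED_NEIGHBOURS = {"192.0.2.1", "192.0.2.2"}
RIP_RESPONSE = 2          # command value of a RIP response (a routing update)
AUTH_AFI = 0xFFFF         # address-family value that marks a RIPv2 authentication entry

def build_response(version, routes, password=None):
    """Build a constructed RIP response payload; routes are (prefix, mask, nexthop, metric)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if password is not None:               # RIPv2 simple-password entry (auth type 2)
        pkt += struct.pack("!HH", AUTH_AFI, 2) + password.encode().ljust(16, b"\0")
    for prefix, mask, nexthop, metric in routes:
        pkt += struct.pack("!HHIIII", 2, 0, int(IPv4Address(prefix)), int(IPv4Address(mask)),
                           int(IPv4Address(nexthop)), metric)
    return pkt

def parse_rip(payload):
    """Parse a RIP payload into (command, version, auth_type, routes); 20-byte entries after a 4-byte header."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP datagram")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    auth_type, routes = None, []
    for off in range(4, len(payload), 20):
        afi, tag = struct.unpack("!HH", payload[off:off + 4])
        if afi == AUTH_AFI:                 # authentication entry: the tag field holds the auth type
            auth_type = tag
            continue
        prefix, mask, nexthop, metric = struct.unpack("!IIII", payload[off + 4:off + 20])
        routes.append((str(IPv4Address(prefix)), str(IPv4Address(mask)),
                       str(IPv4Address(nexthop)), metric))
    return command, version, auth_type, routes

def check_update(src, payload):
    """Return findings for a RIP datagram received from src; an empty list means nothing suspicious."""
    command, version, auth_type, routes = parse_rip(payload)
    findings = []
    if command != RIP_RESPONSE:
        return findings                     # requests carry no routes, so there is nothing to flag
    if src not in TRUSTED_NEIGHBOURS:
        findings.append(f"routing update from non-neighbour {src}")
    if version < 2 or auth_type is None:
        findings.append("update carries no authentication (RIPv1 or no auth entry)")
    for prefix, mask, nexthop, metric in routes:
        if prefix == "0.0.0.0" and mask == "0.0.0.0":
            via = src if nexthop == "0.0.0.0" else nexthop   # next hop 0.0.0.0 means the sender
            findings.append(f"default route advertised via {via} with metric {metric}")
    return findings
```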

A hacker could intercept information being sent to you. By modifying the routing table, they could cause your packets to pass through their server, allowing them to view your network traffic. In addition, they could replace data you are downloading with malicious content.

They can also use the router as a launch point. By logging into a router, a hacker could execute network analysis programs such as ping, and send large amounts of traffic to a single site creating a DoS attack.

A hacker can bring down, stop or reconfigure the router, causing a DoS. If the router isn't working properly for whatever reason, traffic can't be routed.

What steps can you take to secure a router? First, change all default passwords to 'non-guessable' ones and remove any 'backdoor' accounts. Disable any unnecessary services such as a web server. Avoid using web management interfaces and insecure protocols such as SNMPv1.

Create router rules to prevent IP spoofing; to prevent hackers from finding the router (for example, not replying to pings); and to limit remote management access to only trusted machines that do both ingress and egress filtering. Enable logging and, more importantly, review those logs.

The attacks themselves are nothing special today. As Cert notes, they are being conducted using default passwords.

In the future, as routers gain functionality and become more easily managed, there is the possibility for more vulnerabilities, like buffer overflows, to be found in them.

We may yet have time to secure ourselves against this latest trend - routers used by corporations are very expensive. The average hacker can't afford a router and you can't download it from the internet like pirated software. Thus, your average hacker won't have the opportunity to research router exploits and vulnerabilities.

Do you agree?

 
