Security researchers from Independent Security Evaluators have tested thirteen widely used small office/home office routers and wireless access points, and have discovered that every single one of them has critical security vulnerabilities that allow local and remote attackers to take control of the device.
The examined devices are built by Linksys, Belkin, Netgear, TP-Link, Verizon, D-Link and by yet unnamed manufacturers, and have all been tested with their default configuration and the latest firmware.
The researchers found that even though only some of them are susceptible to trivial attacks, all can be compromised when the attacker has access to credentials (or the device still uses the default ones) or if there is an active management session.
“Once compromised, any router—SO/HO or otherwise—may be used by an adversary to secure a man-in-the-middle position for launching more sophisticated attacks against all users in the router’s domain,” the researchers stated.
“This includes sniffing and rerouting all non-SSL protected traffic, poisoning DNS resolvers, performing denial of service attacks, or impersonating servers. Worse still, is that these routers are also firewalls, and often represent the first (and last) line of defense for protecting the local network. Once compromised, the adversary has unfettered access to exploit the vulnerabilities of local area hosts that would be otherwise unreachable if the router were enforcing firewall rules as intended.”
They also pointed out that apart from the endpoint users, even ISPs, their own core infrastructure or other organizations are at risk if the provider deploys these routers
The worst part of it is that there is not much that an average user can do to prevent these attacks from happening.
“Successful mitigation often requires a level of sophistication and skill beyond that of the average user (and beyond that of the most likely victims),” the researchers claim, so they included a number of recommendations for those who can: vendors and device administrators.
The researchers have responsibly disclosed the found vulnerabilities to the device manufacturers, and have announced their plan to test the same devices (and possibly others) six months after the security advisories for the issues affecting them are released.