Home routers in Spain and Argentina sport critical vulnerabilities
Spanish security researcher Eduardo Novella has discovered two critical vulnerabilities affecting a specific ADB Pirelli home wireless router deployed by Spanish broadband provider Movistar and Argentinian ISP Arnet.
The vulnerable device is ADB Pirelli ADSL2 data gateway PDG A4001N, and according to Novella, who’s currently an intern at Dutch security audit firm Fox IT, he discovered the first vulnerability in early 2013, and dutifully disclosed it to both Pirelli and Movistar.
This is an information disclosure flaw (CVE-2015-0554) that makes the device vulnerable to being hijacked and misused by remote attackers who can then monitor what’s going on specific home networks, make changes to the settings, open ports, make the router part of a botnet, and so on.
The attack is trivial to execute, and Novella published PoC code that can be used to extract session keys, the Wi-Fi’s network password, reboot the device, etc.
“These routers are vulnerable to fetch HTML code from any IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information,” he explained. The routers’ public IP address can easily be found via Shodan or other net scanning services.
Users who worry about it can either try to update the device’s firmware or install a third-party one such as OpenWRT or DDWRT, but maybe the best thing to do at the moment is to disable the remote connection option, says Novella.
The second vulnerability (CVE-2015-0558), which he discovered in September 2014 and pointed out to Arnet and ADB Pirelli later that same month, makes it possible for attackers in possession of the firmware code (which can be found online) to reverse-engineer the device’s default key generation algorithm and, consequently, to determine the device’s default Wi-Fi encryption keys.
Novella made all this information public because the device manufacturer and the firms that deploy it have not reacted positively (some not at all) to his attempts of responsible and private disclosure.