Residential routers easy to hack

The infamous “admin” user ID and hackable, weak passwords are prevalent on large numbers of home routers, says a security firm. That’s despite the public’s increasing awareness of vulnerabilities and associated hacking.

Researchers at ESET recently tested more than 12,000 home routers and found that many of the devices are insecure. Firmware was flawed in some cases.

+ Also on Network World: Answers to ‘Is the internet broken?’ and other Dyn DDoS questions +

“Approximately 7 percent of the routers tested show vulnerabilities of high or medium severity,” ESET says in an article on its Welivesecurity editorial website. “Fifteen percent of the tested routers used weak passwords, with ‘admin’ left as the username in most cases.”

Weak passwords can be easily exploited. Fourteen percent of simulated attacks on the routers were, in fact, victorious. The probing attack methodology was simply to use common default usernames and passwords, along with some frequently used combinations.

Telnet was left open on 20 percent of the routers, and command injection vulnerabilities were also caught.

Telnet, as an unsecured service, shouldn’t be openly available to even a local network, ESET explains. Command injection vulnerabilities “aim for the execution of arbitrary commands on the host operating system.” They use a vulnerable application, the security company says. Proper input validation fixes the deficiency.

Of that 7 percent of the now-common household devices with software vulnerabilities, about half (53 percent) had “bad access rights vulnerabilities,” or permissions problems, in other words.

The command injection vulnerabilities made up 39 percent of the failings. Cross-site scripting (XSS) vulnerabilities, which allow hackers to change router setups and run bogus scripts, made up 8 percent.

“The results clearly show that routers can be attacked fairly easily,” the article says.

ESET also says port scanning during its testing showed that in numerous cases, network services were accessible from internal networks, as well as from external networks.

Are your IoT devices vulnerable?

With the partial collapse of the internet last week, reportedly caused by home network Internet of Things (IoT) security cameras creating holes for DDoS attacks, I’m reminded of the Shodan IoT open port searching website that I wrote about in 2014.

Shodan, still active, is a search engine that trawls the internet looking for port-connected devices. Mapped, visual representations of connected IoT devices, such as open cameras around the world, are depicted.

Interestingly, Reddit-user Fistagon7 points out that Shodan services can be used to see if Reddit members participated in the aforementioned, and now-famous, IoT-originating DDoS attack last week.

“Scan your IoT devices to see if they may have participated in yesterday’s DDoS,” Fistagon7 writes, linking to a new version of Shodan.

That refreshed page, called the Internet of Things Scanner, powered by BullGuard, allows users to check if devices on a network are publicly accessible from the internet.

Open ports that might be indicative of a vulnerability are supposed to show up in the scans.

If open ports are found, Internet of Things Scanner will advise on corrective action, which can include modifying the router’s configuration. That might include restricting access to the port if you didn’t purposefully open the port.

“If you deliberately opened this port to enable specific device functionality, then you’re probably OK,” the results page says.

This article is published as part of the IDG Contributor Network. Want to Join?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.