Singapore Internet Users, Secure Your Routers!

We are currently conducting a study of the routers commonly used by Singapore ISPs. Surprisingly, of the three routers we have been testing so far, we were able to find critical vulnerabilities that allow an attacker to become at least admin (and in most cases also gain a remote root shell) with relatively low effort.

Fixes are in progress, and we have been working with the affected vendors for several months on fixing the issues. We won't release vulnerability details unless the issues have been fixed comprehensively for all end users in Singapore. However, there are some steps that users can take to mitigate the issues right away, which we describe further down in the article.

First, here is an overview of the vulnerabilities discovered so far (if you have one of these routers at home, please take our remediation steps ASAP):

Note: On the Aztech FG7008R(AC), WAN access to the vulnerable services is disabled by default, so the issues can be exploited via the local network only. Users running the router in the default configuration cannot be compromised over the Internet.

During our research we have developed several proof-of-concept exploits. Given the vulnerabilities found so far, we found thousands of ViewQwest users to be particularly vulnerable - they use the ZHONE GPON router with a statically assigned IP address with all default services exposed on the Internet. Using the vulnerabilities above, it is possible to compromise routers of ViewQwest subscribers at will. An attacker can not only read out the subscriber's name and residential address via the web interface, but also run arbitrary code on the subscriber's router, e.g. to install malware on the user's client systems or read and manipulate the user's network traffic.

Please note that ViewQwest and ZHONE are both working on remediating these issues. In the meantime, please follow the steps outlined below.

Protecting home routers against attacks

For all Singapore users, it is advisable to:

  • Change the default user/admin passwords;
  • Disable all network services (especially remote access) on the router.

Securing ZHONE GPON

By default, access to your router via HTTP and telnet is turned on from the Internet.

1. Access your Zhone router web administrative console (http://192.168.1.1)

2. Click on Configuration -> Firewall -> Mgmt Access:

Description of Network Interfaces:

  • brvlan7 - ViewQwest Internal Access
  • brvlan923 - Internal Network
  • eth0.v923 - Public Network (Internet)
  • brvlan899 - One Voice

The network interface eth0.v923 should be turned off for all services, as this interface is exposed to the Internet.

3. Click Apply/Save

4. Get your Public IP Address via http://www.whatismyip.com/

Access your public IP directly via your web browser to confirm that it has been turned off successfully.

Securing Aztech Router

Go to Management -> Access Control

Ensure that all the services are disabled.
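The browser check in step 4 only covers HTTP. The script below is an added example (not part of the original article) that tests both management services named above against an address you supply and reports each as open, closed or filtered. The standard ports 80 and 23 and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Check whether a router's management services still answer on an address."""
import errno
import socket
import sys

# Management services the article names as exposed by default.
# Standard port numbers are assumed; adjust if your router uses others.
MGMT_PORTS = {"http": 80, "telnet": 23}


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        # An unreachable host or network also means the service did not answer.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def check_router(host, ports=MGMT_PORTS, timeout=3.0):
    """Probe every management port and return {service name: state}."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}


def exposed(results):
    """List the services that still accept connections."""
    return sorted(name for name, state in results.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_mgmt.py <your-public-ip>")
    results = check_router(sys.argv[1])
    for name, state in results.items():
        print(f"{name:7s} port {MGMT_PORTS[name]:<5d} {state}")
    # A non-zero exit status means at least one service is still reachable.
    sys.exit(1 if exposed(results) else 0)
```

Run it against your own public IP from a connection outside your home network (for example a mobile data link), because a request sent from inside the LAN may be answered by the router's internal interface rather than the Internet-facing one.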

Securing other router models

Virtually all routers are configured through a web interface with similar settings. Please refer to the manual or help pages for your particular router. For further queries, please contact us (we'll forward any router-related questions directly to Lyon Yang)!