Sunday, February 7, 2016

Poor UX leads to poorly secured SoHo routers


I typically do not disclose vulnerabilities when I know the vendor is working on a solution. In this case however, there is a very easy and reliable workaround available: enable the firewall in addition to disabling web access from the WAN.

Asus makes consumer wireless routers - so-called "SoHo" or Small Office / Home Office devices. The intended purchasers are homeowners and small businesses that don't want to invest in commercial-grade equipment or the professional IT staff to manage it, but still want higher-end features and reasonable security.

Alas Asus goofed in their design, making it easy for owners to think they have properly secured their router and yet still be vulnerable to an Internet attacker. In fact, over 135,000 Asus wireless routers can be logged into from the Internet - over 15,000 of which the owners took the time to secure properly (or so they thought).


What You Should Know


An important step in securing your home network is ensuring that a malicious hacker cannot log onto your router and change network settings. Along with setting a strong and unique password for the router administrator account, it is generally a good idea to disable access from the WAN (the Internet), so that the router can only be configured by connecting from your local network.

Asus wireless routers running ASUSWRT firmware (in other words, anything with an RT- in the model name) have a design flaw in which the administrator web interface may be open to the public Internet even if you have specifically disabled web access from the WAN (network speak for the side of your router facing the Internet Service Provider).

Specifically, these routers have two separate controls that affect access to the router web interface, and no warning that one can override the other. In order to block public access to your router, both of the following must be set:

  • Enable Web Access from WAN: No
  • Enable Firewall: Yes

If Enable Firewall is set to No, that will override the other setting, with no warning, enabling anyone that knows your IP address to access your router's administrative interface from anywhere in the world. The attacker would still have to figure out your password, but this simple design error makes it all to easy to think you have secured your router, and yet still be vulnerable.

If you use an Asus router, take a moment right now and log into your router. Click the "Firewall" tab under "Advanced Settings" on the left. Find the option that reads "Enable Firewall" and set the selector to "Yes," then click "Apply."



The Technical Background


Many routers have a setting that looks a bit like this:


By default, this router can only be managed by logging in from a computer on the local network - access to the administration interface is disabled on the WAN (public) side. Only by changing the setting to "Yes" can the router be managed from the public Internet.

Or so one would expect.

I have been exploring Shodan lately, and among other things decided to take a look at what my own network had exposed to the Internet. I fully expected to find nothing. To my surprise, my router had its SSH and HTTPS ports open to the world. Instead, I found something similar to this:


Crap.

I was certain that I had specifically turned off web access from the WAN, but to be sure, I logged into the administration web interface to check.


What is going on here?

There is another setting that turns out to be relevant. Separate from the administration web access setting, there is a Firewall tab with its own settings:


I had experimented with some firewall controls a few weeks earlier, and had forgotten to restore my router settings when I was done. I did leave WAN administrative access disabled, but had left the router firewall disabled. That turns out to be a particularly bad idea on ASUSWRT routers (i.e. anything Asus makes that begins with "RT-"). Turning off the firewall overrides the "Enable Web Access from WAN" setting without warning.

I suspect I am not the only one bitten by this design. Looking over Shodan for other devices with banners consistent with Asus routers, I see around 122,000 routers with a publicly-reachable HTTP service.

I also find another 15,000 with a publicly accessible HTTPS service - meaning the owner knew enough to restrict administrative access to an secured login. I would expect most administrators that took the time to restrict access to HTTPS, also took the time to restrict such access to only local devices. In other words, 15,000 people made an effort to secure their routers, and yet could still be pwned from an Internet attacker.

How did this happen?

Like most Unix-based devices, ASUSWRT uses iptables to manage access to and through the device. With Enable Web Access from WAN set to No, but Enable Firewall also set to No, the iptables rules look like this:


 1. -P INPUT ACCEPT
 2. -P FORWARD ACCEPT
 3. -P OUTPUT ACCEPT
 4. -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 5. -A FORWARD ! -i br0 -o eth0 -j logdrop
 6. -A FORWARD -m state --state INVALID -j logdrop
 7. -A FORWARD -i br0 -o br0 -j ACCEPT
 8. -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
 9. -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
10. -A logaccept -j ACCEPT
11. -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
12. -A logdrop -j DROP


Lines 1, 2, and 3 set the default policy for each chain: unless a network packet matches a rule with a different instruction, by default every packet is allowed to proceed. This becomes important in a moment.

Line 4 allows any connections that are already established (in other words, if an internal device opens a connection, the response from the public server is allowed back in).

Line 5 prevents the router from being used in some types of spoofing attacks: any traffic going out the WAN interface that did not originate on the LAN will be dropped.

Line 6 drops any traffic if the packet state cannot be identified.

Line 7 allows any traffic from a LAN address to any other LAN address.

Line 8 allows NAT traffic. Grossly simplified, NAT or Network Address Translation is how the router converts your private local addresses (192.168.0.1) into an Internet-routable address. All of your network packets take on the single public address of the router, and the router keeps track of which internal device that connection is associated with.

With no other rules in the FORWARD chain, the default policy applies: any other traffic will be allowed. There is no rule that covers the scenario of an external access attempt to the router's own web interface.

With Enable Firewall set to Yes, an additional chain is added:


 1. -P INPUT ACCEPT
 2. -P FORWARD ACCEPT
 3. -P OUTPUT ACCEPT
 4. -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
 5. -A INPUT -m state --state INVALID -j logdrop
 6. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 7. -A INPUT -i lo -m state --state NEW -j ACCEPT
 8. -A INPUT -i br0 -m state --state NEW -j ACCEPT
 9. -A INPUT -j logdrop
10. -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
11. -A FORWARD ! -i br0 -o eth0 -j logdrop
12. -A FORWARD -m state --state INVALID -j logdrop
13. -A FORWARD -i br0 -o br0 -j ACCEPT
14. -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
15. -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
16. -A logaccept -j ACCEPT
17. -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
18. -A logdrop -j DROP


Lines 4-9 define an INPUT chain, which is processed before the FORWARD chain.

Line 4 drops any attempts to "ping" the WAN interface. This is a simple way to discourage some types of opportunistic attacks - some attackers will randomly scan the Internet by sending an ICMP Echo Request (basically, "hello") to every address and seeing who replies. If you don't reply, the attacker doesn't know you are there and will go on to someone else.

Line 5 drops any invalid packets, or connections whose state the router cannot determine.

Line 6 allows any already established connections (in other words, if an internal device opens a connection, the response from the public device is allowed back in).

Lines 7 and 8 allow any new connections initiated by LAN devices (-br0) or by the router itself (-lo).

Line 9 is the key: it drops anything not already permitted by a previous rule. While not explicitly blocking external access to the router's web interface, it blocks anything not otherwise defined, so by extension blocks any external access attempts.


This is true as of the most recent firmware available, version 3.0.0.378.9460 dated December 29, 2015. I have tested a beta firmware release that fixes this situation, and expect it will be publicly released shortly. In the meantime, I recommend enabling the firewall on your router.


A few final thoughts


If you are curious what your own network exposes to the Internet, Shodan is a quick and easy way to find out. Browse to the following link, replacing "1.1.1.1" with your ISP-provided IP address (which you can check here), to see what Shodan sees on your network:


https://www.shodan.io/host/1.1.1.1


One more side note: don't rely on your router's "check for updates" button to tell you if a new firmware update is available. Asus is notoriously inconsistent at keeping their auto-update servers up to date, as I discovered and wrote about two years ago. Instead, go to www.asus.com/support, enter your router model number, and look for "Drivers & Tools" under the Support menu. Download the new firmware, unzip it, then install it on your router.