Thanks for signing up, a member of the Global PR team will be in touch with you shortly.
The vulnerability allows an attacker to install their own firmware to the device, which would still work as before, but with back doors and other unwanted features. An attacker exploiting the flaw would be able to listen in on unencrypted traffic going through the router, not just device-to-internet, but device-to-device inside the home; as well as manipulate the victim’s browsing sessions by redirecting to malicious sites.
“By changing the firmware, the attacker can change any and all rules of the router,” says Janne Kauhanen, cyber security expert at F-Secure. “Watching video content you’re storing on another computer? So is the attacker. Updating another device through the router? Hopefully it’s not vulnerable like this, or they’ll own that too. Of course, HTTPS traffic is encrypted, so the attacker won’t see that as easily. But they can still redirect all your traffic to malicious sites that enable them to drop malware on your machine.”
The router type in question typically receives firmware updates from a server associated with the user’s internet service provider (ISP). But problematically, the vulnerable routers make no effort to confirm the update is valid and comes from the right place. An attacker who has already gained access to the traffic between the home router and the ISP’s update server (for example, by accessing an apartment building’s network distribution trunk) can set up his own update server. He could then apply a malicious firmware update.
Researchers say this case is just the tip of the iceberg when it comes to router security issues. And while the need for computer security is well understood, consumers are often unaware that a router is just as vulnerable.
“It’s ridiculous how insecure the devices we’re sold are,” says Kauhanen. “We and other security companies are finding vulnerabilities in these devices all the time. The firmware used in routers and Internet of Things devices is neglected by manufacturers and their customers – by everyone except hackers, who use the vulnerabilities to hijack internet traffic, steal information and spread malware.”
The flaw, while severe, is not immediately exploitable. An attacker would need to have already achieved a privileged network position between the router and the point of entry of the internet. Affected devices are Inteno EG500, FG101, DG201, and possibly others.
According to Harry Sintonen, F-Secure’s senior security consultant who found the vulnerability, there is no way for a consumer to prevent their router getting exploited, short of replacing it with a new router without this particular vulnerability, or by installing the firmware that fixes the issue once it is available.
However, he points out that replacing the router is problematic advice. “As vulnerabilities in consumer DSL equipment are extremely common, it could well be that the device switch only leads to an even worse security situation," he says.
By following the usual security best practices, however, consumers can mitigate damages should their router become a victim of attack:
The vendor and authorities have been made aware of this vulnerability well before this public disclosure.
Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world’s most potent threats. Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need.
Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.
Sign up for media information from F-Secure.
Browse through our news by year.
Browse through our news by category.