By T Roy, IoT Defense Inc.
One of the most common questions we get from potential customers, at least from the more technically minded ones is – I don’t have any open ports on my home router, do I still need the protection offered by a smart firewall? This question is based on the assumption that if a home Wi-Fi router does not have any open ports, no unsolicited traffic from the internet can access the router and hence it cannot be compromised by malicious actors on the internet.
In this article, we will describe some of the functionality provided by home routers, understand the security implications of such functionality, provide some context around the above assumption and arrive at some interesting conclusions.
LAN and WAN Sides
A typical home router, whether standalone or integrated with a broadband modem, has 2 sides – a LAN side and a WAN side. The WAN side typically receives a public IP address from the Internet Service Provider (ISP), whereas the LAN side, which includes the home Wi-Fi network, uses a private IP address like 192.168.1.1 and hands out similar private IP addresses to connected devices on the home network.
Home routers implement Network Address Translation (NAT) functionality. NAT enables multiple devices on the home network to share the internet connection through the router. NAT also ensures that unsolicited inbound traffic from the WAN side is unable to find its way to the LAN side of the router, keeping the home network safe.
Routers run services, and lots of them like Dynamic Host Configuration Protocol (DHCP) servers, Universal Plug and Play (UPnP) servers, router management interface etc. The majority of the services are offered to devices connected to the LAN side of the router and a small number of them are offered on the WAN side.
Although most routers provide means to disable services on the WAN through the router management UI, every single service which is offered on the WAN side is not user configurable. Exacerbating the problem is the fact that router vendors leave WAN services turned on by default and most users never bother to turn them off.
To understand the scope of the problem, consider the following results obtained by scanning public IP address blocks in the US that are assigned to residential broadband customers served by major ISPs like Verizon, FiOS, Cox, Comcast, Spectrum etc.
As the above table shows, there are too many home routers that have well known services being offered on the WAN side primarily for management purposes. These services are reachable by anybody anywhere in the world with an internet connection, leaving them wide open to attacks.
All home routers are essentially small little computers running software. We have gotten accustomed to not think of them that way because our home routers have no monitors, keyboard, mice etc., things we typically associate with computing devices, attached to them. We don’t interact with our home routers on daily basis, they just sit in the corner of our room or stay hidden in a closet in the basement, just doing their thing and providing us with internet connectivity.
The software running on home routers, as with any other software, has flaws or vulnerabilities which can be exploited to compromise the router. Known vulnerabilities in any software, have IDs associated with them called Common Vulnerabilities and Exposures (CVE) IDs. There are websites like cve.mitre.org, www.kb.cert.org/vuls etc. that catalog vulnerabilities in software provided by various vendors. Then there are sites like shodan.io and censys.io that maintain an index of public IP addresses of people’s homes that have routers running software containing these vulnerabilities. And then there are sites like exploit-db.com that provide readymade exploit source code for anybody to just download and execute on any vulnerable router on the internet. Considering that there is an entire “ecosystem” around router vulnerabilities, anybody with intent, from a teenager in a basement, to a financial crime network, to a nation state certainly has the means to execute attacks on a massive scale against home routers.
A majority of the vulnerabilities listed in the CVE database, can only be exploited when an attacker obtains access to the LAN side of the router. To successfully execute such an attack, the attacker has to either get on your home Wi-Fi network by being in close proximity of your home or be able to target your home router through a web browser running of one of your connected devices, using attacks known as Cross Site Scripting (XSS). Since most home routers can be reached via well-known private IP addresses like 192.168.1.1, targeting the router through a web browser is not as hard as it seems, although there are some obstacles that have to be overcome first.
WAN facing service vulnerabilities
For this discussion, we are not too keen on vulnerabilities which can be exploited via the LAN side, instead we are focus on those vulnerabilities that can be exploited remotely via the internet, i.e. vulnerabilities in services offered on the WAN side.
Combing through the CVE database yields vulnerabilities in routers from most major vendors in services that are exposed to the WAN side. The router’s NAT does absolutely nothing to protect these services since they are listening for incoming connections directly from the internet. The following table lists known vulnerabilities from the CVE database in services that are exposed on the WAN side of the router.
This above list is by no means comprehensive but just a small sample from within the hundreds of known home router vulnerabilities. Simply because a vendor’s name is not in the list does not mean their products are secure. In fact, it is quite the opposite – no vendors’ products are free from vulnerabilities. Vendors move in packs – they use the same chipsets, run the same open source software and often license and integrate software from the same third-party companies into their products.
What makes the problem much worse is that most home routers lack the capability to update themselves even after the router’s vendor releases a new firmware (packaged image containing the software that runs on the router) that addresses a critical vulnerability. The onus is on the user to check the router vendor’s website for updates, download the firmware and apply it to the device. Not surprisingly, most home routers keep running the same software that was installed on them at the time of purchase.
Considering the points espoused above, we note that the following:
- Once a vulnerability is discovered in one brand of home routers, chances are that products from other vendors are also found to have the same or similar vulnerabilities.
- The NAT functionality in routers does offer some security, it is by no means adequate to keep the bad guys out, because NAT has no bearing on services offered by the router itself on the WAN side.
- Due to the lack of automatic updates, these vulnerabilities never get addressed or patched.
Protecting your home network
The unfortunate, but undeniably true fact about security is that while defenses have to be right 100% of the times, the attacks have to be right only once to be able to compromise a device. So as an owner of a home router the odds are quite strongly stacked against you, i.e. the defender. Consequently, you have to cover all your bases to protect yourself.
The following are some of the steps can you take to mitigate this situation and improve the overall security posture of your home network:
- Log into your router and change the default password set by the router vendor.
- Regularly check your router vendor’s website for critical firmware updates, download them and apply them to the router.
- Configure your router such that WAN remote management is completely disabled.
- Configure your router such that protocols like UPnP are never exposed on the WAN side.
In addition to all of the above steps, putting our home router behind a smart firewall is an effective defense-in-depth approach that protects your router against attacks from the internet.
A smart firewall like RATtrap does not depend on user configuration. Instead, it uses real-time threat intelligence data and seamless automatic updates to block malicious sites from scanning and sending traffic to your router. RATtrap is the only smart firewall in the market today that sits in front of the router and actively blocks malicious traffic from reaching it. RATtrap prevents your router from being discovered so indexing and cataloging sites on the internet never learn about its’ presence or about any of the services it offers, let alone exploit it, giving you complete protection.
In this article, we have looked at how services running on your home router make it vulnerable to attacks originating from the internet and some of the steps you can take to keep your home network safe from such attacks.
T Roy is the CEO IoT Defense Inc.