Security Issues of Hong Kong Home Routers
Date : 30 Jul 2015
Organisation : Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
Writer : Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) analyzed home router security issues in Hong Kong using the Shodan Internet services search engine and found that a large number of home routers can be discovered by scanning: 30% had the secure shell service open and 8% had the file transfer service open. These open services give hackers opportunities and deserve our attention.
Background of the study
With the rapid development of Internet devices, each home is equipped with one or more such devices. Hackers are well aware of this development and have already been targeting these devices. Their objective is to control the device, either to steal sensitive information from the device owner or to use the device to launch attacks against other targets. Some studies have shown that the majority of Internet devices have serious security issues. Security teams worldwide have expressed concern about this issue.
HKCERT conducted a study of Internet devices in Hong Kong. Through the study, we hope to remind manufacturers and the public to strengthen the security of Internet devices.
Some home routers in Hong Kong prone to security issues
Most Internet devices are usually powered on around the clock and left unattended. They are used to connect to the service provider network, and include customer premises equipment and network modems provided by Internet service providers, set-top boxes, TV boxes and user-owned broadband routers. Home wireless routers are now the most popular devices. They are found everywhere: at home, in small offices, coffee shops, convenience stores, shopping centers and telephone booths, providing Wi-Fi Internet service.
The study was conducted on 18 May 2015, with three analyses:
1. Commonly used Home Routers in Hong Kong that can be discovered by scanning
In the study we chose ten home router brands common in Hong Kong and one open source firmware, DD-WRT. The following result was obtained:
Brand | Number of routers found |
Linksys | 7,826 |
Asus | 6,103 |
DD-WRT | 2,935 |
TP-Link | 1,817 |
Buffalo | 1,320 |
LevelOne | 778 |
D-Link | 532 |
Netgear | 502 |
TOTOLink | 224 |
ZyXEL | 201 |
Tenda | 23 |
Total | 22,261 |
From the Shodan database, we could find 22,261 routers within Hong Kong that can be mapped out via scanning. Most of them are Linksys (7,826) and Asus (6,103) routers. Routers with the open source DD-WRT firmware accounted for 2,935. These routers had a variety of services that could be fingerprinted. Hackers might attempt to exploit the security vulnerabilities of these routers using the brand and model information.
2. Discovered Home Routers with remote management service opened
Amongst the 22,261 routers, some were found to have TCP port 22 (SSH) open. SSH is usually used for remote management.
SSH service | Number | Percentage |
Open | 6,612 | 30% |
Closed | 15,649 | 70% |
Total number of routers | 22,261 | 100% |
Because SSH requires only a username and password to log in, hackers can use brute-force attacks to attempt to gain access to an administrator account. Once successful, they can modify the settings of the router and install additional tools on it. They can then use the router to launch network attacks or steal personal information.
In fact, the official firmware of most home routers does not provide SSH service. Why, then, were so many SSH services discovered? We suppose that these routers probably had their firmware replaced with the open source DD-WRT. Some DD-WRT firmware versions might have TCP 23 (Telnet) or TCP 22 (SSH) open by default.
3. Discovered Home Routers with file transfer service opened
Amongst the 22,261 routers, some were found to have TCP port 21 (FTP) open. FTP is usually used for file transfer.
FTP service | Number | Percentage |
Open | 1,821 | 8% |
Closed | 20,440 | 92% |
Total number of routers | 22,261 | 100% |
Because FTP requires only a username and password to log in, hackers can use brute-force password attacks on the router. If successful, the hacker can place any files on the router, including malware and botnet configuration files.
Some of these services might still be using the out-of-box passwords, so hackers could compromise them without much effort.
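A router owner can check their own device for the same exposure the study measured. The following is an added example, not HKCERT's code: a self-audit that tests whether the FTP, SSH and Telnet ports named above accept connections and what banner they reveal. The function names are hypothetical and 192.0.2.1 is a documentation placeholder; run it from outside the home network against your own router's public address.

```python
import socket
import sys

# Ports named in the study: FTP and SSH were measured, Telnet is cited
# as a possible DD-WRT default.
SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet"}

def probe(host, port, timeout=3.0):
    """Return (is_open, banner) for one TCP port on a device you own."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                # SSH and FTP servers announce themselves first; this text is
                # what a search engine indexes as brand/firmware fingerprint.
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:  # includes a read timeout: open but silent
                banner = ""
            return True, banner
    except OSError:  # refused, filtered or unreachable
        return False, ""

def audit(host, services=SERVICES, timeout=3.0):
    """List every audited service that is reachable on host."""
    findings = []
    for port, name in sorted(services.items()):
        is_open, banner = probe(host, port, timeout)
        if is_open:
            findings.append({"port": port, "service": name, "banner": banner})
    return findings

def report(host, findings):
    """Format the findings as a short plain-text summary."""
    if not findings:
        return f"{host}: none of the audited services are reachable"
    lines = [f"{host}: {len(findings)} service(s) reachable; "
             "disable them or restrict them to the LAN:"]
    for f in findings:
        lines.append(f"  tcp/{f['port']} {f['service']} banner={f['banner']!r}")
    return "\n".join(lines)

if __name__ == "__main__":
    # 192.0.2.1 is a placeholder; pass your own router's WAN address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(report(target, audit(target)))
```

Any port reported as reachable should be switched off in the router's administration page or limited to the local network, and its password changed from the default.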
Recommendations for general public
Security of home routers is often overlooked. The majority of users leave them turned on after first installation without ongoing management. Over time, problems might appear. HKCERT advises home users to pay attention to the following points: