
Security Issues of Hong Kong Home Routers



Date : 30 Jul 2015

Organisation : Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)

Writer : Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)

 

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) analyzed the security of home routers in Hong Kong using Shodan, a search engine for Internet-connected services, and found that a large number of home routers can be discovered by scanning: 30% had the secure shell (SSH) service open and 8% had the file transfer (FTP) service open. These open services give hackers opportunities and deserve our attention.

Background of the study

With the rapid development of Internet devices, each home is equipped with one or more of them. Hackers are well aware of this development and have already been targeting these devices. Their objective is to take control of a device, either to steal the owner's sensitive information or to use the device to launch attacks against other targets. Some studies have shown that the majority of Internet devices have serious security issues, and security teams worldwide have expressed concern about this.

HKCERT conducted a study of Internet devices in Hong Kong. Through the study, we hope to remind manufacturers and the public to strengthen the security of Internet devices.

Some home routers in Hong Kong prone to security issues

Internet devices are usually powered on around the clock and left unattended. They are used to connect to the service provider network, and include customer premises equipment and network modems provided by Internet service providers, set-top boxes, TV boxes and user-owned broadband routers. Home wireless routers are now the most popular of these devices. They are found everywhere: at home and in small offices, coffee shops, convenience stores, shopping centres and telephone booths, providing Wi-Fi Internet service.

The study was conducted on 18 May 2015 and comprised three analyses:

1. Commonly used Home Routers in Hong Kong that can be discovered by scanning

For the study we chose ten home router brands that are common in Hong Kong, plus one open source firmware, DD-WRT. The following results were obtained:

Brand       Number of routers found
Linksys     7,826
Asus        6,103
DD-WRT      2,935
TP-Link     1,817
Buffalo     1,320
LevelOne    778
D-Link      532
Netgear     502
TOTOLink    224
ZyXEL       201
Tenda       23
Total       22,261

From the Shodan database, we could find 22,261 routers within Hong Kong that can be mapped out via scanning. Most of them are Linksys (7,826) and Asus (6,103) routers. Routers running the open source DD-WRT firmware accounted for 2,935. These routers had a variety of services that could be fingerprinted. Hackers might use the brand and model information to attempt to exploit security vulnerabilities in these routers.

2. Discovered Home Routers with remote management service opened

Among the 22,261 routers, some were found to have TCP port 22 (SSH) open. SSH is usually used for remote management.

SSH service                Number    Percentage
Open                       6,612     30%
Closed                     15,649    70%
Total number of routers    22,261    100%

Because SSH requires only a username and password to log in, hackers can use brute-force attacks to try to gain access to an administrator account. Once successful, an attacker can modify the router's settings and install additional tools on it, then use the router to launch network attacks or steal personal information.

In fact, the official firmware of most home routers does not provide an SSH service. Why, then, were so many SSH services discovered? We suppose that these routers have probably had their firmware replaced with the open source DD-WRT. Some DD-WRT firmware versions might have TCP 23 (Telnet) or TCP 22 (SSH) open by default.

3. Discovered Home Routers with file transfer service opened

Among the 22,261 routers, some were found to have TCP port 21 (FTP) open. FTP is usually used for file transfer.

FTP service                Number    Percentage
Open                       1,821     8%
Closed                     20,440    92%
Total number of routers    22,261    100%

Because FTP requires only a username and password to log in, hackers can use brute-force password attacks against the router. If successful, the hacker can place any files on the router, including malware and botnet configuration files.

Some of these services might still be using the out-of-the-box passwords, so hackers could break in without much effort.

Recommendations for general public

The security of home routers is often overlooked. The majority of users leave them turned on after the first installation without ongoing management. Over time, problems might appear. HKCERT advises home users to pay attention to the following points:

  • Change the router's default password and factory settings to more secure ones.
  • Check with the manufacturer for firmware updates and update the router regularly.
  • Unless it is definitely required, do not expose the management page or any remote management services to the Internet.
  • Turn off all seldom-used or unnecessary services (such as file transfer, virtual private networks, web server, etc.).
  • If the manufacturer has stopped supporting the router model, consider replacing it with a model that has continuing support.
  • Do not convert to open source firmware unless you possess the knowledge to manage it.
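
A self-check for the remote-management recommendations above, as an added example that is not part of the HKCERT article: run from a connection outside the home network against your own router's public address, it reports whether TCP 21, 22 or 23 answer and what banner they present. The function names and the script name `router_check.py` are assumptions made for this example.

```python
import socket
import sys

# TCP ports the article names as exposed on home routers.
MANAGEMENT_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet"}

def probe(host, port, timeout=3.0):
    """Try one TCP connection; return (state, banner).

    state is 'open', 'closed' (connection refused) or 'filtered' (no answer).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                # SSH and FTP servers announce themselves first; read that line.
                banner = sock.recv(128).decode("ascii", "replace").strip()
            except OSError:
                banner = ""  # accepted the connection but sent nothing in time
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:  # timed out or unreachable
        return "filtered", ""

def audit(host, ports=MANAGEMENT_PORTS, timeout=3.0):
    """Probe each port and attach the matching recommendation to open ones."""
    findings = []
    for port, service in sorted(ports.items()):
        state, banner = probe(host, port, timeout)
        action = ""
        if state == "open":
            action = (f"disable {service} on the Internet side unless it is "
                      "definitely required; change any default password")
        findings.append({"port": port, "service": service, "state": state,
                         "banner": banner, "action": action})
    return findings

if __name__ == "__main__":
    # Usage: python router_check.py <your router's public address>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target)
    for f in results:
        print(f"{f['port']:>5}/tcp {f['service']:<7}{f['state']:<9}{f['banner']}")
        if f["action"]:
            print(f"          -> {f['action']}")
    sys.exit(1 if any(f["state"] == "open" for f in results) else 0)
```

A result of "closed" or "filtered" on all three ports is the outcome the recommendations aim for; the script exits non-zero when any of them is open, so it can be run on a schedule.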