Security information portal. Manage Troubleshooting Settings


Router manufacturers often don't care much about the quality of their code, which is why vulnerabilities are common. Today routers are a priority target for network attacks, which make it possible to steal money and data while bypassing local protection systems. How can you check the quality of the firmware and the adequacy of the settings yourself? Free utilities, online verification services and this article will help.

Consumer-grade routers have always been criticized for their unreliability, but a high price does not guarantee high security. Last December, Check Point specialists discovered over 12 million routers (including top models) and DSL modems that could be hacked due to a vulnerability in the mechanism for receiving automatic settings. This mechanism is widely used for quick setup of network equipment on the client side (CPE, customer premises equipment). For the last ten years, providers have been using the CWMP (CPE WAN Management Protocol) subscriber equipment management protocol for this purpose. The TR-069 specification provides the ability to send settings with it and connect services through an Auto Configuration Server (ACS). Check Point employees found that many routers have an error in processing CWMP requests, and providers complicate the situation further: most of them do not encrypt the connection between the ACS and client equipment and do not restrict access by IP or MAC address. Together, this creates the conditions for an easy man-in-the-middle attack.

Through a vulnerable implementation of CWMP, an attacker can do almost anything: set and read configuration parameters, reset settings to default values, and remotely reboot the device. The most common type of attack is replacing the DNS addresses in the router settings with servers controlled by the attacker. These servers filter web requests and redirect those addressed to banking services to fake pages. Fake pages have been created for all popular payment systems: PayPal, Visa, MasterCard, QIWI and others.

The peculiarity of this attack is that the browser runs on a clean OS and sends a request to the correctly entered address of a real payment system. Checking the computer's network settings and scanning it for viruses reveals no problems. Moreover, the effect persists if you connect to the payment system through the hacked router from another browser, or even from another device on the home network.

Since most people rarely check their router settings (or even entrust this process to the ISP's technicians), the problem goes undetected for a long time. They usually find out about it by a process of elimination, after the money has been stolen from accounts and a check of the computer has yielded nothing.

To connect to the router via CWMP, an attacker uses one of the common vulnerabilities characteristic of entry-level network devices. For example, they contain a third-party web server, RomPager, written by Allegro Software. Many years ago a bug in its cookie processing was discovered and promptly corrected, but the problem still remains. Since this web server is part of the firmware, it cannot be updated on all devices in one fell swoop. Each manufacturer had to issue a new release for hundreds of models already on sale and convince their owners to download the update as soon as possible. As practice has shown, none of the home users did this. Therefore, vulnerable devices are counted in the millions even ten years after the fixes were released. Moreover, the manufacturers themselves continue to use the old vulnerable version of RomPager in their firmware to this day.

In addition to routers, the vulnerability affects VoIP phones, network cameras and other equipment that can be configured remotely via CWMP. Typically, port 7547 is used for this. You can check its status on the router using Steve Gibson's free Shields Up service. To do this, type its URL (grc.com), and then add /x/portprobe=7547.

Only a positive result is indicative. A negative one does not guarantee that there is no vulnerability. To rule it out, you will need to conduct a full penetration test, for example using the Nexpose scanner or the Metasploit framework. Developers themselves are often not ready to say which version of RomPager is used in a particular release of their firmware and whether it is there at all. This component is definitely absent only in alternative open source firmware (we will talk about it later).

Setting a secure DNS

It's a good idea to check your router settings more often and to set alternative DNS server addresses manually right away. Here are some that are available for free.

  • Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
  • Norton ConnectSafe: 199.85.126.10, 199.85.127.10
  • Google Public DNS: 8.8.8.8, 2001:4860:4860::8888 (for IPv6)
  • OpenDNS: 208.67.222.222, 208.67.220.220

All of them block only infected and phishing sites, without restricting access to adult resources.
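One way to look for the DNS substitution described above from a computer on the home network, as an added example that is not part of the original article: it asks the resolver currently in use and a reference resolver from the list above for the same name and compares the A records. The function names and verdict labels are this example's own; answers for CDN-hosted names can legitimately differ, so a "mismatch" is a reason to inspect the router's DNS settings, not proof of a hack.

```python
import secrets
import socket
import struct
import sys

# Reference resolver taken from the article's list; any entry from it works.
REFERENCE_RESOLVER = "8.8.8.8"


def build_query(name, qid):
    """Encode a recursive DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends name
            return off + 2
        if length == 0:              # root label ends an uncompressed name
            return off + 1
        off += 1 + length


def parse_a_records(msg, qid):
    """Return the set of IPv4 addresses in the answer section of `msg`."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                        # CNAMEs and other types are skipped
    return addrs


def query_a(name, resolver, timeout=3.0):
    """Ask `resolver` (an IPv4 address) for the A records of `name` over UDP."""
    qid = secrets.randbelow(0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, qid), (resolver, 53))
            data, _ = sock.recvfrom(4096)
        return parse_a_records(data, qid)
    except (OSError, ValueError, IndexError, struct.error):
        return set()    # timeout or unusable answer


def compare(local, reference):
    """Classify two answer sets obtained for the same name."""
    if not local or not reference:
        return "inconclusive"
    return "match" if local & reference else "mismatch"


if __name__ == "__main__":
    # Usage: python dns_compare.py <resolver-in-use> <hostname> [<hostname> ...]
    in_use, names = sys.argv[1], sys.argv[2:]
    for name in names:
        verdict = compare(query_a(name, in_use),
                          query_a(name, REFERENCE_RESOLVER))
        print(f"{name}: {verdict}")
```

The resolver in use is usually the router's own LAN address, because most routers hand themselves out as the DNS server over DHCP.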

Unplug and pray

There are other long-known problems that owners of network devices or (less often) their manufacturers are unwilling to fix. Two years ago, DefenseCode experts discovered a whole set of vulnerabilities in routers and other active network equipment from nine major companies. All of them stem from incorrect software implementation of key components, in particular the UPnP stack in firmware for Broadcom chips, or from the use of older versions of the open libupnp library. Together with Rapid7 and CERT specialists, DefenseCode employees found about seven thousand vulnerable device models. Over six months of active scanning of a random range of IPv4 addresses, over 80 million hosts were identified that responded to a standard UPnP request on the WAN port. Every fifth of them supported the SOAP (Simple Object Access Protocol) service, and 23 million allowed arbitrary code to be executed without authorization.

In most cases, an attack on routers with such a hole in UPnP is carried out through a modified SOAP request, which causes a data processing error, so that the rest of the code ends up in an arbitrary area of the router's RAM, where it runs with superuser rights. On home routers, it is better to disable UPnP completely and make sure that requests to port 1900 are blocked. The same Steve Gibson service will help with this.

The UPnP (Universal Plug and Play) protocol is enabled by default on most routers, network printers, IP cameras, NAS devices and overly smart home appliances. It is also enabled by default on Windows, OS X and many Linux versions. If its use can be fine-tuned, that's not so bad. If the only options available are "enable" and "disable", it is better to choose the latter.

Sometimes manufacturers deliberately build backdoors into network hardware. Most likely this happens at the behest of the intelligence services, but in the event of a scandal the official responses always mention "technical necessity" or "a branded service to improve the quality of communication". Built-in backdoors have been found in some Linksys and Netgear routers. They opened port 32764 to receive remote commands. Since this number does not correspond to any well-known service, the problem is easy to detect, for example with an external port scanner.

INFO

Another way to perform a free home network audit is to download and run Avast antivirus. Its new versions contain the Network check wizard, which identifies known vulnerabilities and dangerous network settings.

Defaults are for the lambs

The most common problem with router security remains the factory settings. These are not only the internal IP addresses, passwords and admin login shared by an entire series of devices, but also services that are enabled to increase convenience at the cost of security. In addition to UPnP, the Telnet remote control protocol and the WPS (Wi-Fi Protected Setup) service are often enabled by default. Critical errors are often found in the processing of Telnet requests. For example, D-Link routers of the DIR-300 and DIR-600 series made it possible to remotely obtain a shell and execute any command through the telnetd daemon without any authorization. On Linksys E1500 and E2500 routers, code injection was possible through a regular ping. The ping_size parameter was not validated on them, so a backdoor could be uploaded to the router with a single-line GET request. In the case of the E1500, no additional tricks were required during authorization: a new password could simply be set without entering the current one. A similar problem was identified in the Netgear SPH200D VoIP phone. Additionally, analysis of its firmware showed that it has an active hidden service account with the same password. Using Shodan, you can find a vulnerable router in a couple of minutes. They still allow you to change any settings remotely and without authorization. You can take advantage of this immediately, or you can do a good deed: find this unfortunate user on Skype (by IP or name) and send him a couple of recommendations, for example to change the firmware and read this article.

Supercluster of massive holes

Trouble rarely comes alone: activating WPS automatically leads to enabling UPnP. In addition, the standard PIN or pre-authentication key used in WPS nullifies all WPA2-PSK level cryptographic protection. Due to firmware bugs, WPS often remains enabled even after it is disabled via the web interface. You can find out about this using a Wi-Fi scanner, for example the free Wifi Analyzer application for Android smartphones. If vulnerable services are used by the administrator himself, it will not be possible to give them up. It's good if the router allows you to secure them somehow, for example by not accepting commands on the WAN port or by setting a specific IP address for Telnet use. Sometimes the web interface simply has no option to configure or disable a dangerous service, and it is impossible to close the hole by standard means. The only way out in this case is to look for new or alternative firmware with an expanded set of functions.
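The services named in the sections above (CWMP on port 7547, UPnP on port 1900, the backdoor port 32764 and Telnet) can be checked on your own router with a short script. This is an added example, not code from the original article; the function names and the port-to-reason table are its own, and the host argument is assumed to be the address of a router you administer. Run from inside the LAN it shows which services are enabled; whether they are also reachable from the Internet still needs an outside check such as the Shields Up probe.

```python
import socket
import sys

# TCP ports the article ties to specific router risks.
RISKY_TCP = {
    23: "Telnet remote control is enabled",
    7547: "CWMP (TR-069) management port is reachable",
    32764: "port of the backdoor found in some Linksys and Netgear routers",
}
UPNP_REASON = "UPnP answers SSDP discovery on port 1900"


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def upnp_answers(host, timeout=2.0):
    """Send one unicast SSDP M-SEARCH to UDP 1900; True if the host replies."""
    probe = (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {host}:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        "ST: upnp:rootdevice\r\n\r\n"
    ).encode("ascii")
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(probe, (host, 1900))
            data, _ = sock.recvfrom(2048)
    except OSError:
        return False
    return data.startswith(b"HTTP/1.1 200")


def audit(host, tcp_probe=tcp_open, udp_probe=upnp_answers):
    """Return (protocol, port, reason) for every risky service that answers."""
    findings = [
        ("tcp", port, reason)
        for port, reason in sorted(RISKY_TCP.items())
        if tcp_probe(host, port)
    ]
    if udp_probe(host):
        findings.append(("udp", 1900, UPNP_REASON))
    return findings


if __name__ == "__main__":
    # Usage: python router_audit.py <address of your own router>
    results = audit(sys.argv[1])
    for proto, port, reason in results:
        print(f"{proto}/{port}: {reason}")
    if not results:
        print("none of the checked services answered")
```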

Alternative services

The most popular open firmwares are DD-WRT, OpenWRT and its fork Gargoyle. They can only be installed on routers from the list of supported ones, that is, those for which the chipset manufacturer has disclosed full specifications. For example, Asus has a separate series of routers that were originally designed with an eye toward using DD-WRT (bit.ly/1xfIUSf). It already has twelve models from entry-level to corporate level. MikroTik routers run RouterOS, which is not inferior in flexibility to the *WRT family. This is also a full-fledged network OS on the Linux kernel, which supports absolutely all services and any conceivable configuration. Alternative firmware can now be installed on many routers, but be careful and check the full name of the device. Routers with the same model number and appearance may come in different revisions, which may hide completely different hardware platforms.

Security check

You can check for the OpenSSL vulnerability using the free ScanNow utility from Rapid7 (bit.ly/18g9TSf) or its simplified online version (bit.ly/1xhVhrM). Online verification takes a few seconds. In the standalone program you can set a range of IP addresses, so the test takes longer. By the way, the registration fields of the ScanNow utility are not checked in any way.

After the scan, a report will be displayed and an offer to try the more advanced Nexpose vulnerability scanner, aimed at company networks. It is available for Windows, Linux and VMware. Depending on the version, the free trial period is limited to 7 to 14 days. Limitations relate to the number of IP addresses and scan areas.

Unfortunately, installing alternative open source firmware is just a way to increase security; it will not give complete safety. All firmware is built on a modular principle and combines a number of key components. When a problem is detected in one of them, it affects millions of devices. For example, the vulnerability in the open OpenSSL library also affects routers with *WRT. Its cryptographic functions are used to encrypt remote access sessions over SSH, set up VPNs, manage the local web server and perform other popular tasks. Manufacturers began releasing updates quite quickly, but the problem has still not been completely eliminated.

New vulnerabilities are constantly found in routers, and some of them are exploited even before a fix is released. All that the router owner can do is disable unnecessary services, change default parameters, limit remote control, check the settings and update the firmware more often.

Avast always tries to stay ahead when it comes to protecting users from new threats. More and more people are watching movies, sports and TV shows on smart TVs. They control the temperature in their homes using digital thermostats. They wear smart watches and fitness bracelets. As a result, security needs expand beyond the personal computer to cover all devices on the home network.

However, home routers, which are key devices in the home network infrastructure, often have security problems and allow easy access for hackers. A recent study by Tripwire found that 80 percent of top-selling routers have vulnerabilities. Moreover, the most common combinations for accessing the administrative interface, in particular admin/admin or admin/no password, are used in 50 percent of routers worldwide. Another 25 percent of users use their address, date of birth, first or last name as router passwords. As a result, more than 75 percent of routers worldwide are vulnerable to simple password attacks, opening the door for threats to be deployed on the home network. The router security landscape today is reminiscent of the 1990s, when new vulnerabilities were discovered every day.

Home Network Security feature

The Home Network Security feature in Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security and Avast Premier Antivirus allows you to solve these problems by scanning your router and home network settings for potential problems. With the Avast Nitro Update, the Home Network Security tool's detection engine has been completely redesigned, adding support for multi-threaded scanning and an improved DNS hijack detector. The engine now supports ARP scanning and port scanning performed at the kernel driver level, which makes scanning several times faster compared to the previous version.

Home Network Security can automatically block cross-site request forgery (CSRF) attacks on your router. CSRF exploits take advantage of website vulnerabilities and allow cybercriminals to send unauthorized commands to a website. The command imitates instructions from a user who is known to the site. Thus, cybercriminals can impersonate a user and, for example, transfer the victim's money without his knowledge. With CSRF requests, criminals can remotely change router settings in order to overwrite the DNS settings and redirect traffic to fraudulent sites.

The Home Network Security component allows you to scan your home network and router settings for potential security issues. The tool detects weak or default Wi-Fi passwords, vulnerable routers, compromised Internet connections, and IPv6 that is enabled but not secured. Avast lists all devices on your home network so users can check that only known devices are connected. The component provides simple recommendations for eliminating the detected vulnerabilities.

The tool also notifies the user when new devices, network-connected TVs and other equipment join the network. Now the user can immediately detect an unknown device.

The new proactive approach underlines the overall concept of providing maximum comprehensive user protection.

Smartphones, tablets, computers - we consider them the main element of our reality. We use them for work, for play, for school, to manage bank accounts; we pay bills, check email, do some shopping...

You can list this almost endlessly, but it all comes down to one thing - with their help we transmit a whole range of important data, which, if it falls into the wrong hands, can lead to a critical situation.

Losing memorable photos or copies of scientific work is, in this case, the least of our problems. If our savings or the email account through which we send important correspondence come under attack, then the threat takes on a more sinister character. And although Russians understand that the Internet is infested with threats, they often take no measures to properly protect themselves.

According to a study commissioned by Intel, only every fifth user uses paid, advanced protection. This is despite the fact that up to 93% of us have fallen victim to a computer virus.

Even in the case of smartphones, where awareness of the danger is very high (96%), up to ⅓ of respondents had no idea whether any security package was installed on their device. Given that 55% of Internet users connect to the Internet using smartphones, this seems very surprising.

The fact that we are afraid of network threats (82% of respondents) rarely results in concrete actions. There are many indications that we simply do not pay enough attention to maintaining the confidentiality of our own data... but we should. Because the list of threats is very long.

Malware is a threat to your computer

By far, malware was the most frequently mentioned of all online threats. And with good reason - after all, this is the most popular “form of action” among people who want to harm other users.

Proper protection requires constantly updating the antivirus program's database, since new types of malware arise almost every day: from ordinary remote control tools that hand control of the computer to another person to countless viruses and Trojan horses. And to these should be added worms, rootkits or keyloggers, which are often impossible to detect using traditional methods.

Passwords saved in the browser

One of the most useful features of web browsers also poses a threat. Considering the convenience and significant time savings, almost everyone uses it, but when a phone or computer falls into the wrong hands we have serious problems, and a thief can, without any effort, get into our mailbox or social network account.

Does this mean it would be safer not to save passwords at all? Of course not: it is enough to have a reliable password manager, which is in itself an additional means of security.

Phishing and pharming are a threat to the gullible

Phishing is an increasingly popular type of Internet fraud that attempts to obtain confidential data from users in order to then use it, for example, to gain control of a bank account.

Attempts to extract key information very often take the form of fake letters: from the Russian Post Office, a bank or another organization that most users trust. Almost 60% of users have dealt with threats of this type in their lives. Those who can't tell fake messages from real ones (according to an Intel study, up to 15% of Russian Internet users) are very susceptible to this kind of action.

What about pharming? This, in turn, is a more advanced and often harder to detect form of phishing that uses genuine institutional addresses but redirects to fake copies of pages.

The only completely reliable protection in this case is an up-to-date virus database in your software and checking the site's certificate yourself.

Spam is an information threat

In this case we are talking much less often about a direct threat to data on a smartphone or computer (although in some cases, of course, it exists), and more about the frustration that accompanies the use of email.

Internet mail services, of course, have basic filters, but still sometimes something ends up in the mailbox. 80% of Internet users regularly use their mailbox and none of them probably needs to be convinced how harmful spam is.

The problem disappears if we use an advanced security package and also have a license for its mobile version.

Network botnet

This is a type of danger that we are often not even aware of. Its presence is practically unnoticeable, and it does no harm, because it has a completely different task. It uses the computing power of infected computers, for example, to send spam or attack selected servers.

Reliable protection

The list of dangers is much longer and, what’s even worse, is constantly expanding. Each of them, however, represents a truly serious threat, which, due to the user's carelessness, can lead to a situation in which he loses access to critical data.

The most important thing, in any case, is the use of technologies and solutions that give us confidence that the data stored on disks or networks is reliably protected. Although even the most complete package does not free us from the need to maintain common sense when working on the Internet.

November 14, 2014

Your home network is vulnerable to hacker attacks

Router vulnerabilities and weak passwords make it easy for cybercriminals to gain access to your home network

This small box, which was provided to you by your Internet provider, or you purchased yourself from one of the chains of household appliances and electronics stores, is the weak link in your home internet connection.

The Avast team took care of this and developed a new feature to protect your home network: Home Network Security, which has been integrated into the new version, Avast 2015. Home Network Security scans your router for vulnerabilities and identifies potential security issues. Today, routers are the weakest link in home network security in many homes and small businesses, so this is a very necessary and useful feature.

Nevertheless, here we face a problem. Today there is a huge number of different types of routers in the world, but most users simply buy the one that is "cheaper and works", or simply get a router from their Internet provider. This means that security is already at risk. Home Network Security was designed to protect against these threats:

    Your wireless network is insecure due to lack of encryption. This way, someone in the area, such as your neighbor, can connect to your Wi-Fi, use your bandwidth and access your devices (printer, network drive etc.)

    Your router can be accessed via the Internet, so hackers can control and change the settings of your home network, disconnect you from the Internet and steal personal data from your electronic devices.

    Your Internet connection is at risk and your router may be hacked. Your router has already been hacked (for example, some well-known trusted sites are covertly redirected to a false IP address).

    Your devices can be accessed from the Internet. This happens when Internet Protocol version 6 (IPv6) is enabled in the router settings and devices receive IPv6 addresses that are not protected. The problem lies, first of all, not in the protocol, but in the router, which is not able to provide security to the devices receiving these addresses.

Avast helps protect your home network

With Home Network Security integrated across all Avast products, we can keep your devices safe.

There are many guides with step-by-step information available for free from router manufacturers. For example, . Look for the manual for your model and read it. Everything you learn will help you protect your home network.


Until recently, I didn't even know that Avast scares its users with "scary" warnings regarding their routers. As it turns out, Avast antivirus scans Wi-Fi routers. It reports that the router is not configured correctly, that the device is vulnerable to attacks, or even that the router is infected, and attackers have already intercepted DNS addresses and are successfully redirecting you to malicious sites, stealing credit card data, and in general everything is very bad. All these warnings, of course, are seasoned with a dangerous red color and confusing instructions that even a good specialist will not understand without a beer. I'm not even talking about ordinary users. This is what the problems found on the D-Link DIR-615 router look like:

The device is vulnerable to attacks:

The solution is, of course, updating the router firmware. Because what else 🙂 Avast can also display a message that your router is protected by a weak password, or the router is not protected from hacking.

In some cases, you may see a message that your router is infected, and connections are redirected to the malicious server. Avast antivirus explains this by saying that your router was hacked and its DNS addresses were changed to malicious ones. And there are instructions for solving this problem for different routers: ASUS, TP-Link, ZyXEL, D-Link, Huawei, Linksys/Cisco, NETGEAR, Sagem/Sagemco.

In short, all these recommendations are aimed at checking DNS addresses and DNS-related services, through which attackers can change the DNS on your router and redirect you to their malicious sites. There are detailed instructions on how to check everything on routers from different manufacturers.

How to respond to warnings from Avast about a router vulnerability?

I think this question interests everyone. Especially if you came to this page. If you are wondering how I would react to such warnings from the antivirus, then the answer is simple - not at all. I am sure that Avast would have found holes in my router through which I could be hacked. I just have Dr.Web. He doesn't do such checks.

Maybe I'm wrong, but no antivirus except Avast checks the Wi-Fi routers you are connected to for various kinds of vulnerabilities. And this feature, called Home Network Security, appeared back in 2015, in the 2015 version of Avast.

Avast scans your router for device security issues. Although I don't fully understand how it does this. For example, how does it check the password for entering the router settings? Does it watch the user, or does it try to guess the password? If it guesses it, the password is bad 🙂 Okay, I'm not a programmer.

Personally, I believe that all these warnings are nothing more than simple recommendations to strengthen the security of your router. This does not mean that someone has already hacked you and is stealing your data. What Avast offers:

  • Set a good password and update the router firmware. They say otherwise you may be hacked. Ok, this is already clear. This doesn't have to be signaled as some kind of terrible vulnerability. Although again, I don't understand how the antivirus determines that the router's software version is out of date. It seems to me that this is impossible.
  • The router is not protected from connections from the Internet. Most likely, this warning appears after checking open ports. But by default, the “Access from WAN” function is disabled on all routers. I highly doubt that anyone will hack your router over the Internet.
  • Well, the worst thing is the substitution of DNS addresses. If any problems with DNS are detected, Avast directly writes that “Your router is infected!” But in 99% of cases this is not the case. Again, almost always the router automatically receives DNS from the provider. And all functions and services through which attackers can somehow spoof DNS are disabled by default. It seems to me that very often the antivirus misunderstands some user settings.

Something like this. Of course, you may disagree with me. It seems to me that it is much easier to access the computer directly and infect it than to do it with the router. If we are talking about an attack via the Internet. I would be glad to see your opinion on this matter in the comments.

How to protect your router and remove the warning from Avast?

Let's try to go through each item that Avast most likely checks and issues warnings about.

  • The router is protected with a weak password. No encryption. In the first case, the antivirus means the password that you must enter when opening the router settings. Typically the default password is admin, or none is set at all. So everyone who is connected to your network can get into the router settings. Therefore, this password needs to be changed. I wrote how to do this in the article: . As for the Wi-Fi network password, it must also be strong, and the WPA2 encryption type must be used. I always write about this in instructions for setting up routers.
  • The router is vulnerable due to old software. This is not entirely true. But if there is new firmware for your router model, it is advisable to update. Not only for increased security, but also for more stable operation of the device and new features. We have instructions on our website for updating the software of routers from different manufacturers. You can find them through the search, or ask in the comments. Here it is for .
  • DNS settings have been changed. The router is hacked. To be honest, I have never seen such cases before. As I wrote above, all services through which this can happen are disabled by default. Most often, the router receives DNS from the provider automatically. The only thing I can advise is not to manually enter DNS addresses that you are not sure about. And if you manually specify addresses, it is better to use only DNS from Google, which: . This is also recommended in Avast recommendations, which can be viewed on the official website:. There are detailed instructions for solving DNS problems for almost all routers.

That's all. I hope I was able to clarify these warnings in Avast antivirus at least a little. Ask questions in the comments, and don't forget to share useful information on this topic. Best wishes!






