It’s not just the end-points (servers, client PCs, tablets and phones) on your network that can be hacked. Intermediary devices such as routers and WAPs can also be targeted by attackers. The latest example is an exploit that takes aim at a security vulnerability in routers made by a number of popular vendors, including D-Link, ZTE and TP-Link.
The network and computer security space is full of talk about software vulnerabilities. We’re used to hearing that a coding error in Windows or Adobe Flash or the Linux kernel or iOS has left a hole through which a clever attacker can shut down or infiltrate our networks and/or individual machines.
Then there’s hardware – the physical device on which software runs. We think of the hardware as something that’s vulnerable only to failure from physical wear and tear, damage or mechanical defect. What we often forget about when discussing security is that component that lies in between the hardware and the software: the firmware.
Firmware is actually a form of software, but unlike the operating systems and applications we so frequently deal with, it’s intimately tied to the hardware. As with other software, firmware consists of a set of programmed instructions that control what a computer does. However, whereas software can generally be installed on or removed from a device by users, firmware is usually embedded into the device where it’s not removable by the user – although today’s firmware may be modified or upgraded.
Early firmware was stored in ROM – read only memory – and could not be changed. More recently, it became common to store firmware instructions in EEPROM, electronically eraseable programmable read only memory. Despite the “read only” in the name, EEPROM data can be erased and re-written.
Like more traditional software, the firmware code that’s stored in a device can also, unfortunately, be subject to security vulnerabilities. ZynOS is a firmware operating system that is used by many manufacturers of routers that are used by small businesses and home users. These routers can be configured over the Internet through a web interface. In January, a security researcher named Todor Donev with Ethical Hacker, discovered a vulnerability in ZynOS that can be exploited through this web-based interface.
The bad news is that this means an attacker can take advantage of a router that is set up to allow for remote administration and change the DNS server settings so as to capture the traffic going through the router. The worse news is that the attacker doesn’t even need to know the admin credentials to do this. And it gets even worse than that: if you try to make the router more secure by limiting access to the local network only, a determined and skilled attacker can still gain access by using cross-site request forgery (CSRF).
CSRF attacks depend on users to visit a web site that’s malicious or has been compromised. The site performs a “drive-by download” of malicious code that sends requests to the default IP addresses of popular routers.
D-Link has patched firmware vulnerabilities in its routers a number of times in the past. Currently this particular vulnerability is classified as a zero day vulnerability and Donev has published a proof-of-concept exploit for the vulnerability that works against the DSL-2740R router, but he said additional devices that run their firmware on ZynOS might also be affected. Those using such networking equipment need to be aware of the risk.
GFI LanGuard 2015 enables sysadmins to patch firmware vulnerabilities on a wide range of devices, including D-Link . If you would like more information about GFI LanGuard and how important patching of both hardware and software is for your organization visit our website or trial the software free for 30-days.