Of the small-office, home-office routers evaluated, every one could be compromised with relative ease by hijacking DNS connections, exploiting HTTPS flaws, weaknesses in Universal Plug and Play services, cross-site-scripting attacks, file-traversal and source-code vulnerabilities, weaknesses in WiFi Protected Setup (WPS), buffer overflows or simply bypassing authentication requirements.
During late 2013 and early 2014, gangs of Polish hackers have robbed thousands of consumers by attacking home routers and changing DNS settings so they point at the attackers’ DNS servers rather than legitimate servers.
DNS is a big problem. Usually devices behind a SOHO router will receive their DNS info from the router via DHCP. The router has been configured by the owner using DNS settings from their ISP or they could use one of Google’s servers like 188.8.131.52. A user of their home network should expect a higher level of security unlike the open wifi people use on the road.
The simplest remedy is never allow router management access from the Internet. This is usually turned off by default. Routers should be set and forget so using the maintenance interface should be a rare occurrence. The TP-LINK outlined here requires a user to click a malicious link while in a management session according to this:
- The victim must have an active management session with the WR1043N.
- The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.
Here again the user gets tricked into becoming compromised so this wouldn’t be a problem if the user simply entered the management interface of the router, made changes, and left. There’s no point lingering around in a management session.
A physical dedicated firewall sitting between the Internet and treating all routers as dumb access points makes for an added layer of security. All SOHO routers are relatively cheap embedded devices. It is impractical to even expect them to defend against all possible exploits. By virtue of being on the Internet everyone gets constantly scanned by bots. That only poses a problem if the bot sees a vulnerability and phones home listing your device as a possible target.