CSRF attacks: Home DSL routers are vulnerable
A well-known attack that’s normally reserved for Web sites has found new life in subverting consumer networking devices. Nathan Hamiel, founder of Hexagon Security Group, stumbled onto a Cross-Site Request Forgery (CSRF, pronounced sea surf) exploit that works on most consumer-grade DSL routers.
CSRF isn’t new; it’s been around since 1988 when Norm Hardy first explained an application-trust issue he named “confused deputy.” CSRF and Clickjacking are examples of the confused-deputy attack that specifically target Web browsers.
What is CSRF?
The more popular CSRF exploits work by having malicious code or a link on a Web page that gives the attacker access to a Web application that the user has already been authenticated to use. If the session is enabled in the browser (different tab), the attacker then has control of that particular Web application.
A real-world example of this is the ability of attackers to commandeer certain Web-based e-mail accounts. The required steps to gain ownership are shown in the following example:
I log into a Web-based e-mail account.
I want to surf the Internet while waiting for an important e-mail, so I open a new tab in the browser.
The Web site I surfed to contains hidden code. My surfing activates the code and sends a HTML request to my e-mail Web server. It just so happens that this request is to delete all my e-mail. Oops.
I realize my example is a bit simplistic, but still it points out the power and covertness of CSRF. Remember, a single HTML request is all that’s required to accomplish the e-mail deletion in the above example. The GNUCitizen Web site has an article “CSRF Demystified” that explains the attack vector in detail. The following are some points that I found to be of particular interest:
If a Web application is open, any other Web page can send requests to the Web application with the user’s privileges.
The risk level increases the longer the Web application is available.
Social bookmarkings are a great way for attackers to get people to Web sites that are set up for CSRF exploits.
CSRF exploit for DSL routers
Hamiel uses the CSRF exploit in a similar manner to gain control of vulnerable DSL routers. It just so happens he’s working with the Motorola/Netopia 2210 DSL modem. So if you have one, please pay particular attention. The steps used to subvert a DSL router are similar to my first example, so I’ll be the victim once again:
I finally got my new DSL router. I’m excited to get on the Internet, so I quickly configure it.
I make sure to shut off remote management from the WAN interface, because I certainly don’t need any surprise visitors.
I’m the only one using the DSL, so there’s no need to worry about a password on the administrator account, since remote management is disabled.
My friend is knowledgeable in HTML and networking (hint). He also knows I just got a new DSL router. He sends me an e-mail to check out his new Web site.
I go to the Web site, and guess what, my friend now owns my DSL router.
Basically it’s the same CSRF exploit. I managed to activate a HTML request on his Web site, which sent the following commands to my Web browser:
Initiate a connection to the new DSL router.
Turn on remote management.
Add a password to the Admin user account.
My friend has effectively locked me out of my DSL router.
Just hit the reset, no big deal
Resetting the router is an easy enough fix. The problem is my router is working fine. So, I’d be oblivious to the hack until there was a problem or I wanted to change the router configuration. I also bet that many readers know people who don’t even touch their DSL routers. Just plug them in and they work, albeit in default mode.
What are the consequences?
With the perimeter device compromised, there are any number of things the attacker can do. Hamiel goes into the possibilities in his blog “CSRF Vulns on Local Network Devices” on the Neohaxor.org Web site:
“Remember that attacker has remote admin on your routing device. So, even if you have a network inside with private IP addresses, the attacker has access to your logs. It is trivial at that point to identify internal IP addresses and configure pass-through to these machines so they can attack them directly. Basically the machines on your local network can be compromised.”
Prevention is simple
I bet everyone has heard this before. All that’s required to prevent a CSRF exploit is to change all the default settings on any networking device, especially Internet facing equipment like a DSL router. Even more importantly, change the default admin account password to a formidable one. It’s that simple.
I personally also recommend having an additional router/firewall after any perimeter (DSL router for example) device. It adds another layer of security and prevents ISPs from getting any further into the network than their device.
Final thoughts
The router CSRF attack is relatively effective, simply because the DSL router is not normally considered when troubleshooting malware problems. Thus the avenue for infiltration is not closed after the computer malware problems have been solved. That’s why I felt it important to present this information, especially since the cure isn’t difficult.