Let it only be me who is (pen)testing my home network (Part I)
07.4.2017

I got challenged the other day, having been given an opportunity to demonstrate some real-world hacks as part of the FRI student's Garage. The desired topic was the cyber-attack surface of Small Office Home Office (SOHO) environments. In other words: make the participating students, future engineers, aware of the threats, and of the tips, as seen through the eyes of a security analyst.

I have to admit, home networks have become my 'comfort-zone' technology, one I haven't really thought about for a while. What could possibly go wrong there, security-wise? We routinely leave it to our ISPs to choose adequate and trustworthy CPEs (Customer-Premises Equipment) for our homes. But should we?

I started with demo lab preparations, focused on demonstrating an effective hack for the audience. To replicate a common scenario, I picked an old DSL router from my home collection, one with all the neat feature sets: ACLs, NAT and Wi-Fi, plus an SPI (stateful packet inspection) firewall and AES (WPA2) support. Leaving all those promising specs aside, it was UPnP that eventually got my attention.

In short, UPnP (Universal Plug and Play) makes it possible for home networked devices to become reachable from the Internet. Obviously, this is only meant to happen when convenient or necessary (e.g. for media services and Internet gaming). Instead of provisioning the perimeter CPE manually, that is, configuring port forwarding of external (Internet-facing) connections to internal computers, UPnP (its Internet Gateway Device profile) does it all for you: any device on the LAN can ask the router for a port mapping, and the router creates it without any authentication. Perfect technology, one would argue, except in the worst-case scenario where the request comes from an unauthorized human or from malicious code. Oops.
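To make the automation described above concrete, here is the message exchange a UPnP Internet Gateway Device goes through when a client asks for a port forward, together with the check a practitioner would want to run against their own router: enumerating the mappings it already holds. This is an added example, not code from the post; it builds the SSDP discovery request and the SOAP control requests (AddPortMapping, GetGenericPortMappingEntry) from the WANIPConnection:1 service specification and parses constructed sample replies. The addresses, the control URL in the sample LOCATION header and the sample mapping are all made up for illustration.

```python
"""UPnP IGD (WANIPConnection:1) message builders and parsers. Added example;
every host, port and sample response below is constructed, not captured."""
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def build_msearch(st=WANIP, mx=2):
    """Step 1, SSDP discovery: sent by UDP multicast to 239.255.255.250:1900,
    asking which devices implement WANIPConnection. Replies come by unicast."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp_response(data):
    """Parse the 'HTTP/1.1 200 OK' SSDP reply into lower-cased headers, or
    None. LOCATION points at the device description XML, which names the
    control URL used for the SOAP requests below."""
    lines = data.decode(errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def soap_headers(action, body_len):
    """HTTP headers for a control request: POST <body> to the control URL."""
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "Content-Length": str(body_len),
            "SOAPACTION": f'"{WANIP}#{action}"'}


def build_soap(action, args):
    """SOAP envelope for one WANIPConnection action (args in spec order)."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_ENV}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{WANIP}">{inner}</u:{action}>'
            '</s:Body></s:Envelope>').encode()


def build_add_port_mapping(ext_port, int_port, int_client,
                           proto="TCP", desc="example", lease=0):
    """Step 2: AddPortMapping. The spec requires no authentication; an empty
    NewRemoteHost means the mapping accepts any Internet source."""
    return build_soap("AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": int_client,
        "NewEnabled": 1, "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease})


def build_get_mapping_entry(index):
    """Audit: GetGenericPortMappingEntry for index 0, 1, 2, ... until the
    router answers with a SOAP Fault (errorCode 713, index out of range)."""
    return build_soap("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})


def parse_soap_response(data):
    """Return (name of the Body's child element, {argument: text}). For a
    fault the name is 'Fault' and the dict includes the UPnP errorCode."""
    body = ET.fromstring(data).find(f"{{{SOAP_ENV}}}Body")
    child = body[0]
    out = {}
    for el in child.iter():
        if el is not child and el.text and el.text.strip():
            out[el.tag.split("}", 1)[-1]] = el.text.strip()
    return child.tag.split("}", 1)[-1], out


def exposed_mappings(entries):
    """Mappings reachable from any Internet source: enabled, no NewRemoteHost
    restriction (the usual result of an automated AddPortMapping)."""
    return [e for e in entries
            if e.get("NewEnabled") == "1" and not e.get("NewRemoteHost")]


# Constructed sample replies (not captured from a real device).
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
               b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
               b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n")
SAMPLE_ENTRY = (b'<?xml version="1.0"?><s:Envelope xmlns:s="' + SOAP_ENV.encode() +
                b'"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="' +
                WANIP.encode() + b'"><NewRemoteHost></NewRemoteHost>'
                b"<NewExternalPort>445</NewExternalPort><NewProtocol>TCP</NewProtocol>"
                b"<NewInternalPort>445</NewInternalPort>"
                b"<NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>"
                b"<NewPortMappingDescription>smb</NewPortMappingDescription>"
                b"<NewLeaseDuration>0</NewLeaseDuration>"
                b"</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")
SAMPLE_FAULT = (b'<?xml version="1.0"?><s:Envelope xmlns:s="' + SOAP_ENV.encode() +
                b'"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
                b"<faultstring>UPnPError</faultstring><detail>"
                b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                b"<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid"
                b"</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>")

if __name__ == "__main__":
    print(parse_ssdp_response(SAMPLE_SSDP)["location"])
    print(build_add_port_mapping(8080, 80, "192.168.1.10").decode())
    print(exposed_mappings([parse_soap_response(SAMPLE_ENTRY)[1]]))
```

To run this against a live router, send the M-SEARCH over a UDP socket, fetch the LOCATION URL and read the `controlURL` of the WANIPConnection service from it, then POST the SOAP bodies with `soap_headers()` to that URL. Walking `build_get_mapping_entry()` from index 0 until the 713 fault, and passing the parsed entries through `exposed_mappings()`, tells you which internal hosts and ports your own CPE is currently forwarding to the whole Internet; the sample entry shows the kind of result (SMB on an internal PC) that the post's demo relied on.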

Soon I had the demo scenarios for the students' workshop up and running. In a live demonstration, I showed known UPnP issues, such as exposing my home computer's shared folders to the whole Internet, using only tools built into Kali Linux: Python scripting, Metasploit, netcat and even plain telnet. Oh, did I forget to mention that this same exposed target was also my corporate laptop, the one I use for real office work?

Students seemed fascinated observing the compromise of the demo SOHO router and the protected computer behind it. I should make it very clear here that only a few brands, particularly those on older firmware, remain susceptible to UPnP security flaws. Cases where a home router accepts UPnP requests from the Internet side are also rare. Furthermore, even with an affected SOHO router at home, the user still needs to have the offending UPnP feature turned on (or, in the worst case, left at its default setting).

That didn't stop me from conducting some further analysis, using passive information gathering techniques only. I used the Shodan search engine to query for known affected SOHO CPEs, narrowing the searches to Slovenia (the SI region) specifically. Surprisingly, many such devices are still in use in homes around the country, and they can be reached from the Internet for management, some even for UPnP. For those of you who might have wondered: I did not go on to use my hand-made payloads against them, keeping it ethical.

So my old SOHO router, the one I hadn't touched for a while and that had just been sitting there waiting for such a demonstration, was hacked. This got me thinking. How secure are today's cable/DSL CPEs? Is there an attack surface that could expose my home office to external threats? That was the turning point at which I started (pen)testing my home router, the same one I am comfortably sitting behind while writing this post.

You're most welcome to join me in the upcoming series and follow my findings.