Posted on 08/11/2014 9:36:34 PM PDT by Utilizer
Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn.
By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.
At the core of the problem is an increasingly used protocol known as TR-069 or CWMP (customer-premises equipment wide area network management protocol) that is leveraged by technical support departments at many ISPs to remotely troubleshoot configuration problems on routers provided to customers.
According to statistics from 2011, there are 147 million TR-069-enabled devices online and an estimated 70 percent of them are residential gateways, Tal said. Based on scans of the Internet Protocol version 4 address space, the 7547 port, which is associated with TR-069, is the second most frequently encountered service port after port 80 (HTTP), he said.
TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.
(Excerpt) Read more at cso.com.au ...
Does it need to be done on the router, or on every computer?
How do you block a port on a tablet or a phone?
bflr perusal
According to what I was able to glean from the article, you must have root access to the device to be able to change this setting, as the port and the TR-069 protocol are not on the end-users standard menu options.
Perhaps one of the more knowledgeable FReepers who work closely with these devices can suggest a workaround.
Drop the ISP-provided router and get a real one, preferably one that supports DD-WRT or other aftermarket firmware. You can often put the ISP-provided garbage in bridged mode, where it functions as a modem only.
I dumped that crap all-in-one box Comcast supplied and purchased a modem. It paid for itself through eliminating rental fees. I run two Linksys routers that run DD-WRT firmware. It’s open source and allows tons of amazing and business-level functionality. It’s also easy to configure and their page has instructions. If you can follow directions, you can flash and use DD-WRT.
If you are stuck with ISP equipment, ask about bridged mode. Also, don’t run default passwords for router access and always lock down Wi-Fi. WPA2 AES is sufficient. Don’t use WEP or WPS.
Thank you for chiming in. I was hoping someone more familiar with the equipment might have some advice.
I dumped the SBC/Yahoo-supplied router many years ago and got a combination DSL modem, wireless router/4-port LAN router made by Netgear. Recently I have been considering upgrading, but so far the options available have made that a daunting prospect.
Any suggestions on which way to go, now that this exploit has been discovered?
That said.. I always use my own router for my home network and just use the ISP modem for the Internet gateway.. a personal home router with a stateful firewall should protect your internal network.. but your Internet traffic has to route across the ISP modem.. so unless you’ve got your own crypto tunnel for all Internet traffic, you’re exposed.
Spend the money and get a commercial router...
You can block whatever port you want.
Take charge of your router. Think of your router's WAN port as the wild wild internet and minimize the "attack surface" by not forwarding any ports to your LAN unless you know what you are doing. Don't enable your router's remote management interface. Do put a password on your router's LAN-facing management interface (that way, if you accidentally ingest a hack, at least, it won't be able to reprogram your router). Do look through your router's logs from time to time.
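A self-check for the advice above (block TCP 7547, disable remote management), added here and not written by anyone in the thread: it attempts a TCP connect to the TR-069 port and the usual management ports on your own gateway and tells a DROP (no answer) apart from a REJECT (refused). The gateway address 192.168.1.1 is a placeholder; run it from the WAN side to see what the Internet sees.

```python
"""Verify that your own gateway no longer answers on the TR-069 port (7547)
and other management ports after you have blocked them or set bridged mode."""
import socket
from typing import Dict, Iterable, List

# Ports discussed in the thread: TR-069/CWMP (7547) plus the remote-management
# ports an ISP gateway commonly exposes on the WAN side.
DEFAULT_PORTS = {7547: "TR-069/CWMP", 80: "HTTP admin", 443: "HTTPS admin",
                 23: "Telnet", 22: "SSH"}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect to host:port and classify the answer.
    'open'     - the three-way handshake completed (service reachable)
    'closed'   - active refusal (RST), e.g. a firewall REJECT rule
    'filtered' - no answer within the timeout, what a correct DROP rule looks like
    'unreachable' - no route / host down (OSError other than refusal)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def check_gateway(host: str, ports: Iterable[int] = DEFAULT_PORTS,
                  timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port in `ports` and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that answered, i.e. still reachable from where the check ran."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # placeholder gateway
    res = check_gateway(target)
    for port, state in sorted(res.items()):
        print(f"{port:5d} {DEFAULT_PORTS.get(port, ''):12s} {state}")
    if 7547 in exposed_ports(res):
        print("TR-069 port is reachable: block TCP 7547 on the WAN or ask the ISP for bridged mode")
```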
Hmmm. Just recently bought an LG-Ericsson router on sale, but the owners manual does not specify how to configure it that I can recall.
The Netgear combo unit is easy enough, since the default gateway is http accessible through any browser...
Now I have to figure out how to access the router’s firmware menu, not to mention how to do the same with some much older routers I have in the storage area. Those are from the ‘doze 98 era though, so I do not know how much I will be able to play with them even from this linux machine.
Yeah.....That’s what I did when I switched from cable to DSL with AT&T..
The service tech was of no help when I told him what I wanted to do, so after he left I got into the AT&T gateway and turned off the wireless router functions, then I simply used it as a modem and hooked it up to my Netgear router which has a server function that I needed. It also has plenty of user configurations for security.
I feel like I have more control, and since I don’t share data between the computers or devices on my network (I simply use a 1TB drive hooked up to the router for sharing, just as you would use a central server), I can set my security to a pretty high level for the wireless network, and I have never had a problem with it.
Not sure if it’s the best way to do it, but that is what I came up with.
.
?
The Netgear combo unit is easy enough, since the default gateway is http accessible through any browser...
I have an old D-Link from 2006 (firmware revision 2007/12/05). Its HTTP interface is good enough that there is no need for a manual. It does have a couple of bugs, but I don't often encounter them, and I know how to work around them.
I acquired it when the ActionTec that Verizon had provided crapped out. I needed to be on the internet, like, now! So, I threw the ActionTec in the trash, tethered my phone (illegal, but I'd earlier hacked it for the fun of it), researched alternatives, and ran out to buy the D-Link at the local Best Buy.
I'm sure a similar shopping expedition today would yield superior results.
Now I have to figure out how to access the router’s firmware menu, not to mention how to do the same with some much older routers I have in the storage area. Those are from the ‘doze 98 era though, so I do not know how much I will be able to play with them even from this linux machine.
Not worth the trouble, unless you are a computer museum curator or an exceptionally bored hacker.
The workaround is to go down to Best Buy and spend 50 bucks for your own switch. The ones the cable companies provide are crap anyway.
With Verizon you don’t need their device. It’s an IP address right off the fiber.
Besides blocking, you can also forward that port to an IP address that is not being used on your subnetwork. That way, if blocking fails, any traffic for that port would be directed to a device that does not exist.
Mine is named something along those lines.