Critical Flaw Hits Millions of Home Routers

Written by

Security researchers are warning of a critical vulnerability in several different home router models that could put at risk the data of millions of consumers and small businesses worldwide.

Check Point’s Malware and Vulnerability Research Group uncovered Misfortune Cookie, a flaw which could allow attackers to remotely take over an affected router with admin privileges.

CVE-2014-9222 is found in popular routers made by D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others.

Specifically, it affects RomPager from AllegroSoft – web server software embedded in the firmware which comes with the above gateway devices, Check Point said.

The vendor continued:

“An attacker with administrative access to your gateway holds an alarming control over your wired and/or wireless network (local area network) infrastructure. Such control puts devices at risk of Man-in-The-Middle attacks, greatly increases the attack surface for LAN-side vulnerabilities, and gives attackers the ability to directly monitor connections and identifiers belonging to your devices.

The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes. This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”

Although there have thus far been no reported incidents of attackers exploiting the flaw in the wild, there are at least 12 million such devices in 189 countries across the globe, the vendor added.

In some countries, as many as one in two used IP addresses are affected, it said.

Check Point urged the affected device makers to release updated firmware which addresses the problem – RomPager version 4.34 or higher.

It branded the threat “a wake-up call for the embedded device industry and consumers alike.”

What’s hot on Infosecurity Magazine?