Users of Asus RT-N and RT-AC series routers should install the latest firmware updates released for their models because they address vulnerabilities that could allow attackers to hijack router settings.
The flaws were discovered by researchers from security consultancy outfit Nightwatch Cybersecurity and leave many Asus router models exposed to cross-site request forgery (CSRF) attacks.
CSRF is an attack technique that involves hijacking a user’s browser when visiting a specially crafted website and forcing it to send unauthorized requests to a different website — or in this case, the router web-based administration interface accessible over the local area network (LAN).
The login page for the web interface of most Asus routers running the company’s unified AsusWRT firmware doesn’t have any type of CSRF protection, according to the Nightwatch researchers. This allows malicious websites to send login requests to Asus routers through users’ browsers without their knowledge.
In order to pull off such an attack, hackers need to know the LAN IP address of the targeted router and the password for its admin account. In many cases this information is easy to obtain.
There are ways for web pages to scan a visitor’s local network for devices. There is even an open-source JavaScript framework called Sonar.js that contains “fingerprints” for different routers.
However, such advanced techniques are not even needed in most cases, because users rarely change their router’s default IP address — 192.168.1.1 in the case of Asus routers.
Many users also don’t change their router’s default and publicly documented username and password combination — admin/admin for Asus routers. Some users don’t change these credentials because they don’t know how, while others don’t do it out of convenience and based on the false belief that their router cannot be attacked because its web interface is not exposed to the internet.
Unfortunately, this thinking doesn’t take into account CSRF and other LAN-based attacks. Large-scale CSRF campaigns that hijacked routers’ settings have been observed in the wild over the past few years, and security vendors recently found computer and mobile malware programs designed to compromise routers over the local area network.
Once authenticated on the router via CSRF, an attacker would have no problem changing a setting, the Nightwatch researchers said in an advisory this week. That’s because the page that saves any configuration modifications also lacks CSRF protection, they said.
A common attack against routers is to change their DNS (Domain Name System) server settings, forcing them to use a DNS server controlled by attackers. Since DNS is used to translate domain names into IP addresses, attackers can use their control over DNS responses to direct users who connect through a compromised router to fake web pages.
This enables powerful phishing attacks because the browser address bar would continue to display the correct domain name for the legitimate website the user tried to access, but the loaded page would be provided by attackers.
In addition to the CSRF issues, Nightwatch Cybersecurity also found three information leak vulnerabilities that could be exploited from remote websites or mobile applications on the same LAN to expose details about a router’s configuration, including its wireless network password.
Asus doesn’t consider all of these issues as security vulnerabilities. The company released firmware updates to fix the CSRF issues and some of the info leaks for many of the affected models in March and April. However, there are user reports that at least one model, the 4G-AC55U, is also vulnerable and has no patch.
A common problem with routers is that even when firmware updates become available, very few users go to the trouble of downloading and installing them on their devices. The firmware update process is not exactly straightforward on routers, but vendors are often not clear about what these updates contain or why they’re needed.
For example, the release notes for the new Asus router firmware updates mention that the following security issues have been fixed: CVE-2017-5891, CVE-2017-5892, CVE-2017-6547, CVE-2017-6549, and CVE-2017-6548.
To understand what those vulnerabilities are about, users would have to search the internet on their own and even then, they might find no useful information. For example, if a user would have searched for CVE-2017-5891 and CVE-2017-5892 in March or April, they would have found no details. If they search now, they’ll likely come across the third-party Nightwatch Cybersecurity advisory published Tuesday.
Since details about these vulnerabilities are now publicly available, Asus router owners should install the firmware updates for their models as soon as possible. There are also other actions that can be taken to reduce the likelihood routers being compromised in general.