SANS Internet Storm Center (ISC) Diary
ADSL Router / Cable Modem / Home Wireless AP Hardening in 5 Steps

Last month, we discussed the possibility of a D-Link router worm for consumer network hardware. While there were particular problems with D-Link, there are dangers in all consumer network hardware that require the attention of everyone who installs these devices, regardless of vendor. Taking a device out of the box, plugging it in and leaving it alone can expose you to "worms" or other remote exploitation. This stems from the same problem we see with software and operating systems: these things do not ship in a secure-by-default configuration. Here are 5 easy steps to take when you get a network device / access point, to harden yourself against "easy" exploitation (and this applies to ALL hardware):

1) Change the default passwords, preferably to a strong password (at least 8 characters that include upper/lower case, numbers and special characters). Many of these devices ship with a password of "password" or "admin", and that is just asking for someone to kick over your router.

2) Disable remote administration. Administration of your router / access point should be "local only"; there is no reason to let people from another country have access to your network hardware. If you need to make changes, you should be local to the device (i.e. physically connected, on the internal side of the network, etc.).

3) Update the firmware. Believe it or not, consumer network hardware needs to be patched too. Check the vendor's support site for the device when you get it and look for an update. Sign up for e-mail alerts about updates, if available, or check back regularly.

4) Disable unused services. Many of these devices are "feature rich" and enable these features by default even though 95% of users will never use them. Turn off SNMP, UPnP, "DMZ" features, etc. SNMP in particular lets someone grab all of your device's settings, especially if the community string is "public" (and by default, 99% of the time it is). This is big and will likely lead to the largest amount of exploitation: open SNMP that gives away all your settings to the world on request.

5) Change the default settings of the device. All vendors tend to use the same set of default settings for their devices, such as the IP addresses of the internal network. Change these to something that makes sense for what you are trying to do. Changing the default wireless settings is also important, especially using WPA2 rather than WEP. Hardening access points is its own topic, though.

6) (Okay, there are more than 5.) Submit your logs to DShield. Here is a nice guide on how to send your logs from these kinds of devices to us. The more submitters we have, the more complete a picture we have of what is going on, and the better the intelligence we have to share with you. Especially in the consumer ISP space, there is lots of action that would be helpful for us to see.
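To make step 4 concrete, here is an added example (written for this page, not code from the diary or from DShield) of what "open SNMP with a community string of public" actually means on the wire. The script hand-builds an SNMPv1 GetRequest for sysDescr.0 with a minimal BER encoder, and decodes a GetResponse. The only "credential" is the community string, sent in cleartext, so anyone who can reach UDP/161 can read whatever the device exposes. The reply bytes used below are constructed locally by the same encoder, not captured from any real router; the `probe()` helper and the target host are my own additions for running it against a device you own.

```python
"""Minimal SNMPv1 GET client: why an exposed "public" community is a giveaway."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0: the device/firmware description string

# --- BER helpers: an SNMP packet is just type-length-value triples nested in each other ---

def ber_len(n: int) -> bytes:
    """Encode a length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    """INTEGER in two's complement (0 still takes one byte)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_pdu(pdu_tag: int, community: str, request_id: int, varbinds: bytes) -> bytes:
    """SNMPv1 message: version 0, cleartext community string, then the PDU."""
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

def build_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """GetRequest (tag 0xA0): each varbind is SEQUENCE { OID, NULL }."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)
    return build_pdu(0xA0, community, request_id, varbinds)

def build_response(community: str, request_id: int, pairs) -> bytes:
    """GetResponse (tag 0xA2) with OCTET STRING values; used here to construct a sample reply."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x04, v.encode())) for o, v in pairs)
    return build_pdu(0xA2, community, request_id, varbinds)

# --- decoding ---

def ber_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def ber_seq(val: bytes):
    """Split a constructed value into its child (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(val):
        tag, v, pos = ber_read(val, pos)
        items.append((tag, v))
    return items

def decode_oid(val: bytes) -> str:
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_value(tag: int, val: bytes):
    if tag == 0x04:                      # OCTET STRING
        return val.decode("utf-8", "replace")
    if tag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(val, "big", signed=(tag == 0x02))
    if tag == 0x06:                      # OBJECT IDENTIFIER
        return decode_oid(val)
    return None if tag == 0x05 else val  # NULL, or raw bytes for anything else

def parse_response(pkt: bytes) -> dict:
    """Decode a GetResponse into {'community', 'error_status', 'varbinds': {oid: value}}."""
    tag, msg, _ = ber_read(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, _ver), (_, community), (pdu_tag, pdu) = ber_seq(msg)
    if pdu_tag != 0xA2:
        raise ValueError("expected GetResponse (0xA2), got 0x%02x" % pdu_tag)
    (_, _rid), (_, err), (_, _idx), (_, vbl) = ber_seq(pdu)
    varbinds = {}
    for _, vb in ber_seq(vbl):
        (_, oid), (vtag, vval) = ber_seq(vb)
        varbinds[decode_oid(oid)] = decode_value(vtag, vval)
    return {"community": community.decode(), "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}

# Constructed sample reply (not captured from any real device).
SAMPLE_RESPONSE = build_response("public", 1, [(SYS_DESCR, "Example SOHO router, firmware 1.0")])

def probe(host: str, community: str = "public", oids=(SYS_DESCR,), timeout: float = 2.0):
    """Send one GetRequest to host:161; return the decoded reply, or None if nothing answers.
    Only use against devices you own. Any answer means step 4 above is not done."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, list(oids)), (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data)

if __name__ == "__main__":
    import sys
    print(parse_response(SAMPLE_RESPONSE))          # offline demo on the constructed reply
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                   # e.g. your router's LAN address
```

The GetRequest this produces for sysDescr.0 is the same 40-byte packet every "snmpget -v1 -c public" tool sends; there is nothing to guess beyond the community string, which is why the diary singles SNMP out. If `probe()` returns a decoded sysDescr from your router's WAN side, disable SNMP (or at minimum change the community string and restrict it to the LAN).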

--
John Bambenek / bambenek [at] gmail {dot} com



Periodically recheck settings, mine will revert to defaults after power outages. But the ISP credentials and connection settings remain intact so it successfully reconnects when the power returns, with the firewall at a much lower level of protection.

If you have enabled the embedded firewall (good for you!), find out how to allow only needed ports and resist the urge to disable the firewall to get torrents, IM, remote control, KinzChat(TM), or whatever application working.

If your device came from your ISP, they are your vendor and are another source of assistance and updates in addition to the manufacturer.
-- Anonymous