July 30, 2012, 11:34 AM — Security researcher Michael Coppola demonstrated how small and home office (SOHO) routers can be compromised and turned into botnet clients by updating them with backdoored versions of vendor-supplied firmware.
Coppola, who is a security consultant at Virtual Security Research (VSR), gave a crash course in router firmware backdooring -- a complicated process that requires reverse engineering skills -- at the Defcon hacker conference on Sunday.
During the talk he also released a tool called the Router Post-Exploitation Framework (rpef) that automates the firmware backdooring process for several popular router models from different vendors.
The devices supported by rpef include: Netgear WGR614, WNDR3700 and WNR1000; Linksys WRT120N; TRENDnet TEW-651BR and TEW-652BRP; D-Link DIR-601 and Belkin F5D7230-4.
Only specific versions of these routers can be backdoored with the framework and some require more testing. However, the list of supported devices will be extended in the future.
Rpef can add several payloads to the router firmware: a root bind shell, a network sniffer or a botnet client that connects to a predefined IRC (Internet Relay Chat) server where it can receive different commands from the attacker, including one to launch a denial-of-service attack.
Writing the backdoored firmware onto a device -- a process also known as flashing -- can be done through the Web-based administration interfaces of most routers and a remote attacker can abuse this feature in several ways.
One method is to scan the Internet for routers that make their Web-based administration interface accessible remotely. This is not the default setting in many routers today, but a lot of devices configured like this are available on the Internet.
Once these devices have been identified, the attacker could attempt to use the default vendor-supplied password, brute force the password or exploit authentication bypass vulnerabilities to get in. There are websites that specialize in tracking and documenting router default administrative credentials and vulnerabilities.
"I've done port scans and there are huge netblocks with thousands of IP addresses of open routers that are listening remotely to the Internet with default passwords," Coppola said.
However, even when the Web interface is not exposed to the Internet, there are ways to flash them with rogue firmware remotely.