Check Point researchers warned customers that the servers ISPs use to manage their routers are easily accessible online. These routers and other gateway devices can be easily attacked and hacked by third parties.
Shahar Tal, a Check Point Software Technologies security researcher, said that access to these servers could allow intelligence agencies or hackers to compromise not just thousands but millions of routers. Worse, they could also do the same to the home networks those routers serve.
The problem is rooted in the use of the customer-premises equipment wide area network management protocol (CWMP), popularly known as TR-069. Many ISPs' technical support departments rely on it to remotely troubleshoot router problems such as configuration problems.
Tal said the custom firmware that ISPs run on their routers often hides the TR-069 settings page. This leaves customers unaware that their routers are accessible to and can be controlled by their ISPs. ISPs operate Auto Configuration Servers (ACS) to which TR-069 devices connect. Third-party companies have developed specialized ACS software that ISPs run. The software is used to monitor customer devices for malicious activity and faults, reconfigure them, upgrade firmware, and run diagnostics.
If the ACS is compromised, the attacker could gain access to information such as hardware MAC addresses, VoIP credentials, administration usernames, passwords, and wireless network names. This is alarming because 2011 statistics showed 147 million TR-069-connected devices online. More alarming still, 70% of these devices fall under residential gateways.
Tal further found that the encryption and authentication required by the protocol do not prevent attackers from controlling routers. He and his colleagues found that the ACS software ISPs run has remote code execution vulnerabilities, which attackers could use to take control of the servers. One example they tested is GenieACS.
As of now, there is no concrete solution for this. One way to address the issue is to restrict access to ISPs' auto-configuration servers. This can be done by running them on a separate network segment.
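One way an operator could verify that restriction is to check the ACS access log for clients that come from outside the segments meant to reach it. The following Python is an added example, not code from Check Point or any ACS vendor; the Common Log Format input, the network ranges and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only networks that should reach the ACS (constructed values).
ALLOWED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),  # hypothetical CPE management segment
    ipaddress.ip_network("192.0.2.0/28"),  # hypothetical ISP operations hosts
]

# Constructed sample in Common Log Format; not taken from any real server.
SAMPLE_LOG = """\
10.20.4.17 - - [01/Jan/2024:10:00:01 +0000] "POST /acs HTTP/1.1" 200 512
10.20.9.3 - - [01/Jan/2024:10:00:02 +0000] "POST /acs HTTP/1.1" 200 498
203.0.113.50 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.50 - - [01/Jan/2024:10:00:06 +0000] "POST /acs HTTP/1.1" 401 0
192.0.2.5 - - [01/Jan/2024:10:01:00 +0000] "GET /status HTTP/1.1" 200 64
not-an-ip - - [01/Jan/2024:10:02:00 +0000] "GET / HTTP/1.1" 400 0
198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "POST /acs HTTP/1.1" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def audit(log_text, allowed=ALLOWED_NETS):
    """Return (requests per outside source, outside sources served, bad lines)."""
    outside = Counter()  # source address -> requests from outside the segment
    answered = set()     # outside sources that got a non-error (<400) response
    unparsed = []        # lines with no usable client address, kept for review
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            src = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            src = None
        if src is None:
            unparsed.append(line)
            continue
        if any(src in net for net in allowed):
            continue
        outside[str(src)] += 1
        if int(m.group(2)) < 400:
            answered.add(str(src))
    return outside, answered, unparsed

if __name__ == "__main__":
    outside, answered, unparsed = audit(SAMPLE_LOG)
    for src, count in outside.most_common():
        served = "served" if src in answered else "rejected"
        print(f"{src}: {count} request(s) from outside the segment ({served})")
    print(f"{len(unparsed)} line(s) could not be parsed")
```

Any address reported here means the ACS answered traffic from beyond its intended segment, so the segmentation or firewall rules in front of it need review.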