Ow­ning Your Home Net­work: Rou­ter Se­cu­ri­ty Re­vi­si­ted

Mar­cus Nie­mietz, Jörg Schwenk

W2SP 2015: Web 2.0 Se­cu­ri­ty & Pri­va­cy 2015 (San Jose, Ca­li­for­nia)


Ab­stract

In this paper we in­ves­ti­ga­te the Web in­ter­faces of se­ver­al DSL home rou­ters that can be used to ma­na­ge their set­tings via a Web brow­ser. Our goal is to chan­ge these set­tings by using pri­ma­ry XSS and UI re­dres­sing at­tacks. This study eva­lua­tes rou­ters from 10 dif­fe­rent ma­nu­fac­tu­rers (TP-Link, Net­ge­ar, Hua­wei, D-Link, Link­sys, Lo­gi­Link, Bel­kin, Buf­fa­lo, Fritz!Box, and Asus). We were able to cir­cum­vent the se­cu­ri­ty of all of them. To de­mons­tra­te how all de­vices are able to be at­ta­cked, we show how to do fast fin­ger­prin­ting at­tacks. Fur­ther­mo­re, we pro­vi­de coun­ter­me­a­su­res to make ad­mi­nis­tra­ti­on in­ter­faces and the­re­fo­re the use of rou­ters more se­cu­re.

[Work­shop] [PDF]

Tags: Rou­ter