Linux is the most-used operating system on Internet routers, but a recent study from Fraunhofer FKIE has shown that these devices are running extremely old and potentially insecure versions of the Linux kernel.
According to the report, Linux powers more than 90% of broadband routers. However, these devices which act as our gateways to the Internet often run on Linux kernels that are more than ten years old.
Through an analysis of 127 routers from seven major vendors, the researchers found that most routers still use a very old version of the Linux kernel — Linux 2.6.
The latest version of this Linux kernel is 2.6.39, which stopped being maintained in 2011. The last long term support version of Linux 2.6 to still receive support was version 2.6.34, which was released on 16 May 2010 and stopped being maintained in February 2014. Many routers use versions of the Linux 2.6 kernel for which support was dropped much earlier than this.
In addition to looking at the Linux kernel version, the researchers attempted to answer five security questions by automatically extracting and analysing the firmware of broadband routers with their Firmware Analysis and Comparison Tool:
- When were the devices last updated?
- Which operating system versions are used and how many known critical vulnerabilities affect these operating system versions?
- Which exploit mitigation techniques do the vendors use? How often do they activate these techniques?
- Do the firmware images contain private cryptographic key material?
- Are there any hard-coded login credentials?
Fraunhofer FKIE’s analysis included broadband Internet routers sold by AVM, ASUS, Netgear, D-Link, Linksys, TP-Link, and Zyxel.
“Our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects,” Fraunhofer FKIE stated.
It said that much more effort is needed to make home routers as secure as current desktop or server systems.
Fraunhofer FKIE also found that the vendors whose devices they examined prioritise security differently.
“AVM does a better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel,” the report concluded.
Insecurity of home broadband routers a major problem
The overall lack of good security practices in home routers is a well-documented problem and has led to the founding of initiatives like the SOHOpelessly Broken hacking contest to try to find vulnerabilities and force vendors to fix them.
During the heyday of ADSL, vulnerabilities in ISP-supplied ADSL routers allowed attackers to easily gain administrative access to the device and unmask the password of your Internet service provider account.
However, the existence of these issues soon became a far greater problem than some data-starved hacker being able to get into your router and steal some of your monthly cap.
In the past, attackers have broken into Internet routers en masse to alter Domain Name System (DNS) settings. DNS is what translates human readable domain names such as mybroadband.co.za (or absa.co.za and fnb.co.za) into numeric Internet Protocol addresses that computers use to communicate over the Internet.
This DNS hijack is extremely dangerous, as it allows attackers to redirect your web requests to servers under their control. For example, you might try to visit gmail.com, or your bank’s website, and end up on a page controlled by criminals trying to steal your login credentials.
Thanks to vendor-created backdoors, poor default configurations, and other issues, attackers have been able to take over insecure devices from routers to webcams and turn them into botnets.
One infamous example is the Mirai botnet which crippled the Internet, and which experts said could have been used to knock entire countries offline.
In response to this, a hacker who goes by “Dr Cyborkian a.k.a. janit0r” took it upon themselves to launch a campaign of “Internet chemotherapy” — a series of directed but indiscriminate attacks designed to remove devices with potentially harmful security vulnerabilities from the Internet.
Between July 2017 and January 2018, Janit0r targeted routers on the Telkom network in South Africa, causing them to malfunction in the hopes that Telkom would address the security problems of the devices it supplied to customers.
Janit0r reported that Telkom, unfortunately, showed no intention of fixing or replacing the insecure routers on its network. It was only thanks to customers replacing their routers — out of frustration after having to factory reset them every day or two — that the number of insecure routers on the Telkom network decreased over the span of six months.
Responses from D-Link and Zyxel
Only D-Link and Zyxel issued statements in response to Fraunhofer FKIE’s report. Both companies suggested that the researchers were looking at old products.
“This report may reference old products that have already been listed as End of Support,” D-Link stated.
“Due to the evolution of technology, material changes in industry, or ending the partnership with certain suppliers, D-Link will, from time to time, announce the termination of support and maintenance for certain products. For products that D-Link still supports, D-Link ensures that vigorous security tests are executed on the firmware before it is released.”
Zyxel issued a similar statement, arguing that of the ten Zyxel routers explicitly listed in the Fraunhofer FKIE report, four had already reached end-of-life. These same four devices also featured prominently throughout the report as examples of insecure devices.
Ignoring the big, hackable elephant in the room
There is a key issue that no vendor of consumer and small-office network equipment has addressed following reports such as the one from Fraunhofer FKIE.
Even though they might regard a certain router as “end-of-life”, these devices remain widely in use long after security patches for them stop.
That is assuming end users install the patches at all, since flashing firmware can be a fairly technical task.
Neither the equipment manufacturers nor the retailers and Internet service providers who carry their products inform buyers when a device will reach end-of-support and stop receiving security updates.
Internet service providers do not offer an upgrade path for broadband routers. It is also not typical for an Internet service provider to take responsibility for ensuring that their clients’ Internet gateways are updated with the latest firmware.
This reckless laissez-faire attitude from vendors and service providers towards essential and widely distributed Internet equipment, like broadband routers, has sown fields of insecure devices that are ripe for the next Mirai to harvest.
Examining the Zyxel SBG3300 Internet gateway
As a spot-check of Fraunhofer FKIE’s findings, I was able to examine a Zyxel SBG3300 small office/home office VDSL/ADSL2+ combo router.
This device has been widely supplied by Internet service providers and retailers in South Africa and remains in use by DSL subscribers who have upgraded to fibre.
It is running version V1.01(AAZZ.1)C0 of Zyxel’s firmware for the device. There is no mechanism to automatically upgrade the firmware of the device. Non-technical users would somehow have to find the latest firmware on the Zyxel website and manually upgrade the router should they wish to ensure they have the latest security patches installed.
Firstly, when attempting to connect to the router using Secure Shell (SSH), it gives an error showing that the version of SSH on the router uses outdated encryption — already a sign that the operating system on the router is very old.
On a modern SSH client, the legacy key exchange and cipher that the router offers must be explicitly re-enabled, as follows:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc [email protected]
Once connected to the router, it was possible to run cat /proc/version, which shows that the Zyxel SBG3300 at my disposal ran on version 2.6.30 of the Linux kernel.
Linux 2.6.30 was originally released in June 2009 and was supported until October 2009.
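The check described above (read /proc/version, then compare the kernel against known end-of-support dates) is the kind of thing worth automating across a fleet of gateways. The script below is an added example written for this article, not code from Fraunhofer FKIE, Zyxel or the router's firmware. It parses a /proc/version line and flags any kernel in the 2.6 series or older as out of support; the sample line, build host and compiler string are constructed, and the support-end dates in the table are only those the article quotes.

```python
"""Parse `cat /proc/version` output and flag end-of-life kernels."""
import re
from typing import Optional

# Constructed sample of what /proc/version prints on a router built on
# Linux 2.6.30; the build host, compiler and date are made up.
SAMPLE_PROC_VERSION = (
    "Linux version 2.6.30 (builder@example-buildhost) "
    "(gcc version 4.3.3 (GCC) ) #1 PREEMPT Thu Jan 14 12:00:00 CST 2010"
)

# Support-end dates quoted in the article for specific 2.6 releases.
# Hypothetical table: only what the article states is filled in.
SUPPORT_ENDED = {
    (2, 6, 30): "October 2009",
    (2, 6, 34): "February 2014",
    (2, 6, 39): "2011",
}

# 2.6.39 was the final 2.6 release and its maintenance ended in 2011, so
# every 2.6 (or older) kernel is out of support regardless of patch level.
LAST_UNSUPPORTED_SERIES = (2, 6)

_VERSION_RE = re.compile(
    r"^Linux version "
    r"(?P<version>(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?\S*)"
    r"(?:\s+\((?P<builder>[^()]*)\))?"          # "(user@host)"
    r"(?:\s+\((?P<compiler>gcc version [^\s)]+))?"  # "(gcc version X.Y.Z"
)


def parse_proc_version(text: str) -> dict:
    """Extract version tuple, build user/host and compiler from /proc/version."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("not a Linux /proc/version line")
    patch = int(match.group("patch")) if match.group("patch") is not None else 0
    return {
        "version": match.group("version"),
        "tuple": (int(match.group("major")), int(match.group("minor")), patch),
        "builder": match.group("builder"),
        "compiler": match.group("compiler"),
    }


def assess_kernel(text: str) -> dict:
    """Classify a kernel as end-of-life (True), or unknown (None) for
    series newer than 2.6 that this table does not cover."""
    info = parse_proc_version(text)
    major, minor, patch = info["tuple"]
    end_of_life: Optional[bool] = True if (major, minor) <= LAST_UNSUPPORTED_SERIES else None
    return {
        "version": info["version"],
        "end_of_life": end_of_life,
        "support_ended": SUPPORT_ENDED.get((major, minor, patch)),
        "compiler": info["compiler"],
    }


if __name__ == "__main__":
    result = assess_kernel(SAMPLE_PROC_VERSION)
    status = "END OF LIFE" if result["end_of_life"] else "not in table"
    print(f"kernel {result['version']}: {status}"
          f" (support ended {result['support_ended']})")
```

On a real device the text would come from the SSH session rather than the constructed constant; the parser is deliberately tolerant of suffixes such as "-rc1" in the version string and of a missing compiler field, both of which vendor kernels commonly have.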
The number of known vulnerabilities for Linux 2.6.30 listed in the Common Vulnerabilities and Exposures (CVE) database has increased dramatically — from 2 in 2016 to 92 in 2019.
Although most of the serious vulnerabilities for Linux versions 2.6.30 and earlier don’t involve anything more serious than allowing an attacker to crash your router, there are still a handful of vulnerabilities that could allow an attacker to take over the device, including remote code execution.
The latter is of particular concern, as there is a Metasploit implementation of CVE-2009-2692 available, which may make it easier for attackers to exploit the vulnerability in routers and other devices still running extremely old versions of the Linux kernel.