Flawed TR-069 Server Implementations at ISP-Level Give Hackers Access to Home Networks

Millions of home networks could be vulnerable to compromise through the servers ISPs manage them with, according to a presentation at DefCon over the weekend. Check Point Software Technologies security researcher Shahar Tal presented the disturbing situation at the recent security conference in Las Vegas.

Technical support departments of ISPs are increasingly using the TR-069 protocol, or customer-premises equipment wide area network protocol (CWMP), to troubleshoot configuration problems on the routers they provide to customers.

Tal cited statistics from 2011 indicating that over 100 million residential gateways are TR-069 enabled devices. These devices connect to Auto Configuration Servers (ACS) run by ISPs to monitor and re-configure them and update their firmware.

An ACS compromised by a cyberattack could give the attacker access to the router, which could then yield customer information, be reconfigured to use a rogue DNS server, or have malware or a backdoor installed on it.

While TR-069 connections are supposed to use HTTPS, researchers discovered that about 80 percent are unencrypted, and some that would appear to be secure are susceptible to man-in-the-middle attacks. A series of tests by Check Point researchers discovered vulnerabilities in several ACS software implementations, including one which let them take over 500,000 devices.

According to IDG News, large-scale attacks against home routers have become more common in the past year.

Several US broadband ISPs frequently provide less than their advertised speed, according to a June report, and some ISPs may be slowing traffic on purpose. Being seen as providing access to hackers could further damage some battered company reputations.

Hearing that ISPs are not keeping routers secure will also not help the nervousness some homeowners feel over the security of the Internet of Things.
