More than 700,000 ADSL routers contain serious flaws that allow remote hackers to take control of them.
The routers, provided to customers by ISPs around the world, have a “directory traversal” flaw in a firmware component called webproc.cgi, which allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn’t new and has been reported by multiple researchers since 2011 in various router models.
Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analysing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs in a dozen countries.
According to Lovett, the hashing algorithm used by the routers is weak so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router’s DNS settings. Most of the vulnerable devices he identified are ADSL modems with router functionality that were supplied by ISPs to customers in Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. A few were also found in the US and other countries, but they appeared to be off-the-shelf devices, not distributed by ISPs.