Security experts have discovered a critical new router vulnerability in some models of Inteno home routers that could allow remote malicious hackers to hijack the device and monitor all the internet traffic passing through it. According to F-Secure researchers, the flaw allows an attacker to install their own firmware to the device with back doors and other features to take complete control over the device.
If exploited, the remote hacker would potentially be "able to listen in on unencrypted traffic going through the router, not just device-to-internet, but device-to-device inside the home; as well as manipulate the victim's browsing sessions by redirecting to malicious sites," the researchers said.
While a router device usually receives firmware updates from the server associated with the user's internet service provider (ISP), the vulnerable Inteno router models in this case do not validate the Auto Configuration Server (ACS) certificate (CWE-295).
After accessing the traffic between the victim's router and the ISP's update server, a remote hacker can then set up his own update server and apply a malicious firmware update to gain full administrative access to the device and monitor a victim's internet traffic.
"By changing the firmware, the attacker can change any and all rules of the router," Janne Kauhanen, a cyber security expert at F-Secure, said in a statement. "Watching video content you're storing on another computer? So is the attacker. Updating another device through the router? Hopefully it's not vulnerable like this, or they'll own that too.
"Of course, HTTPS traffic is encrypted, so the attacker won't see that as easily. But they can still redirect all your traffic to malicious sites that enable them to drop malware on your machine."
While the flaw is considered severe, the Helsiniki-based researchers said it is "not immediately exploitable." To launch such an attack, a hacker would need to achieve a "privileged network position between the router and the point of entry of the internet."
Although F-Secure researchers claim that affected devices include Inteno EG500, FG101, DG201, they do note in an advisory that more models could be affected as well. However, they are unable to provide a full list of affected devices due to the "vendor's unwillingness to cooperate."
After discovering the flaw in January, F-Secure claimed to have contacted Inteno about the flaw. The vendor replied two months later saying software issues are handled by the "operators" that sell the equipment.
"Operator that sells the CPE to end users or run their services over it should request software update from Inteno," an Inteno representative said at the time. "Inteno do not do end user sales on CPE, we only sell through operators so such software features are directed through operators requests."
Apart from replacing the vulnerable router entirely with a new one that does not include the vulnerability or installing the firmware that fixes the issue, once it is available, users have no way of preventing their router from getting compromised.
"It's ridiculous how insecure the devices we're sold are," Kauhanen said. "We and other security companies are finding vulnerabilities in these devices all the time. The firmware used in routers and Internet of Things devices is neglected by manufacturers and their customers – by everyone except hackers, who use the vulnerabilities to hijack Internet traffic, steal information, and spread malware."
The security firm urged users to make sure their browsers, software and internet security software are constantly updated to prevent hackers from exploiting the vulnerability.
"It is always difficult when vendors are not willing to work with researchers," Tripwire security researcher Craig Young told IBTimes UK. "Unfortunately this is the world we live in and as a result, there are hundreds of thousands of easily exploited routers indexed on Shodan with publicly available exploits. Routers are in control of so much data and expose a great deal of attack surface yet they are one of the most overlooked elements in home security."