A particular model of consumer/home user broadband router/wireless access point from Belkin has been found to be vulnerable to a set of security issues that can have potentially serious consequences.
The Belkin N600 DB Wireless Dual Band N+ router model F9K1102 v2 with firmware version 2.10.17 and possibly earlier are affected.
There are 5 sets of issues (4 of which have been assigned CVEs, defined):
Use of Insufficiently Random Values – CVE-2015-5987: This issue would allow an attacker to spoof Belkin’s firmware update servers and to connect to any device (server, computer etc.) an attacker chooses.
Cleartext Transmission of Sensitive Information: This issue is somewhat related to the above issue since firmware update requests could be intercepted thus allowing an attacker to substitute a firmware update with an update of their choice or prevent firmware updates from taking place. An attacker would first have to be able to conduct a man in the middle (MITM) attack (MITM, defined) first for these malicious capabilities to become available to them.
Use of Client-Side Authentication – CVE-2015-5989: Due to the means of how the router checks if a legitimate user of the router is logged in, these values can be manually manipulated to allow an attacker to log into the administration interface (a webpage shown to the user to allow them to change the settings of the router) of the router with the same permissions as the legitimate user. The attacker would already need access to your local area network (LAN) (the network within your home) to carry out this method of attack. Carrying out this attack remotely would not be possible.
Cross-Site Request Forgery (CSRF) – CVE-2015-5990: If the owner/user of the router is logged into the administrative interface of the router and clicks on a link (within another browser tab) or accesses a website of the attacker’s choice the attacker will obtain the same permissions as the legitimate user. This is known as a Cross-Site Request Forgery (CSRF) attack (CSRF, defined here and here). If the issue mentioned below is also present (namely no password set by the user to access the admin interface) the attacker would not need for the user to be already logged in to use this attack against the legitimate user.
Credentials Management – CVE-2015-5988: If an attacker already has access to your home network they can access the admin interface of the router if the default configuration of the router has not been changed, namely if no password has been set.
Why Should These Issues Be Considered Important?
If an attacker can obtain full access to your router, they can change any setting they wish e.g. the DNS settings (as discussed in a previous post), disconnect you and other legitimate users from your own internet connection and have the possibility of installing rogue firmware onto your router.
While only one issue (Use of Insufficiently Random Values) can be exploited remotely with the remaining issues requiring access to your network or a man in the middle (MITM) connection these issues should still be considered serious since they have the potential to take control of your router away from you and denying access to your internet connection. The devices you have connected to the router may also visit websites that you didn’t intend (due to the DNS settings being changed as mentioned above).
How Can I Protect Myself From These Issues?
While Belkin has not released a firmware update to resolve these issue and may choose not to do so, I would recommend following the advice provided in this CERT advisory. Essentially not allowing untrusted users to access your home network and having strong passwords for your Wireless LAN key and password for the routers admin interface.
If you are an owner of this router or know someone who is, I hope that the above advice is useful to you in preventing any malicious user from using these issues against you or someone you know.