
How I discovered a security vulnerability with our router

Clarice Bouwer

Software Engineering Team Lead and Director of Cloudsure

Sunday, 9 August 2015 · Estimated 2 minute read

(Ported from my old blog called Thinky)

We have a Huawei HG532 wireless router at home. It is permanently connected to a DSL line with a static IP address. I woke up on a Sunday morning ready to watch some Pluralsight videos but the Internet was down. I connected to the router via HTTP and diagnosed the connectivity. It was up and down, so very unstable. I remotely rebooted it, hard rebooted it after a 30-second wait, checked for device interference and peeked at the logs. The fault was something outside of my control and all I could do was wait a while and then call the service provider.

I became very interested in the router simply because I didn't like the web interface and wanted to change it. I needed to access its file system, find the files and change the stylesheet.

I tried to connect to the router over the Windows network in the file system but it didn't allow me. I installed Telnet and opened a connection to the internal IP address. It worked!

When I tried to log in using the non-default admin username and password, it didn't work. I then tried the default password, which worked. Not cool! The telnet connection gives you access to the router's ATP CLI. I closed the connection and opened a new telnet connection to the public IP and it also worked. Anyone from the outside could get access to my router.

I started researching the ATP CLI and realised the severity of the exposure. Anyone could access the router's shell from the outside! My priorities quickly changed from a pretty UI to securing my router.

I reasoned that default passwords should be configurable somewhere. If I were a configurable password I would probably be in a configuration file somewhere. I logged into the web interface and downloaded the configuration file. It is an XML file that contains all the usernames and passwords in clear text. I changed the CLI password under the X_Cli node and uploaded the changed file.
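A check along these lines can be run over an exported configuration file to list every stored credential and flag the ones still at a default. This is an added example, not code from the original post: only the X_Cli node name comes from the text, while the sample XML, its other element and attribute names, and the default-password list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only the X_Cli node name comes from the post;
# every other element and attribute name here is an assumption.
SAMPLE_CONFIG = """<DeviceConfig>
  <X_Cli>
    <UserInfo>
      <UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin"/>
      <UserInfoInstance InstanceID="2" Username="support" Userpassword="k3Vq-9fLx2"/>
    </UserInfo>
  </X_Cli>
  <X_Web>
    <UserInfoInstance InstanceID="1" Username="admin" Userpassword="Xp7w-Lq20-zzA"/>
  </X_Web>
</DeviceConfig>"""

# Hypothetical list of factory defaults to flag; extend it for your device.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "user"}


def is_password_attr(name):
    return "password" in name.lower() or "passwd" in name.lower()


def find_credentials(xml_text):
    """Return one finding per password-like attribute, never the value itself."""
    findings = []

    def walk(node, path):
        here = path + "/" + node.tag
        # Username stored on the same element, if any (assumed layout).
        user = next((v for k, v in node.attrib.items()
                     if "username" in k.lower()), "")
        for name, value in node.attrib.items():
            if is_password_attr(name):
                findings.append({
                    "path": here,
                    "user": user,
                    "under_cli": "/X_Cli/" in here + "/",
                    "is_default": value.lower() in DEFAULT_PASSWORDS
                                  or value == user,
                })
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_CONFIG):
        state = "DEFAULT" if f["is_default"] else "changed"
        scope = "CLI/telnet" if f["under_cli"] else "other"
        print(f"{f['path']} user={f['user']} [{scope}] {state}")
```

Any finding reported with `under_cli` and `is_default` both true corresponds to the situation described above: the web password was changed but the CLI account was still on its default.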

I felt a bit better but was annoyed that the manual never mentioned any of this cool stuff.

I carried on playing around in the CLI shell.

  • When I was poking around the logs earlier I noticed that the system clock was set to a date long in the past. I updated the date and time with date -s 080911262015.
  • I browsed the file structure using ls and cd, cd - (go back), cd -- (back to root).
  • Viewed the contents of some files using cat filename.ext.
  • Pressing tab at the # prompt lists all available commands.

If I had never wanted to change the UI of the silly web interface I would never have known about this. As a software developer, curiosity is key! How well do you know your router?
