Newfound router flaw lets hackers control home internet connections

Newfound router flaw lets hackers control home internet connections

The flaw would give attacker complete control over a home’s internet traffic – another example of widespread problems with weak router security.

F-Secure researchers have uncovered a critical vulnerability in some models of Inteno home routers that, if exploited, is severe enough to allow an attacker complete control over the victim device and the internet traffic travelling through it. The finding highlights the security challenges plaguing consumer routers.

The vulnerability allows an attacker to install their own firmware to the device, which would still work as before, but with back doors and other unwanted features. An attacker exploiting the flaw would be able to listen in on unencrypted traffic going through the router, not just device-to-internet, but device-to-device inside the home; as well as manipulate the victim’s browsing sessions by redirecting to malicious sites.

Janne Kauhanen, cyber security expert at F-Secure says:

“By changing the firmware, the attacker can change any and all rules of the router. Watching video content you’re storing on another computer? So is the attacker. Updating another device through the router? Hopefully it’s not vulnerable like this, or they’ll own that too. Of course, HTTPS traffic is encrypted, so the attacker won’t see that as easily. But they can still redirect all your traffic to malicious sites that enable them to drop malware on your machine.”

The router type in question typically receives firmware updates from a server associated with the user’s internet service provider (ISP). But problematically, the vulnerable routers make no effort to confirm the update is valid and comes from the right place. An attacker who has already gained access to the traffic between the home router and the ISP’s update server (for example, by accessing an apartment building’s network distribution trunk) can set up his own update server. He could then apply a malicious firmware update.

Researchers say this case is just the tip of the iceberg when it comes to router security issues. And while the need for computer security is well understood, consumers are often unaware that a router is just as vulnerable.

“It’s ridiculous how insecure the devices we’re sold are,” says Kauhanen. “We and other security companies are finding vulnerabilities in these devices all the time. The firmware used in routers and Internet of Things devices is neglected by manufacturers and their customers – by everyone except hackers, who use the vulnerabilities to hijack internet traffic, steal information and spread malware.”

The flaw, while severe, is not immediately exploitable. An attacker would need to have already achieved a privileged network position between the router and the point of entry of the internet. Affected devices are Inteno EG500, FG101, DG201, and possibly others.

According to Harry Sintonen, F-Secure’s senior security consultant who found the vulnerability, there is no way for a consumer to prevent their router getting exploited, short of replacing it with a new router without this particular vulnerability, or by installing the firmware that fixes the issue once it is available.

However, he points out that replacing the router is problematic advice.

“As vulnerabilities in consumer DSL equipment are extremely common, it could well be that the device switch only leads to an even worse security situation,” he says.

By following the usual security best practices, however, consumers can mitigate damages should their router become a victim of attack:

• Keep browsers and other software updated to prevent hackers exploiting security flaws in old software.
• Use reliable internet security software such as F-Secure SAFE that stays constantly updated, to prevent a hacker from dropping malware.
• Use a VPN such as F-Secure Freedome to encrypt internet traffic – even if the router was hacked, encryption would prevent an attacker from spying.

The vendor and authorities have been made aware of this vulnerability well before this public disclosure.

[su_button url=”https://www.f-secure.com/en_GB/welcome” target=”blank” style=”flat” background=”#df2027″ color=”#ffffff” size=”10″ radius=”0″ icon=”icon: arrow-circle-right”]Click here to find out more about F-Secure[/su_button]

Georgina Turner image

Georgina Turner

Sales Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Graphic displaying a lockdown solution

Netgenium debuts next gen display and touchscreen technologies

Power-over-Ethernet (PoE) solutions specialist Netgenium will be showcasing its new range of IP…

ICT® Launches New TSL Access Reader Series

Integrated Control Technology (ICT®), a leading manufacturer of intelligent access control and…
Image Provided by Paxton

Paxton Partners with Skills for Security

The security technology manufacturer Paxton is proud to announce a partnership with Skills for Security…
Image Provided by ICT

ICT and Ingram Micro sign distribution agreement MEA

Integrated Control Technology (ICT), award-winning global manufacturer of intelligent electronic access control and security solutions..
Image Provided by Toshiba

Toshiba launches new HDD Innovation Lab

Toshiba Electronics Europe GmbH (Toshiba) has inaugurated a new HDD Innovation Laboratory (HDD Innovation Lab) at its site in Düsseldorf..
Image Provided by Verkada

Verkada Doubles Down on the Channel with Strategic New Hire

Verkada, a leader in cloud-based physical security, today announced the appointment of Micah Deriso as Head of Global Channel…
Image Provided by IPSA

IPSA Appoint Frontline Hero as Ambassador

Abdullah, the courageous security officer praised for foiling a horrific knife attack at Leicester Square, has been appointed as…
Image Provided by Codelocks

New Surface Latch from Codelocks

Codelocks is expanding its Gate Solutions by Codelocks range with the introduction of the new Codelocks’ Surface Latch…
Image provided by Genetec

Nicholas Smith to Lead Genetec UK and Ireland Operations

Genetec, provider of enterprise physical security software, announced the appointment of Nicholas Smith as its new Regional Sales Director…

News Desk

View all the latest, product, project and people news

News Desk

Click Here

Technology News

Keep up-to-date with the latest product innovation

Technology News

Click Here

Industry Sectors

Discover technology in action in all applications

Industry Sectors

Click Here

Enter The Awards

Showcase personal or organisation excellence

Advertise With Us

Reach decision makers and amplify your marketing

Advertise With Us

Click Here
Scroll to Top