
Home router security vulnerability exposes 12 million devices

Check Point has uncovered a widespread home router security vulnerability, dubbed Misfortune Cookie, that could allow attackers to gain control over millions of devices.

A newly identified vulnerability could expose approximately 12 million residential network gateway devices to attack, endangering home networks and any business data that may traverse those networks.

Lior Oppenheim, a researcher for network and endpoint security vendor Check Point Software Technologies Ltd., based in Israel, was the first to uncover CVE-2014-9222. Dubbed Misfortune Cookie, the vulnerability is more than a decade old and is the result of an error in the HTTP cookie-management mechanism in affected software versions.

According to a Check Point post, the flaw is rooted in an outdated version of RomPager, one of the most popular types of embedded Web server software in the world. Affecting more than 200 models of residential gateways and SOHO routers, the Misfortune Cookie vulnerability can be exploited by sending a single packet containing a malicious HTTP cookie.

Once a gateway device has been compromised, Check Point said, an attacker would hold administrative privileges over it, allowing him or her to monitor Internet connections, steal credentials and attack the computers, tablets and other devices connected behind it.

Of particular note for enterprises, according to Check Point, is that the exposure is not limited to consumers' personal data: business data is equally susceptible to theft if it is transmitted through a compromised gateway device.

"The implications of these risks mean more than just a privacy violation -- they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes," wrote Check Point in its post. "This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive."

Home router security is posing an increasingly real problem for enterprises as more employees work remotely. Earlier this year, the SANS Institute's Internet Storm Center reported a surge in probes against TCP port 32764, believed to be attempts to exploit an alleged backdoor on Linksys routers disclosed by researcher Eloi Vanderbeken. In response to that incident, SearchSecurity network security expert Kevin Beaver, an information security consultant with Principle Logic LLC, advised enterprise security professionals to scan remote employees' IP addresses to determine if their home equipment is vulnerable, and if so, to have employees upgrade or replace affected devices.

As for how to protect against Misfortune Cookie, Check Point advised users to ensure all sensitive files and documents on home systems are protected by passwords, and to enable HTTPS encryption for all Web browser activity.

The flaw itself can only be mitigated by the affected hardware vendors, including D-Link, Huawei, Edimax, ZTE and others, via a firmware update. Technology-savvy users could also flash the devices with third-party firmware that is confirmed to be secure. Check Point confirmed that it had notified all of the manufacturers of the 200-plus residential gateway models potentially susceptible to a Misfortune Cookie attack.

Unfortunately, as industry luminary Dan Geer has noted many times in recent years, manufacturers of home router equipment are notoriously slow to issue updates, or to issue them at all. Allegro Software, the makers of RomPager, actually issued an updated version of its software to manufacturers in 2005, but Check Point said there are still devices today that are shipping with outdated, vulnerable versions.
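Kevin Beaver's advice above to scan remote employees' equipment, together with the fact that Allegro fixed RomPager in 2005, can be turned into a simple banner check. Vulnerable devices typically announce the embedded server in the HTTP Server header (for example "RomPager/4.07 UPnP/1.0"), and Check Point's advisory identifies RomPager releases before 4.34 as affected. The script below is an added example written for this page, not Check Point's scanner or any vendor tool. It parses a raw HTTP response, extracts the RomPager version and classifies the device; the sample responses are constructed for illustration, and the 4.34 threshold is taken from Check Point's advisory rather than from this article.

```python
"""Banner-based check for RomPager versions associated with Misfortune Cookie.

Added example, not code from the original article. Assumes (per Check Point's
advisory) that RomPager releases before 4.34 are affected and 4.34+ are fixed.
"""
import re
import socket
from typing import Dict, Optional, Tuple

# Assumption: first fixed RomPager release as reported by Check Point.
FIXED_VERSION: Tuple[int, int] = (4, 34)

# Matches "RomPager/4.07" and vendor-prefixed forms such as
# "Allegro-Software-RomPager/4.51".
_ROMPAGER_RE = re.compile(rb"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def server_header(raw_response: bytes) -> Optional[bytes]:
    """Return the value of the HTTP Server header from a raw response, or None."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip()
    return None


def rompager_version(header: bytes) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a Server header, or None if not RomPager."""
    m = _ROMPAGER_RE.search(header)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(raw_response: bytes) -> str:
    """Classify a raw HTTP response from a device's web interface.

    Returns one of: 'likely-vulnerable', 'rompager-patched',
    'not-rompager', 'no-server-header'.
    """
    hdr = server_header(raw_response)
    if hdr is None:
        return "no-server-header"
    ver = rompager_version(hdr)
    if ver is None:
        return "not-rompager"
    return "likely-vulnerable" if ver < FIXED_VERSION else "rompager-patched"


def fetch_banner(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Send a minimal GET to a device and return the raw response headers.

    Only probes; it never sends a malformed cookie. Use only against
    equipment you are authorised to test.
    """
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):  # headers are enough
                break
    return b"".join(chunks)


# Constructed sample responses (not captured from real devices).
SAMPLES: Dict[str, bytes] = {
    "vulnerable": (b"HTTP/1.0 401 Unauthorized\r\n"
                   b"Server: RomPager/4.07 UPnP/1.0\r\n"
                   b'WWW-Authenticate: Basic realm="DSL Router"\r\n\r\n'),
    "patched": (b"HTTP/1.1 200 OK\r\n"
                b"Server: Allegro-Software-RomPager/4.51\r\n"
                b"Content-Type: text/html\r\n\r\n<html></html>"),
    "other": b"HTTP/1.1 200 OK\r\nServer: mini_httpd/1.19\r\n\r\n",
    "nobanner": b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python rompager_check.py <router-ip> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(sys.argv[1], assess(fetch_banner(sys.argv[1], port)))
    else:
        for name, resp in SAMPLES.items():
            print(f"{name:<10} {assess(resp)}")
```

Two caveats for anyone using this against a fleet of home routers: the banner is only an indicator, since a vendor may rebuild firmware without changing the advertised version string, and a device whose WAN-side web interface is closed will simply not answer on port 80 (the check then tells you nothing about the firmware, only that the management port is not reachable from outside). Treat "likely-vulnerable" as a reason to ask the employee for the model and firmware revision, not as a confirmed finding.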

"We believe this is a serious problem that the industry needs to solve," wrote Check Point. "Secure automatic software updates should be offered for all modern devices, if not as a default setting."

Next Steps

Resident threat expert Nick Lewis explains how to defend against brute-force router attacks from the Sality malware.


This is one of those aspects of security that gets very little attention in the enterprise. However, it really should given what's at stake with your mobile workforce. I'm not convinced that the sky is falling, but it would be a good idea to review this vulnerability and develop some information to share with your workforce to ensure that everyone's home networking equipment is as secure as possible.
Great article, but how about a link to a webpage that explains how to scan your own home router to see if you have the vulnerability? Security warnings that increase FUD but aren't actionable just stimulate public fears which then fade into the general background noise of free floating anxiety that keeps millions compulsively sedated.
Exactly what Mr. McRae says: where's the fix, and what's the next step? If our mobile/home-based workforce is actually putting their organization and its data at risk by working from the kitchen table, then there had better be steps to fix this. Even VPN on a vulnerable network COULD be a problem. For the most part, I don't think we have folks camping near enough to hack our Wi-Fi, but if the home router is vulnerable, it's a bigger issue. Not paranoid, just being careful. Yes, I have passwords on all our devices and routers. And no, I don't have access to any sensitive data. So I can only empathize with the CTO who has to track this problem down in his organization.
Also agree with Mr. McRae.

In the US/Canada at least, this is not very widespread (see graphic at ) and mostly affects ADSL gateways. The list doesn't contain vulnerable devices from most of the major mfg's either.

From a technical perspective, what I would specifically like to know is whether this vulnerability is exploitable only if the external web interface is enabled, or if, with the external web interface disabled, merely passing the packet to the device (even to be blocked by the device) is enough to exploit the vulnerability.

I would expect MUCH more from a "security" site.