It seems like every day I read something that describes another part of the network that is vulnerable to hackers. Recently in a speech given at the DefCon security conference, Shahar Tal of Check Point Security Technologies said that a large number of residential gateways provided by ISPs are subject to hacking.
Specifically, he pointed out gateways that use the TR-069 protocol, also known as CWMP (CPE WAN Management Protocol). According to scans done by Check Point there are 147 million devices in the world using the TR-069 protocol, and 70% (103 million) of them are home gateways. TR-069 is the second most common protocol found on ISP gateways, after port 80 (HTTP).
ISPs typically communicate with their customer gateways using an ACS (Auto Configuration Server) and associated software. This gives the ISP the ability to monitor the gateway, push firmware upgrades and troubleshoot customer problems. This is the tool an ISP uses to reset somebody’s modem when it’s not working. Tal says that this same software can become the hacker’s point of entry into the home, because an attacker who can impersonate the ACS can gain control of the gateway.
Tal listed a number of weaknesses of the TR-069 gateways. First, the links between the gateway and the ACS are more often unencrypted than not, leaving them open for a hacker to read. Second, anybody who can impersonate the ACS can take control of the gateway. This would give the hacker access to anything that is directly connected to the gateway, including computers, smartphones, tablets, smart devices, etc.
This all matters because recently there have been a number of different kinds of attacks against home gateways. Years ago home computers were used mostly to generate spam, but the bad guys are doing far more malicious things with hijacked computers these days including:
- Hijacking the DNS so that a hacker can see bank transactions.
- Hijacking the DNS to send false hits to web sites to collect click fraud.
- Using the router and infected computers to mine for bitcoins.
- Using the home computing power to launch denial of service attacks.
If you deploy gateways that use this protocol, there are steps you can take to make sure your customers are safe. First, you need to ask your ACS software provider about their security measures. Tal says that many of these systems have not put much emphasis on security. But as an ISP, probably the most important thing you can do is to encrypt all transactions between you and your customers.
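The two weaknesses above (cleartext gateway-to-ACS links and a gateway that will talk to anything claiming to be the ACS) can be checked for across a fleet from the gateway’s own ManagementServer settings. The following audit script is an added example, not code from the post or from Check Point; it uses the standard TR-181 parameter names, and the device records, the trusted ACS host and the weak-credential list are constructed values for the example.

```python
from urllib.parse import urlparse

# Host the ISP actually operates its ACS on (assumed value for this example).
TRUSTED_ACS_HOSTS = {"acs.example-isp.net"}

# Constructed sample of per-device ManagementServer settings, as a fleet
# export might report them; parameter names are TR-181, values are made up.
FLEET = [
    {"serial": "CPE-0001",
     "Device.ManagementServer.URL": "https://acs.example-isp.net/cwmp",
     "Device.ManagementServer.Username": "cpe0001",
     "Device.ManagementServer.Password": "Ls7#qeW1pz",
     "Device.ManagementServer.ConnectionRequestUsername": "acs",
     "Device.ManagementServer.ConnectionRequestPassword": "Rv4$nmK8tt"},
    {"serial": "CPE-0002",
     "Device.ManagementServer.URL": "http://acs.example-isp.net/cwmp",
     "Device.ManagementServer.Username": "cpe0002",
     "Device.ManagementServer.Password": "Hp2@zxC5lq",
     "Device.ManagementServer.ConnectionRequestUsername": "",
     "Device.ManagementServer.ConnectionRequestPassword": ""},
    {"serial": "CPE-0003",
     "Device.ManagementServer.URL": "https://acs.rogue-host.example/cwmp",
     "Device.ManagementServer.Username": "",
     "Device.ManagementServer.Password": "",
     "Device.ManagementServer.ConnectionRequestUsername": "admin",
     "Device.ManagementServer.ConnectionRequestPassword": "admin"},
]

# Connection-request credentials that should never be in production.
WEAK_CREDENTIALS = {"", "admin", "password", "1234"}

def audit_cpe(params, trusted_hosts=TRUSTED_ACS_HOSTS):
    """Return the list of findings for one gateway (empty list means clean)."""
    def p(name):
        return params.get("Device.ManagementServer." + name, "")
    findings = []
    url = urlparse(p("URL"))
    if url.scheme != "https":                      # cleartext ACS link
        findings.append("cleartext ACS URL: sessions readable on the path")
    if url.hostname not in trusted_hosts:          # gateway pointed elsewhere
        findings.append("ACS host %r is not an ISP-operated ACS" % url.hostname)
    if not p("Username") or not p("Password"):     # CPE cannot authenticate
        findings.append("no CPE credentials for authenticating to the ACS")
    if (p("ConnectionRequestUsername") in WEAK_CREDENTIALS
            or p("ConnectionRequestPassword") in WEAK_CREDENTIALS):
        findings.append("connection request credentials empty or default")
    return findings

def audit_fleet(fleet):
    """Map serial to its findings, listing only gateways with at least one."""
    report = {}
    for device in fleet:
        findings = audit_cpe(device)
        if findings:
            report[device["serial"]] = findings
    return report
```

Run against a real export, the report gives you the list of gateways to reconfigure or re-provision before asking the software vendor about the rest of the ACS’s security.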
For now it appears that gateways that use TR-069 are more vulnerable than those using port 80 (HTTP). This is mostly due to the fact that port 80 (HTTP) has been an industry standard for a long time, and thus a lot of effort has gone into making those connections secure. However, there are still threats against port 80 (HTTP) in the world. For example, Code Red, Nimda and their close relatives are still being used to launch attacks against port 80 (HTTP).
In the end, as an ISP you are responsible for keeping your customers safe from these kinds of problems. Certainly failure to do so will increase their risk of being hacked and suffering financial losses. But you are also at risk, since the various malicious uses that can come from these hacks can generate a lot of traffic on your network. So if you deploy a gateway that uses TR-069 you should ask the right questions of the manufacturer and your software vendors to see what security tools they have in place. And then you need to use them. Too many ISPs don’t fully use all of the tools that come with the software and hardware they purchase.
Remember that this is one part of your network that customers rely upon you to keep safe. Generally the gateway is set up such that a customer can’t even see the settings inside, and it’s most typical for all of this to be controlled by the ISP. So it is incumbent upon you not to bring hackers into your customers’ homes.