•  
  •  
 

Abstract

Consumer grade broadband routers are integral to accessing the Internet and are primarily responsible for the reliable routing of data between networks. Despite the importance of broadband routers, security has never been at the forefront of their evolution. Consumers are often in possession of broadband routers that are rich in consumer-orientated features yet riddled with vulnerabilities that make the routers susceptible to exploitation. This amalgamation of theoretical research examines consumer grade broadband routers from the perspective of how they evolved, what makes them vulnerable, how they are targeted and the challenges concerning the application of security. The research further explores the Australian roll out of a joint ISP; consumer extended public Wi-Fi network (Air), in which routers play crucial roles. The security of these networks is considered and questions are explored regarding consumer legal risks, particularly for consumers who opt-in to extend this service. This research paper concludes with recommendations for the development and introduction of Australian router security deployment standards.

References

Acuna, V., Kumbhar, A., Vattapparamban, E., Rajabli, F., Guvenc, I. (2017). Localization of WiFi Devices Using Probe Requests Captured at Unmanned Aerial Vehicles. Paper presented at the 2017 IEEE Wireless Communications and Networking Conference (WCNC), San Francisco, CA, USA

Antonakakis, M., April, T., Bailey, M., Bursztein, E., Cochran, J., Durumeric, Z., . . . Sullivan, N. (2017). Understanding the Mirai Botnet. Paper presented at the 26th USENIX Security Symposium, Vancouver, BC, Canada.

Armasu, L. (2015, March 20). ‘Directory Traversal’ Flaw Exposes Over 700,000 Routers To Remote Hacking. Retrieved 9 October 2016, from http://www.tomshardware.com/news/directory- traversal-flaw-router-hacking,28795.html

Carey, P. (2001, January 12). A start-up’s true tale (12/01/2001). Retrieved 8 October 2016, from http://pdp10.nocrew.org/docs/cisco.html

Charan, S. (2012, November 7). HACK TRACK: DLNA (DIGITAL LIVING NETWORK ALLIANCE): Retrieved from http://hacktrack-2012.blogspot.com.au/2012/11/dlna-digital- living-network-alliance.html

Charfoos, D. G. P.-A. D., Feld, J. S., & Kadish, J. K. (2016, March). ASUS Settlement: FTC Continues to Focus on Privacy and Data Security Enforcement | Lexology. Retrieved 16 October 2016, from http://www.lexology.com/library/detail.aspx?g=882dd152-54e2-4bd3-9c83-1f042aa60005

CISCO. (2016, February 15). Understanding SQL Injection. Retrieved 9 October 2016, from http://www.cisco.com/c/en/us/about/security-center/sql-injection.html

Constantin, L. (2014). Many home routers supplied by ISPs can be compromised en masse, researchers say. Retrieved 23 October 2016, from http://www.pcworld.idg.com.au/article/552058/many_home_routers_supplied_by_isps_can_c ompromised_en_masse_researchers_say/

Csaszar, A., Enyedi, G., Hidell, M., Retvari, G., & Sjodin, P. (2012). evolution_of_router_architectures_and_ip_networks.pdf. Retrieved 11 August 2016, from https://www.ericsson.com/res/thecompany/docs/journal_conference_papers/packet_technolog ies/evolution_of_router_architectures_and_ip_networks.pdf

Cutlip, Z. (2012). SQL Injection to MIPS Overflows. Retrieved from https://media.blackhat.com/bh-us-12/Briefings/Cutlip/BH_US_12_Cutlip_SQL_Exploitation_WP.pdf

CVE-2013-5945. (2013). CVE-2013-5945 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5945

CVE-2015-5999. (2015). CVE-2015-5999 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5999

CVE-2016-5681. (2016). CVE-2016-5681 Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5681

CVE-2017-5633. (2017). CVE-2017-5633 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5633

CVE-2017-6411. (2017). CVE-2017-6411 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6411

CVE-2017-7398. (2017). CVE-2017-7398 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7398

Duffy, J. (2009, February 9). Evolution of the router. Retrieved 11 August 2016, from http://www.networkworld.com/article/2870329/lan-wan/evolution-of-the-router.html

EDB-ID: 30062.(2013). D-Link DSR Router Series - Remote Command Execution. Retrieved from https://www.exploit-db.com/exploits/30062/

Fogarty, K. (2014, February 18). Home Routers Pose Biggest Consumer Cyberthreat. Retrieved 1 October 2016, from http://insights.dice.com/2014/02/18/home-routers-pose-biggest- consumer-cyberthreat/

Folgado Rueda, Á., Rodríguez García, J. A., & Sanz de Castro, I. (2017). Revisiting SOHO Router Attacks. Magdeburger Journal zur Sicherheitsforschung, 14, 797–814. Retrieved August 10, 2017, from http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_054_Rueda_SOHORouter.pdf

Greenberg, A. (2017). Wikileaks Reveals How the CIA Could Hack Your Router. Retrieved June 15, 2017, from https://www.wired.com/story/wikileaks-cia-router-hack

Grieshaber, K. (2010, May 12). German court orders wireless passwords for all. Retrieved 22 August 2016, from http://www.nbcnews.com/id/37107291/ns/technology_and_science- security/t/german-court-orders-wireless-passwords-all/

Gustafsson, J., & Thor, D. (2007). Security Risk Evaluation of the FON Network. IEEE, Sweden. Retrieved from http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4389894

Haag, S., Cummings, M., & Rea, Jn, A. (2016). Backdoors. Retrieved 15 October 2016, from http://highered.mheducation.com/sites/0072834110/student_view0/chapter13/backdoors.html

Hampton, N., & Szewczyk, P. (2015). A survey and method for analysing SoHo router firmware currency. Paper presented at the 13Th Australian Information Security and Management Conference, Edith Cowan University, Western Australia

Hoffman, C. (2014a, March 17). Your Home Router May Also Be a Public Hotspot — Don’t Panic! Retrieved 23 August 2016, from http://www.howtogeek.com/184727/your-home-router-may- also-be-a-public-hotspot-dont-panic/

Hoffman, C. (2014b, April 21). Should You Buy a Router If Your ISP Gives You a Combined Router/Modem? Retrieved 23 August 2016, from http://www.howtogeek.com/187439/should- you-buy-a-router-if-your-isp-gives-you-a-combined-routermodem/

Horowitz, M. (2016, December 4). Firmware Updates - Router Security. Retrieved 15 October 2016, from http://routersecurity.org/firmware.updates.php

Independent Security Evaluators. (2015, April 22). SoHo_techreport.pdf. Retrieved 12 August 2016, from https://securityevaluators.com/knowledge/case_studies/routers/SoHo_techreport.pdf

Independent Security Evaluators, & Holcomb, J. (2013). Vulnerability_Catalog.pdf. Retrieved 2 October 2016, from https://securityevaluators.com/knowledge/case_studies/routers/Vulnerability_Catalog.pdf

Kidman, A. (2014, May 20). Telstra’s New Wi-Fi Network: Everything You Need To Know. Retrieved 23 August 2016, from http://www.lifehacker.com.au/2014/05/telstras-new-wi-fi- network-everything-you-need-to-know/

Kim, P. (2017). Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol. Retrieved from https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html

Laughlin, A. (n.d.). What is DLNA? - Which? Retrieved 2 October 2016, from http://www.which.co.uk/reviews/televisions/article/what-is-dlna

Land, J. (2017). Systematic Vulnerabilities in Customer-Premises Equipment (CPE) Routers. Retrieved from https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_502618.pdf

Netgear. (2011). ReadySHARE_Cloud_Flyer_12JULY2011.pdf. Retrieved 23 October 2016, from https://www.netgear.com/assets/landing/readyshare/ReadySHARE_Cloud_Flyer_12JULY2011.pdf

NIST. (2014). CVE-2013-3069 : Multiple cross-site scripting (XSS) vulnerabilities in NETGEAR WNDR4700 with firmware 1.0.0.34 allow remote authenticate. Retrieved 23 October 2016, from http://www.cvedetails.com/cve/CVE-2013-3069/

Old-Computers.com. (n.d). OLD-COMPUTERS.COM Museum ~ Honeywell DDP-516. Retrieved 26 October 2016, from http://www.old-computers.com/museum/computer.asp?c=551&st=1

Out-Law.com. (2016, December 5). New law in Germany will further reduce liability of Wi-Fi providers for copyright infringement by users. Retrieved 16 October 2016, from http://www.out-law.com/en/articles/2016/may/new-law-in-germany-will-further-reduce- liability-of-wi-fi-providers-for-copyright-infringement-by-users/

Osborne, C. (2017). Researcher discloses 10 D-Link zero-day router flaws. Retrieved from http://www.zdnet.com/article/10-d-link-zero-day-router-flaws-exposed/

Raytheon. (2011, November 2). The ARPANET. Retrieved 8 October 2016, from http://www.raytheon.com/rtnwcm/groups/gallery/documents/digitalasset/rtn_224614.pdf

Rotenberg, N., Shulman, H., Waidner, M., Zeltser, B. (2017). Authentication-Bypass Vulnerabilities in SOHO Routers. Paper presented at ACM SIGCOMM 2017. UCLA Meyer & Renee Luskin Conference Center, LA

Router. (2016, August 23). UPnP. Retrieved from http://www.routercheck.com/upnp-2/

Router Check. (2016, August 23). CSRF. Retrieved from http://www.routercheck.com/csrf/

Sericon Technology. (2015, August 25). The_Real_State_of_WiFi_Security_in_the_Connected_Home.pdf. Retrieved 1 October 2016, from http://www.routercheck.com/WhitePapers/The_Real_State_of_WiFi_Security_in_the_Connected_Home.pdf

Shodan.io. (2016). Shodan. Retrieved 8 October 2016, from https://www.shodan.io/

Szewczyk, P. (2006). Individuals’ Perceptions of Wireless Security in the Home Environment. Paper presented at the 4th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia

Szewczyk, P. (2013). Usability and Security Support Offered Through ADSL Router User Manuals. Paper presented at the 11th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia

Szewczyk, P., & Valli, C. (2009). Insecurity by Obscurity: A Review of SoHo Router Literature from a Network Security Perspective. The Journal of Digital Forensics, Security and Law: JDFSL, 4(3), 5.

Telstra Corporation Limited (AU). (n.d.). Telstra Air - How it works - Telstra Wifi Network. Retrieved 23 August 2016, from https://www.telstra.com.au/broadband/telstra-air/how-it- works

Telstra Corporation Limited (AU). (2016a). Telstra - Wi-Fi Gateways & Extenders - Connected Home. Retrieved 15 October 2016, from https://www.telstra.com.au/connectedhome/enhancements/getwifi

Telstra Corporation Limited (AU). (2016b). Telstra Wifi Hotspot Network - Telstra Air. Retrieved 15 October 2016, from https://www.telstra.com.au/latest-offers/telstra-air-free-wifi-offer

US-CERT. (2011). HomeRouterSecurity2011.pdf. Retrieved 21 August 2016, from https://www.us- cert.gov/sites/default/files/publications/HomeRouterSecurity2011.pdf

Watkins, C. G. (2013). Wireless Liability: Liability Concerns for Operators of Unsecured Wireless Networks. Rutgers Law Review, Forthcoming, 2013.

Yang, L. (2016, April 15). [DS15] Advanced SoHo Router Exploitation - Lyon Yang. Retrieved 24 September 2016, from https://www.youtube.com/watch?v=vhR9gcTtx0g

Download

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.