Abstract
Consumer grade broadband routers are integral to accessing the Internet and are primarily responsible for the reliable routing of data between networks. Despite the importance of broadband routers, security has never been at the forefront of their evolution. Consumers are often in possession of broadband routers that are rich in consumer-orientated features yet riddled with vulnerabilities that make the routers susceptible to exploitation. This amalgamation of theoretical research examines consumer grade broadband routers from the perspective of how they evolved, what makes them vulnerable, how they are targeted and the challenges concerning the application of security. The research further explores the Australian roll out of a joint ISP; consumer extended public Wi-Fi network (Air), in which routers play crucial roles. The security of these networks is considered and questions are explored regarding consumer legal risks, particularly for consumers who opt-in to extend this service. This research paper concludes with recommendations for the development and introduction of Australian router security deployment standards.
References
Acuna, V., Kumbhar, A., Vattapparamban, E., Rajabli, F., Guvenc, I. (2017). Localization of WiFi Devices Using Probe Requests Captured at Unmanned Aerial Vehicles. Paper presented at the 2017 IEEE Wireless Communications and Networking Conference (WCNC), San Francisco, CA, USA
Antonakakis, M., April, T., Bailey, M., Bursztein, E., Cochran, J., Durumeric, Z., . . . Sullivan, N. (2017). Understanding the Mirai Botnet. Paper presented at the 26th USENIX Security Symposium, Vancouver, BC, Canada.
Armasu, L. (2015, March 20). ‘Directory Traversal’ Flaw Exposes Over 700,000 Routers To Remote Hacking. Retrieved 9 October 2016, from http://www.tomshardware.com/news/directory- traversal-flaw-router-hacking,28795.html
Carey, P. (2001, January 12). A start-up’s true tale (12/01/2001). Retrieved 8 October 2016, from http://pdp10.nocrew.org/docs/cisco.html
Charan, S. (2012, November 7). HACK TRACK: DLNA (DIGITAL LIVING NETWORK ALLIANCE): Retrieved from http://hacktrack-2012.blogspot.com.au/2012/11/dlna-digital- living-network-alliance.html
Charfoos, D. G. P.-A. D., Feld, J. S., & Kadish, J. K. (2016, March). ASUS Settlement: FTC Continues to Focus on Privacy and Data Security Enforcement | Lexology. Retrieved 16 October 2016, from http://www.lexology.com/library/detail.aspx?g=882dd152-54e2-4bd3-9c83-1f042aa60005
CISCO. (2016, February 15). Understanding SQL Injection. Retrieved 9 October 2016, from http://www.cisco.com/c/en/us/about/security-center/sql-injection.html
Constantin, L. (2014). Many home routers supplied by ISPs can be compromised en masse, researchers say. Retrieved 23 October 2016, from http://www.pcworld.idg.com.au/article/552058/many_home_routers_supplied_by_isps_can_c ompromised_en_masse_researchers_say/
Csaszar, A., Enyedi, G., Hidell, M., Retvari, G., & Sjodin, P. (2012). evolution_of_router_architectures_and_ip_networks.pdf. Retrieved 11 August 2016, from https://www.ericsson.com/res/thecompany/docs/journal_conference_papers/packet_technolog ies/evolution_of_router_architectures_and_ip_networks.pdf
Cutlip, Z. (2012). SQL Injection to MIPS Overflows. Retrieved from https://media.blackhat.com/bh-us-12/Briefings/Cutlip/BH_US_12_Cutlip_SQL_Exploitation_WP.pdf
CVE-2013-5945. (2013). CVE-2013-5945 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5945
CVE-2015-5999. (2015). CVE-2015-5999 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5999
CVE-2016-5681. (2016). CVE-2016-5681 Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5681
CVE-2017-5633. (2017). CVE-2017-5633 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5633
CVE-2017-6411. (2017). CVE-2017-6411 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6411
CVE-2017-7398. (2017). CVE-2017-7398 Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7398
Duffy, J. (2009, February 9). Evolution of the router. Retrieved 11 August 2016, from http://www.networkworld.com/article/2870329/lan-wan/evolution-of-the-router.html
EDB-ID: 30062.(2013). D-Link DSR Router Series - Remote Command Execution. Retrieved from https://www.exploit-db.com/exploits/30062/
Fogarty, K. (2014, February 18). Home Routers Pose Biggest Consumer Cyberthreat. Retrieved 1 October 2016, from http://insights.dice.com/2014/02/18/home-routers-pose-biggest- consumer-cyberthreat/
Folgado Rueda, Á., Rodríguez García, J. A., & Sanz de Castro, I. (2017). Revisiting SOHO Router Attacks. Magdeburger Journal zur Sicherheitsforschung, 14, 797–814. Retrieved August 10, 2017, from http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_054_Rueda_SOHORouter.pdf
Greenberg, A. (2017). Wikileaks Reveals How the CIA Could Hack Your Router. Retrieved June 15, 2017, from https://www.wired.com/story/wikileaks-cia-router-hack
Grieshaber, K. (2010, May 12). German court orders wireless passwords for all. Retrieved 22 August 2016, from http://www.nbcnews.com/id/37107291/ns/technology_and_science- security/t/german-court-orders-wireless-passwords-all/
Gustafsson, J., & Thor, D. (2007). Security Risk Evaluation of the FON Network. IEEE, Sweden. Retrieved from http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4389894
Haag, S., Cummings, M., & Rea, Jn, A. (2016). Backdoors. Retrieved 15 October 2016, from http://highered.mheducation.com/sites/0072834110/student_view0/chapter13/backdoors.html
Hampton, N., & Szewczyk, P. (2015). A survey and method for analysing SoHo router firmware currency. Paper presented at the 13Th Australian Information Security and Management Conference, Edith Cowan University, Western Australia
Hoffman, C. (2014a, March 17). Your Home Router May Also Be a Public Hotspot — Don’t Panic! Retrieved 23 August 2016, from http://www.howtogeek.com/184727/your-home-router-may- also-be-a-public-hotspot-dont-panic/
Hoffman, C. (2014b, April 21). Should You Buy a Router If Your ISP Gives You a Combined Router/Modem? Retrieved 23 August 2016, from http://www.howtogeek.com/187439/should- you-buy-a-router-if-your-isp-gives-you-a-combined-routermodem/
Horowitz, M. (2016, December 4). Firmware Updates - Router Security. Retrieved 15 October 2016, from http://routersecurity.org/firmware.updates.php
Independent Security Evaluators. (2015, April 22). SoHo_techreport.pdf. Retrieved 12 August 2016, from https://securityevaluators.com/knowledge/case_studies/routers/SoHo_techreport.pdf
Independent Security Evaluators, & Holcomb, J. (2013). Vulnerability_Catalog.pdf. Retrieved 2 October 2016, from https://securityevaluators.com/knowledge/case_studies/routers/Vulnerability_Catalog.pdf
Kidman, A. (2014, May 20). Telstra’s New Wi-Fi Network: Everything You Need To Know. Retrieved 23 August 2016, from http://www.lifehacker.com.au/2014/05/telstras-new-wi-fi- network-everything-you-need-to-know/
Kim, P. (2017). Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol. Retrieved from https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html
Laughlin, A. (n.d.). What is DLNA? - Which? Retrieved 2 October 2016, from http://www.which.co.uk/reviews/televisions/article/what-is-dlna
Land, J. (2017). Systematic Vulnerabilities in Customer-Premises Equipment (CPE) Routers. Retrieved from https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_502618.pdf
Netgear. (2011). ReadySHARE_Cloud_Flyer_12JULY2011.pdf. Retrieved 23 October 2016, from https://www.netgear.com/assets/landing/readyshare/ReadySHARE_Cloud_Flyer_12JULY2011.pdf
NIST. (2014). CVE-2013-3069 : Multiple cross-site scripting (XSS) vulnerabilities in NETGEAR WNDR4700 with firmware 1.0.0.34 allow remote authenticate. Retrieved 23 October 2016, from http://www.cvedetails.com/cve/CVE-2013-3069/
Old-Computers.com. (n.d). OLD-COMPUTERS.COM Museum ~ Honeywell DDP-516. Retrieved 26 October 2016, from http://www.old-computers.com/museum/computer.asp?c=551&st=1
Out-Law.com. (2016, December 5). New law in Germany will further reduce liability of Wi-Fi providers for copyright infringement by users. Retrieved 16 October 2016, from http://www.out-law.com/en/articles/2016/may/new-law-in-germany-will-further-reduce- liability-of-wi-fi-providers-for-copyright-infringement-by-users/
Osborne, C. (2017). Researcher discloses 10 D-Link zero-day router flaws. Retrieved from http://www.zdnet.com/article/10-d-link-zero-day-router-flaws-exposed/
Raytheon. (2011, November 2). The ARPANET. Retrieved 8 October 2016, from http://www.raytheon.com/rtnwcm/groups/gallery/documents/digitalasset/rtn_224614.pdf
Rotenberg, N., Shulman, H., Waidner, M., Zeltser, B. (2017). Authentication-Bypass Vulnerabilities in SOHO Routers. Paper presented at ACM SIGCOMM 2017. UCLA Meyer & Renee Luskin Conference Center, LA
Router. (2016, August 23). UPnP. Retrieved from http://www.routercheck.com/upnp-2/
Router Check. (2016, August 23). CSRF. Retrieved from http://www.routercheck.com/csrf/
Sericon Technology. (2015, August 25). The_Real_State_of_WiFi_Security_in_the_Connected_Home.pdf. Retrieved 1 October 2016, from http://www.routercheck.com/WhitePapers/The_Real_State_of_WiFi_Security_in_the_Connected_Home.pdf
Shodan.io. (2016). Shodan. Retrieved 8 October 2016, from https://www.shodan.io/
Szewczyk, P. (2006). Individuals’ Perceptions of Wireless Security in the Home Environment. Paper presented at the 4th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia
Szewczyk, P. (2013). Usability and Security Support Offered Through ADSL Router User Manuals. Paper presented at the 11th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia
Szewczyk, P., & Valli, C. (2009). Insecurity by Obscurity: A Review of SoHo Router Literature from a Network Security Perspective. The Journal of Digital Forensics, Security and Law: JDFSL, 4(3), 5.
Telstra Corporation Limited (AU). (n.d.). Telstra Air - How it works - Telstra Wifi Network. Retrieved 23 August 2016, from https://www.telstra.com.au/broadband/telstra-air/how-it- works
Telstra Corporation Limited (AU). (2016a). Telstra - Wi-Fi Gateways & Extenders - Connected Home. Retrieved 15 October 2016, from https://www.telstra.com.au/connectedhome/enhancements/getwifi
Telstra Corporation Limited (AU). (2016b). Telstra Wifi Hotspot Network - Telstra Air. Retrieved 15 October 2016, from https://www.telstra.com.au/latest-offers/telstra-air-free-wifi-offer
US-CERT. (2011). HomeRouterSecurity2011.pdf. Retrieved 21 August 2016, from https://www.us- cert.gov/sites/default/files/publications/HomeRouterSecurity2011.pdf
Watkins, C. G. (2013). Wireless Liability: Liability Concerns for Operators of Unsecured Wireless Networks. Rutgers Law Review, Forthcoming, 2013.
Yang, L. (2016, April 15). [DS15] Advanced SoHo Router Exploitation - Lyon Yang. Retrieved 24 September 2016, from https://www.youtube.com/watch?v=vhR9gcTtx0g
Recommended Citation
Szewczyk, Patryk and Macdonald, Rose
(2017)
"Broadband Router Security: History, Challenges and Future Implications,"
Journal of Digital Forensics, Security and Law: Vol. 12
, Article 6.
DOI: https://doi.org/10.15394/jdfsl.2017.1444
Available at:
https://commons.erau.edu/jdfsl/vol12/iss4/6