Naked Security

More IoT insecurity: the routers that take instructions from anyone

Calling all IoT programmers! There's not much point in having an encrypted connection if you're talking to a crook at the other end...

You may not have heard of TR-069, more properly known as CWMP, short for CPE WAN management protocol.

But you may have a router at home or in your business that uses it.

CPE is internet provider jargon for customer premises equipment, and refers to the part of your network-to-ISP connection that’s at your home or work, where the ISP can’t get physical access to it unless you say so.

Historically, and understandably, that’s been a bit of a support nightmare for ISPs, because there are usually lots of innocent-looking configuration settings in the average router that can cause trouble if you fiddle with them.

As a result, some ISPs provide you with the actual CPE hardware, often for a fee that’s part of the service, and you have to run the gear they send you.

Some ISPs offer you a preconfigured router, often quite cheaply, to get you started, which you get to keep, but you can upgrade to a router of your own choice later if you like.

And other ISPs require you to buy your own router and set it up yourself, although they often only officially support devices from a short list that they’ve tested themselves, with known configurations that work.

Regardless of how you acquire your router, however, there are still hurdles that remain before you can get online properly: configuring the router with the right settings at the outset, and updating it if necessary to keep up with changes in technology or the service that’s offered.

Automatically configuring your router is where CWMP comes in.

The word WAN in CWMP, of course, is short for wide area network, and it refers to the stuff on the “outside” of your router – in a word, the internet.

So CWMP is a system that allows your ISP to configure, or to re-configure, your router over the internet so you don’t have to.

Loosely speaking, CWMP works using an HTTP-based call-home mechanism, so that your router connects outwards from your home network, just like a browser might.

Your CPE device fetches its latest configuration instructions from what’s called an Auto Configuration Server (ACS) at your ISP.

Obviously, there are some serious security bridges to cross here, notably that:

  • The connection must be confidential. Otherwise, crooks could eavesdrop on your router and find out important security secrets, including configuration settings and passwords.
  • The connection must be authenticated. Otherwise, crooks could set up an imposter server somewhere between your router and the ISP’s ACS, and issue bogus instructions to your router.

HTTPS (the protocol that puts the padlock in your browser) is the solution used by CWMP, and it provides both confidentiality and authentication if done correctly.

Unfortunately, it isn’t always done correctly.

CWMP done wrongly

Finnish security researcher Harry Sintonen, who goes by Piru, recently found a serious hole in the CWMP implementation in numerous router models from Swedish company Inteno.

According to Sintonen’s vulnerability disclosure, he tried hard to persuade Inteno to do something about the problem, but ended up (or, more precisely, Inteno’s users, whether they knew they had Inteno equipment or not, ended up) stuck between a rock and a hard place.

Sintonen writes:

The Inteno representative [said, “]The operator that sells the CPE to end users or runs their services over it should request [a] software update from Inteno. Inteno do not do end user sales on CPE, we only sell through operators so such software features are directed through operators’ requests.”

That’s a bit like finding a bug in Android or OS X that is a general problem for all users, documenting it clearly and reporting it to Google or Apple…

…and then being told that you need to go back to the shop where you bought it to report exactly the same information, and wait for it to percolate back that way.

Sintonen then reports:

[I] sent a request to Inteno to reconsider fixing this issue preemptively for their customers (operators and ISPs). [I] underlined the importance of the matter (end users are at risk) [and] CCed the response to CERT-FI.

You’d think that Inteno would prefer to fix this once and then tell all its customers, rather than waiting for operator after operator to report the same thing, and then fixing it in part, over and over again.

Apparently not: Sintonen’s correspondence with Inteno lasted from January 2016 to March 2016, after which he heard nothing; after six months (on Friday 02 September 2016), he went public, presumably in the hope of forcing Inteno’s hand.

The problem?

To make sure that your CPE only calls home to the right configuration server (ACS), your ISP needs to pre-configure your router (or to provide a way for you to configure it) so that it will only accept HTTPS certificates from the right servers.

Even a moderately secure implementation, then, needs to call home and then verify that the HTTPS server it’s connected to:

  • Has the right name for the ISP you’re using.
  • Has a digital certificate identifying that the server actually belongs to your ISP.

This is perfectly normal for any HTTPS client, because there are no real-world situations we can think of where you’d want to connect to a server that doesn’t make even the most elementary effort to identify itself correctly.

According to Sintonen, however, Inteno’s routers don’t check either of these properly, leaving them at risk of a man-in-the-middle (MiTM) attack.

If you can trick an Inteno router to connect to an imposter server, perhaps when a user in an apartment block connects through a shared network in the building to get to the outside world, you can present an HTTPS certificate that simply says it belongs to the user’s ISP…

…and the router will accept it, even though it’s not properly vouched for by any trusted certificate authority.
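The two checks described above, as an added example that is not Inteno’s code or anything from Sintonen’s disclosure: a CWMP call-home client written with Python’s standard ssl module. The hostname acs.example-isp.net, the CA file path and the sample certificate dictionary are all assumptions constructed for this illustration. It shows the TLS context a CPE should use (chain verification against the ISP’s CA plus hostname checking), the “accept anything” context that gives you an encrypted connection to whoever answers, a small audit function that tells the two apart, and a simplified version of the hostname-matching rule that the TLS library applies when check_hostname is on.

```python
"""Added example (not Inteno's or Naked Security's code): the checks a CWMP
client must make before trusting an Auto Configuration Server (ACS).

Assumptions (constructed for this example): the ISP's ACS is reached as
acs.example-isp.net, and the ISP's CA certificate has been provisioned
onto the CPE at /etc/cwmp/isp-ca.pem.
"""
import ssl
from typing import Optional

ACS_HOST = "acs.example-isp.net"          # assumed ACS hostname
ISP_CA_FILE = "/etc/cwmp/isp-ca.pem"      # assumed provisioned CA path


def make_acs_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """TLS context the CPE should use for its call-home connection.

    PROTOCOL_TLS_CLIENT gives verify_mode=CERT_REQUIRED and
    check_hostname=True by default: the ACS must present a certificate
    that chains to a CA we trust AND that names the host we dialled.
    Trusting only the ISP's CA (not the whole system store) narrows who
    can vouch for the ACS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:  # None keeps the context usable offline in this example
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def make_broken_context() -> ssl.SSLContext:
    """What 'accept any certificate' looks like: encrypted, authenticated to nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, signed by anyone, is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of findings that make a context MiTM-able (empty = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is never checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate may name anyone")
    return findings


# --- Hostname rule, simplified (RFC 6125 style), for illustration only. ---
# With check_hostname=True the TLS library does this itself; the point is to
# show what "has the right name for the ISP" means in practice.

def _dns_names(cert: dict) -> list:
    """DNS names from a getpeercert()-style dictionary's subjectAltName."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def _name_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    # A wildcard covers exactly one leftmost label: *.example-isp.net matches
    # acs.example-isp.net but neither example-isp.net nor a.b.example-isp.net.
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def hostname_matches(cert: dict, host: str) -> bool:
    """True if any DNS SAN in the certificate covers the host we intended to reach."""
    return any(_name_matches(n, host) for n in _dns_names(cert))


# Constructed sample peer certificate, in the shape ssl's getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "acs.example-isp.net"),),),
    "subjectAltName": (("DNS", "acs.example-isp.net"), ("DNS", "*.example-isp.net")),
}

if __name__ == "__main__":
    for name, ctx in (("good", make_acs_context(None)), ("broken", make_broken_context())):
        print(name, audit_context(ctx) or "no findings")
    print(hostname_matches(SAMPLE_CERT, ACS_HOST))
```

Note that the hostname rule alone would not stop the attack described above: a crook’s self-signed certificate can carry the ISP’s name, and only the chain check (CERT_REQUIRED against the ISP’s CA) rejects it. Both findings from audit_context must be empty before the call-home connection can be trusted.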

That’s like having a stranger knock at your front door, asking them to show ID, being shown a piece of paper with the word POLICE written on it in crayon, and then inviting them inside to take a look around.

What to do?

  • If you have an Inteno router, check Sintonen’s instructions for preventing your router from trying to call home. That way, there is no outbound connection that can be subverted by a MiTM crook.
  • Consider writing to Inteno to ask them to reconsider the request for a general patch.
  • If you are an application developer, especially for Internet of Things (IoT) devices, don’t take shortcuts when making secure connections. HTTPS certificates are there to help ensure you make authentic connections, and we can’t think of a reason why you’d want to make unauthentic ones.

Simply put, there’s not much point in having an encrypted connection if you’re talking to a crook at the other end.


5 Comments

I’m no solicitor and there’s likely to be one of the many “Get out of liability Jail” clauses in the manufacturers’ and service providers’ never-ending terms and conditions.
But it’s about time that the dragging of feet by the manufacturer et al when aware of vulnerabilities needs to be classed a breach of the law with significant % income penalties – perhaps on a sliding response time scale?
I know it’s not as black and white as I suggest, but action needs to be taken.

Publicity is the best solution here – report it to various online news outlets. Once customers start screaming loud enough, government might get its ass and do some work, like punishing the company for not protecting customer data.

Seems to me someone is being a jobsworth here. As some are saying, more and more people need to go public and shame Inteno; eventually the fat cats with their bubbly at the shareholders’ meeting will have their faces go redder than a beetroot, will issue a knee-jerk reaction to resolve the problem, and will then fire the ass of the jobsworth with a lack of common sense.

I wonder if sooner or later we’re going to see legislation popping up to punish public disclosure of vulnerabilities like this. I don’t see how it could be done, but no doubt there are those who would like to see it passed anyway.

@Matt Parkes
Problem is they end up sacking the wrong person.
There is probably one security analyst desperately aware of this problem who has kept raising it internally, but is told to shut up and do his job (i.e. the list of stupid “enhancements” that marketing want, rather than ensuring existing stuff is secure and stays secure).
He’s unfortunately the one who will be hung out to dry.
