There has been a huge debate over whether a router is an IoT device or not. In my opinion it is, because all the data is relayed through a router. An attacker who has complete access to the device can easily gain access to the internal network and cause severe damage.
I have been randomly choosing routers for hardware security analysis. This time it is the iBATON WRB302n, and I swear none of their *other models run on similar firmware*. 🙂
I want to keep it short and quick, so here are the vulnerabilities:
Affected Version: iB-WRB302N20122017
Vulnerability Name: Using weak encoding for login password and cookie
Vulnerability details: Intercepting the login request showed that the password is sent base64-encoded, and that the same base64-encoded password is then used as the cookie for all sessions. Base64 is a reversible encoding, not encryption, so an attacker who can capture the connection can take the cookie from any request and reuse it.
Vulnerability Name: Information Leakage from Hardware Debug Port
Vulnerability details: Analyzing the PCB showed that the UART (hardware debug port) is open and gives access to the debug console of the router. The configuration file can be accessed from this console, and it contains the WiFi credentials (plain text) and the admin credentials (base64). An attacker with physical access can gain complete access to the network. The user password (base64) is also displayed in the same console when someone logs in to the web panel.
CVE ID Assigned: CVE-2018-20008
Vulnerability Name: Unencrypted Configuration File
Vulnerability details: It was identified that the configuration file that can be downloaded from the web panel is not encrypted and contains all credentials in plain text. An attacker can forge a malicious configuration file and take over the network.
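For the first finding (the base64 password reused as the cookie), the sketch below puts that pattern beside a hardened form. It is an added example, not the router's firmware or the vendor's code; `weak_cookie`, `SessionStore`, the TTL and the sample password are all assumed names and constructed values.

```python
import base64
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds; assumed idle timeout for this sketch


def weak_cookie(password):
    """Pattern described in the finding: the cookie is just base64(password)."""
    return base64.b64encode(password.encode()).decode()


class SessionStore:
    """Hardened form: random server-side tokens unrelated to the password."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}  # token -> expiry timestamp

    def login(self, supplied, stored, now=None):
        now = time.time() if now is None else now
        # Constant-time comparison; a real device would compare against a
        # salted password hash rather than the stored plaintext used here.
        if not hmac.compare_digest(supplied.encode(), stored.encode()):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = now + self.ttl
        return token

    def is_valid(self, token, now=None):
        now = time.time() if now is None else now
        expiry = self._sessions.get(token)
        if expiry is None or now >= expiry:
            self._sessions.pop(token, None)  # drop expired or unknown tokens
            return False
        return True

    def logout(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    pw = "example-admin-pw"  # constructed sample value
    print("weak cookie decodes to:", base64.b64decode(weak_cookie(pw)).decode())
    store = SessionStore()
    a, b = store.login(pw, pw), store.login(pw, pw)
    print("two logins, distinct tokens:", a != b, "| valid:", store.is_valid(a))
```

A random token only limits the damage if the panel is served over TLS with the cookie marked Secure and HttpOnly; over plain HTTP it can still be captured, although it no longer reveals the password and it expires.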
These vulnerabilities have been reported to the vendor, who responded that the product is EOL.
Reported the vulnerability: Nov 28, 2018
Followup Email: Dec 4, 2018
Response: Dec 4, 2018
With the below response.
I bought a couple of new routers from the same vendor and found the exact same vulnerability, and the vendor failed to respond to any further emails.
Public Disclosure: May 7, 2019
I wish companies took responsible disclosures more seriously and made it easier for us. This is just one small example and more blogs are coming up.