When we began to look at the security issues with home routers, we ran right into a protocol called TR-069, also known as CWMP (CPE WAN Management Protocol, where CPE stands for customer-premises equipment). This protocol allows ISPs to remotely manage the home networking devices they provide to their subscribers, which means they can do things like remotely install new firmware on modems, gateways, and routers without involving the subscriber. TR-069 devices communicate with an ISP-controlled server called an ACS (Auto Configuration Server). The ACS informs the device when there are configuration changes, such as new firmware, and the device applies them without any additional human interaction. On the surface this seems like a terrific idea.
On the surface, it also looks like an ideal environment for hackers to cause trouble. If a hacker could find a vulnerability in the way the devices work, the way the ACS works, or in how they work together, he could install his own malicious firmware on hundreds of thousands of devices and take advantage of them. But, we so naively assumed, that could never happen with a protocol where both sides are controlled and communication can easily happen over an encrypted channel.
That’s what we thought….
Enter Shahar Tal, a security researcher at Check Point Software Technologies in Israel. Tal presented the results of his study at the recent DEFCON hacker conference in Las Vegas. Unfortunately, Tal tore down all of the commonly held beliefs about TR-069 with some hard-to-dispel facts.
MYTH: TR-069 works in an encrypted mode over SSL/TLS. FACT: The TR-069 specification only suggests that all communication happen over an encrypted channel. Tal found that 80% of the ACS installations he looked at transmitted their data in the clear.
MYTH: Where SSL is in fact used, clients properly scrutinize the certificates for validity. FACT: Tal found that where SSL was in use, self-signed certificates were commonly used. That’s like passing up even a flimsy padlock for your valuables and using a paper clip instead. Bad, bad idea.
MYTH: ACS software is recognized as a piece of critical infrastructure, and secure coding practices are used in its development. After development, this software is put through rigorous security testing. FACT: LOL
MYTH: Once TR-069 is set up, you’re good to go. FACT: Far from it. Many TR-069 client installations allow things such as modification of the ACS URL. That means hackers are one small vulnerability away from having your modem download arbitrary code from a server they control and treat it as completely trustworthy.
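The three weaknesses above (cleartext ACS sessions, self-signed ACS certificates, and a writable ACS URL) are all things a CPE vendor or ISP can check for on their own devices. The following is an added example, not code from this post or from Check Point: a small Python audit of the ManagementServer URL value a CPE holds, a self-signed check on a certificate in the shape `ssl.SSLSocket.getpeercert()` returns, and the TLS client settings a CPE should use toward its ACS. All URLs, certificate fields and function names are constructed for the example.

```python
import ssl
from urllib.parse import urlsplit

# Sample values are constructed for this example; no real ACS is contacted.
ACS_URLS = {
    "plaintext": "http://acs.example.net/cwmp",
    "no_host":   "https:///cwmp",
    "ok":        "https://acs.example.net:7547/cwmp",
}

# Same shape as the dict ssl.SSLSocket.getpeercert() returns after a handshake.
SELF_SIGNED_PEERCERT = {
    "subject": ((("commonName", "acs.example.net"),),),
    "issuer":  ((("commonName", "acs.example.net"),),),
}

def audit_acs_url(url):
    """Flag weaknesses in the ACS URL a CPE is configured with.

    Returns a list of finding codes; an empty list means nothing was flagged.
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        # Everything the ACS pushes (config, firmware download locations) would travel in the clear.
        findings.append("cleartext")
    if not parts.hostname:
        findings.append("no-host")
    if parts.username or parts.password:
        # Credentials in the URL end up in logs and in every copy of the device config.
        findings.append("credentials-in-url")
    return findings

def is_self_signed(peercert):
    """True when issuer and subject are identical, i.e. no CA vouched for this ACS."""
    subject = peercert.get("subject")
    return bool(subject) and subject == peercert.get("issuer")

def cwmp_client_context(cafile=None):
    """TLS context a CPE should use toward the ACS: chain verified against a trusted
    CA bundle (the ISP's own CA via `cafile`, or the system store), hostname checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # certificate must name the ACS host
    ctx.verify_mode = ssl.CERT_REQUIRED  # self-signed or unknown CA => handshake fails
    return ctx

if __name__ == "__main__":
    for label, url in ACS_URLS.items():
        print(label, url, audit_acs_url(url) or "ok")
    print("self-signed sample:", is_self_signed(SELF_SIGNED_PEERCERT))
```

A context built with `cwmp_client_context()` rejects exactly the self-signed ACS certificates Tal found in the field, so a CPE using it would fail closed rather than trust whatever answers at the ACS URL.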
Tal concludes his talk with the statement “There is no easy fix”. We tend to agree. This problem is quite unexpected simply because the implications are so scary. It provides a clear path to the next Hack of Mass Destruction. Let’s hope the affected parties heed the warnings and change how they work.