Is smart router secure?

Objective

With the development of the Internet, more and more companies have introduced intelligent routers, these intelligent routers have brought many convenient functions to users, but also adopted some traditional routers do not have the security characteristics, this article in a brief analysis of these security features, for the relevant technical personnel for reference.

Overview

Traditional routers intentionally or unintentionally use a variety of unsafe features, such as the back door, the back door was originally for on-site debugging convenience, but also opened the hacker into the channel. For example, some router wps (Wi-Fi Protected Setup) pin code can be inferred from the router MAC address, which makes even if the user set up a complex WiFi password, hackers can easily crack and then penetrate. In addition, most routers do not have signature verification during firmware updates, which allows hackers to implant Trojans through firmware updates, thereby permanently controlling the user's router ... And so on. These unsafe features are accomplices in the disclosure of user privacy and property losses.

In this context, smart routers use some of the security features, particularly worthy of appreciation.

Security features

The following is a router manufacturer that introduces the security features and benefits of its security features. Only do the discussion of pure technology, does not involve other.

360 Secure routers

Field debugging interface RSA-1024 encryption and calibration

The router manufacturer, in order to get Rootshell directly when scheduling or debugging, usually has a back door reserved on the router, referring to https://github.com/elvanderb/TCP-32764/and http://www.cnvd.org.cn/ flaw/show/cnvd-2013-15013, these backdoor can be used by the manufacturer, also can be used by hackers. In particular, can remotely use the back door, hackers can remotely obtain all the permissions of routers, with other attacks can cause the loss of user property.

360 of the C301 routers do this: the public key/etc/defdata/debug_telnet.pub.key exists in the firmware of the router, and the manufacturer uses the Debug_ Telnet.pub.key the corresponding private key to encrypt the serial number of a specific U disk, and the encryption results stored in the root directory of the U disk telnet.boot file, to the C301 router USB interface inserted in the U disk, the background automatically run the following command line, that is, start Telnet server:

/usr/sbin/telnetd-l/usr/sbin/login-u 360user:alpha360-i Br0 &

See the program debug_telnet the following code:

Once the server is started, the root shell can be obtained as long as the IP address of the Telnet router is entered with a username and password (360user and alpha360).

It is easy to see that to obtain the root of the router has two conditions, one is to insert a U disk, which requires access to the router, but also to prevent remote use; The second is a U disk root directory Telnet.boot file must be the secret key to encrypt U disk serial number results, and the private key in the hands of manufacturers, hackers can not easily get.

The details of the public key are shown in the following illustration:

In a word, the C301 router uses asymmetric encryption to achieve both the root of the router and the root of the hacker, which is worth the traditional router learning, compared with the method of reserving the back door.

Firmware Update Signature Checksum

The firmware of the C301 router uses AES encryption, the decrypted firmware contains the signature of the firmware, the firmware updates the signature checksum, the checksum is considered to be tampered with, thus rejecting the firmware update.

Millet Router

Firmware Update Signature Checksum

The millet router will also perform signature verification when updating the firmware, and the file/usr/share/xiaoqiang/public.pem is its public key to verify that the signature is correct or not. Because of this, hackers if you want to do not dismantle the premise of the machine to brush into the Trojan's firmware, there are only two ways to go, one is through intrusion, social workers or cracked to get the corresponding private key, and then the modified firmware signed and then brush into the second, through the loopholes, mining new vulnerabilities or brush into the vulnerable old version of the firmware, It then uses the exploit to get the root shell and then swipe into any firmware. Generally speaking, the first path is difficult, and in order to block the second path, you can limit the demotion to achieve.

This shows that, in the premise of limiting the downgrade, the firmware update when the signature check, can effectively prevent the router was implanted Trojan.

Pole routing

Firmware Update Hash Check

The same is true for firmware upgrades for extreme routes, just do MD5 hash test, rather than using asymmetric algorithm to verify, although it downloads the firmware, with the HTTP download, can be hijacked, but the firmware of the hash information is transmitted through HTTPS, to ensure security, The firmware download verifies that the MD5 value matches and does not upgrade if it does not match. This ensures that the firmware that is being brushed is official if the upgrade server is not compromised.

The checksum for firmware upgrades is mentioned several times because it is important. Because if the router is hacked through the admin interface to the firmware of the horse being planted, then the hacker has all the permissions, so that we usually educate users to use complex passwords of the efforts will be wasted, no matter how complex the password set, how often the password to modify the hacker can be obtained through Trojans.

Configuration information Encryption Save

Extreme routes such as MAC address, FAC_UUID, etc. configuration information is encrypted with the DES algorithm nor flash on the router, in contrast to the traditional routers in direct plaintext, after the root shell has the right, you can easily get WiFi password, Web login password and other sensitive information, Encryption preservation has raised the threshold to some extent.

WPS function off

The pole route does not provide WPS functionality, which prevents hackers from using WPS's PIN code to break into a WiFi WPA password intrusion. To provide WPS function, you should also do the following two points, one is to enable WPS protection, the second is the default PIN code to be random, can not be deduced. http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/and HTTP://WWW.DEVTTYS0.COM/2015/04/ reversing-belkins-wps-pin-algorithm/

is two negative examples, because users generally do not modify the default PIN, hackers just based on the MAC address to deduce a pin, you can easily break the WiFi password, no matter how complex the password.

Summarize

Although the smart router has a lot of room for improvement in security, the security features it uses are worth learning from traditional router manufacturers.

Safety design

In order to protect the user's security and prevent the user from the hacker invasion caused by the loss, the author believes that the router manufacturers can refer to the following security design specifications.

Note : More wonderful tutorials Please pay attention to the triple computer tutorial section, triple Computer office group: 189034526 welcome you to join