Rattling Routers
Routers are one of the most commonly used IOT devices. Hence we take a sneak peak into Router Security
Note: This is a popularly used router. The specific details hence are out of scope & is intended for education purpose only.
The firmware of the Router can be accessed like below.
Zooming into the voltage, ground, Transmission & Receiver Pins as below.
Confirming Connectivity with “sudo dmesg” shows us the connectivity logs as below.
So as to interact with the firmware it’s first important to identify the rate at which the number of signal elements or changes to the signal occurs per second when it passes through a transmission medium also known as Baud rate. This although common across range of devices or could be found in the device manuals as below; If not, the manual way is requires one to use logic & frequency analyzers to deduce the same.
Once baud rate is identified, we can connect with the firmware Terminal as below.
Vulnerability: Ideally connecting with the firmware terminal should require us to credentials but in this case, no credentials are required to access root terminal!
To connect the router with LAN as below for the post exploitation.
I) Firmware Extraction:
The firmware files defines the functionalities of the device. In this device, the firmware files can be seen as below.
The reversing & analysis of these files can’t be done within the firmware itself due to its very limited linux command support. It is hence imperative to extract or transfer these files to our system. This can be achieved by mounting an external disk upon the firmware as we see below or importing & executing netcat binaries from within the firmware.
Once firmware is extracted, we can reverse the firmware files to find vulnerabilities somewhat similar to how we did it in previous post.
II) Encrypted Traffic Interception:
Apart from finding vulnerabilities in the router firmware, the networking configurations can be altered for an MITM attack. The conventional way to do this is to replace certificate files as below. Although, depending upon the firmware this may not be the option & alternative chain of tools may be required to be leveraged.
Once MITM is set, as seen below we are able to intercept encrypted files.
III) Thirdly, we can also introduce a reverse shell like the one below.
This reverse shell however will be required to be compiled in a way that it can be executed by the ARM based firmware running a basic linux. This may require one to put efforts into the cross compilation, finding a suitable compiler. Further the execution of the compiled binary may require a tool chain so as to receive the shell from within the router like one below.
Such issues poses a significant risk in the supply chain security.