DOI: 10.1145/3634737.3637671
Research article, Open access

Exposed by Default: A Security Analysis of Home Router Default Settings

Published: 01 July 2024

Abstract

With ubiquitous Internet connectivity, home routers have become a cornerstone of our digital lives, often deployed with minimal changes to the factory default settings. However, if left unexamined, these settings can pose risks to user security and privacy. To systematically evaluate potential risks, we developed a threat model-based framework and conducted a comprehensive analysis of 40 commercial off-the-shelf home routers, representative of recent models across 14 brands. We surveyed 81 parameters and behaviors, including default and deep default settings. We identified a variety of security flaws, including the exposure of IPv6 local devices due to a lack of firewall protection, vulnerable Wi-Fi security protocols, open Wi-Fi networks and trivial admin passwords for "plug-and-play" routers, and unencrypted firmware update communications. We also discovered concealed WPS PIN support, at times associated with a trivial PIN. In total, we are reporting 30 exploitable vulnerabilities to the vendors. This paper highlights the need for heightened scrutiny of default router settings, providing valuable insights to both manufacturers and consumers for enhancing home network security. Our findings underscore the importance of meticulous device configuration, advocating for proactive measures from all stakeholders to mitigate the threats posed by insecure router default settings.
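The abstract notes that WPS PIN support is sometimes left enabled (and concealed) and is sometimes paired with a trivial PIN. The following Python is an added example, not code or data from the paper, showing why a WPS PIN is a weak secret regardless of the value chosen: the 8-digit PIN carries a checksum digit that anyone can compute from the other seven, and the WPS registrar exchange lets an attacker posing as an external registrar learn whether each half of the PIN is correct separately (the access point answers M4 with M5 only if the first four digits are right, and M6 with M7 only if the last four are), so the online guessing space is at most 10^4 + 10^3 = 11,000 attempts rather than the 10^7 valid PINs (Viehböck, 2011). The checksum rule is the one in the WPS specification; the list of "trivial" prefixes and the sample PIN values are constructed for illustration.

```python
"""Added example (not code from the paper): structure of a WPS PIN and the
size of the online guessing space. The checksum rule follows the WPS
specification; TRIVIAL_PREFIXES is a constructed illustration, not the
paper's data."""

from itertools import chain
from typing import List


def wps_checksum_digit(first7: str) -> int:
    """Return the checksum (8th) digit for a 7-digit WPS PIN prefix.

    Per the WPS specification, digits at positions 1, 3, 5 and 7 are
    weighted 3 and positions 2, 4 and 6 are weighted 1; the checksum
    digit makes the weighted sum a multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = 0
    for i, ch in enumerate(first7):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def online_bruteforce_worst_case() -> int:
    """Upper bound on guesses against an AP that reveals which half failed.

    The AP acknowledges the first four digits (M4 -> M5) before the last
    four are checked (M6 -> M7), and the 8th digit is fixed by the
    checksum, so the attacker searches 10**4 + 10**3 candidates instead
    of the 10**7 valid PINs (Viehböck, 2011).
    """
    return 10**4 + 10**3


# Constructed list of prefixes a careless default might use; not the paper's data.
TRIVIAL_PREFIXES = ("1234567", "0000000", "1111111", "8888888", "7654321")


def is_trivial_pin(pin: str) -> bool:
    """Flag valid PINs an attacker would try first: listed or single-digit prefixes."""
    if not is_valid_wps_pin(pin):
        return False
    prefix = pin[:7]
    return prefix in TRIVIAL_PREFIXES or len(set(prefix)) == 1


def candidate_pins(limit: int = 20) -> List[str]:
    """Valid PINs in the order a guesser would try them: trivial prefixes
    first, then ascending numeric order, without duplicates."""
    seen = set()
    out: List[str] = []
    # Lazy so that a small limit never materialises all 10**7 prefixes.
    prefixes = chain(TRIVIAL_PREFIXES, (f"{n:07d}" for n in range(10**7)))
    for prefix in prefixes:
        if prefix in seen:
            continue
        seen.add(prefix)
        out.append(prefix + str(wps_checksum_digit(prefix)))
        if len(out) >= limit:
            break
    return out


if __name__ == "__main__":
    # Constructed sample PINs; 12345670 is the well-known valid example PIN.
    for pin in ("12345670", "12345678", "11111111", "00000000"):
        status = "valid" if is_valid_wps_pin(pin) else "invalid checksum"
        flag = " (trivial)" if is_trivial_pin(pin) else ""
        print(f"{pin}: {status}{flag}")
    print("worst-case online guesses:", online_bruteforce_worst_case())
    print("first candidates a guesser tries:", candidate_pins(8))
```

The practical takeaway for an auditor is that a router advertising WPS in its beacon (or answering WPS probe requests even when the UI hides the setting) should be treated as PIN-brute-forceable unless the vendor has implemented lockout, and a PIN that `is_trivial_pin` flags removes even that small cost.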


Cited by

  • Exposed by Default: A Security Analysis of Home Router Default Settings and Beyond. IEEE Internet of Things Journal 12(2):1182-1199, published online 15 January 2025. DOI: 10.1109/JIOT.2024.3502405


Published in

ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, July 2024, 1987 pages. ISBN 9798400704826. DOI: 10.1145/3634737.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author tags

  1. home router
  2. default settings
  3. manual analysis


Acceptance rate

ASIA CCS overall acceptance rate: 418 of 2,322 submissions (18%)
