Saturday, 16 February 2013

Security of embedded devices - saved config

Many routers offer the ability to save a configuration file, to restore to the router later. This can serve as a backup. However, it also exposes the config of your router to anyone who might have access to your computer. There are much easier attack vectors for routers, but this is definitely one of them. I have tested with two routers, the Belkin F5D7230-4 and the Apple AirPort Extreme 802.11g.
The Belkin revealed the WPA password, network name, DHCP leases, everything really apart from the admin password to the router itself, all in cleartext. Anyone who might gain access to your computer essentially has your router's config. This is what I expect from Belkin which don't make the best quality routers.
The AirPort offered the ability to encrypt the file however it wasn't selected by default, and even if I did, all that was encrypted was the actual password to the router and the WPA2 password. All the other info was available, and changeable. For example, if you had access, you could change values in the config file and reset the router, causing the person to re-upload their config file which had your settings changes in it (or alternatively, you could just use AirPort Utility as it saves your password).
The unencrypted file revealed the WiFi password however didn't reveal the base station password.
Overall, this isn't a major attack vector however I would encrypt these files if you can and also take care when allowing physical access to devices as once you have physical access, you can gain access to the system.

No comments:

Post a Comment