Dangerous ‘Misfortune Cookie’ flaw discovered in millions of home routers; Apple Airport routers unaffected

“Researchers at Check Point have discovered a serious security vulnerability affecting at least 12 million leading-brand home and SME routers that appears to have gone unnoticed for over a decade,” John E. Dunn reports for Techworld.

“Dubbed the ‘Misfortune Cookie’ flaw, the firm plans to give a detailed account of the issue at a forthcoming security conference but in the meantime it’s important to stress that no real-world attacks using it have yet been detected,” Dunn reports. “That said, an attacker exploiting the flaw would be able to monitor all data travelling through a gateway such as files, emails and logins and have the power to infect connected devices with malware. Man-in-the-middle attacks would also be possible, according to Check Point.”

“The precise source of the issue is not known – a chipset software development kit (SDK) is suspected – but Check Point warned that up to 200 unpatched models using the RomPager embedded web server software (which uses a remote service called TR-069) prior to version 4.34 were probably vulnerable,” Dunn reports. “Check Point estimates that at least 12 million devices are affected across the world but suggested this could be an underestimate. Given the popularity of RomPager and the list of affected brands – D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL sold mainly to home users – such pessimism is realistic.”

Read more in the full article here.

Check Point’s “Misfortune Cookie” suspected vulnerable model list is here.
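The article’s one concrete technical marker is the RomPager version threshold (builds prior to 4.34). As an added example, not code from the article or from Check Point, here is a small Python check that parses the `Server` banner your own gateway returns on its admin page and flags a pre-4.34 RomPager build; the banner strings are constructed samples, the gateway URL is an assumption, and a banner check is only a heuristic alongside the vendor’s model list.

```python
import re
from urllib.error import HTTPError
from urllib.request import urlopen

# Check Point flags RomPager builds older than this as probably vulnerable
PATCHED_VERSION = (4, 34)

def parse_rompager_version(server_header):
    """Return (major, minor) from a RomPager banner, or None if it is not RomPager."""
    if not server_header:
        return None
    m = re.search(r"RomPager/(\d+)\.(\d+)", server_header)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))

def is_pre_4_34(server_header):
    """True only when the banner names a RomPager build older than 4.34."""
    version = parse_rompager_version(server_header)
    return version is not None and version < PATCHED_VERSION

def check_own_gateway(url="http://192.168.1.1/", timeout=5):
    """Read the Server header from your own router's admin page (URL is an assumption).

    Many routers answer with 401 before login; the headers are still present on the
    error response, so that case is handled rather than treated as a failure.
    """
    try:
        with urlopen(url, timeout=timeout) as resp:
            banner = resp.headers.get("Server", "")
    except HTTPError as err:
        banner = err.headers.get("Server", "")
    return banner, is_pre_4_34(banner)

# Constructed sample banners, not captured from real devices
SAMPLE_BANNERS = [
    "RomPager/4.07 UPnP/1.0",
    "RomPager/4.34",
    "Allegro-Software-RomPager/4.51",
    "lighttpd/1.4.35",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        verdict = "pre-4.34 RomPager" if is_pre_4_34(banner) else "not flagged"
        print(f"{banner!r} -> {verdict}")
```

If your gateway is flagged, the article’s advice still applies: confirm the model against the vendor’s list and ask the manufacturer or ISP for a patched firmware.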

13 Comments

  1. Yeah, I love “locked down” Apple hardware!

    The cost of dealing with a data breach, reinstall, upgrades in security, etc. on Windows costs one heck of a lot more than any extra hardware cost of Apple’s equipment.

    1. But I wanted to root my Airport router and Apple won’t let me. All the cool high-tech guys root every device they own. Something about freedom of expression. Everyone says Apple runs a Fascist company where individual human rights are ignored. I want to have my devices vulnerable to attacks. I want the right to live dangerously. I must have a D-Link router and I dare some two-bit hacker to attack my network.

      /s

    1. My understanding is that it is entirely possible. But I have not yet seen this showing up in cable modems of which I’m aware.

      One trick to use to find out what hardware you have inside is to use a utility like iStumbler (which is free to use for 5 minutes), find your Wi-Fi router on the list and note what hardware “Vendor” is listed. Then compare your hardware vendor to the current list of ‘Misfortune Cookie’ bug affected hardware.

      Even then, it’s not yet clear what hardware was sold patched and what was not. This will be figured out with time. For now, if your hardware vendor isn’t listed, you’re probably good to go!

      Example:
      I own a Motorola Wi-Fi cable modem. It incorporates Gemtek hardware for Wi-Fi. Gemtek is NOT on the hardware bug list, so I can assume I’m unaffected.

      1. Excellent post and thanks for the information. However, does this mean that only routers with inbuilt WiFi are potentially vulnerable? Anyone using ethernet only would be safe?

        If I’ve understood it right, it seems that the vulnerability is mainly via the remote access management which ISPs often set up. Would it be sufficient to simply disable this? Assuming of course that the ISP hasn’t locked it down so as to be inaccessible.

        1. Good clarification. No one is yet saying to turn anything off. Supposedly, this is not being exploited in the wild. Instead, people are being told to contact their router manufacturer to find out if their model of device is affected or has already been patched. If it is affected, ask when the patch will be available, or where it is already available.

  2. Excellent MDN! Thanks for the post.

    The list is well worth reading. Just keep in mind that it isn’t complete. But it’s a huge start for understanding what equipment has this potentially nasty PWNing bug. The most popular routers on the list are from D-Link. Their routers seem to never catch a break and have to be the worst-in-class hardware available at this point.

  3. I have recently purchased an Apple AE, so I have options. However, I also have a Netgear gaming router that concerns me. If you know or suspect Netgear, I would like to know, so I can put it in the trash. However, since it wasn’t listed, I am going to have to do more research. I have followed the rule to install the most current firmware on all routers. Technically they have a security lifespan. You should replace your router every two years, for the very reason of discovered vulnerabilities.

    Don’t cheap out on home security.

  4. I DD-WRT’d my home router long ago, and recommend others do the same if they have any tech knowledge worthy of the name. Much better to have something you can control every aspect of, even down to scripting functions. Of course I still have a Time Capsule hanging off the back of it to do the Wi-Fi though. Can’t argue with 800Mbps over-the-air transfer speeds.
