The report demonstrates that many commonly available routers are not secure and are vulnerable to cross-router data leaks, arising from malicious attacks. It is common for routers aimed at businesses and consumers to provide two or more network options. For businesses this could be one for employees and one for clients; at home, this offering is typically one for the family and another for o visitors.
While the business or family will seek to connect all of their sensitive smart home and computer devices to their setting, it remains that the router intended for visitors is designed for less sensitive data. These findings come from the Ben Gurion University (BGU) Department of Software and Information Systems Engineering.
These dual settings present vulnerabilities, and more so with the guest functionality. Discussing the concerns with Laboratory Roots, lead researcher Adar Ovadya states: “All of the routers we surveyed regardless of brand or price point were vulnerable to at least some cross-network communication once we used specially crafted network packets.”
He adds that, as a solution: “A hardware-based solution seems to be the safest approach to guaranteeing isolation between secure and non-secure network devices.”
The new research, which has examined the commercial routers, has been presented at the 13th USENIX Workshop on Offensive Technologies (WOOT), which took place in mid-August 2019. The workshop considered a range of topics pertaining to computer security. Each of the vulnerabilities has been made available to the device manufacturers, so that they can begin to initiate, should they opt to, some improvements.
The objective of the study was to address network separation and network isolation in organizations; plus, to consider how such critical components are needed for businesses to maintain their security policy.
The study also shows the existence of varying levels of cross-router covert channels which have the potential to be combined or exploited to control malicious implant or to exfiltrate and steal the data.
These are key findings in terms of how organizations manage data traffic, especially in relation to handling both sensitive data and less sensitive data.
