router, Vulnerability

rouge-router-firmware                             200 K Online Home Routers Affected Worldwide (approximately)

There are more than 3 Billion internet users worldwide. With the growth of internet users, home router sales also have increased. But sadly the security risk in home routers has been raised rapidly.

There is an ongoing war between Red Team and Black team. They both are trying to find the security issues of the home router. Previously, different security issues have been identified in home router by security researchers and nobody seems to be concerned about these issues. Default credentials in online devices already are playground for ‘crackers’.

Before revealing our research, let’s see how this security issue can be used by an attacker.


The picture Above IS the typical home router Attack Scenario where an attacker CAN hack the router and CAN Hijack the DNS session. So if A home router IS hacked then the PC’s or Devices Connected to the router Could BE compromised Easily. Our Security Researcher Nabin KC  ( AttoN_Cnew ) HAS published his white paper Regarding this Issue . Here IS A demonstration That How A hacked router CAN BE USED to compromised PCs inside NAT.

The Story of a Discovery

Let’s begin with Our Story of discovery. It WAS A usual Day in Our Office and my COLLEAGUE Nabackdoorbin KC WAS busy with his Research. But he HAD problems to Connect to Internet. One of the routers That we USED for lab purpose WAS A home router and was giving severe pain for us. Every time we use nmap for scanning purpose, that router faced a bottleneck issue.

So Nabin with Motive to Eliminate the Issue, he tried to upload Another Open source router firmware but he failed. And he Thought of an idea to reverse ENGINEER the router firmware USED in Our lab. But Surprisingly he Discovered A hard-coded backdoor username and password and it’s ” super

Hard-coded Backdoor

After getting this backdoor information, we got mixed feelings. Either we might have been pwned or there was something wrong with the firmware. The latter was highly likely in this case. So I started my research and tried to find the root cause. I never I found the answer that how this firmware came to existence but discovered many hidden things revolving around this firmware.

During our research, we tried to find the similar security issues in another model. And surprisingly what we found was that the same firmware have been implemented by the other routers vendors, too. More than 10 major router vendors have been using this same backdoor affected firmware.


. We also found several unregistered and unknown router vendors that have been using this same firmware Here is the list of affected router vendor and their router model name:


Alpha Network


Planet Networks





Blue Link

We also found many forged routers that have been using the same affected firmware.

digicom1-265x300 digicom-2-298x300 digicom-1-300x295 realtek-1-300x225 realtek-300x240

So after three months of extensive research, we found out that more 200,000 home routers (online) have been affected by this same router firmware all over the world. So from this calculation we can say approximately half a million devices (combining offline and online) It is affected.

Moral of the Story

Every user need to know Their Devices and vendor before Purchasing.
Creating A hard time for an attacker IS Always A win win situation. Use as much defense as you CAN.
As an end user, the best way to BE Protect your home router IS to disable the Remote Web Management console if you do not need it. There’s no way you can change the backdoor-ed username and passoword.

And the last options is to use Open Source firmware if your device supports (eg. OpenWrt)

Public Disclosure

Above the Research Have Been recently Presented in International Conference on Cyber Security and Cyber Law 2015 (Feb 21) by Nabin KC and Bijay Limbu Senihang Held at Hotel Yak and Yeti, Kathmandu Nepal. Please View the Slide here .

PS Router Vendors Have Been informed about this Issue. Only TREDNET HAS replied till Date.