Anywhere that multiple computing devices share a single Internet connection there is a router. Recently routers from Linksys, Netgear, Cisco and others were found to have a huge security flaw. This is the third widespread router vulnerability in the last few years.
Back in December 2011, the WPS system was shown to have a design flaw that rendered every router using it vulnerable to attack. To this day, routers need to implement WPS to get certified. Nothing was ever done to fix the design, so routers running WPS remain vulnerable. Chances are you can disable WPS but good luck verifying it. In retrospect, we have to wonder if it really was a design flaw, or, if the design was influenced by a spy agency.
In January 2013 security firm Rapid7 warned about UPnP programming errors that left millions of routers vulnerable to attack. This followed the October 2011 warning from CERT and Daniel Garcia about routers that responded to UPnP commands over the Internet. UPnP was designed for LAN use only, so enabling it over the Internet was either a huge mistake or purposely done to enable spying.
Now we have port 32764.
In this context, a port is TCP/IP concept. TCP/IP is the group of communication protocols used both on the Internet and Local Area Networks (LANs).
Computers on a TCP/IP network function as either a client or a server. Client computers make requests that server computers respond to. You are seeing this web page because your browser acted as a client and requested it from a Computerworld server.
Desktops, laptops and tablets are almost always clients. Software firewalls are designed to prevent a client computer from accidentally acting as a server and responding to unsolicited input.
What makes a computing device a client or a server is not the hardware or the operating system, but the installed software.*
Server computers use TCP/IP ports to offer multiple services from a single machine. Each service is assigned a unique port number. TCP/IP allows for 65,535 ports.**
When you go a website with HTTP, your browser connects to port 80 on the server running the website. Visit the site securely, with HTTPS, and your browser connects to port 443 instead. When the webmaster updates the site, they may use an FTP program that connects to the same server on port 21.
When an unsolicited incoming request hits a router, it either ignores it, processes it itself or passes it along to one of the computers on the LAN. Most likely, the request is ignored.
One case where the router processes the request directly is remote (a.k.a. WAN) administration, an optional feature that lets someone login to a router over the Internet. Since this is seen as a security risk, it is typically disabled by default. Another exception is a router that lets you plug a storage device into a USB port and it makes files on the device available over the Internet.
WPS (by design) and UPnP (an apparent mistake) are other instances where the router directly responds to commands thrown at it.
Passing an unsolicited incoming request to a computer on the LAN is referred to as port forwarding. All server software requires this, as do some types of remote control software.
ShieldsUP!
Years ago, before routers and firewalls were in widespread use, Steve Gibson introduced a service on his website called ShieldsUP. Although originally designed to look for vulnerable services on Windows computers, we can now use ShieldsUP to test how ports are handled by a router.
Gibson, a good guy, does what the bad guys do; his server will send your router unsolicited connection requests on assorted ports. But rather than try to compromise your router, he merely displays the results.
With ShieldsUP ports are either open, closed or stealth. Think of it as knocking on someones front door.
An open status means the person inside opened the door. A closed status means the person inside yelled "Go away". You know someone is home, but they don't open the door. A stealthed port is the most secure, not only is it closed, but it doesn't respond at all. Maybe someone is behind the door, maybe not.
As a rule, we want the ports in our router to be stealthed (closed is probably O.K.).
Requests sent to an open port may either be processed directly by the router or forwarded to a computer on the LAN.
ShieldsUP is limited, however, in the number of ports that it tests. Most port scans are. Some ports have standardized functions (like the just mentioned 21, 80 and 443) but most do not.
ShieldsUP hits the high points. It offers a few different options that each test a different group of ports. Gibson targets the most popular and the most abused ports (be it from a decade-old Windows perspective).
There are roughly 64,000 ports that are not tested by ShieldsUP. One of them is 32764.
On a LAN, testing all 65,535 ports is a more do-able thing.
Recently Eloi Vanderbecken did just that on his home network and turned up something interesting. His Linksys WAG 200G router responded to the virtual knock on the front door for port 32,764. The port was open and the router itself (not a computer on his LAN) was processing data sent to it.
This was not the first such finding in a home router. Back in September of 2007, someone found that port 32764 was open on a Netgear router and asked on LinuxQuestions.org what the port was used for. No one knew back in 2007. Now we do.
Vanderbecken examined the Linksys firmware and figured out that he could send his router about a dozen different commands. These commands gave him full control over the router. Passwords? We don't need no stinking passwords.
Since Vanderbecken published his results, routers from other companies have been found to have the same security flaw (responding to commands sent to port 32764).
In addition, while Vanderbecken found port 32764 open on the LAN side of his router, others have reported routers with port 32764 open on the WAN/Internet side. You have to wonder how many spy agencies knew about this.
TEST YOUR ROUTER FROM THE OUTSIDE
Back when the UPnP flaw first made news, Steve Gibson created a dedicated test within ShieldsUP that checked for the flaw in your router (there is no direct link to his UPnP test, look for the big orange button). Now, he has done the same for the port 32764 issue. Simply go to
https://www.grc.com/x/portprobe=32764
to have Gibson test if your router responds to requests on port 32764. Everyone should run this test.
If all goes well, the status of port 32764 on your router should be "Stealth". Closed is probably OK. Open is very bad news.
TEST YOUR ROUTER FROM INSIDE
In addition to testing the WAN/Internet side of a router, we also need to test from the inside, from the LAN side.
This can be done with any web browser, but it requires the LAN side IP address of the router. Back in September, I blogged about how to Find the IP address of your home router.
IP addresses are four decimal numbers, each less than 256, separated by periods. The most common IP addresses are probably 192.168.1.1, 192.168.2.1 and 192.168.0.1.
From any computing device on the LAN, enter the routers IP address in the address bar of a web browser, followed by a colon, followed by the port number. Below is a typical example
HTTP://192.168.1.1:32764
No response, is a good response.
If port 32764 is correctly closed, different browsers will issue different error messages. In my tests, I saw
- The webpage cannot be displayed
- This web page is not available
- Unable to connect
- The connection has timed out
- The server is taking too long to respond
- Cannot open the page
You can verify the IP address of the router by omitting the colon and the port number. That is, try
HTTP://192.168.1.1
If the IP address is correct, you should be prompted to enter a userid and password.
A router that accepts commands on port 32764 will respond with text that includes "ScMM" or "MMcS". Here is a sample screen shot, thanks to Reddit.
IF YOUR ROUTER IS VULNERABLE
If your router responds on port 32764, get a new router.
I have seen suggested work-arounds, and discuss a couple below, but the Defensive Computing approach is to take the router out of service. With one exception.
The flaw is in the firmware of the router. Firmware is the router operating system. Many routers are capable of running alternative firmware. That is, rather than running Linksys developed firmware on a Linksys router, you can install open source firmware such as DD-WRT, OpenWRT or Tomato. Any given router may support zero, one or more alternate firmwares.
Like any software, alternative firmware is not necessarily perfect. If you go this route, you still need to test for WPS, UPnP and port 32764.
One suggested workaround I've seen is to setup a firewall rule to block port 32764.
This, however, gives the router conflicting instructions. Out of the box, it is programmed to respond on port 32764, while the firewall rule says not to. There is no way to know which of these conflicting rules the router will honor and which it will ignore. Plus, a new release of the router firmware may well change the way it deals with this conflict. In testing, at least one person reported that this did not work for them. Finally, the firewall only applies to the WAN/Internet side of the router, it does not protect the LAN side.
Another suggestion I've run across is to setup port forwarding and forward port 32764 to an invalid IP address.
Here again, the router is given conflicting rules for incoming connections on port 32764 and how it deals with this may change over time. And, as with the firewall suggestion, it only protects the WAN side.
Another problem with both of these suggestions is that, even if they work, the configuration change (a firewall rule or port forwarding) may get wiped out by a firmware upgrade. One person reported that their configuration tweak was lost when they power cycled their router.
Replacing the router is the safest and easiest option.
One problem however, with replacing the router, is that it may not be a stand-alone device. Many ISPs give their customers a single box that functions as both the modem and the router. From a Defensive Computing standpoint, it's preferable for the modem and the router to be separate boxes, for a number of reasons. Being able to replace just the router, and installing alternate firmware, are two of those reasons.
If you start with a single device, adding a router requires that the ISP-provided modem/router be dumbed down to function as just a modem. In my experience, the ISP called this "bridge mode" and it was something they could do from their end.
While WPS, UPnP and Port 32764 are widespread issues, many routers have their own unique bugs. If nothing else, let this particular scare be a reminder to periodically check for updated firmware for your router.
Some routers make this easy, the upgrade can be done solely within the administrative user interface. With other routers you have to manually search the manufacturers website to determine if there is a newer firmware and then hope that the upgrade procedure is correctly documented. I recall one router manufacturer that left out the fact that the downloaded firmware was compressed and needed to be uncompressed before it was uploaded to the router. Oops.
UPDATE: Jan. 29, 2014. Cisco has released updated firmware for their RVS4000, WRVS4400N, WRVS4400N and WAP4410N routers. See articles from Tripwire and Cisco.
*A given computer can function as both a client and a server, depending on the context. For example, when a Windows computer is remotely controlled with Windows Remote Desktop, the controllee machine is functioning as a server, and the controller is functioning as the client.
**Technically, there are twice this number as both TCP and UDP each have their own 65,535 ports.