Wi-Fi (wireless) routers are the gateway between computers and smart devices and the Internet. Just as the entrance and exit doors of a home must always be properly locked to keep intruders out, the same care should be taken with our Wi-Fi routers.

To identify possible vulnerabilities, researchers analyzed the following routers: TP-LINK TL-WR849N v6, TP-LINK TL-WR940N v5, D-LINK DIR-819 A3, Intelbras NCLOUD and Tenda F3. Each device was connected to a DHCP server through its WAN port (external access), and the Nmap tool was used to scan each of the 65535 possible ports for exposed services.

The same tests were carried out on the LAN port of each device to detect possible vulnerabilities on the local network. Analysis of the LAN (internal access) side matters because malicious software can get into your local network through malicious emails, malicious web pages and software downloaded from unreliable sources.

To avoid false alarms, all tested models had their firmware versions updated to the latest version made available by the manufacturer.

Security analysis against external attacks, via the WAN port

The first analysis covered external attacks against the router, that is, attacks that any hacker on the Internet could carry out without having to enter the local network first. Using the Nmap tool and consulting security vulnerability databases such as VulDB and ExploitDB, the following results were obtained for each device's WAN port:

Model – Result

TP-LINK TL-WR849N v6 – No vulnerability detected

TP-LINK TL-WR940N v5 – No vulnerability detected

D-LINK DIR-819 A3 – No vulnerability detected

Intelbras NCLOUD – Ports 53, 6352 and 7777 open. 2 vulnerabilities detected.

Tenda F3 – No vulnerability detected

Vulnerabilities were identified in the Intelbras NCLOUD router, which exposes its DNS and uPnP services to the Internet. A check of the Intelbras support web page for a newer firmware version for this model found no correction. The safe alternative for users of this model is to add firewall rules for each of these ports, blocking external access.

Security analysis against internal attacks, over LAN port or over Wi-Fi

This type of attack can happen through e-mails with suspicious content, web pages infected with malicious content and also through programs downloaded from unreliable sources (pirate programs, for example). Through a computer connected to the LAN port of each of these devices, the same scan was carried out using the Nmap tool, in addition to consulting databases of security vulnerabilities such as VulDB and ExploitDB. The following results were obtained:

Model – Result

TP-LINK TL-WR849N v6 – No vulnerability detected

TP-LINK TL-WR940N v5 – Port 22 (SSH): 5 vulnerabilities

D-LINK DIR-819 A3 – Port 22 (SSH): 3 vulnerabilities

– Port 34938 (uPnP): 6 vulnerabilities

Intelbras NCLOUD – Port 53 (DNS): 10 vulnerabilities

– Port 80 (HTTP): 4 vulnerabilities

– Port 6352 (uPnP): 1 vulnerability

– Port 7777 (uPnP): 1 vulnerability

Tenda F3 – Port 80 (HTTP): 5 vulnerabilities

In this analysis, it is important to note that SSH is a service for specialized access and should not be available for common use on the local network. HTTP and uPnP services are, in the vast majority of routers, available to the local network. Attention must be paid, however, to the large number of vulnerabilities detected. The programs that provide these services on the router are often extremely outdated, which makes security vulnerabilities easier to find and exploit.

Lag in the version of services installed on routers

Through the Nmap tool, we were also able to obtain the version of some services installed on the routers. These services are responsible for providing common router functionality, such as DNS and uPnP. Old and outdated versions are dangerous as they are heavily exploited by hackers and have a greater number of security vulnerabilities exposed on the Internet. See, for example, the version and publication date of the services of some of the routers we evaluated.

Model – Service, version and release date

TP-LINK TL-WR849N v6 – uPnP service: 1.6.19. Released on 5/9/2012

TP-LINK TL-WR940N v5 – SSH service: 2012.55. Released on 02/24/2012

D-LINK DIR-819 A3 – SSH service: 0.51. Released on 3/27/2008

– HTTP Service: 1.19. Released on 12/19/2003

– uPnP service: 1.0. Released on 01/28/2008

Intelbras NCLOUD – DNS Service: 2.40. Released on 8/29/2007

– uPnP service: 1.6. Released on 8/4/2011

It is worth remembering that all evaluated models began to be sold in Brazil after 2016. Therefore, some services have more than 10 years of lag in relation to the current version. Updated versions are always important as they have more security vulnerability fixes.
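The WAN and LAN checks described above can be repeated on your own router and triaged automatically. The following is an added example, not the researchers' tooling: it parses Nmap's grepable output (as written by `nmap -p- -sV -oG <file> <router-ip>`) and applies the article's two rules, that nothing should answer on the WAN side and that SSH should not be offered to ordinary LAN clients. The sample scan lines and the function names are constructed for illustration.

```python
"""Added example: triage Nmap grepable (-oG) output from WAN- and LAN-side scans."""

# Constructed sample output (not the article's raw data), in the shape Nmap
# writes with -oG. Addresses are documentation/private ranges.
WAN_SCAN = (
    "Host: 203.0.113.10 ()\tPorts: 53/open/tcp//domain//2.40/, "
    "6352/open/tcp//upnp//1.6/, 7777/open/tcp//upnp///\tIgnored State: closed (65532)\n"
)
LAN_SCAN = (
    "Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//2012.55/, "
    "80/open/tcp//http///, 1900/filtered/tcp//upnp///\n"
)

# Policy taken from the article: HTTP and uPnP are normal on the LAN side,
# SSH is not meant for common use there.
LAN_UNEXPECTED = {"ssh"}


def parse_gnmap(text):
    """Yield (host, port, proto, service, version) for every open port."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and "Status:" lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = next(f for f in fields if f.startswith("Ports:"))[len("Ports:"):]
        for entry in ports.split(","):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) >= 7 and parts[1] == "open":
                yield host, int(parts[0]), parts[2], parts[4], parts[6]


def triage(text, side):
    """Return (port, service, version, reason) findings for a 'wan' or 'lan' scan."""
    findings = []
    for _host, port, _proto, service, version in parse_gnmap(text):
        if side == "wan":
            reason = "reachable from the Internet; block on the WAN firewall"
        elif service in LAN_UNEXPECTED:
            reason = "management service exposed to LAN clients"
        else:
            continue  # expected LAN service; still check its version by hand
        findings.append((port, service, version or "unknown", reason))
    return findings


if __name__ == "__main__":
    for side, scan in (("wan", WAN_SCAN), ("lan", LAN_SCAN)):
        for finding in triage(scan, side):
            print(side.upper(), *finding, sep=" | ")
```

The version column is what Nmap reports with `-sV`; comparing it against the vendor's current release shows the kind of lag listed in the table above.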

Conclusion

Keeping your router up to date is essential for preventing security vulnerabilities. However, many times the manufacturer itself does not update the firmware of its routers, leaving known vulnerabilities exposed in the open network (Internet) as well as in its local network.
