Saturday, December 20, 2014
Misfortune Cookie Flaw Puts 12 Million Routers at Risk
Researchers at the security software company Check Point say they’ve discovered a serious vulnerability lurking inside the routers and modems used to deliver Internet connectivity to 12 million homes and small businesses around the world, and it’s going to be a complicated matter to fix it.
Dubbed the Misfortune Cookie, the weakness is present in cable and DSL modems from well-known manufacturers like D-Link, Huawei and ZTE, and could allow a malicious hacker to hijack them and attack connected computers, phones and tablets. An attacker exploiting Misfortune Cookie could also monitor a vulnerable Internet connection, stealing passwords, business data or other information. Check Point didn’t disclose how an attack might be carried out. Spokespeople for D-Link, Huawei and ZTE had no immediate comment on the vulnerability.
In an interview with Re/code, Shahar Tal, a researcher at Israel-based Check Point, said the company traced the vulnerability to a programming error made in 2002. That error originated with Allegro Software, the Massachusetts-based developer of RomPager, which unwittingly introduced it into the widely used embedded Web server.
“It was a very simple error that seemed benign at first,” Tal said. “When we took it back to the company, they seemed surprised. The severity was not something they expected.”
The list of devices affected by Misfortune Cookie includes some 200 products from more than 20 companies. All told there are more than 12 million devices with the vulnerability in use today, including some that were manufactured as recently as this year. And yet to date, no real-world attacks using Misfortune Cookie have been detected.
Reached for comment, Allegro Software downplayed the severity of the vulnerability and its responsibility for it. “It’s a 12-year-old bug that was fixed nine years ago,” said CEO Bob Van Andel. He conceded, however, that many of Allegro’s customers haven’t bothered to install the code that protects RomPager against Misfortune Cookie — nor can the company force them to do so.
“There is no contractual obligation on the part of our customers to use the latest code,” Van Andel said. “We have more than 300 customers. Some of them keep up on the maintenance of the code we sell them, but the vast majority do not. They run their own insurance risk when they make that decision.”
So what’s to be done if you suspect your router or modem is among those affected by Misfortune Cookie? Tal suggests calling the manufacturer or the company that provided the equipment and requesting an upgrade.