If you see the alert above after running a Network Inspector scan, your router contains a serious vulnerability that could allow an attacker to take control of your network. This makes all of the devices connected to your network vulnerable.
Newer versions of your router's firmware may contain a fix for this issue. Routers do not typically run updates automatically, so you need to manually download and install any available updates.
Consult the documentation for your router model for instructions on how to download and install firmware updates. If updated firmware is not available, contact the manufacturer of your router to request that they provide a firmware update as soon as possible.
The affected router is running an outdated version of the RomPager software from AllegroSoft, which is known to have an error in its HTTP cookie management mechanism. A remote attacker could exploit this vulnerability by sending specially crafted HTTP cookies to the router that corrupt the router's memory, allowing the attacker to bypass your security and gain full administrator privileges. This potentially allows the attacker to perform any of the actions below:
On December 18, 2014, security researchers from Check Point Software Technologies issued an alert about a critical vulnerability found in select residential and small business routers. An estimated 200 models and over 12 million routers are affected. Pakedge routers are not affected by this vulnerability.
Millions of small office and home (SOHO) routers are affected by a critical security bug that can be exploited by a remote attacker to hijack the devices, Check Point revealed on Thursday.
Check Point has identified a total of 12 million vulnerable routers spread out across 189 countries, but the company believes the actual number of affected devices could be even higher. In certain countries, 50% of Internet users are likely affected, researchers said. The list of vendors whose products are affected includes Huawei, Edimax, D-Link, TP-Link, ZTE, and ZyXEL.
The Misfortune Cookie is a byproduct of an error within the HTTP cookie management mechanism (hence the name) present in affected software. This vulnerability allows intruders to remotely take over WiFi routers and gateways, gain administrative privileges, and use them to attack home and business networks.
Determining precisely which routers are vulnerable is a vexing undertaking. Devices frequently don't display identifying banners when unauthenticated users access them, and when such banners are presented, they often don't include information about the underlying software components. Beyond that, some device manufacturers manually patch the bug without upgrading the RomPager version, a practice that may generate false positives when automatically flagging all devices running versions prior to 4.34. To work around these challenges, Check Point researchers performed a comprehensive scan of Internet addresses that probed for vulnerable RomPager services. The results showed that 12 million unique devices spanning 200 different models contained the bug. Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.
The risk stemming from the vulnerability goes well beyond attackers being able to monitor unencrypted data. It also includes attackers using a hijacked router to infect connected computers and Internet-of-things devices. Normally, a router acts as a firewall that filters out such remote attacks. A router affected by the Misfortune Cookie bug could instead become a beachhead for attacking the rest of a local network.
One of the biggest router disclosures came last December when Check Point Software Technologies published details on a vulnerability it called Misfortune Cookie. The flaw affected more than 12 million devices running an embedded webserver called RomPager; the vulnerability could give an attacker in man-in-the-middle position access to traffic entering and leaving routers built by most manufacturers. An attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.
Then there's Misfortune Cookie, which in 2014 affected at least 12 million devices on the internet. The vulnerability is in a RomPager webserver running inside many routers to provide an admin interface. "Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state." I don't understand why the web server for the admin interface of a router has to be visible to the internet in the first place... I was unable to find out whether my modem or router are affected by this.
I consider this question too broad for a good but small enough answer. Fortunately, there is already a website out there which addresses your problem in a very extensive way and which is kept up to date about new problems: routersecurity.org. There you will find a security checklist for things you need to watch out for, current bugs in existing routers, an extensive introduction to the topic, and lots of links to external resources for even more information. There is no need to replicate all this information here, so please have a look there.
Apart from that, it often helps to search for your specific router model together with the words "vulnerability", "exploit" or "security". You might also just use the name of the vendor instead of the exact model for this search, since some vendors have a bad security record while others have a good one. If you really don't find any information about your router model online, it might just be so insignificant that it is probably vulnerable but nobody cared to look (yet).
This test attempts to connect to port 7547 on your home router to see if it is listening; it grabs the response from that port and analyzes it. It is quite safe, and if your port 7547 is publicly available, it already receives many scans like this every day from hackers and security professionals.
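As an added illustration of the version-based check that the scans described above rely on (this is example code, not the Wordfence test, Check Point's scanner or any vendor's tool): a small Python helper that fetches the HTTP banner from port 7547 on a single host, parses the RomPager version out of the Server header, and reports a pre-4.34 build only as "possibly vulnerable", because some vendors back-port the fix without changing the version string. It assumes the service answers HTTP with a Server header naming RomPager; the host, the port default and the sample banners are constructed for the example.

```python
import re
import socket
from typing import Optional, Tuple

# RomPager builds before 4.34 are the ones the scans on this page flag.
FIXED_VERSION = (4, 34)
SERVER_RE = re.compile(r"^Server:[ \t]*(.+?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)
ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

def grab_banner(host: str, port: int = 7547, timeout: float = 3.0) -> Optional[str]:
    """Fetch raw HTTP response headers from one host:port (e.g. your own router).
    Returns None when nothing is listening or the connection times out."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(4096)
    except OSError:
        return None
    return data.decode("latin-1", errors="replace")

def rompager_version(response: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a RomPager Server header, else None."""
    header = SERVER_RE.search(response)
    version = ROMPAGER_RE.search(header.group(1)) if header else None
    if not version:
        return None
    return int(version.group(1)), int(version.group(2))

def classify(response: Optional[str]) -> str:
    """Verdict for a raw response. 'possibly_vulnerable' rather than 'vulnerable'
    because, as noted above, some vendors back-port the fix without bumping the
    RomPager version string, so a pre-4.34 banner is a lead, not proof."""
    if response is None:
        return "not_listening"
    version = rompager_version(response)
    if version is None:
        return "no_rompager_banner"
    return "possibly_vulnerable" if version < FIXED_VERSION else "patched_version"

# Constructed sample banners (not captured from real devices).
SAMPLE_OLD = "HTTP/1.0 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n\r\n"
SAMPLE_NEW = "HTTP/1.0 200 OK\r\nServer: RomPager/4.51 UPnP/1.0\r\n\r\n"
SAMPLE_OTHER = "HTTP/1.1 404 Not Found\r\nServer: mini_httpd/1.19\r\n\r\n"

if __name__ == "__main__":
    for name, banner in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)):
        print(name, classify(banner))
    # To check your own router from outside your LAN: classify(grab_banner("<your public IP>"))
```

A "not_listening" verdict is the outcome you want; a "no_rompager_banner" verdict still means port 7547 is reachable and worth closing if you do not need remote management.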
Yes. It will check whatever your public IP is for your mobile connection. So if you're using your home WiFi on a mobile device, it will check your home router as intended. If you're at a coffee shop, it will check their router. If you're connected via a VPN, it will check the exit node for the VPN, not your home router. If you're at the office, it will check the public IP for your office connection and if that's a router, it will let you know if that is insecure.
Yes, we think these routers were exploited via Check Point's Misfortune Cookie vulnerability. I haven't read the post you linked to yet but can see MC referenced in the link (sorry, short on time). I'd also add that there's a new port 7547 (TR-069 service) exploit doing the rounds and more will emerge. They really should block the port from public access.
I checked my router with your scan and was informed that I have an open port. I then checked with my internet provider, BT, and was informed that the open port poses no threat at all and I should ignore it? So now I have conflicting information and I am not sure what to do about it. I cannot see any way to close the port in question, and BT are saying that I shouldn't even bother trying as it poses no threat to anyone?
Port 7547 is the Comcast public access Wi-Fi installed in over 16 million routers worldwide. I had already contacted them regarding hacking possibilities. They say it cannot happen. Of course, I am a realist. Anything can happen. One fixes vulnerabilities and the hackers learn how to do something new. It is simply a case of staying ahead of the chase. I would humbly like to add that all users of modem/routers install very strong passwords to log in, as well as for Wi-Fi registration. Sadly, there isn't much more that I can do in this case. While logged into the modem, I did see your tool test and DHCP IP address. In sum, there is not more I can do without upsetting the gateway 'apple cart'. Thank you very much, Mark. I am considering your request for part-time engineers to help Wordfence. I have also checked my website, and with multiple anti-malware software I have any changes going to my inbox automatically. Thank you again for a great service. Sincerely, Ed Smith