Skip to content
Censys Search Teams: Industry-leading internet intelligence for growing security teams and organizations | Learn More

The Most Common Protocol You’ve Never Heard Of

Posted on January 29th, 2019

Surprisingly, the most common service that we find in our scans at Censys is CPE WAN Management Protocol (CWMP) — a protocol that many folks have never heard of. CWMP, also known as TR-069, runs on TCP port 7547 using HTTP as an application layer protocol, allowing Internet service providers to remotely configure customer premises equipment (CPE) like cable modems and home routers. Unsurprisingly, it’s found largely in broadband networks around the world. In total there are more than 20 million devices, though not all modems but also in some surprising places like printers, cameras, and even a single, solitary solar panel.

This isn’t new, as revealed by this SANS article from 2016, but what is surprising is the continued exposure of CWMP to the Internet despite these known problems. What we might have expected is the rising levels of ISP filtering at the network border for CWMP traffic.

As CWMP is one of most common protocol across the Internet, we started thinking about the security of the protocol and what kind of risks it poses. Moreover, are there any real risks for the corporate world or is this just a consumer technology problem?

What security risks are inherent with CWMP?

The administrative power that CWMP grants is the main reason it’s such a security risk and a sought-after target. By design, it allows the ISP to configure network settings like DNS servers, but insecure implementations can allow attackers to download and execute arbitrary software. While CWMP was designed with the assumption that only connections from trusted sources would be possible, misconfiguration at scale means that ISPs often inadvertently place their customers’ networks at risk. The Internet at large is then susceptible to denial of service attacks, spam operations, and similar tactics when attack software is installed on customers’ networks.

CWMP protocol has been used in attacks on home routers, with the help of the Mirai botnet and “The Misfortune Cookie” bug. While the attacks weren’t due to any vulnerabilities in the CWMP protocol itself, attackers were able to take advantage of CWMP configuration and implementation errors and old, deprecated versions. The original protocol uses an HTTP-based service for remote management, which is both vulnerable and inherently insecure. Unfortunately, the solution wasn’t as simple as closing the port, which could cause more problems, but users were encouraged to update their modems.

What can be done about vulnerable CWMP Protocol?

The “fix” for these issues is installing firmware updates, which most modem manufacturers have pushed out by now. TR-069 issue 2 has added “improved device security” and should become the default for home users.

Of course, the question that remains is how many consumers are aware of these weaknesses and restarting their home modems, much less installing firmware updates? [insert collective sigh]

Finding CWMP with Censys

For security professionals, we’d recommend an Internet scan to locate CWMP protocol to locate any that might be associated with your company. Most likely, these would be employees working remotely and working around your VPN, blissfully unaware that they’re on a vulnerable home modem. Hunt them down and restrict access to your corporate assets and network, then school your employee(s) on how to use the VPN and that it’s the only way to access their work apps. If you want to go the extra mile (and endure potential eye-rolling), suggest to said employee(s) that they should restart their modem and install any updates.

Interesting findings and reports for researchers

We suggest starting with Censys reports on CWMP protocol to analyze trends across the Internet. Below are a few examples:

  • Since CWMP uses HTTP for an application layer transport protocol, you can look at the server side software.A quick glance at that report shows that the open source gSOAP package version 2.7 dominates, which is particularly concerning. In July of this year, Brian Krebs wrote about a vulnerability in gSOAPthat allowed attackers to “force a vulnerable device to run malicious code, block the owner from viewing any video footage, or crash the system.” He added, “Basically, lots of stuff you don’t want your pricey security camera system to be doing.”That’s just the top result, we’ll leave it to our readers to keep exploring!
  • Top 25 countries with CWMP protocol report
  • Top 25 products using CWMP report

By the way, have we talked to you about our reports yet? The report builder can be a very powerful tool for those looking for security anomalies. With it, you can quickly pinpoint any oddities (IoT devices, etc.) and use those clues to dig deeper with our more refined search queries. To use them, click on that Report tab in the search results (see image above) page after running a query. Report builder is often a really great spot to start your searching, filter out the notable unexpected hosts, and start prioritizing what you need to tackle first.

More advice to come on interesting, potential security risks that you should look out for and secure appropriately.

Attack Surface Management Solutions
Learn more