Misfortune Cookie vulnerability affects 12 million routers

A newly-discovered vulnerability puts 12 million routers at risk around the world in homes, small businesses, and corporate environments.

The Misfortune Cookie vulnerability allows an attacker to remotely take over a gateway device with administrative privileges, according to Tel Aviv-based network security vendor Check Point Software Technology, Inc.

The scale of the problem is unprecedented, said Shahar Tal, Check Point's malware and vulnerability research manager.

"In previous cases, there were 200,000 or 300,000 vulnerable gateways," he said. "This time, it's 12 million, and 200 different models of devices, with some very big names in there."

Those names include models from Asus and TP-Link -- but not Check Point itself, he added. The full list is posted online at mis.fortunecook.ie.

The vulnerability allows attackers to control the gateway, and to steal data from all the devices on the network.

"If you get hold of the router, you get a wide-open access to start attacking computer devices like smartphones, printers, security cameras and everything else you have on your wired or wireless network," he said.

A compromised router also makes man-in-the-middle attacks "almost trivial," he added. "That's what was typically done in previous compromises of residential gateways."

The compromised routers all use the embedded web server software RomPager from AllegroSoft, he said.

Meanwhile, he suggested that users tighten security on devices such as webcams if they had previously been relying on the router to protect them instead of blocking access with a password.

"Other than that, of course, there's good security advice that's always appropriate," he said. "Have good endpoint protections in place, a freshly updated operating system, install a firewall on your computer."

Check Point also recommends that users encrypt any folders or documents containing sensitive information, and using

And, of course, users should install a firmware update when it's released by the manufacturer.

"If you are a technical user, some users might want to refresh the router with alternative firmware," he added.

However, this may void the router's warranty.

One problem, he said, is that devices such as routers rarely have an update process in place.

"With desktops and servers, we have automatic upgrades," he said. "But with embedded devices, we rarely see automatic updates."

In fact, because of the way the software is built into the supply chain itself, it might take years for a fix to make its way to the final product.

AllegroSoft, for example, actually fixed the vulnerability back in 2005.

"But they did not know what the ramifications of the bug was," he added. "We just found it out now."

According to Check Point, some countries have up to 50 percent of devices that are vulnerable to Misfortune Cookie, so named because it's based on an error in the HTTP cookie management mechanism of the old software.

To exploit the vulnerability, all a hacker needs to do is send a single packet to the user's public IP address -- no hacking tools required, just a browser.

Users can also replace the router with a more secure one, or use the existing router as a bridge and add a second, secure router that would serve as the Internet gateway.
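To decide which of your own gateways need the firmware update, replacement or bridge setup described above, an inventory check can look for the RomPager server software the article names. The following is an added example, not code from Check Point or from the article; it assumes the device discloses its web server in the HTTP Server header, and the device names, banners and version strings are constructed placeholders.

```python
import re

# Constructed sample responses, as if saved from the admin web interface of
# devices you own. Names, banners and the "0.00" versions are placeholders.
SAMPLES = {
    "gw-office": b"HTTP/1.1 401 Unauthorized\r\nServer: RomPager/0.00\r\n"
                 b"WWW-Authenticate: Basic realm=\"gw\"\r\n\r\n",
    "gw-home": b"HTTP/1.0 200 OK\nContent-Type: text/html\n"
               b"SERVER: Allegro-Software-RomPager/0.00 UPnP/1.0\n\n<html>",
    "cam-1": b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\n\r\n",
    "printer": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

# Product token "RomPager/<version>", alone or at the end of a longer name.
ROMPAGER = re.compile(r"(?:^|[\s\-])RomPager/(\S+)", re.IGNORECASE)


def server_header(raw: bytes):
    """Return the Server header value of a raw HTTP response, or None."""
    # Headers end at the first blank line; tolerate bare-LF line endings.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    for line in head.decode("latin-1").splitlines()[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # names are case-insensitive
            return value.strip()
    return None


def classify(raw: bytes):
    """Return (status, version): 'rompager', 'other' or 'unknown'."""
    banner = server_header(raw)
    if banner is None:
        # No banner is not proof of absence; the device needs a manual check.
        return ("unknown", None)
    match = ROMPAGER.search(banner)
    return ("rompager", match.group(1)) if match else ("other", None)


def needs_review(samples: dict):
    """Names of devices that run RomPager or could not be identified."""
    return sorted(n for n, raw in samples.items()
                  if classify(raw)[0] in ("rompager", "unknown"))


if __name__ == "__main__":
    for device in needs_review(SAMPLES):
        print(device, classify(SAMPLES[device]))
```

A match only says the device runs RomPager; whether a given model is affected still has to be confirmed against the vendor's advisory or the list Check Point published.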
