Misfortune Cookie Takes Bite Out of Internet Security

Credit: wavebreakmedia/ ShutterstockCredit: wavebreakmedia/ Shutterstock

This cookie wants to take a bite out of you: A serious security flaw called Misfortune Cookie affects more than 12 million routers, modems and other "gateway devices" — as well as all the devices connected to them, from computers, smartphones and tablets to "smart home" devices such as toasters, refrigerators, security cameras and more.

All an attacker would have to do is send a network packet containing a malicious HTTP cookie to an affected gateway device. This would corrupts the gateway device's memory, giving the attacker administrative access over it. From there, the attacker can affect just about any other device on that network.

MORE: Best PC Antivirus Software 2014

Once attackers gained control of the gateway devices, they could snoop all traffic, including browser history and personal information, passing over the network, and perform man-in-the-middle attacks on attached devices, inserting themselves between two ends of a communication.

"An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast," warns security company Check Point Software Technologies in a report on the flaw

The Misfortune Cookie flaw, as Check Point dubbed it, actually exists in an old version of Web server software called RomPager, by Boxborough, Massachusetts-based software company AllegroSoft. According to Check Point, RomPager versions 4.34 and below — software more than 10 years old — contain the flaw.

RomPager patched this flaw back in 2005. Yet hardware from major companies such as Huawei, D-Link, ZTE and others currently sell products whose firmware (the custom software on a device) contains the vulnerable versions of RomPager. As a result, 12 million vulnerable gateway devices in homes, offices and other locations exist.

"There's an incredibly complex behind-the-scenes relationship with AllegroSoft, device manufacturers and chipset manufacturers...The update propagation cycle is incredibly slow to nonexistent," Shahar Tal, a Check Point research manager, told Tom's Guide. "So even though AllegroSoft did fix [the Misfortune Cookie flaw] in 2005, the fix did not propagate to devices being sold today."

"This is a real industry problem that we think this vulnerability really highlights," Tal added.

Many affected hardware manufacturers are working with Check Point to patch their device firmware to include the secure versions of RomPager, Tal said. But even when firmware does get updated, such updates usually can't be automatically pushed out to their respective hardware. Users will have to download the new firmware and manually flash their routers, modems and other gateway devices, an often-difficult process.

Other security measures could prevent the amount of damage attackers using Misfortune Cookie could do. Devices with firewalls, for example, will be safer, even from attackers already on your network.

But while your computer may have a firewall, your connected TV, connected fridge or connected toaster probably don't. Misfortune Cookie is an excellent example of why security experts worry so much about the so-called "Internet of Things" and the attack vectors these devices create. (If you have a router that can concurrently manage two Wi-Fi networks, put computers on one network and other devices on the other.)

Tal says that Check Point has not yet observed an attack involving Misfortune Cookie in the wild, but the company is keeping an eye out. Tal added that Check Point is looking into older unresolved cases in which routers were compromised in unknown ways. 

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, onFacebook and on Google+.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
No comments yet
Comment from the forums
    Your comment