A newly released report, "Exploiting SOHO Router Services", published by Independent Security Evaluators, a security firm based in Baltimore, MD, makes for very worrying reading if you're using routers built for the Small Office/Home Office market.
ISE tested ten widely available SOHO routers and concluded:
Despite being widely distributed and deployed in nearly every modern home and small office, SOHO networking equipment has received surprisingly little attention from security researchers ... Our research indicates that a moderately skilled adversary with LAN or [wireless] access can exploit all ten routers through their non-essential features and services.
ISE also argued "these security flaws originate from four primary categories: the misconfiguration of network services, the assumption of security on the LAN, insecure default configurations, and poor security design and implementation."
The products tested were the Linksys EA6500, Netgear WNDR4700, ASUS RT-AC66U, ASUS RT-N56U, TP LINK TL-WDR4300, TP LINK TL-1043ND, TRENDnet TEW-812DRU, Netgear WNR3500, D-LINK DIR-865L and the Belkin N900. ISE's research found 55 previously unpublished security vulnerabilities that "demonstrate how the rich service and feature sets (e.g., SMB, NetBIOS, HTTP(S), FTP, UPnP, Telnet, etc.) implemented in these routers come at a significant cost to security."
ISE also points out that "[once] compromised, any router, SOHO or otherwise, may be used by an adversary to secure a man-in-the-middle position for launching more sophisticated attacks against all users in the router's domain," which they note includes sniffing and rerouting all network traffic, poisoning DNS resolvers, performing denial of service attacks, or impersonating servers.
One of the more disturbing things about the security problems ISE discovered was that many of the features that could be attacked were not "secure by default," which is to say that their default security controls were minimal, misconfigured, or even non-existent.
In the full technical report (in PDF format), ISE discusses their detailed findings, and some of the exploits are surprisingly simple. For example, with the ASUS RT-AC66U, ISE demonstrated "how insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application" from "its hardened state, with or without USB storage attached."
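The "insufficient bounds checking" ISE describes is a general pattern in embedded network services: a length field taken from the wire is used to size a copy into a fixed buffer without being compared against either the packet or the buffer. The following C example is added here as an illustration and is not code from any of the tested routers or from ISE's report; the packet format, the `NAME_MAX` buffer size and the function names are assumptions made for the example. It shows the unchecked pattern beside a hardened parser that rejects a claimed length exceeding what the packet actually carries or what the destination can hold.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "name" field of a made-up LAN service message:
 * one length byte followed by that many characters.  This layout is
 * constructed for the example, not taken from any real router protocol. */
#define NAME_MAX 32

/* Unsafe pattern: the length byte is trusted.  A value larger than
 * NAME_MAX writes past 'out'; a value larger than the packet reads
 * past 'pkt'.  Shown only for contrast; never call it on untrusted input. */
int parse_name_unchecked(const uint8_t *pkt, size_t pkt_len, char out[NAME_MAX])
{
    if (pkt_len < 1)
        return -1;
    size_t n = pkt[0];          /* attacker-controlled */
    memcpy(out, pkt + 1, n);    /* no comparison with pkt_len or NAME_MAX */
    out[n] = '\0';
    return (int)n;
}

/* Hardened: every wire-derived length is checked against both the bytes
 * actually received and the space available before any copy happens.
 * Returns the name length on success, a negative code on rejection. */
int parse_name_checked(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || pkt_len < 1 || out_len == 0)
        return -1;
    size_t n = pkt[0];
    if (n > pkt_len - 1)        /* claims more bytes than the packet holds */
        return -2;
    if (n >= out_len)           /* would not fit together with the NUL */
        return -3;
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed inputs exercising the three outcomes a defender cares about. */
int check_valid(void)
{
    const uint8_t pkt[] = { 4, 'h', 'o', 's', 't' };
    char name[NAME_MAX];
    int rc = parse_name_checked(pkt, sizeof pkt, name, sizeof name);
    return (rc == 4 && strcmp(name, "host") == 0) ? 4 : -100;
}

int check_truncated(void)
{
    /* Length byte says 200 but only 4 payload bytes follow. */
    const uint8_t pkt[] = { 200, 'a', 'b', 'c', 'd' };
    char name[NAME_MAX];
    return parse_name_checked(pkt, sizeof pkt, name, sizeof name);
}

int check_too_long(void)
{
    /* Packet is complete, but 40 bytes cannot fit in a 32-byte buffer. */
    uint8_t pkt[41];
    pkt[0] = 40;
    memset(pkt + 1, 'x', 40);
    char name[NAME_MAX];
    return parse_name_checked(pkt, sizeof pkt, name, sizeof name);
}

int main(void)
{
    printf("valid: %d, truncated: %d, too long: %d\n",
           check_valid(), check_truncated(), check_too_long());
    return 0;
}
```

The second point in ISE's sentence, "the inability to disable network services," is what turns a bug like this from a latent defect into exposure: a parser that can be reached from the LAN but cannot be switched off has to be correct, because the administrator has no way to remove it from the attack surface.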
If your organization uses these devices or similar SOHO equipment (and many large enterprises do, in remote branch offices and for telecommuters), there's a non-trivial chance that your security could be compromised. Indeed, as ISE points out, "these routers are also firewalls, and often represent the first (and last) line of defense for protecting the local network. Once compromised, the adversary has unfettered access to exploit the vulnerabilities of local area hosts that would be otherwise unreachable if the router were enforcing firewall rules as intended."