Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Millions of Home Routers Are Hackable

kdawson posted more than 4 years ago | from the pre-black-hat-frenzy dept.

Networking 179

Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.

Sorry! There are no comments related to the filter you selected.

You mean besides using default admin/password... (3, Insightful)

hawks5999 (588198) | more than 4 years ago | (#32924988)

to log in.

Re:You mean besides using default admin/password.. (5, Funny)

Anonymous Coward | more than 4 years ago | (#32925014)

The tool apparently exploits the routers through DNS rebinding. Wjhile this technique has been discussed for 15 years or more, Heffner says 'It just hasn't been put together like this before.'"

Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!

Re:You mean besides using default admin/password.. (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32925156)

That would actually probably help a lot(though not as much as a real password).

In any exploitation scenario where the router login page isn't simply sitting on the WAN side, happily accepting all comers to try their luck, the hypothetical attacker would probably use a list of default username/password pairs for common router brands, or a list of known exploits for common router models.

Even the most trivial password change would save you entirely from the former, and no password change available would save you from the latter. A password brute-force attack system, written in javascript and injected via the method described, is conceivable; but it would only have until you close the browser window, and it would be subject to any rate-limiting imposed by the router's login page or the browser's JS engine, so it would probably be pretty tepid.

Obviously, if you are going to change your password, change it right; but the difference between default password and bad password is likely a good deal greater than the difference between bad password and good password, when it comes to crackability...

Re:You mean besides using default admin/password.. (5, Funny)

Cryacin (657549) | more than 4 years ago | (#32925280)

Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!

Wouldn't stop them if they're Swedish!

And yes, I'm an insensitive Cljod!

Re:You mean besides using default admin/password.. (0)

Anonymous Coward | more than 4 years ago | (#32926256)

Whats is this tjursbajss? Us's swedes don'ts adds extra J

Re:You mean besides using default admin/password.. (4, Interesting)

ickleberry (864871) | more than 4 years ago | (#32925090)

it seems that changing the password would render this hack fairly useless. also many routers are only accessible through a private IP, so even changing the router's IP would work unless the script tries all the addresses on the local network and then tries to brute force the router, but that would take years since I would assume its written in JavaShit

Re:You mean besides using default admin/password.. (1)

Suki I (1546431) | more than 4 years ago | (#32926336)

That is just the thing that I find so annoying with many exploit announcements. The buzz and cloud of publicity abounds, the MSM gets all panicky over what? Something that is not really a threat at all.

Re:You mean besides using default admin/password.. (0)

Anonymous Coward | more than 4 years ago | (#32926356)

If you'd have read TFA, you'd have noticed that the idea is not to change the router's IP (what would be the gain of that?) but to change the attacker's websites (pretended) IP to be the one of the router, so that scripts running from that server on the victims browser would have access to the router (i.e. circumventing the same origin policy)

Re:You mean besides using default admin/password.. (0, Offtopic)

Eudial (590661) | more than 4 years ago | (#32925250)

That's no worry, I changed mine to 12345.

Re:You mean besides using default admin/password.. (1)

jank1887 (815982) | more than 4 years ago | (#32925298)

blah blah luggage blah blah

Re:You mean besides using default admin/password.. (0)

Anonymous Coward | more than 4 years ago | (#32925336)

12345

Funny, that's what Zyxel modems by CenturyLink default to.

They also happen to have Telnet and Web Access enabled by default to the internal and external world.

THIS IS NOT A PROBLEM !! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32924990)

This is a good thing for all concerned !!

salty penis (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32925008)

put it in your ocean butt.

don't forget the lube, nigger faggots!

"List of routers affected" is just a picture (2, Interesting)

Relayman (1068986) | more than 4 years ago | (#32925056)

The "list of routers affected" at Notebooks.com is just a picture (.png) of a few rows of a spreadsheet. I would like the full list, please, even if just posted in a comment.

Re:"List of routers affected" is just a picture (5, Informative)

Slippery Pete (941650) | more than 4 years ago | (#32925078)

The Forbes article [forbes.com] has a Google spreadsheet of the routers.

Re:"List of routers affected" is just a picture (5, Informative)

Cato (8296) | more than 4 years ago | (#32925186)

Here's a direct link to the spreadsheet of routers, without the IFRAME so it's easier to read: https://spreadsheets.google.com/pub?key=0Aupu_01ythaUdGZINXQ5Vi16X3hXb3VPYkszNXM0YXc&hl=en&output=html&widget=true [google.com]

Re:"List of routers affected" is just a picture (1)

cerberusss (660701) | more than 4 years ago | (#32925758)

Wow, the Linksys WRT-54G series is in there as well. That makes for a HUGE amount of routers, because this baby is still going strong after eight years, even if it's not the complete WRT-54G series that's vulnerable.

Re:"List of routers affected" is just a picture (5, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#32925252)

From the article:

"One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network."

So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.

Who published this article? Oh, hey kdawson. Glad to see you're still on form. Seriously, let me filter this shit out of the RSS feed.

Re:"List of routers affected" is just a picture (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32925552)

Right, it's not a hack at all. It's just a method to access it...

The idea is probably that a script on a webpage that could try to hack it can't go to it because it is not part of the same website (security settings), but with round-robin dns numbers (or subdomains?), you can make a domain that points to a website with an 'attack script' (the method of attack left open 'as an exercise for the reader', I guess?), and where the other dns entries point to the various possible ip addresses of routers (192.168.0.1 for example), and then let the script repeatedly try to connect to the same domain until a router login page shows up...

Whooptydoo. That's not a hack, because you're still at the login prompt. Get past the login prompt on 'millions of routers', then it's a hack. Now it's just a method to deploy a hack if they had one, but they don't.

Re:"List of routers affected" is just a picture (1)

mcgrew (92797) | more than 4 years ago | (#32925802)

My problem with it is that it was published in Greedhead Magazine, AKA "Forbes". I would rather have read an article from a tech publication.

So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited.

It's still of interest, though. This would allow you to use the router to gain access to the PC, circumventing the PC's software firewall (even though I would trust a hardware firewall before I trusted a software firewall). Sometimes it does make sense to use a belt AND suspenders.

Re:"List of routers affected" is just a picture (1)

Mr_Silver (213637) | more than 4 years ago | (#32925936)

So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.

All the routers I've seen in the past couple of years have a sticker at the bottom which displays the default password. It's usually a randomly generated set of letters and numbers - such as "rt2ey67dh6qg8".

In other words, a router left with the default admin password is pretty secure - unless of course the hacker gets direct access to the hardware.

Re:"List of routers affected" is just a picture (1, Informative)

Anonymous Coward | more than 4 years ago | (#32926346)

All the _new_ routers maybe. There are still millions of routers where the default password is static.

Re:"List of routers affected" is just a picture (1)

0123456 (636235) | more than 4 years ago | (#32926306)

So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.

Fortunately there aren't millions of routers out there with known vulnerabilities allowing you to reprogram them without a password, often just using a simple URL you can put in an image tag. Oh, hang on, there are: the router my ISP ships was exploited a year or two back in some Central American country to reprogram its DNS server to redirect banking accesses to a phishing site.

But I agree, I don't really see what this attack adds over just using an image tag going to http://router/powned [router] .

Re:"List of routers affected" is just a picture (0)

Anonymous Coward | more than 4 years ago | (#32926690)

Who published this article? Oh, hey kdawson. Glad to see you're still on form. Seriously, let me filter this shit out of the RSS feed.

And yet, you still made the time to read the article, go into the comments, and post a reply here whining about it.

You're an idiot.

Re:"List of routers affected" is just a picture (1)

eliphalet (1222732) | more than 4 years ago | (#32926074)

My employer blocks access to Google Docs.

Re:"List of routers affected" is just a picture (5, Informative)

JayJay.br (206867) | more than 4 years ago | (#32925224)

Here ya go:

Vendor Model H/W Version F/W Version Successful
ActionTec MI424-WR Rev. C 4.0.16.1.56.0.10.11.6 YES
ActionTec MI424-WR Rev. D 4.0.16.1.56.0.10.11.6 YES
ActionTec GT704-WG N/A 3.20.3.3.5.0.9.2.9 YES
ActionTec GT701-WG E 3.60.2.0.6.3 YES
Asus WL-520gU N/A N/A YES
Belkin F5D7230-4 2000 4.05.03 YES
Belkin F5D7230-4 6000 N/A NO
Belkin F5D7234-4 N/A 5.00.12 NO
Belkin F5D8233-4v3 3000 3.01.10 NO
Belkin F5D6231-4 1 2.00.002 NO
D-Link DI-524 C1 3.23 NO
D-Link DI-624 N/A 2.50DDM NO
D-Link DIR-628 A2 1.22NA NO
D-Link DIR-320 A1 1 NO
D-Link DIR-655 A1 1.30EA NO
DD-WRT N/A N/A v24 YES
Dell TrueMobile 2300 N/A 5.1.1.6 YES
Linksys BEFW11S4 1 1.37.2 YES
Linksys BEFSR41 4.3 2.00.02 YES
Linksys WRT54G3G-ST N/A N/A YES
Linksys WRT54G2 N/A N/A NO
Linksys WRT160N 1.1 1.02.2 YES
Linksys WRT54G 3 3.03.9 YES
Linksys WRT54G 5 1.00.4 NO
Linksys WRT54GL N/A N/A YES
Netgear WGR614 9 N/A NO
Netgear WNR834B 2 2.1.13_2.1.13NA NO
OpenWRT N/A N/A Kamikaze r16206 YES
PFSense N/A N/A 1.2.3-RC3 YES
Thomson ST585 6sl 6.2.2.29.2 YES

Re:"List of routers affected" is just a picture (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#32925572)

This is a list of routers that allowed their script to run within the network. You then need to actually launch an attack on the router which... they don't have.

Re:"List of routers affected" is just a picture (1)

Hatta (162192) | more than 4 years ago | (#32925704)

If you can run a script within the network, you don't need to compromise the router. There's a bunch of unprotected windows boxes inside that network you can easily compromise.

Re:"List of routers affected" is just a picture (1)

pinkushun (1467193) | more than 4 years ago | (#32925658)

So informative, thank you Sir! Do you have a list of IP's that match said routers? :-)

Thank you Captain Obvious (1, Funny)

RapidEye (322253) | more than 4 years ago | (#32925074)

Lets see:
Make sure you have a strong Admin password on your router and don't surf p0rn/warez sites.
Thank you Captain Obvious!

Re:Thank you Captain Obvious (4, Insightful)

Chrisq (894406) | more than 4 years ago | (#32925222)

Lets see: Make sure you have a strong Admin password on your router

Check

and don't surf p0rn/warez sites. Thank you Captain Obvious!

Uhm - any solution that relies on you not browsing to an infected site is not a solution.

Re:Thank you Captain Obvious (0)

Anonymous Coward | more than 4 years ago | (#32925466)

Uhm - any solution that relies on you not browsing to an infected site is not a solution.

Technically, RapidEye is right. Realistically, however, you are _really_ correct. Telling people to avoid the darker side of the internet to stay safe is like telling teenagers to abstain from sex to avoid pregnancy and STD's. Theoretically, it works. In practice, it fails.

Education (which doesn't teach abstinence of the dirty internet) + Cheaply available protection (Spyware, Antivirus, browser and OS updates) will keep the majority of people engaging in googlular intercourse from contracting an internet transmitted virus.

With that being said, make sure you tell your kids about blocking Javascript when using unsafe sites. You know that they are going to browse whether you are involved or not; you might as well make sure that their experience is a safe one.

Re:Thank you Captain Obvious (3, Funny)

AnonymousClown (1788472) | more than 4 years ago | (#32925234)

Lets see: Make sure you have a strong Admin password on your router and don't surf p0rn/warez sites. Thank you Captain Obvious!

I get more hacking attempts when I search for and try to look at Christina Hendricks images than I ever do from all the porn sits combined.

Re:Thank you Captain Obvious (3, Funny)

MBGMorden (803437) | more than 4 years ago | (#32925408)

I get more hacking attempts when I search for and try to look at Christina Hendricks images than I ever do from all the porn sits combined.

Yes but going by the "I'll know it when I see it" definition, any image of that woman in a dress qualifies as pr0n . . .

Re:Thank you Captain Obvious (1)

DrgnDancer (137700) | more than 4 years ago | (#32925724)

I believe there was an article on this very site recently about how porn sites are no more likely to infect you than "regular" sites. The fact is most infection vectors on websites are in the ads, and most most site (porn or not) have virtually no control over what advertising is plastered on their pages.

Re:Thank you Captain Obvious (4, Insightful)

wowbagger (69688) | more than 4 years ago | (#32925266)

"Make sure you have a strong Admin password on your router..."

Which does you no good if your browser remembers your router's admin name and password - or did you miss the bit in the article where part of this hack is subverting your browser to actually do the dirty work?

"...and don't surf p0rn/warez sites."

Because advertiser sites never get hacked, nor do normal sites. Only porn and warez sites ever serve malware.

Better to turn off scripting on your browser by default, and only enable it for sites you trust, and NEVER let your browser remember passwords.

Re:Thank you Captain Obvious (2, Funny)

John Hasler (414242) | more than 4 years ago | (#32925760)

> ...NEVER let your browser remember passwords.

Never let it remember important passwords. There's no harm in letting it store passwords for trivial sites such as Slashdot.

Heretic (3, Funny)

Anonymous Coward | more than 4 years ago | (#32926140)

Slashdot is *the* most important site. For you to call it "trivial" is a most wicked sin.

I can believe it... (5, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32925086)

At one point, just out of morbid curiosity, I cranked up a copy of OpenVAS(the OSS fork of nessus) and told it to just hit everything on my home network with all "safe" tests(the program offers the option of either including or excluding tests that are likely to crash/DOS the target, rather than simply confirm/deny the presence of a vulnerability).

When the run was finished, all the real computers in the house had passed, with the exception of a few informational messages(Hey! this computer is running an SSH server, did you do that or should you be freaking out right now?). On the other hand, I had to physically reset over half of the assorted little-bitty-embedded-plastic-boxes-of-various-network-functions to get them working again.

And that was with the "safe" tests.

Based on the version and vulnerability information being reported(for devices that I do, in fact, update vendor firmwares on, when those are available) the state of consumer embedded devices is absolutely fucking pathetic. Blatantly outdated and known-vulnerable services listening merrily away in the latest vendor firmwares for products less than a year old...

Re:I can believe it... (1)

DWMorse (1816016) | more than 4 years ago | (#32925108)

Hmm, I like the looks of OpenVAS, I'll have to try it out. Thanks for the tip!

Re:I can believe it... (2, Insightful)

Charliemopps (1157495) | more than 4 years ago | (#32925176)

You should see the state of commercial routers... it's almost as bad.

Re:I can believe it... (3, Interesting)

Manip (656104) | more than 4 years ago | (#32925196)

Indeed. I found a bug in a D-Link DIR-655 and was completely unable to report it to them. I couldn't even log into their support system because according to them I don't own my own router (serial already in use) and couldn't find a more technical or security contact at the company.

The product still contains the bug - it is also using the latest firmware.

Re:I can believe it... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32925254)

Unfortunately, with many, if not all, of the consumer networking brands these days, the most technical guy on staff is the "chief sticker engineer", who makes sure that the right adhesives are used when rebadging OEM products, or maybe the CAD guy who modifies the OEM plastic case to have the appropriate brand name embossed in it...

Re:I can believe it... (0)

Anonymous Coward | more than 4 years ago | (#32926434)

Embedded is a cut throat market and anything that will shave off even a fraction of a penny per unit is good as the profit per unit for *most* companies is single digit percentages. You get what you pay for, really you do (except for cisco).

Exactly what is the sploit? (2, Interesting)

osgeek (239988) | more than 4 years ago | (#32925114)

Just trying to understand this...

But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.

Heffner's trick is to create a site that lists a visitor's own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address--in reality the user's own IP address--and accesses the visitor's home network, potentially hijacking their browser and gaining access to their router settings.

How does your DNS stack pick up a new IP address for a host name once it's already been resolved? I don't understand the mechanism for this part of the exploit. Anyone?

Okay, so let's say the attacker can pull this part off without a problem...

One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network. But that can be accomplished by using a vulnerability in the device's software or by simply trying the default login password. Only a tiny fraction of users actually change their router's login settings, says Heffner.

So, then the hacker has to rely no the browser running some javascript in the victim's browser that will actually break the security of the victim's gateway router?

Definitely your vulnerability goes up once an attacker can approach your gateway from the inside, but this isn't a free pass through everyone's home system. Seems like just changing your default password is a great first step to prevent any shenanigans.

Re:Exactly what is the sploit? (1)

Charliemopps (1157495) | more than 4 years ago | (#32925210)

You just need to resolve the address twice. Seems rather simple. Change their passwords? Most routers default to having NO password at all. And even if you set one up, and change it, most users have their browser remembering the login.

Re:Exactly what is the sploit? (1)

AHuxley (892839) | more than 4 years ago | (#32925490)

http://portforward.com/ [portforward.com] might help with a default list.

Re:Exactly what is the sploit? (2, Interesting)

galaad2 (847861) | more than 4 years ago | (#32925710)

no password at all? try "impossible to even set a password"

on December 19th 2008 i bought a Sweex LW300 wireless router ( http://sweex.nl/lw300 [sweex.nl] ) only to discover that the damn telnet service would not require a password AT ALL if you connected from the inside network.

Even if i set a password for the web admin interface, cycled power two or three times, it was all for nothing. The telnet service was left wide open for anyone on the internal network (including wireless). Not even the passwd command was working.

When i saw this i promptly returned the damn box and got a linksys instead (this was on December 22nd).

Unfortunately the replacement linksys router i got is another piece of crap and i was stuck with that. I found i was given the V2 of WRT160N only when i unwrapped the box at home.
WRT160N V2 is a piece of crap (ralink chipset => random router crashes, no ddwrt/openwrt on it) that made me avoid ever buying another Cisco/Linksys. All the routers i bought since then for our customers were other brands, in total about 10 thousand euros of lost sales for Cisco/Linksys because of that one crap router they saddled me with for Christmas 2008. You can imagine how that Christmas felt like :(

some system info for the Sweex LW300 with the telnet open root shell:
Linux (none) 2.6.17 #832 Tue Dec 4 15:39:35 CST 2007 armv5tejl unknown

Processor : ARM926EJ-Sid(wb) rev 5 (v5l)
BogoMIPS : 285.90
Features : swp half fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 16384
I assoc : 4
I line length : 32
I sets : 128
D size : 16384
D assoc : 4
D line length : 32
D sets : 128

Re:Exactly what is the sploit? (3, Informative)

Zocalo (252965) | more than 4 years ago | (#32925350)

As I understand it, it generally works like this: You set a ridiculously short TTL on the server hosting the exploit. When a victim connects you grab their IP address, add it and any other likely target IPs to the list of A records for the server and reload the zone. Your attack code just needs to wait for the TTL to expire, DNS to refresh and then try and connect to the target, which now appears to come from an attack on a trusted network.

Going to be interesting to see what this talk is going to add to the mix though... Either way, now would be a really good time to change any easy to remember, alpha-numeric only device passwords, if you've got any.

Re:Exactly what is the sploit? (4, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#32925452)

It is the first step. In fact, apart from a firmware vulnerability or some REALLY shocking DMZ setup, you're going to leave this attack with nowhere to go just by changing from the default password. There might be a second exploit in the form of a dictionary attack tacked on to the end, but that's not what the article is about.

It's not that big a deal. It's a headline of the type you're likely to find in the Daily Mail; Sensationalist and inaccurate. There might be more info in the future which justifies the grandeur of the statement, but right now (pre-Black Hat) it's just bullshit sensationalist speculation from Slashdot's specialist on the matter.

(Yeah, i'm getting a chip on my shoulder about this guy.)

Re:Exactly what is the sploit? (2, Insightful)

DrgnDancer (137700) | more than 4 years ago | (#32925888)

A dictionary attack using JavaScript in your own browser? Even assuming there is no lockout time for login attempts built into the router that would take fricking forever, and it would be interrupted the moment you closed your browser. This seems like it would be a vector for a firmware bug attack or for an attempt at obvious default passwords. Otherwise it would almost certainly fail.

Re:Exactly what is the sploit? (2, Funny)

L4t3r4lu5 (1216702) | more than 4 years ago | (#32925930)

Excellent! So, I was correct in labelling this whole shitty story as another inflammatory chod-fest at the hands of Slashdot's very own version of the Daily Mail, kdawson.

Will he never cease to amaze me?!

Re:Exactly what is the sploit? (1)

Bengie (1121981) | more than 4 years ago | (#32926206)

My router didn't allow internet access until you changed the admin password. After that, you could change it back *if* you wanted, but it was just that way for the first time setup.

Same for the wireless. The AP on my router came disabled and required an AP password entered before it would enable. After enabling it with a password for the first time, you could remove the password and make it insecure/open.

Now I just need DD-WRT to stabilize for my router so I can use the IPv6 my ISP has.. :-|

Browser Issue (2, Informative)

Manip (656104) | more than 4 years ago | (#32925124)

First things first, you can block most of these attacks by setting a new router password and or changing the router's default IP. Secondly browsers could very easily solve this by disallowing mixed local (192.*, 10.*, 0.*, 127.*) and remote IP addresses from a single site. If it is a local server it won't be load balancing with something on the Internet and the reverse is equally true.

Re:Browser Issue (2, Informative)

Grandim (1390511) | more than 4 years ago | (#32925368)

10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 127.0.0.0/8 You missed some privates and you had some legitimate publics listed has private.

default configs on routers are a joke (3, Insightful)

ergrthjuyt (1856764) | more than 4 years ago | (#32925138)

default configs on routers are a joke. Last I checked, linksys routers still tended towards unsecured wireless networks and default passwords. While extremely convenient, most users will abruptly drop the setup process once they can connect to the internet on their laptop. What the router firmware needs to do is force the user to set up a password and a security protocol before allowing direct access to the internet.

Before this step is taken, every other "security" exploit is a joke in comparison.

Re:default configs on routers are a joke (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32925230)

then you haven't checked in some time. Linksys routers come with pretty much everything turned off, and a setup program that makes you pick a password and gives you big scary warnings if you try to skip turning on wireless security. If you know what you're doing, you can just do all this manually through the web interface from an inside port, which is easier to fuck up, but if you do fuck it up it's your own damn fault.

OEM firmware? (0)

Anonymous Coward | more than 4 years ago | (#32925214)

I assume in most cases this applies to OEM firmware, correct? I can't believe a hole this large has not been plugged by DD-WRT and Tomato, yes?

Re:OEM firmware? (2, Informative)

natehoy (1608657) | more than 4 years ago | (#32925348)

Probably not, but you're still better off making sure you are running the latest of your choice of firmware (Tomato just released a new version a couple of weeks ago, go get it now!).

Doesn't hurt to make sure that you only allow https connections to the router's admin page (which means in Tomato that you'll get the inconvenient-but-useful "unverified certificate!" warning in Firefox that takes many ugly steps to get around, and as far as I know cannot be scripted), and setting a reasonably complex password.

And don't assume that your local network is "safe". Run software firewalls and avoid things like open network shares.

Re:OEM firmware? (1)

Hatta (162192) | more than 4 years ago | (#32925676)

There's a chart in TFA that shows ddWRT and OpenWRT successfully hacked. Tomato was not tested.

a problem we're too lazy to solve (2, Interesting)

digitalsushi (137809) | more than 4 years ago | (#32925248)

The issue is that the web servers on these little CPEs, and also lots of just general intranet websites, is that they do not inspect the Host: header of the incoming HTTP request. So when someone DNS rebinds your initial request to evil.com, your browser sends this host to the CPE, and the CPE ignores it. Unfortunately, there's no good way to match a host header on a CPE management page because who assigns DNS for their internal networks? Geeks, that's who. No one else. So when you connect by IP address to your gateway, the host isn't even set at all.

This is one of those things that SSL certificates can solve. I learned two weeks ago here on slashdot, thanks to another poster, that you can get free level 1 SSL certificates signed by startssl.com. I got mine returned in about 2 hours, and had it working with 10 minutes of work. Granted, I am not going to be able to reprogram the proprietary CPE with an SSL certificate, but hopefully a few of you find this link useful and can get your hobby website running with SSL, like I was able to do.

Even though you can change the credentials of your website (CPE, wiki, accounting system with web interface), it's still very possible for someone to brute force these credentials. Anything that can be realized with javascript is possible.

The best solution is DNS pinning... your browser locks the website to the initial IP of a round-robin A record response. This is horrible for the general health of the Internet, but not a bad solution for people who wish to avoid these styles of attacks. Me, I'll take my chances with the attacks...

Secret (1)

lancejjj (924211) | more than 4 years ago | (#32925306)

Here's the secret fix: change the default password on your home router.

Phew! Black hats thwarted again!

Re:Secret (1)

John Hasler (414242) | more than 4 years ago | (#32926070)

> Phew! Black hats thwarted again!

By you and a few thousand other geeks. Hundreds of millions of "consumers" remain vulnerable.

This could have been prevented by the vendors taking the obvious step of making the router serial number the default password.

Only half? It's probably a lot more (3, Interesting)

davidwr (791652) | more than 4 years ago | (#32925318)

Odds are the good guys haven't found all the vulnerable ones.

Oh, if you count routers left in their default configuration + human vulnerability to social engineering attacks, the number would be well over 50% even without any actual design flaws. This assumes having a common default login isn't itself a design flaw - which I think it is.

On that note, 2-Wire does it right: They have random-looking default management passwords printed on the bottom of most of their modem-routers. There is no universal "default login" you can look up on the Interwebs.

Re:Only half? It's probably a lot more (1)

jizziknight (976750) | more than 4 years ago | (#32925914)

Agreed. I think 2-Wire does a lot of things right. Initial connection to a factory default router automatically initiates a setup process, which IIRC, will not give you internet access until completed. This process also forces you to change the default password, and, again IIRC, has the default wireless security set as WEP. Though, it has been a very long time since I set one up (they tend to last quite a long time, too); I may not be remembering things quite right.

They also tend to be smart enough to "notice" when you do things that the typical joe sixpack user would not do, like connect other routers up behind them, and it does some somewhat smart things in automatically configuring itself to handle those situations properly.

Of all the routers that I've used, I'd have to say that 2-Wire are currently my favorite, and Linksys are currently my most hated.

Consumers DONT CARE (2, Insightful)

netsavior (627338) | more than 4 years ago | (#32925322)

This is only a problem when a geek looks at it, the average consumer doesn't really care, and they are right to not care.

Re:Consumers DONT CARE (0)

Anonymous Coward | more than 4 years ago | (#32925436)

This is only a problem when a geek looks at it, the average consumer doesn't really care, and they are right to not care.

Right up until their credit card is used to buy $1000 worth of DVDs in Russia. Then they start caring darn quick.

Re:Consumers DONT CARE (1)

netsavior (627338) | more than 4 years ago | (#32925796)

for 2 days until their credit card company refunds the money.

Re:Consumers DONT CARE (1)

gblackwo (1087063) | more than 4 years ago | (#32925874)

As an anecdote, my chase cards work fine in Russia only when I've told chase to unlock the country- but my bank cards have been a nightmare trying to unlock. Not only do I have to have the fraud center in the U.S. unlock the card (and they will only do it for 48 hours at a time), but I have to get a notorized lawyer signed Russian translation of my passport just so that the banks here will allow me to use it in their atms. If your credit card company is letting transactions go through Russia without your expressed approval- it is time for new credit cards. Because it is not as easy as you make it seem.

Re:Consumers DONT CARE (0, Flamebait)

ElectricTurtle (1171201) | more than 4 years ago | (#32925514)

In the first place, are you retarded? What part of forwarding to phishing sites to steal your credit card numbers don't you understand?

In the second place, turn in your card and exit /. immediately.

Re:Consumers DONT CARE (1)

netsavior (627338) | more than 4 years ago | (#32925890)

*eyeroll* cause soooo many consumers are credit card hacked at their physical location, please.

Trying to get consumers to care about the SUPER SUPER remote chance that someone will wardrive hack their router is pretty stupid, especially when you can't convince them to stop giving their credit card number to any`one who happens to email them a bank-esque email.

Re:Consumers DONT CARE (1)

ElectricTurtle (1171201) | more than 4 years ago | (#32926374)

Thanks for answering my question, clearly, you are retarded. 'We can't fix problem x therefore who cares about problem y?!' Also, no professional believes in security through obscurity. As this information increasingly becomes common knowledge among script kiddies and people who already deal in stolen CC#s, per capita incidents will increase. Even regardless of numbers or rarity, it matters when it does happen. Phishing itself basically didn't exist before the current decade, not because it wasn't feasible to set up fake sites in the 90s, just that nobody bothered. As soon as the idea took hold and started making money for scammers, phishing exploded in the early 2000s. If money can be made by this vector, it will explode too. The obscurity may well soon end, just like it did for phishing emails.

Re:Consumers DONT CARE (1)

netsavior (627338) | more than 4 years ago | (#32926648)

PSA: You are a bigot, stop using the word "Retarded" as an insult when you are trying to look intelligent, it is a disservice to the disability community.

Consumers don't care because they are not responsible, and because it won't fucking happen to them.

I could leave my keys in my unlocked car, leave my router open and my passwords on a sticky note on my desk and nothing would ever happen... But even if it did, my credit cards are insured, my car is insured. A bit of paperwork and a couple of days of hassle isn't going to stop consumers from not caring, ever.

Geeks see the headline and think "holy shit", non-geeks see the headline and think "I wonder if Lindsay Lohan is out of rehab yet".

Even without this hack, millions of home routers would be hackable, because they are open and have default password. What if I ran my own DNS server, logged in to my neighbor's router and pointed it to my DNS server, which contains whatever records I want it to? No exploits necessary, all it requires is that their router have the default password (which the article's hack also requires). Sure geek measures like using a DNS server other than the one your router provides would defeat that easily, but you know what? Geeks aren't the target.

So basically this is a more complicated way to do something that has ALWAYS been possible and easy to do on an open/default router. Wow, consumers should DEMAND their FIOS router get patched, oh the humanity.

Re:Consumers DONT CARE (1)

ElectricTurtle (1171201) | more than 4 years ago | (#32926746)

I'll believe your bullshit when you start leaving your keys in your unlocked car (as you say you 'could' but probably don't) in the middle of a city of more than half a million people.

How would you test if its hackable? (1)

bigfootchick (1855082) | more than 4 years ago | (#32925328)

How would you test my router is hackable? Can you please share the tests? Thanks in advance. -geek chick

Thanks Black Hats (0)

Anonymous Coward | more than 4 years ago | (#32925394)

Nothing more responsible than a bunch of oily nerds who still call them self's "black hats" in the year 2010 giving away tools to their only fans, script kiddies

Here is a tip, grow the fuck up already

Warning! kdawson sensationalist headine alert! (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#32925396)

This attack is just a redirect. It redirects an attack to inside your network to hopefully exploit a second vulnerability in your router. It relies on a second attack to actually compromise the router itself, either a firmware vulnerability or weak security settings. This isn't a single attack which will root your home networking devices by itself. It's just a way of directing an attack to run from inside your network (where security might be weaker) and doesn't allow any access in and of itself to your router. The "Millions could be affected" line comes from default passwords and configs or poor security settings by the user.

Holy sensationalist bullshit headlines, Batman!

DD-WRT+OpenDNS FTW (1)

Liquidretro (1590189) | more than 4 years ago | (#32925424)

Just had to post that everyone should be running OpenDNS and if possible DD-WRT of Tomato (for homes). You just cant beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.

Re:DD-WRT+OpenDNS FTW (4, Insightful)

lyinhart (1352173) | more than 4 years ago | (#32925548)

Nope. According the article, OpenDNS doesn't make a difference and DD-WRT v24 was one of the router firmwares that was successfully exploited.

Re:DD-WRT+OpenDNS FTW (4, Insightful)

homes32 (1265404) | more than 4 years ago | (#32925586)

Just had to post that everyone should be running OpenDNS and if possible DD-WRT of Tomato (for homes). You just cant beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.

and that no one else knows how to use. Lets face it. most uses don't even know that its possible login to their "wireless box" and change settings; let alone replace the firmware with a 3rd party distro. as far as their concerned the guy that installed the internet just plugged it in and it needs to be there or their laptop can't get internet. don't get me wrong. I love Tomato, but saying "everyone should run [insert some firmware here]" is not a solution to the problem. the problem is the idiot tech ( and in some cases, non-tech people smart enough to setup their own router) not changing the default password on the router when he installs it.

Re:DD-WRT+OpenDNS FTW (2, Insightful)

anamin (796023) | more than 4 years ago | (#32925604)

And yet DD-WRT is on the list of vulnerable firmware.

Re:DD-WRT+OpenDNS FTW (0)

Liquidretro (1590189) | more than 4 years ago | (#32925696)

But running OpenDNS is the first step to correcting this problem. And with DD-WRT this can be fixed in the next update now that its a known problem, if you run the default Firmware of your router who knows when it will be fixed.

Re:DD-WRT+OpenDNS FTW (1)

homes32 (1265404) | more than 4 years ago | (#32926112)

if you run the default Firmware of your router who knows when it will be fixed.

and if your running open source or 3rd party firmware who knows when it will be fixed. the last stable release of ddwrt was 2 years ago and the last beta a year ago. This attack method has been around way longer than that.

30 router models info (0, Redundant)

llZENll (545605) | more than 4 years ago | (#32925448)

The important info

Heffner tested his attack against 30 router models and found that about half were vulnerable. Here's his chart of which are and aren't subject to attack. ("Successful" in the far right column means that the router was successfully hacked.)

Vendor Model H/W Version F/W Version Successful
ActionTec MI424-WR Rev. C 4.0.16.1.56.0.10.11.6 YES
ActionTec MI424-WR Rev. D 4.0.16.1.56.0.10.11.6 YES
ActionTec GT704-WG N/A 3.20.3.3.5.0.9.2.9 YES
ActionTec GT701-WG E 3.60.2.0.6.3 YES
Asus WL-520gU N/A N/A YES
Belkin F5D7230-4 2000 4.05.03 YES
Belkin F5D7230-4 6000 N/A NO
Belkin F5D7234-4 N/A 5.00.12 NO
Belkin F5D8233-4v3 3000 3.01.10 NO
Belkin F5D6231-4 1 2.00.002 NO
D-Link DI-524 C1 3.23 NO
D-Link DI-624 N/A 2.50DDM NO
D-Link DIR-628 A2 1.22NA NO
D-Link DIR-320 A1 1 NO
D-Link DIR-655 A1 1.30EA NO
DD-WRT N/A N/A v24 YES
Dell TrueMobile 2300 N/A 5.1.1.6 YES
Linksys BEFW11S4 1 1.37.2 YES
Linksys BEFSR41 4.3 2.00.02 YES
Linksys WRT54G3G-ST N/A N/A YES
Linksys WRT54G2 N/A N/A NO
Linksys WRT160N 1.1 1.02.2 YES
Linksys WRT54G 3 3.03.9 YES
Linksys WRT54G 5 1.00.4 NO
Linksys WRT54GL N/A N/A YES
Netgear WGR614 9 N/A NO
Netgear WNR834B 2 2.1.13_2.1.13NA NO
OpenWRT N/A N/A Kamikaze r16206 YES
PFSense N/A N/A 1.2.3-RC3 YES
Thomson ST585 6sl 6.2.2.29.2 YES

from http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/ [forbes.com]

Re:30 router models info (1)

VGPowerlord (621254) | more than 4 years ago | (#32926246)

I actually checked if my wireless router was on here.

It is, but what concerns me the most is this:
The router I have is listed as NO, but the firmware version they tested against was released 3 years ago and the firmware has had four revisions since then, the latest released in Q4 2009.

Which makes me wonder: How many of the other firmware versions are out of date, and why haven't they been tested against the latest firmware versions?

Noscript doesn't prevent this exploit? (0)

Anonymous Coward | more than 4 years ago | (#32925476)

FTA: "Potential fixes implemented in the free DNS replacement OpenDNS and the Firefox NoScript plug-in won't prevent his exploit, Heffner adds."

Can someone explain how using NoScript doesn't prevent this exploit? How does he run code on the local machine without scripting?

Cross-Site-Request-Forgery (0)

Anonymous Coward | more than 4 years ago | (#32925600)

The article doesn't really describe the attack in detail, but as far as I can tell, this can be achieved much easier through cross site request forgery (CSRF). That is, a website tells the browser to do a malicious cross-site request, which targets some IP Address on your local network (i.e.: an image tag which causes the browser to access "http://192.168.1.1/login?u=admin&p=123"). This request could be used to login to the device using standard credentials and then activate remote administration on the WAN interface.

Using JavaScript, the attacker can even send POST requests to the target host

This has been done almost for decades and there are exploits available for hundreds of different Routers out there...

Attack reliant on obtaining router login creds! (0)

Anonymous Coward | more than 4 years ago | (#32925762)

From pfSense's forum via here: http://forum.pfsense.org/index.php/topic,26368.0.html

Quote from: Craig Heffner
While my talk is focused on attacking routers, there is no exploit in
any router per-se, and it is not necessarily restricted to attacking
routers. The exploit is DNS rebinding, which circumvents the
same-origin policy in a client's Web browser by exploiting the trust
inherently placed in the DNS protocol. Also note that the talk summary
clearly states that this only provides access to the router's
administrative interface; an attacker would still need to exploit the
router or log in to it via default/weak credentials in order to do
anything. Given that PFSense is relatively secure, and PFSense users
are generally more advanced and security aware than the average user,
I would suspect that this attack would only realistically affect a few
PFSense users.

"Publish or Perish ..." (2, Interesting)

udippel (562132) | more than 4 years ago | (#32925788)

Everyone knows this; and one way or another in these sicko days of ours, one simply has to make the headlines to grab attention; followed by get-rich-quick.
Fine. Let them try. I wished, though, some clever chap in Slashdot would have vetted the whole lot sufficiently, to dump it where it belongs: into the trash-bin.

Here is why: Because it actually is an attack. An attack that works for dumbos only. For people, who ought not legally be allowed to buy an access point or whatnot.

Here is the attack: assume router XYZ by default comes with username 'root' and password '12345'. The same router, as default or after reset, offers dhcp in 192.168.1.0/24, with 192.168.1.1 as gateway address. Then, following the trick, some 192.168.1.0/24-address becomes available on the outside (WAN). So when you blindly send 'root' and '12345' to 192.168.1.1 (to the box), from the outside, you're in.
As I said, yes, it is an attack. But for any sane setup it will fail miserably, because you have changed the internal network; and most of all, you changed at least the password.
I dunno, and haven't tried - because I have better things to do with my time - if any of those spoofing-filters that simply drop RFC1918-compliant addresses on the WAN-side would also fail the proposed attack, despite of default network, username and default password.

Shakespeare would probably have called this 'much ado about peanuts'. And as far as I am concerned, anyone who actually is vulnerable, should be slapped with a court order restricting him or her from touching, buying, setting up or administrating any network equipment until further notice, including home networks.

Thanks ALOT!! (0)

Anonymous Coward | more than 4 years ago | (#32925908)

you idiots, you know how many fkin businesses only have a "Home" style router especially in restaurant and retail, thanks alot might as well just fkin email me ill give you my cc number save you the trouble

great troll slashdot (1)

nimbius (983462) | more than 4 years ago | (#32926006)

now a few thousand admins from around the globe have just logged into their home boxes to "double check on everything"

pfSense 2.0 has been patched (2, Informative)

sullrich (78) | more than 4 years ago | (#32926060)

We made changes to pfSense 2.0-BETAS that prevents the DNS rebinding attacks thanks to Craig's help.

What about DD-WRT firmware and Smoothwall??? (0)

Anonymous Coward | more than 4 years ago | (#32926164)

I hope the hack does not work on DD-WRT firmware for the Linksys wrt54.

Also, what about Smoothwall? IMO Smoothies are one of the best solutions out there.

Exploit used on default configurations & firmw (1)

oDDmON oUT (231200) | more than 4 years ago | (#32926320)

How about against 3rd party firmware, ala Tomato [polarcloud.com] for Buffalo / Linksys?

Didn't see any mention of it in the article.

Simple solution, don't use your router for DNS (3, Insightful)

Passman (6129) | more than 4 years ago | (#32926522)

As someone pointed out a comment on the Forbes story, this exploit can only affect you if you are getting DNS through the router.

Simply using a static IP & DNS for your computer on your local network would make you immune to this. In situations where using a static IP is not possible (a friend's house, public wifi, etc.) just set your DNS servers statically and you should be fine.

Network advice from this article? (0)

Anonymous Coward | more than 4 years ago | (#32926540)

According to the article: An IP address is a series of four numbers ranging from 1 to 255.

So, 10.0.0.43 is not an IP address?

Which non-wireless router is best? (0)

Anonymous Coward | more than 4 years ago | (#32926546)

We've always used the Linksys BEFSR41 because we like a non-wireless router. But now I see it is on the hackable list.

Can somebody please recommend which non-wireless non-hackable router is best? Which one is closest in performance to the BEFSR41?

THANKS.

I miss the good old days (2, Insightful)

X.25 (255792) | more than 4 years ago | (#32926642)

I really miss the good old days, where presentations done on security seminars were revolutionary and technical.

How the hell a mediocre presentation (more related to statistics than security) can make it into Blackhat?

Oh, I forgot that Blackhat hasn't been a conference but a business, for a long time now.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?