Slashdot: News for Nerds

Researchers Say Wi-Fi Virus Outbreak Possible

Zonk posted more than 6 years ago | from the batten-down-the-hatches dept.

Wireless Networking

alphadogg writes with a link to a NetworkWorld article about a troubling security scenario. Indiana University IT researchers are now saying that a WiFi attack intended to piggyback across unsecured access points could do serious damage in a city like Chicago or New York. By essentially brute-forcing the passwords on insecure routers, a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone. "Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write code that guessed default passwords by first entering the default administrative passwords that shipped with the router, and then by trying a list of one million commonly used passwords, one after the other. They believe that 36% of passwords can be guessed using this technique."


165 comments

They'll never get me! (4, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#21910028)

Ha! They'll never guess my router admin password, which is '5l@$hd0t.!st.ps0t!'

Re:They'll never get me! (2, Funny)

somersault (912633) | more than 6 years ago | (#21910066)

I see your new USB 'big F5' button working out well since the one on your keyboard died?

Back on topic, I wonder what this new breed of virus will be called, if indeed it worked... Weasles? WAIDs? Winfluenza? Actually Winfluenza could work on so many levels :)

Re:They'll never get me! (2, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#21910130)

WiThrax? WiVi? I hear Sony is actually pushing for Wiinfluenza for some reason.

Re:They'll never get me! (1)

noidentity (188756) | more than 6 years ago | (#21910496)

Back on topic I wonder what this new breed of virus will be called, if indeed it worked.. Weasles? WAIDs? Winfluenza?

It's called "linksys" and it's everywhere already!

Re:They'll never get me! (0)

Anonymous Coward | more than 6 years ago | (#21911718)

I say we call it Skynet

Re:They'll never get me! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21910090)

If you weren't a furry, I'd mod you up for that.

Yiff in hell, furfags.

Re:They'll never get me! (0, Offtopic)

morgan_greywolf (835522) | more than 6 years ago | (#21910184)

Wah? 'cause my name contains 'greywolf', you think I'm a furry? Get some imagination.

Re:They'll never get me! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21910352)

Mine's "blowjob" and I've never been cracked ... oh shit - Can't you other slashdotters ever keep anything between ourselves?

Re:They'll never get me! (1)

sm62704 (957197) | more than 6 years ago | (#21910780)

Ha! They'll never guess my router admin password, which is '5l@$hd0t.!st.ps0t!'

Ah, the classics never die, do they? My wifi password is... oh wait I don't have wifi

White Power (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21910062)

Can I get a White Power?!

White Power!

Only 36%? (1, Insightful)

Odin_Tiger (585113) | more than 6 years ago | (#21910084)

36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAP's still have the manufacturer's default admin login.

Re:Only 36%? (2, Insightful)

j.sanchez1 (1030764) | more than 6 years ago | (#21910140)

36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAP's still have the manufacturer's default admin login.

1/3 is 33 1/3%. How is that severely off of the 36% estimate?

Re:Only 36%? (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#21910232)

I think grandparent is saying that he thinks that more than an additional 3% could be guessed from the list of a million commonly-used passwords. He could be right.

Re:Only 36%? (1)

smithberry (714364) | more than 6 years ago | (#21910252)

1/3 is 33 1/3%. How is that severely off of the 36% estimate?

Because as well as trying the default password, they are suggesting trying a million common passwords, so that would mean the million passwords only gained 3% penetration, which hardly seems worth the bother.

Re:Only 36%? (1)

MobileTatsu-NJG (946591) | more than 6 years ago | (#21910264)

"1/3 is 33 1/3%. How is that severly off of the 36% estimate?"

I think he means that if 33% alone are default passwords, with another huge chunk (maybe 10% - 15%?) being among the common million.

On a more shocking note: Have you noticed that 40% of Slashdot posts made during the work week are done on Mondays and Fridays? :)

Re:Only 36%? (1)

peragrin (659227) | more than 6 years ago | (#21910332)

>>On a more shocking note: Have you noticed that 40% of Slashdot posts made during the work week are done on Mondays and Fridays? :)

90% of the posts I make are during work. I visit three to four times a day. Of course I rarely respond in the same day. When I check my email account in the morning I read the responses to what I said and reply back. That way I don't get into stupid flame wars, or I can shut up when I put my foot on the keyboard.

Re:Only 36%? (1)

computational super (740265) | more than 6 years ago | (#21910842)

That way i don't get into stupid flame wars

I take that as a challenge, peraDUMB! Let's see you resist a flame war with ME!

Re:Only 36%? (1)

mhall119 (1035984) | more than 6 years ago | (#21910290)

The article cites 36% as default + dictionary. GP says a full 33.3% are probably default alone, with the implication that a dictionary attack would get more than 2.7% more, so therefore a combined 36% is "lowball".

Re:Only 36%? (1)

gstoddart (321705) | more than 6 years ago | (#21911486)

"36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAP's still have the manufacturer's default admin login."

1/3 is 33 1/3%. How is that severely off of the 36% estimate?

I think he's saying that if 1/3 of all routers have the default password, "brute forcing" those happens in O(1) time, and that if you were brute forcing the remaining 2/3 of all routers, you'd probably find more than 36% are vulnerable.

I mean, if 1/3 are using four or five distinct passwords, those are essentially freebies.

Cheers

Re:Only 36%? (1)

zbend (827907) | more than 6 years ago | (#21910762)

Would be true but new models usually don't come with a default password, you have to set one, and people like to buy new things.

Re:Only 36%? (1)

Denial93 (773403) | more than 6 years ago | (#21910814)

It probably factors in wire connection only admin interfaces, MAC filters, obscure firmwares or some other hindrances. Even routers where the user never bothered to set a password now sometimes have wireless administration disabled. Should have RTFA, but the video is slashdotted.

Re:Only 36%? (0)

Anonymous Coward | more than 6 years ago | (#21910962)

I actually thought that 36% was a high estimate only because I seem to recall that management access on WAP's is generally not allowed through the wireless interface unless you specifically enable it. People who are going in and enabling it probably also set a better password. Maybe it is only the last couple of WAP's I've put in, but I know they had access to the management of the access point via wireless off (and still do - I sure as hell am not turning it on even though I have what I think is a secure password on it).

why brute force? (1)

gEvil (beta) (945888) | more than 6 years ago | (#21910136)

Why brute force your way through when simply typing "admin" works far more often than it should?

Re:why brute force? (1)

argiedot (1035754) | more than 6 years ago | (#21910386)

Once something went wrong with my wireless router. I'd bought one for the first time a few weeks back, and I'd broken the settings. So I went up to it and hit the reset key at the back but forgot to set the password again. Then one day I came upon one of those lists of passwords and I said, "Ha ha, imagine what idiots would leave the default passwords on." So I scrolled right to the bottom and there's my router (it's slightly more than a wireless modem), and there's the password, and it suddenly hits me. It was on digg, that list [digg.com].

troubling security scenario? (4, Insightful)

Facetious (710885) | more than 6 years ago | (#21910142)

Holy crap! Maybe we should deal with existing security problems before we start with the imaginary ones.

Re:troubling security scenario? (1)

stewbacca (1033764) | more than 6 years ago | (#21910380)

Well we were fighting the "existing security problems" of the Russians when the Gulf War kicked off. Perhaps had we been working on "imaginary" problems like Iraq and Saddam Hussein in 1990, we wouldn't be in this 18-year cycle of off-and-on War with Iraq?

Re:troubling security scenario? (1)

Facetious (710885) | more than 6 years ago | (#21910754)

Ah, but was the war machine built to combat the Russians not used in Iraq? The fact is that some eggheads at some university were positing what might be and it made it to /. A few moments of thought show the pragmatic problems with the scenario:

- A 'cracked' router would have to be able to run arbitrary code; this requires firmware to be flashed.
- The compromised router must then be able to act as a client AND be within range of another AP to spread Winfluenza OR
- A vulnerable host (Windows) would have to be within range of another AP
- The compromised router or host would then have to use the dictionary attack. How much storage is on a router again?
- Such an attack would undoubtedly break the usefulness of the router causing the end user to unplug/replug, repeat, return to Best Buy

You see what I am driving at. And by driving, I mean in a hummer across the Arabian desert (man, I love the closure of analogy re-use).

Re:troubling security scenario? (1)

nosfucious (157958) | more than 6 years ago | (#21911108)

Doesn't need a lot of storage.

Just enough intelligence to fetch a few words at a time from a central site, or all the words from a web page the user visited.

Fetch -- try -- refetch. Only a few k of memory, if that.

If it's stealthy enough, keeping a low profile, programmed well enough, it might have a very long time to attempt to brute force other routers.

How many different firmware images does it need access to? Probably not that many. 10 leading brands, 10 ~ 20 main models each? Once the type of the victim is detected and cracked, fetch an infected firmware from either a central site or a broadcasting infected router. Bingo, no local storage necessary.

Damn, this is sounding nasty.

A hardware switch that must be set to 'on' to flash a device suddenly sounds a good idea.

Re:troubling security scenario? (1)

pilgrim23 (716938) | more than 6 years ago | (#21910458)


Oh no! Imaginary problems are best dealt with by imaginary solutions, You hold a Press Conference and weave imagery to the media. Then they write it up. imagining they have it right. Face it, they lack the imagination on their own. Imagine that...

- I craftily set my D-Link SSID to "Linksys"

Re:troubling security scenario? (1)

networkBoy (774728) | more than 6 years ago | (#21910698)

You know that's likely more secure than you would think.
The vast majority of the "hackers" out there likely simply try the default admin password (and assuming that the Dlink is different) would give up and move on.
-nB

1 million passwords? (0)

Anonymous Coward | more than 6 years ago | (#21910162)

How many routers have enough firmware memory to hold a dictionary like that?

Re:1 million passwords? (4, Insightful)

crow (16139) | more than 6 years ago | (#21910274)

They don't need to hold the dictionary. Anything that doesn't fit can be downloaded on demand. Most access points have access to the Internet, and residential access points are almost always outside of any firewall (they're usually the firewall themselves).

Varying router models and revisions (5, Insightful)

Dan East (318230) | more than 6 years ago | (#21910174)

How many router models and hardware revisions would the worm need to support to make this effective? It would take a great deal of resources to produce custom firmware for that many devices and hardware revisions, especially considering that people have been trying to produce custom firmware for specific devices for a long time without any success at all.

On another note, configuring the router for administrative access only via ethernet would completely stop the problem.

Dan East

Re:Varying router models and revisions (1)

$RANDOMLUSER (804576) | more than 6 years ago | (#21910282)

On another note, configuring the router for administrative access only via ethernet would completely stop the problem.

Making any changes to the out-of-box condition would severely curtail the problem. Unfortunately, far too many are just that - out-of-box and plugged in.

Re:Varying router models and revisions (1)

j.sanchez1 (1030764) | more than 6 years ago | (#21910438)

Unfortunately, far too many are just that - out-of-box and plugged in.

I wonder if it is too much to expect that when the routers are first set up, the default password should expire on the first log-in and should require a different password. Are there any routers out there that do this? How come this isn't default behavior?

Re:Varying router models and revisions (1)

schnikies79 (788746) | more than 6 years ago | (#21910544)

How many people do you think buy a router, plug it in, then never login to it?

I'm betting most of these default name/password routers around have never been logged into even once by the owner.

Re:Varying router models and revisions (1)

$RANDOMLUSER (804576) | more than 6 years ago | (#21910608)

Yup. Too many people don't even know that their router has an administrative interface.

Re:Varying router models and revisions (1)

Jim_Maryland (718224) | more than 6 years ago | (#21910688)

Would covering the router ports with a note that indicates a required login to set it up be out of the question here? A little paper insert as part of the quick setup notes would go a long way to getting users to setup some basic configuration. A setup wizard at the minimum should require users to select a new password and allow them to walk through an informative configuration sequence.

Re:Varying router models and revisions (3, Insightful)

David_W (35680) | more than 6 years ago | (#21911026)

Would covering the router ports with a note that indicates a required login to set it up be out of the question here?

They are getting there. A Linksys I recently picked up had a label over the ports reminding you to RUN CD FIRST. I'm assuming their CD will do things like change passwords and turn on encryption (wouldn't know since I prefer to do that manually).

Re:Varying router models and revisions (1)

zippthorne (748122) | more than 6 years ago | (#21911460)

A physical note would be stupid. It'd get torn off and tossed and forgotten about.

They should just do what the wireless servers at a lot of hotels do: redirect all http requests to an internal page server. Only instead of going to a billing page, if no password is set, the first page is the setup page.

ASIDE: Come to think of it, why is only the wireless bit encrypted? Shouldn't the wired links also be encrypted? It's not like that's compute expensive anymore.

Of course, then they'd have to remember set the password on their laptops...

Maybe some kind of "pairing," like in bluetooth, would be a better answer.

Re:Varying router models and revisions (1)

1u3hr (530656) | more than 6 years ago | (#21911756)

ASIDE: Come to think of it, why is only the wireless bit encrypted? Shouldn't the wired links also be encrypted? It's not like that's compute expensive anymore.

Why would you want to do that? What possible use would it be? I can SEE exactly what is wired into my router.

How about encrypting the link between your keyboard and PC? Your monitor? ... Looks like you've just invented Palladium.

Re:Varying router models and revisions (2, Interesting)

kebes (861706) | more than 6 years ago | (#21910428)

How many router models and hardware revisions would the worm need to support to make this effective?

Since wireless routers are (usually) connected to the Internet, the worm could "phone home" to some central repository in order to get the code it needs to attack different models. What I mean is that the virus wouldn't need to carry code for all makes/models. Instead, an infected access point would scan nearby access points (or computers) for open or crackable connections, and then access a central store for the exact methodology/code/virus needed to spread to those new access points. This also means that the virus author could add new makes/models to the "central store" (which would probably be running in a botnet or compromised webserver somewhere) thereby augmenting the virus as it spreads, making it more virulent with time.

Of course you're right that this does indeed require the virus author to design code for a wide variety of routers and access points.

On another note, configuring the router for administrative access only via ethernet would completely stop the problem.

That should really be the default. Routers are typically less secure from the wireless end than from the wired end (hacking someone's router from the internet is harder than just accessing it wirelessly, since many people don't even secure the wireless end with a password). So it may be viable to create a "bot-mesh" of wireless access points, which gives you all kinds of dangerous abilities (e.g. you can convincingly spoof websites for anyone on the affected LAN as part of a phishing attack).

Re:Varying router models and revisions (1)

Idiot with a gun (1081749) | more than 6 years ago | (#21910634)

That means it would leave traces back to a central server, or botnet, that security officials could attack and possibly trace to the author. Granted, there are measures the writer could use, but it would still be risky for him/her to have something so traceable.

Not that hard (2, Interesting)

seanadams.com (463190) | more than 6 years ago | (#21910796)

Sveasoft has firmware for most of the ARM/Linux based routers, which covers all the common Linksys/Netgear models. All you'd need to do is make a hacked version of each one and put them on a server (or botnet).

Then all a worm would need to is gain access to the router, and then notify the server that it has been cracked. The server takes it from there... it would connect to the router, identify its model number from the status page, and upload the appropriate firmware.

With a little ingenuity it would not be hard to do this in a way that is transparent to the user - i.e. most users have a plain vanilla setup and it would be easy enough to snarf the configuration and apply that to the new upgrade too.

Re:Varying router models and revisions (1)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#21910834)

And this is why I did not buy my wireless router from at&t. The models you can buy from them are pretty common and a survey of my neighborhood reveals that a number of them are out there, and they have the default network id identifying them as att wireless routers. Roughly 1/10 of the routers I found.

Re:Varying router models and revisions (1)

Lumpy (12016) | more than 6 years ago | (#21911072)

I can see it now for current Linksys routers....

WEP virus wants to infect your router... can you please hold down reset for 6 seconds and start a TFTP server so the virus can infect your router??

I call wishful doom. Getting DD-WRT on most of these things is a PITA enough, a Virus that will silently install itself on everything?? yeah right. There has not been a router made that did not require special tasks to flash the firmware to something else other than a blessed version from the maker for over 3 years now.

Simple Solution (2, Funny)

dotpavan (829804) | more than 6 years ago | (#21910186)

They believe that 36 percent of passwords can be guessed using this technique.

Solution: Use any of the 64 percent of the pwds

Retarded (0)

Anonymous Coward | more than 6 years ago | (#21910200)

This is retarded, someone's trolling for hits here. Even if a worm could guess wep/wpa keys in order to "piggyback" to another unsecure AP it would still have to either:

A) exploit a computer inside the network to have it scan for more APs.

B) somehow crack the firmware on every brand of router it hits and have it do it.

If you have a remote exploit for XP (which is what you would need), why would you bother writing some stupid wi-fi hopping worm.


Re:Retarded (1)

fmobus (831767) | more than 6 years ago | (#21910414)

Wrong!

You only need one computer to begin the process.

  1. This computer would scan for open routers, associating to each open router it finds.
  2. Then, it would try to access the administrative interface (usually done over http).
  3. If there is one, try the admin interface's default password.
  4. If it works (most of the times), attempt to overwrite the firmware
  5. If it works, the new firmware would propagate the worm, serving as the "computer" on step 1

It can be done. To avoid it, you should change your admin interface password and use WEP/WPA (preferably WPA).

Re:Retarded (1)

SirTalon42 (751509) | more than 6 years ago | (#21910744)

If it works (most of the times), attempt to overwrite the firmware

And here you hit his point A. The worm would have to be incredibly complex to run on a wide variety of architectures and operating systems, and INCLUDE all those operating systems in the firmware image it uploads to the router...

Re:Retarded (1)

fmobus (831767) | more than 6 years ago | (#21910978)

Well, you could have it download the firmware image from the Internet (IRC or p2p) according to the device you are attacking. The worm itself would be just a little "hack" in the firmware image. And you don't have to bother with all brands and models: start with the most popular ones (Linksys' W54GL, and the like). Some of those already have open source versions of their firmware, meaning you don't really have to reverse-engineer everything.

My point is: it is not impossible. Wifi routers will meet all the requisites in most cases: rewritable firmware, open-sourced os/firmware, unsecured APs, default password in administrative interfaces, a quite capable processing unit and a wifi antenna. Diversity may slow things a little but, although I lack data, I believe that the domestic and soho wifi router market (the best target - least security-minded) is dominated by few models.

If this hasn't been done yet (at least not that we knew), maybe the would-be-attackers haven't found a suitable, big, with lots of routers within range of each other. It could be already happening in a "silent" mode somewhere. It only becomes detectable if you use the full capacity of processor power and wifi output of the router, hindering the legitimate connections.

Re:Retarded (1)

Simulant (528590) | more than 6 years ago | (#21910900)

Yeah it could be done in theory but it's highly impractical/improbable.
Let's not get our panties in a bunch.

According to the "5 best hacks of 2007" article of a few days ago, it's getting hard to find an open AP these days and
even if you find one, most manufacturers are now shipping APs with admin access disabled on the WAN interface by default.

Then again, the same article said that running a packet sniffer on a open AP and grabbing cookies ("sidejacking") was one of the top 5 hacks. If our security professionals only figured this out in 2007, we've already been pwned.

Re:Retarded (1)

rindeee (530084) | more than 6 years ago | (#21911302)

Bingo. Add to your "should do" list; "Disable admin access over wireless and WAN making it only available from directly connected Ethernet LAN".

Say Wi-Fi Virus Outbreak Possible (1)

plarsen (579155) | more than 6 years ago | (#21910208)

I can also say that a Wi-Fi Virus Outbreak is Possible. I am not a researcher; I'd better reconsider a career in the research business, it sounds suitable to me.

Not that likely... (1)

crymeph0 (682581) | more than 6 years ago | (#21910218)

Even though a lot of people are idiots and leave the password at the default, there are still at least 3 or 4 different types of hardware (think Belkin, D-Link, NetGear, etc., and all the different models they each have available) that are in common use. This means that to be fully effective, a virus would need to contain several different firmware images of itself, and would have to store it all in the limited space available in the flash memory of the infected unit.

Of course, you could choose to infect one or two types of common consumer wireless router, but I think that would greatly limit the probability of a full-bore chain reaction spreading across the greater metropolitan area.

Re:Not that likely... (1)

zappepcs (820751) | more than 6 years ago | (#21910376)

IANA Virus Writer, but if my program had access to the Internet as well as another AP, I'd just download the required image for the next infection on the fly?

Re:Not that likely... (1)

Deadstick (535032) | more than 6 years ago | (#21910786)

Don't remember what the OEM firmware does, but with the DD-WRT firmware on my WRT54GL, you're not permitted to enable remote router access with the default password in effect.

rj

Really? (3, Interesting)

MyDixieWrecked (548719) | more than 6 years ago | (#21910250)

I'm not so familiar with Belkin, Netgear and all no-name wireless routers out there, but the newer (last year or two) Linksys WRT54G routers don't allow administrative access over the WLAN by default. You simply get an access denied page when attempting to access it. I'm kind of surprised that linksys doesn't just deny wireless connections to the administrator pages.

Unfortunately, that means that I can no longer log in to those routers with default passwords and open up ports for myself when I'm on some stranger's network and it requires me to plug in when I need to make changes on my own networks.

Of course, you should disable access to the administrator pages over the WLAN (or restrict it to a maintenance port if your router has one), change your administrator password (and username, if possible) and make sure you've got strong encryption with a strong password/key.

When I was living in Manhattan (2004-2005), there were over 20 visible wireless access points from my apartment. Running kismet and walking from the front to the back of my apartment with my PowerBook, I could pick up closer to 30 networks and about 3/4 of them were password protected; mostly with WEP. Nowadays, living in Brooklyn, I can pick up around 15 wireless networks and all but 2 are password protected and most are using WPA or WPA2.
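Several posts in this thread converge on the same checklist: change the default admin login, disable administration over the WLAN and WAN, and use WPA/WPA2 with a strong key. The audit below is an added example, not code from the article or from any poster; it turns that checklist into a configuration check. The default-credential and common-password lists are small constructed samples standing in for a vendor default table and the million-entry common-password list the summary mentions.

```python
"""Audit a home router's admin and wireless settings against the hardening
advice collected in this thread. Constructed sample lists only; a real audit
would load the vendor default table and a large common-password list from files.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of vendor default (username, password) pairs.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "admin"),
]

# Constructed stand-in for the "one million commonly used passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "wireless", "linksys"}

ACCEPTABLE_ENCRYPTION = {"WPA", "WPA2"}
MIN_PASSWORD_LENGTH = 12


@dataclass
class RouterConfig:
    admin_user: str
    admin_password: str
    wireless_admin: bool      # admin UI reachable from WLAN clients
    wan_admin: bool           # admin UI reachable from the Internet side
    encryption: str           # "NONE", "WEP", "WPA" or "WPA2"
    wifi_passphrase: str = ""


@dataclass
class Finding:
    severity: str             # "HIGH" or "MEDIUM"
    message: str


def password_is_guessable(user: str, password: str) -> bool:
    """True if the pair is a vendor default or the password is on the common list.
    The common-list check is case-insensitive, as a guessing list would try both."""
    if (user, password) in DEFAULT_CREDENTIALS:
        return True
    return password.lower() in COMMON_PASSWORDS


def password_acceptable(user: str, proposed: str) -> bool:
    """Policy for a replacement admin password: not guessable and long enough."""
    return not password_is_guessable(user, proposed) and len(proposed) >= MIN_PASSWORD_LENGTH


def set_new_admin_password(cfg: RouterConfig, proposed: str) -> RouterConfig:
    """Model the setup-wizard rule proposed in the thread: the factory password
    expires at first login and the replacement must itself pass the policy."""
    if not password_acceptable(cfg.admin_user, proposed):
        raise ValueError("proposed admin password is guessable or too short")
    return RouterConfig(cfg.admin_user, proposed, cfg.wireless_admin,
                        cfg.wan_admin, cfg.encryption, cfg.wifi_passphrase)


def audit_router_config(cfg: RouterConfig) -> List[Finding]:
    """Return the findings a defender would want to fix, highest risk first."""
    findings: List[Finding] = []
    if password_is_guessable(cfg.admin_user, cfg.admin_password):
        findings.append(Finding("HIGH", "admin credentials are a vendor default or a common password"))
    elif len(cfg.admin_password) < MIN_PASSWORD_LENGTH:
        findings.append(Finding("MEDIUM", "admin password is shorter than 12 characters"))
    if cfg.wireless_admin:
        findings.append(Finding("HIGH", "administration is enabled over the wireless interface"))
    if cfg.wan_admin:
        findings.append(Finding("HIGH", "administration is enabled over the WAN interface"))
    if cfg.encryption.upper() not in ACCEPTABLE_ENCRYPTION:
        findings.append(Finding("HIGH", f"wireless encryption is {cfg.encryption}; use WPA/WPA2"))
    elif len(cfg.wifi_passphrase) < MIN_PASSWORD_LENGTH:
        findings.append(Finding("MEDIUM", "WPA passphrase is shorter than 12 characters"))
    return findings


def guessable_fraction(configs: List[RouterConfig]) -> float:
    """Share of routers whose admin login falls to the default-plus-common-list guess,
    the figure the article estimates at 36% for New York."""
    if not configs:
        return 0.0
    hits = sum(password_is_guessable(c.admin_user, c.admin_password) for c in configs)
    return hits / len(configs)


if __name__ == "__main__":
    # Constructed examples: an out-of-box router next to a hardened one.
    out_of_box = RouterConfig("admin", "admin", True, False, "WEP")
    hardened = RouterConfig("netadmin", "sample-strong-admin-pass-2008", False, False,
                            "WPA2", "sample-long-wifi-passphrase")
    for name, cfg in (("out-of-box", out_of_box), ("hardened", hardened)):
        print(f"{name}:")
        for f in audit_router_config(cfg) or [Finding("OK", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
    print(f"guessable share of sample: {guessable_fraction([out_of_box, hardened]):.0%}")
```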

Re:Really? (1)

peragrin (659227) | more than 6 years ago | (#21910382)

WPA is the security choice as it is harder to crack but not impossible.

The trick is all you have to do is lock the front door. That prevents most random thieves. Though if you're sharing music via P2P, unlock your router. That way you can blame others.

Re:Really? (2, Insightful)

schnikies79 (788746) | more than 6 years ago | (#21910500)

Even if that is true, if remote management is not enabled, it doesn't matter if you have the password.

I know it was that way on my linksys.

Re:Really? (1)

geminidomino (614729) | more than 6 years ago | (#21910638)

The problem with WPA is that certain manufacturers of certain non-computer wifi-devices decided not to support anything other than WEP...

Damn stupid if you ask me.

Re:Really? (1)

MyDixieWrecked (548719) | more than 6 years ago | (#21910822)

The problem with WPA is that certain manufacturers of certain non-computer wifi-devices decided not to support anything other than WEP

Yeah, like my Nintendo DS. Although my Wii gets onto our network without issue.

And I'm not sure if this is still the case, but I've had significant issues getting XP machines to log into WPA2 protected wireless networks. There was supposedly a separate update which fixed that and gave you the ability to connect to such a network, but I was unable to get it installed/working at my roommate's sister's place.

I have gotten it to work on other machines, though. I'm not sure exactly what I did differently.

Re:Really? (1)

Danse (1026) | more than 6 years ago | (#21911174)

The problem with WPA is that certain manufacturers of certain non-computer wifi-devices decided not to support anything other than WEP...

Damn stupid if you ask me.

This is the problem that I have. I needed to get my living room devices connected to my wireless router in my office, but the access points that are available either aren't compatible with my router, or only support WEP when used as a wireless bridge. There's probably a solution, but I'm not a networking genius, so I don't know what it is, and with all the various devices out there, it's hard to tell what will work and what won't without actually trying them in my specific setup. That would get expensive.

Re:Really? (1)

Have Blue (616) | more than 6 years ago | (#21910708)

Unfortunately, that means that I can no longer log in to those routers with default passwords and open up ports for myself when I'm on some stranger's network

Unfortunately? You were taking advantage of a security flaw that has now been fixed.

Video Presentation of Paper (2, Informative)

Afromelonhead (730368) | more than 6 years ago | (#21910260)

I attended a talk that Steve Meyer (one of the presenters of the paper) gave at Purdue as part of the CERIAS Security Seminar Series. Link to the video is here [purdue.edu] . It's definitely worth a watch.

Wifi router on router action (1)

zsbyd (1037486) | more than 6 years ago | (#21910262)

So are they saying once a router is compromised, it utilizes its resources to attack outer Wifi routers in range? "Hey you were my friendly network neighbor, and now you want to control ME?" I say we form a coalition of routers who want to remain under their own control and enforce it with high-strength, nearly non-brute force-able passwords. What a novel idea.

Re:Wifi router on router action (2, Funny)

noidentity (188756) | more than 6 years ago | (#21910676)

Skynet couldn't be far behind...

Common Sense Should Prevent This (2, Insightful)

j.sanchez1 (1030764) | more than 6 years ago | (#21910540)

I have a Linksys WRT54GL flashed with DD-WRT firmware. I use a MAC filter that only allows computers I SPECIFICALLY tell it to, I have disabled administrative access to the router wirelessly and changed the default login AND password, and I password protect my wireless access on top of all that. It took me about an hour (if I recall correctly) to set the router up, including flashing the DD-WRT firmware on it. But once it is done, I don't have to bother changing any more settings, aside from rotating the admin password and updating the MAC filter as needed.

Just my take on it.

Re:Common Sense Should Prevent This (1)

Henry V .009 (518000) | more than 6 years ago | (#21910620)

As a side point, MAC address filtering is tremendously ineffective.

Re:Common Sense Should Prevent This (1)

j.sanchez1 (1030764) | more than 6 years ago | (#21910648)

As a side point, MAC address filtering is tremendously ineffective.

Why is it ineffective? Is there some way to spoof a MAC Address? If so, how could someone get the MAC address of another computer they do not have physical access to?

Re:Common Sense Should Prevent This (0)

Anonymous Coward | more than 6 years ago | (#21910712)

If so, how could someone get the MAC address of another computer they do not have physical access to?
The same way that the router gets it for the purposes of excluding/including it in the network. Once somebody has broken your encryption, MAC filters become totally useless. It is trivial to obtain valid MAC addresses (provided a valid computer is currently engaged to the network), and it is trivial to spoof them. Haven't you ever seen the routers/wireless-bridges that have a MAC address field that you can fill in yourself?

Re:Common Sense Should Prevent This (1)

SirTalon42 (751509) | more than 6 years ago | (#21910758)

Why is it ineffective? Is there some way to spoof a MAC Address?
Yes, lots of hardware (especially routers) set their MAC Address in software.

If so, how could someone get the MAC address of another computer they do not have physical access to?
MAC Addresses are constantly being broadcast, it'd be trivial to catch one.

Re:Common Sense Should Prevent This (1)

jargon82 (996613) | more than 6 years ago | (#21910802)

Yes, it is possible to spoof a MAC. Also, MAC addresses tend to be floating around in the air on wireless... a lot ;) If you can associate with the access point, you (easily) can catch quite a few active MACs.

Re:Common Sense Should Prevent This (1)

Henry V .009 (518000) | more than 6 years ago | (#21910826)

Yes, there is some way to spoof a MAC address. In Linux you can do it with a simple ifconfig command. In Windows you have to edit the registry.

In order to find out the MAC address of another computer across wireless, you just have to snoop on the packets (use wireshark). The MAC address is right there (otherwise how would the router find it out?)

Now if everything is encrypted with a scheme that isn't broken (WPA not WEP), then snooping becomes impossible. But if you are using WPA already, MAC filtering simply adds an unnecessary layer of (false) security.
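The mechanism behind the comments above (the station address sits in the 802.11 frame header, which is never encrypted, even when the payload is protected by WPA/WPA2) can be seen by parsing a frame. The following is an added example for this thread, not code from the original post or any vendor; `SAMPLE_FRAME`, its addresses and the `filter_decision` helper are constructed for illustration.

```python
"""Parse the cleartext MAC header of an 802.11 data frame.

Added example (not from the thread). It illustrates why a MAC allow-list is
not a security boundary: the filter keys its decision on a field that every
nearby radio can read in the clear, regardless of whether the frame body is
encrypted. SAMPLE_FRAME and its addresses are constructed for this example.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame: bytes) -> dict:
    """Return the fields a receiver can read before any decryption happens."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte minimum 802.11 MAC header")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)          # "Protected Frame" bit: body is encrypted
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    header_len, a4 = 24, None
    if to_ds and from_ds:                 # 4-address (WDS) form carries addr4 too
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        a4, header_len = frame[24:30], 30
    # Which address plays which role depends on the ToDS/FromDS bits.
    if not to_ds and not from_ds:         # ad hoc / IBSS
        da, sa, bssid = a1, a2, a3
    elif to_ds and not from_ds:           # station -> AP: what an AP's filter sees
        bssid, sa, da = a1, a2, a3
    elif not to_ds and from_ds:           # AP -> station
        da, bssid, sa = a1, a2, a3
    else:                                 # WDS: addr3 = DA, addr4 = SA, no single BSSID
        da, sa, bssid = a3, a4, None
    return {
        "type": TYPE_NAMES[ftype],
        "subtype": (fc0 >> 4) & 0xF,
        "duration": duration,
        "sa": _mac(sa),
        "da": _mac(da),
        "bssid": _mac(bssid) if bssid else None,
        "protected": protected,
        "header_len": header_len,
        "body_len": len(frame) - header_len,
    }


def filter_decision(frame: bytes, allowed: set) -> bool:
    """What a MAC allow-list does: accept iff the cleartext source address is listed."""
    return parse_header(frame)["sa"] in allowed


# Constructed sample: a WPA2-protected data frame from a station to its AP (ToDS=1).
SAMPLE_FRAME = bytes([
    0x08, 0x41,                            # frame control: type=data; ToDS + Protected
    0x2c, 0x00,                            # duration
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,    # addr1 = BSSID (receiver), made up
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,    # addr2 = source station, made up
    0x00, 0x11, 0x22, 0x33, 0x44, 0x66,    # addr3 = final destination, made up
    0x10, 0x00,                            # sequence control
]) + bytes(range(8)) + b"\xde\xad\xbe\xef" * 4   # CCMP header + opaque ciphertext

if __name__ == "__main__":
    print(parse_header(SAMPLE_FRAME))
    print("allowed:", filter_decision(SAMPLE_FRAME, {"02:00:00:00:00:01"}))
```

Everything the parser returns is readable without the WPA key; only the 24 bytes after the header are ciphertext. That is the whole argument of the thread: the filter and anyone in radio range are working from the same cleartext field, so the filter adds administrative work but no confidentiality or real access control.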

Re:Common Sense Should Prevent This (1)

GiMP (10923) | more than 6 years ago | (#21911154)

While MAC address filtering will not block even a non-determined attacker, it may be enough to block some automated attacks. This is especially true of those originating from limited-size firmwares, e.g. worms in other nearby routers.

All else aside, MAC address filtering does no damage other than increased administrative burden... it makes wireless security no worse, even if its benefits are only marginal.

Re:Common Sense Should Prevent This (1)

shrikel (535309) | more than 6 years ago | (#21911002)

I have a Linksys WRT54G flashed with DD-WRT firmware. I terminated all the patch cables from it onto a cinder block, unplugged the power adapter, put the whole thing in a grounded lead-coated copper box riveted AND welded shut, encased the whole box in six cubic feet of concrete, and buried it 4 feet under my well-watered garden. Oh, and I have a dog guarding my yard. A REALLY BIG dog with a laser strapped to its head. The whole process took about 1.5 hours. I guess I could have saved 30 minutes and just done what you did, but ... I think mine is more secure.

Just my take on it. ;)

Re:Common Sense Should Prevent This (1)

j.sanchez1 (1030764) | more than 6 years ago | (#21911090)

Oh, and I have a dog guarding my yard. A REALLY BIG dog with a laser strapped to its head.

If only you had a SHARK with a laser strapped to its head. Then your router would truly be secure.

Re:Common Sense Should Prevent This (1)

paxgaea (219419) | more than 6 years ago | (#21911608)

This is a much better /sarcasm post than the lazy post I was going to make...

Was gonna say something to the effect of 'and I welded the lock on my chastity belt and gave the key to '

Mod parent up, please...

And with respect to the grandparent, all sarcasm aside, I give you credit for the effort, even if doesn't prevent a sufficiently motivated individual from getting all up in yer network and stealin yer dirty pix of yerself. More effort than most would bother with, even if they know they should, hence the potential effectiveness of the theoretical hack.

Re:Common Sense Should Prevent This (1)

paxgaea (219419) | more than 6 years ago | (#21911708)

aha, caught by the laziness of not previewing....

line was supposed to be:

Was gonna say something to the effect of 'and I welded the lock on my chastity belt and gave the key to {insert any right wing evangelical nutjob here}'

got caught by the html code brackets...it just loses the magic of the moment when you have to explain it and clarify

sheesh

Re:Common Sense Should Prevent This (1)

ledow (319597) | more than 6 years ago | (#21911024)

Fantastic, but if you use WEP instead of WPA, none of that really matters now, does it? I'd be on your local network and could bounce via ANYTHING there to configure/reflash the router. Once someone's in, that's the end of it.

And MAC filtering takes exactly zero time to bypass once you know it's in place - some tools constantly read all connected MACs of all nearby radios and "change" to take over their MAC with a single click. You have to TRANSMIT your MAC for any sort of networking to work, and it's trivial to change a MAC on anything - network card, wireless etc. A MAC is not security (despite the meaning of its acronym), it's a tiny piece of broadcast information.

I work for schools in the UK and I have tried and tried to explain this to them - their engineers only EVER use WEP on their access point because "WPA is difficult to set up" (yes, I know, it's rubbish!). I even did the Whoppix/Whax thing and showed them their WEP key remotely without any hints in under five minutes but their answer is "nobody would bother to do that".

And that's where the problems lie - if you have even 10% of APs using WEP or insecure passwords, then you can use them to bounce a million attacks off to find some more of that 10% and so on and so on. It's a numbers problem - each point is another radio listening on your behalf without anyone knowing.

It's too difficult to use strong passwords (2, Informative)

gr8scot (1172435) | more than 6 years ago | (#21910550)

Re:It's too difficult to use strong passwords (1)

sproot (1029676) | more than 6 years ago | (#21910756)

http://keepass.info/ [keepass.info]

Church of Wifi already did this (4, Informative)

CounterZer0 (199086) | more than 6 years ago | (#21910574)

Church of Wifi has a hacked firmware-based worm that runs around and replaces firmware on APs, and then looks for other APs to attack, and propagates itself.
The key to this kind of attack is that it could be potentially undetectable - how do you know if the linksys firmware was replaced or slightly modified or not?
Another great use would be to drop TOR endpoints on every single box infected :)

Re:Church of Wifi already did this (1)

gr8scot (1172435) | more than 6 years ago | (#21910646)

URL?

Default passwords are part of the problem (1)

_14k4 (5085) | more than 6 years ago | (#21910630)

Why not make the password something like a printed number on the router itself? I know it's encoded in firmware, especially with the factory reset button, but it's not too hard to say read the ID and print up corresponding stickers. They already do it for the MAC address information.

Re:Default passwords are part of the problem (1)

Tmack (593755) | more than 6 years ago | (#21911042)

Why not make the password something like a printed number on the router itself? I know it's encoded in firmware, especially with the factory reset button, but it's not too hard to say read the ID and print up corresponding stickers. They already do it for the MAC address information.

That would require either 1. compiling a new firmware for EVERY unit, or 2. storing the password in a separate chip, which increases parts, cost, and everything else. They might be able to bypass the drawbacks of #2 by using the LAN side MAC tho, since that shouldn't be accessible via wifi for most wifi "routers" (tho a simple AP might be.. not as familiar with those), unlike the wifi MAC that's transmitted to all.

tm

Good to know we could be safe (0)

Anonymous Coward | more than 6 years ago | (#21910702)

a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone.

Great to know that it might be impossible to introduce a worm-like firmware agent into any networks in New York City.

It is also possible that one day /. will post stories that have actual content, instead of meaningless noise.

"X may Y" is semantically equivalent to "X may not Y", and the only kinds of statements that can be negated without changing their meaning are meaningless ones. In contrast, "There is a 0.1% chance that X will Y" is meaningful.

This is not news (0)

Anonymous Coward | more than 6 years ago | (#21910836)

Not to distract from the interesting nature of the article but people really should do some related work background research:
http://www.usenix.org/events/sec07/tech/akritidis.html [usenix.org]

These guys showed this (and other privacy related attacks) last year at Usenix Security.

Huh? (1)

sm62704 (957197) | more than 6 years ago | (#21910896)

a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone.
"Although the researchers did not develop any attack code

"Scenario?" With a "worm-like software agent?" Wake me up when (a) such a firmware worm is written or (b) when someone from the security community can be a little more specific as to how such a worm could work. I remain skeptical.

After all, they've been telling us about Linux and Mac viruses for years, but I have yet to hear of anyone actually getting infected by one.

in other words, WOLF!!!!!!

Capital Punishment! (0)

Anonymous Coward | more than 6 years ago | (#21910920)

This has gone far enough. We need our laws changed so that anyone engineering such a brutal virus should be PUT TO DEATH by Federal authorities!! Just think of the impact these attacks are having on our economy!? And, how scared it must make some people?

OOPS read this wrong! (0)

Anonymous Coward | more than 6 years ago | (#21911070)

hahaha I thought there was an actual ATTACK, not just a warning that our networks are vulnerable... but GEEZ this article is A BAD IDEA, why would you want to give people ideas?? That's all we need!! I bet someone is already engineering an attack as we speak!

Who Cares? (1)

DarthVain (724186) | more than 6 years ago | (#21910924)

Other than possibly create a few more zombies (and I am sure there are easier ways to do that) who cares?

Folks with real and/or sensitive data will have a password, and likely even more security.

Those that don't likely have little to offer any hacker or anybody else. A hacker may desire your cycles for zombified attacks, and the RIAA might like to look at your MP3 list. Maybe someone might go through the trouble of trying to data mine for identity theft, but again there are much easier ways to accomplish this goal.

If someone wants to brute force my password a million times, be my guest, you will probably find it not worth the time.
Those that don't change their default passwords, well, ye get what ye deserve. Call it a stupid tax.

Virus Marketing (0)

Anonymous Coward | more than 6 years ago | (#21910964)

Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write...

Sooo.... This virus is vaporware?

Exponential backoff? (1)

aegl (1041528) | more than 6 years ago | (#21910968)

There is a very simple (and very old) technique to stop someone from trying a million passwords in any reasonable timeframe ... just add a delay every time an incorrect password is entered (resetting the delay to zero if the correct password is entered to prevent this becoming a denial of service). If wireless routers used this, then the worm would only spread to devices whose password was in the first few dozen of the dictionary attack list.

Question... (1)

kc2keo (694222) | more than 6 years ago | (#21911046)

If you disable SSID broadcasting and enable a trusted only MAC list and deny all other MAC addresses are you pretty much secured from brute force scan attacks? The attacker would have the program scanning for SSIDs. The scanner would not see it. I set my networks up so you have to manually add the SSID. I don't have encryption enabled though. I just make sure that when I go to websites like my banking site or email I use the SSL address. I also use long passwords with capitals, lowercase, numbers, and symbols. One of the networks I manage I do the same as I mentioned before plus I disable DHCP on the router and set everything static.

Should I do anything extra?

Lets Think for a Sec !!! (0)

Anonymous Coward | more than 6 years ago | (#21911080)

Why not take out the default setup page from the router installation and force the user to enter an admin password before they could use their routers. Thus taking out the above security issue from the picture ;)
Agree that some will just enter dumb passwords, nonetheless something would be better than "admin" or "default".
-R12297
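The two defences proposed in the "Exponential backoff?" comment (a delay after each wrong password, reset when the right one is entered) and in the comment just above (no normal operation until the factory default credential is replaced) fit naturally into one admin-login model. The following is an added example written for this thread, not code from the article or from any router vendor's firmware; `RouterAdmin`, `DEFAULT_PASSWORDS`, the PBKDF2 parameters and the injectable clock are choices made for this example.

```python
"""Router admin login with a mandatory first-boot password change and a delay
that doubles with every wrong guess.

Added example, not from the thread or any vendor firmware. The aim is to make
a million-entry guess list cost far more wall-clock time than a worm could
afford, and to ensure the factory default never survives first setup.
"""
import hashlib
import hmac
import os
import time

# Tiny stand-in for a real default/common password list (constructed here).
DEFAULT_PASSWORDS = {"", "admin", "password", "default", "1234", "root"}
MAX_DELAY_SECONDS = 3600      # cap so a mistyped owner password never locks for days
PBKDF2_ROUNDS = 50_000


def password_acceptable(pw: str):
    """Reject factory defaults, common picks and short or single-class passwords."""
    if pw.lower() in DEFAULT_PASSWORDS:
        return False, "factory default or common password"
    if len(pw) < 12:
        return False, "shorter than 12 characters"
    classes = sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit))
    if classes < 3:
        return False, "needs lower-case, upper-case and digit characters"
    return True, "ok"


def seconds_for_guesses(n: int) -> int:
    """Total delay paid for n consecutive wrong guesses (1, 2, 4, ... s, capped)."""
    return sum(min(2 ** (i - 1), MAX_DELAY_SECONDS) for i in range(1, n + 1))


class RouterAdmin:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable for deterministic tests
        self._salt = os.urandom(16)
        self._hash = self._derive("admin")       # unit ships with the factory default
        self.setup_complete = False              # stays False until the default is replaced
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, PBKDF2_ROUNDS)

    def _check(self, pw: str) -> bool:
        return hmac.compare_digest(self._derive(pw), self._hash)

    def login(self, pw: str) -> str:
        """Returns 'locked', 'denied', 'must_change_password' or 'ok'."""
        now = self._clock()
        if now < self.locked_until:
            return "locked"                      # do not even evaluate the guess
        if self._check(pw):
            self.failures = 0                    # correct password resets the backoff
            self.locked_until = 0.0
            return "ok" if self.setup_complete else "must_change_password"
        self.failures += 1
        delay = min(2 ** (self.failures - 1), MAX_DELAY_SECONDS)
        self.locked_until = now + delay
        return "denied"

    def set_password(self, current: str, new: str) -> None:
        """The only way out of the first-boot state; the setup UI calls this first."""
        if not self._check(current):
            raise PermissionError("current password incorrect")
        ok, reason = password_acceptable(new)
        if not ok:
            raise ValueError(reason)
        self._hash = self._derive(new)
        self.setup_complete = True


if __name__ == "__main__":
    r = RouterAdmin()
    print(r.login("admin"))                      # must_change_password
    r.set_password("admin", "Correct-Horse-Battery-9")
    print(r.login("admin"), r.login("Correct-Horse-Battery-9"))
    print("20 wrong guesses cost", seconds_for_guesses(20), "seconds")
```

Two design points worth noting. Resetting the delay on a correct password, as the comment suggests, does not stop someone from locking the owner out by feeding wrong guesses; the cap on the delay bounds that damage, and a real implementation would track failures per source address rather than globally. And the first-boot gate matters more than the backoff for the worm scenario in the article: with no default credential left in the field, the "try the shipped admin password first" step that the researchers rely on finds nothing to try.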

Brute forcing WiFi Passwords (1)

Dunbal (464142) | more than 6 years ago | (#21911082)

Oh great, so they get access to the machine. Just as if it was plugged into a DSL/cable modem line. AND???

Cracking the password and getting network access isn't the same as getting past the firewalls, installing yourself on the machine and getting something to run you. Someone is fear mongering, or has failed to think this through.

Re:Brute forcing WiFi Passwords (0)

Anonymous Coward | more than 6 years ago | (#21911198)

That someone is the cable/DSL companies that don't want neighbors sharing their internet connection with non-paying people.

Just think of the positive effects (1)

Casandro (751346) | more than 6 years ago | (#21911540)

Just think of the positive effects. If you had software being able to spread from access point to access point automatically, you could easily build up a meshed network of routers. Those routers would then build a gigantic network which you can use to communicate without the FBI listening in on it. You could simply install that software, reconfigure your router and patch the hole.

The problem is that for that you'd need a monoculture of routers. It might work with Windows PCs at one time in the future, but even there it's hard.