Millions of Home Routers Are Hackable
Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.
You mean besides using default admin/password... (Score:3, Insightful)
default configs on routers are a joke (Score:2, Insightful)
Before this step is taken, every other "security" exploit is a joke in comparison.
Re:You mean besides using default admin/password.. (Score:5, Insightful)
In any exploitation scenario where the router login page isn't simply sitting on the WAN side, happily accepting all comers to try their luck, the hypothetical attacker would probably use a list of default username/password pairs for common router brands, or a list of known exploits for common router models.
Even the most trivial password change would save you entirely from the former, and no password change available would save you from the latter. A password brute-force attack system, written in javascript and injected via the method described, is conceivable; but it would only have until you close the browser window, and it would be subject to any rate-limiting imposed by the router's login page or the browser's JS engine, so it would probably be pretty tepid.
Obviously, if you are going to change your password, change it right; but the difference between default password and bad password is likely a good deal greater than the difference between bad password and good password, when it comes to crackability...
Re:I can believe it... (Score:3, Insightful)
Re:Thank you Captain Obvious (Score:5, Insightful)
Let's see: Make sure you have a strong Admin password on your router
Check
and don't surf p0rn/warez sites. Thank you Captain Obvious!
Uhm - any solution that relies on you not browsing to an infected site is not a solution.
Re:"List of routers affected" is just a picture (Score:5, Insightful)
"One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network."
So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.
Who published this article? Oh, hey kdawson. Glad to see you're still on form. Seriously, let me filter this shit out of the RSS feed.
Re:I can believe it... (Score:5, Insightful)
Re:Thank you Captain Obvious (Score:5, Insightful)
"Make sure you have a strong Admin password on your router..."
Which does you no good if your browser remembers your router's admin name and password - or did you miss the bit in the article where part of this hack is subverting your browser to actually do the dirty work?
"...and don't surf p0rn/warez sites."
Because advertiser sites never get hacked, nor do normal sites. Only porn and warez sites ever serve malware.
Better to turn off scripting on your browser by default, and only enable it for sites you trust, and NEVER let your browser remember passwords.
Consumers DONT CARE (Score:3, Insightful)
Re:Exactly what is the sploit? (Score:5, Insightful)
It's not that big a deal. It's a headline of the type you're likely to find in the Daily Mail: sensationalist and inaccurate. There might be more info in the future which justifies the grandeur of the statement, but right now (pre-Black Hat) it's just bullshit sensationalist speculation from Slashdot's specialist on the matter.
(Yeah, I'm getting a chip on my shoulder about this guy.)
Re:DD-WRT+OpenDNS FTW (Score:5, Insightful)
Re:"List of routers affected" is just a picture (Score:1, Insightful)
The idea is probably that a script on a webpage that could try to hack it can't go to it because it is not part of the same website (security settings), but with round-robin dns numbers (or subdomains?), you can make a domain that points to a website with an 'attack script' (the method of attack left open 'as an exercise for the reader', I guess?), and where the other dns entries point to the various possible ip addresses of routers (192.168.0.1 for example), and then let the script repeatedly try to connect to the same domain until a router login page shows up...
Whooptydoo. That's not a hack, because you're still at the login prompt. Get past the login prompt on 'millions of routers', then it's a hack. Now it's just a method to deploy a hack if they had one, but they don't.
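The mechanism described in the comment above (a hostile domain that resolves, after a first public answer, to an address such as 192.168.0.1, so a script on that page ends up talking to the router) has a well-known check on the router side: the browser still sends the attacker's domain in the HTTP Host header, so an admin interface that only accepts requests whose Host names the router itself refuses the rebinding request before any login or admin logic runs. The following is an added example of that check, not code from the article, from the routers it lists, or from any commenter; the router addresses, the local hostname and the request headers are all constructed for the example.

```python
"""Host-header validation for a router admin interface (added example).

Assumed values: the router answers on 192.168.0.1 / 192.168.1.1 and is
known locally as router.local. Under DNS rebinding the browser connects to
one of those addresses but sends the attacker's domain name in Host, which
is exactly what this check rejects.
"""
import ipaddress

# Assumed identities of the router (constructed for the example).
ROUTER_ADDRESSES = {"192.168.0.1", "192.168.1.1"}
ROUTER_HOSTNAMES = {"router.local"}


def _split_host_port(host_header):
    """Return (host, port) from a Host header value; handles [IPv6]:port."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6 literal
        end = h.find("]")
        if end == -1:
            return None, None
        host, rest = h[1:end], h[end + 1:]
        return host, (rest[1:] if rest.startswith(":") else None)
    if h.count(":") == 1:                      # host:port
        host, port = h.split(":", 1)
        return host, port
    return h, None                             # bare host (or unbracketed IPv6)


def host_header_is_trusted(host_header, addresses=ROUTER_ADDRESSES,
                           hostnames=ROUTER_HOSTNAMES):
    """True only if the Host header names the router itself.

    A rebinding request carries the attacker's domain (e.g. attacker.example)
    in Host even though the TCP connection landed on the router's IP, so
    comparing Host against the router's own identities rejects it.
    """
    host, port = _split_host_port(host_header)
    if not host:
        return False
    if port is not None and (not port.isdigit() or not 0 < int(port) < 65536):
        return False
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept only the router's own local hostnames.
        return host in hostnames
    known = {str(ipaddress.ip_address(a)) for a in addresses}
    return str(addr) in known


def classify_requests(host_headers):
    """Label each constructed Host header as 'accept' or 'reject'."""
    return [(h, "accept" if host_header_is_trusted(h) else "reject")
            for h in host_headers]


# Constructed sample headers: a normal admin visit, a visit with a port, the
# local hostname, a rebinding request, a loopback literal and a junk port.
SAMPLE_HOSTS = ["192.168.0.1", "192.168.0.1:80", "Router.Local",
                "attacker.example", "[::1]:8080", "192.168.0.1:abc"]

if __name__ == "__main__":
    for host, verdict in classify_requests(SAMPLE_HOSTS):
        print(f"{host:20s} -> {verdict}")
```

The check belongs in front of every admin handler, not only the login page, because once the browser has been pointed at the router the script can issue any request the interface accepts; a reject here should also be logged, since a Host header carrying an external domain on a LAN-only interface is a clean indicator of a rebinding attempt.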
Re:DD-WRT+OpenDNS FTW (Score:4, Insightful)
Just had to post that everyone should be running OpenDNS and, if possible, DD-WRT or Tomato (for homes). You just can't beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.
And that no one else knows how to use. Let's face it: most users don't even know that it's possible to log in to their "wireless box" and change settings, let alone replace the firmware with a 3rd party distro. As far as they're concerned, the guy that installed the internet just plugged it in and it needs to be there or their laptop can't get internet. Don't get me wrong, I love Tomato, but saying "everyone should run [insert some firmware here]" is not a solution to the problem. The problem is the idiot tech (and in some cases, non-tech people smart enough to set up their own router) not changing the default password on the router when he installs it.
Re:DD-WRT+OpenDNS FTW (Score:2, Insightful)
And yet DD-WRT is on the list of vulnerable firmware.
Re:Thank you Captain Obvious (Score:5, Insightful)
Apparently p0rn sites are lower risk than normal sites :P [slashdot.org]
Re:Exactly what is the sploit? (Score:3, Insightful)
A dictionary attack using JavaScript in your own browser? Even assuming there is no lockout time for login attempts built into the router that would take fricking forever, and it would be interrupted the moment you closed your browser. This seems like it would be a vector for a firmware bug attack or for an attempt at obvious default passwords. Otherwise it would almost certainly fail.
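The comment above (and the earlier one about an in-browser brute-force being "pretty tepid") rests on the router imposing a lockout between login attempts. The following added example, which is not code from the article or from any router vendor, shows what such a lockout looks like and how it bounds a guessing loop that runs in the victim's own browser: after a constructed limit of 5 failures within 60 seconds the client is locked out for 300 seconds, so only the first few guesses are ever evaluated. The thresholds, the client address, the clock and the candidate passwords are all constructed for the example.

```python
"""Failed-login throttling for a router admin page (added example).

Assumptions (constructed): 5 failures in 60 s lock a client out for 300 s;
the guessing script runs from 192.168.0.23 and tries one password every
50 ms; the password list is placeholder strings, not a real wordlist.
"""
import hmac
from collections import deque


class FakeClock:
    """Deterministic clock so the simulation runs offline and instantly."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Per-client lockout: too many failures inside `window` -> lock for `lockout`."""
    def __init__(self, max_failures=5, window=60.0, lockout=300.0, clock=None):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock or FakeClock()
        self._failures = {}      # client -> deque of failure timestamps
        self._locked_until = {}  # client -> time the lock expires

    def is_locked(self, client):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: reset the client
            del self._locked_until[client]
            self._failures.pop(client, None)
            return False
        return True

    def record_failure(self, client):
        """Record a failed attempt; returns True if the client is now locked."""
        now = self.clock()
        q = self._failures.setdefault(client, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[client] = now + self.lockout
            return True
        return False

    def record_success(self, client):
        self._failures.pop(client, None)


def attempt_login(throttle, client, candidate, real_password):
    """Returns 'locked', 'ok' or 'bad'; the comparison is constant-time."""
    if throttle.is_locked(client):
        return "locked"
    if hmac.compare_digest(candidate.encode(), real_password.encode()):
        throttle.record_success(client)
        return "ok"
    throttle.record_failure(client)
    return "bad"


def simulate_guessing(candidates, real_password, per_attempt=0.05):
    """Run a constructed guessing loop against the throttle.

    Returns (attempts_evaluated, guessed, throttle): how many guesses the
    router actually checked and whether the real password was ever accepted.
    """
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window=60.0, lockout=300.0, clock=clock)
    client = "192.168.0.23"                  # constructed: the victim's own PC
    evaluated, guessed = 0, False
    for pw in candidates:
        outcome = attempt_login(throttle, client, pw, real_password)
        if outcome != "locked":
            evaluated += 1
        if outcome == "ok":
            guessed = True
            break
        clock.advance(per_attempt)
    return evaluated, guessed, throttle


# Constructed placeholder candidates; the "real" password is the 12th entry.
CANDIDATES = [f"guess{i:02d}" for i in range(1, 21)]

if __name__ == "__main__":
    evaluated, guessed, _ = simulate_guessing(CANDIDATES, "guess12")
    print(f"guesses checked: {evaluated}, password found: {guessed}")
```

Because the requests in the rebinding scenario come from the victim's own machine, a per-client lockout also locks the legitimate user out of the admin page for the same 300 seconds; that is the usual trade-off, and it is why a lockout pairs with, rather than replaces, changing the default password.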
Simple solution, don't use your router for DNS (Score:3, Insightful)
As someone pointed out in a comment on the Forbes story, this exploit can only affect you if you are getting DNS through the router.
Simply using a static IP & DNS for your computer on your local network would make you immune to this. In situations where using a static IP is not possible (a friend's house, public wifi, etc.) just set your DNS servers statically and you should be fine.
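Whichever resolver the client ends up using, the resolver-side control against rebinding is the same: an answer that maps an external name to a private, loopback or link-local address is dropped, which is what resolver options such as dnsmasq's --stop-dns-rebind do. The following is an added example of that filter over constructed answer records, not code from the article, from OpenDNS or from any commenter; it also covers the round-robin mix from the earlier comment (public and private addresses on one name) and the CNAME-chaining variant (an external name aliased to a local one), so it goes a little beyond the single case discussed above. The local zone suffixes and every record are constructed for the example.

```python
"""Resolver-side DNS rebinding filter (added example).

Assumptions (constructed): names under .lan, .local and .home.arpa, and
single-label names, are local and may legitimately resolve to RFC 1918
addresses; any other name resolving to an internal address is rebinding.
"""
import ipaddress

LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")   # assumed local zones


def _norm(name):
    return name.lower().rstrip(".")


def _is_local_name(name):
    n = _norm(name)
    return n.endswith(LOCAL_SUFFIXES) or "." not in n


def _is_internal(addr):
    """Addresses a public name should never resolve to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def _names_reaching(owner, cnames):
    """owner plus every name that reaches it through a chain of CNAMEs."""
    seen, stack = set(), [owner]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(src for src, dst in cnames if dst == n)
    return seen


def filter_rebinding(answers):
    """Split answer records (name, type, rdata) into (kept, dropped).

    An A/AAAA record is dropped when it carries an internal address and any
    name leading to it (its owner or an external CNAME alias) is not local.
    """
    cnames = [(_norm(n), _norm(r)) for n, t, r in answers if t == "CNAME"]
    kept, dropped = [], []
    for rec in answers:
        name, rtype, rdata = rec
        suspect = False
        if rtype in ("A", "AAAA") and _is_internal(rdata):
            aliases = _names_reaching(_norm(name), cnames)
            suspect = any(not _is_local_name(a) for a in aliases)
        (dropped if suspect else kept).append(rec)
    return kept, dropped


# Constructed sample response: an ordinary public answer, a round-robin set
# mixing a public and a private address for one hostile name, a genuine
# local host, an external CNAME aliasing a local name, and a loopback trick.
SAMPLE_ANSWERS = [
    ("cdn.example.com.", "A", "93.184.216.34"),
    ("attacker.example.", "A", "93.184.216.34"),
    ("attacker.example.", "A", "192.168.0.1"),
    ("printer.lan.", "A", "192.168.0.5"),
    ("evil.example.", "CNAME", "gw.lan."),
    ("gw.lan.", "A", "192.168.1.1"),
    ("localhost-alias.example.", "A", "127.0.0.1"),
]

if __name__ == "__main__":
    kept, dropped = filter_rebinding(SAMPLE_ANSWERS)
    for rec in dropped:
        print("dropped:", rec)
    for rec in kept:
        print("kept:   ", rec)
```

The filter works per response, so in the CNAME case the local gw.lan record is dropped along with the alias that led to it; a resolver that wants to keep serving gw.lan to local clients can answer that query on its own rather than trusting the externally supplied chain. Dropped records are worth logging as well, since a public name answering with 192.168.x.x is about as specific a rebinding indicator as a resolver will see.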
I miss the good old days (Score:3, Insightful)
I really miss the good old days, when presentations at security seminars were revolutionary and technical.
How the hell can a mediocre presentation (more related to statistics than security) make it into Blackhat?
Oh, I forgot that Blackhat hasn't been a conference but a business, for a long time now.
Re:I can believe it... (Score:4, Insightful)
And yet to be topical, the article is complete bullshit.
In order to be compromised, you must first be compromised! Well, no shit! The author then goes on to explain that this is easy because most people don't change their router's password.
So to summarize the story, if your system is easily compromised, expect to be further compromised. If your system is not compromised, then nothing has changed. In other words, people who don't lock their door in high crime areas experience higher rates of property theft. News at 11.
I personally don't find this interesting, let alone newsworthy.
Re:Noscript doesn't prevent this exploit? (Score:3, Insightful)
Re:You mean besides using default admin/password.. (Score:2, Insightful)
I've never heard of that manufacturer, but that's just plain bad, not sad. Telnet was useful back in the days when the internet was so small, many of us users actually knew each other, but I can't think of a single legitimate reason (excuse) to allow it to run now.
Re:Exactly what is the sploit? (Score:3, Insightful)
> in total about 10 thousand euros of lost sales for Cisco/Linksys because of that one crap router they saddled me with for Christmas 2008
So their filter against non-profitable clients has worked as expected.
Each time a human at Linksys touches a customer, the company incurs at least 5 euro in costs. Since Linksys relies on retail volume and not consultation for their consumer sales, it's to their financial advantage to never hear from customers once the sale has been made, and especially to their advantage not to have to respond to unending lists of complaints or questions from detail-oriented customers. That same 10,000 euro of kit sold to 200 customers who do not generally know enough to complain is much more profitable to Linksys than if it were sold to you since you have both the aptitude and time to complain, but not effectively. (If you had complained effectively, you would have received a successful resolution from Linksys and both parties would have benefitted directly.)
Instead, they've successfully outsourced through you, and with no compensation to you, a few hundred euro of support costs to their competitors, and avoided losing their very thin margin on 10,000 euro of sales. And since you only deal in 10,000 euro of kit a year spread out over many sites and much time (and thus many purchase orders and incidents requiring human intervention), you're no big future loss either since selling one 10,000 euro pizza box to one customer is about 10 minutes of work for anyone in corporate sales, plus they would get to sell a support contract to go with it.