
Millions of Home Routers Are Hackable

Posted by kdawson
from the pre-black-hat-frenzy dept.
Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.
  • by Relayman (1068986) on Friday July 16 2010, @09:00AM (#32925056)
    The "list of routers affected" at Notebooks.com is just a picture (.png) of a few rows of a spreadsheet. I would like the full list, please, even if just posted in a comment.
  • I can believe it... (Score:5, Interesting)

    by fuzzyfuzzyfungus (1223518) on Friday July 16 2010, @09:05AM (#32925086) Journal
    At one point, just out of morbid curiosity, I cranked up a copy of OpenVAS (the OSS fork of Nessus) and told it to just hit everything on my home network with all "safe" tests (the program offers the option of either including or excluding tests that are likely to crash/DOS the target, rather than simply confirm/deny the presence of a vulnerability).

    When the run was finished, all the real computers in the house had passed, with the exception of a few informational messages (Hey! this computer is running an SSH server, did you do that or should you be freaking out right now?). On the other hand, I had to physically reset over half of the assorted little-bitty-embedded-plastic-boxes-of-various-network-functions to get them working again.

    And that was with the "safe" tests.

    Based on the version and vulnerability information being reported (for devices that I do, in fact, update vendor firmwares on, when those are available) the state of consumer embedded devices is absolutely fucking pathetic. Blatantly outdated and known-vulnerable services listening merrily away in the latest vendor firmwares for products less than a year old...
  • It seems that changing the password would render this hack fairly useless. Also many routers are only accessible through a private IP, so even changing the router's IP would work unless the script tries all the addresses on the local network and then tries to brute force the router, but that would take years since I would assume it's written in JavaShit.
  • by osgeek (239988) on Friday July 16 2010, @09:08AM (#32925114) Homepage Journal

    Just trying to understand this...

    But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.

    Heffner's trick is to create a site that lists a visitor's own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address--in reality the user's own IP address--and accesses the visitor's home network, potentially hijacking their browser and gaining access to their router settings.

    How does your DNS stack pick up a new IP address for a host name once it's already been resolved? I don't understand the mechanism for this part of the exploit. Anyone?

    Okay, so let's say the attacker can pull this part off without a problem...

    One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network. But that can be accomplished by using a vulnerability in the device's software or by simply trying the default login password. Only a tiny fraction of users actually change their router's login settings, says Heffner.

    So, then the hacker has to rely on the browser running some javascript in the victim's browser that will actually break the security of the victim's gateway router?

    Definitely your vulnerability goes up once an attacker can approach your gateway from the inside, but this isn't a free pass through everyone's home system. Seems like just changing your default password is a great first step to prevent any shenanigans.

  • by Manip (656104) on Friday July 16 2010, @09:19AM (#32925196)

    Indeed. I found a bug in a D-Link DIR-655 and was completely unable to report it to them. I couldn't even log into their support system because according to them I don't own my own router (serial already in use) and couldn't find a more technical or security contact at the company.

    The product still contains the bug - it is also using the latest firmware.

  • by Anonymous Coward on Friday July 16 2010, @09:23AM (#32925230)

    Then you haven't checked in some time. Linksys routers come with pretty much everything turned off, and a setup program that makes you pick a password and gives you big scary warnings if you try to skip turning on wireless security. If you know what you're doing, you can just do all this manually through the web interface from an inside port, which is easier to fuck up, but if you do fuck it up it's your own damn fault.

  • by digitalsushi (137809) <slashdot@digitalsushi.com> on Friday July 16 2010, @09:24AM (#32925248) Journal

    The issue is that the web servers on these little CPEs, and also lots of general intranet websites, do not inspect the Host: header of the incoming HTTP request. So when someone DNS rebinds your initial request to evil.com, your browser sends this host to the CPE, and the CPE ignores it. Unfortunately, there's no good way to match a host header on a CPE management page because who assigns DNS for their internal networks? Geeks, that's who. No one else. So when you connect by IP address to your gateway, the host isn't even set at all.

    This is one of those things that SSL certificates can solve. I learned two weeks ago here on slashdot, thanks to another poster, that you can get free level 1 SSL certificates signed by startssl.com. I got mine returned in about 2 hours, and had it working with 10 minutes of work. Granted, I am not going to be able to reprogram the proprietary CPE with an SSL certificate, but hopefully a few of you find this link useful and can get your hobby website running with SSL, like I was able to do.

    Even though you can change the credentials of your website (CPE, wiki, accounting system with web interface), it's still very possible for someone to brute force these credentials. Anything that can be realized with javascript is possible.

    The best solution is DNS pinning... your browser locks the website to the initial IP of a round-robin A record response. This is horrible for the general health of the Internet, but not a bad solution for people who wish to avoid these styles of attacks. Me, I'll take my chances with the attacks...
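
An added example (the editor's, not code from the article, from Heffner's tool or from any vendor firmware) of the Host-header check this comment says CPE web servers skip. The browser builds the Host header from the URL it was given, so after a rebinding the request that reaches the router still says Host: attacker.example; a management interface that only serves requests whose Host names one of its own addresses or names refuses it before any credential is looked at. The allowed set (192.168.1.1 and router.lan), the /setup.cgi path and the two sample requests are assumptions constructed for the example.

```python
# Added example (editor's, not from the article or any vendor firmware): a Host
# header check for an embedded management web server. No network I/O; the
# requests below are constructed samples.
import ipaddress

# Names and addresses this interface may legitimately be reached by. Assumed LAN
# setup for the example: the router's LAN address plus one local name.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}


def normalize_host(host_value):
    """Lower-case the Host value and strip an optional :port and IPv6 brackets.

    Returns None for a value that is not a single host (empty, malformed
    brackets, or an unbracketed IPv6 literal, which HTTP does not allow).
    """
    host = host_value.strip().lower()
    if host.startswith("["):                      # [2001:db8::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        return host[1:end] or None
    if host.count(":") == 1:                      # name:port or 1.2.3.4:port
        host = host.split(":", 1)[0]
    elif host.count(":") > 1:
        return None
    return host or None


def host_allowed(host_value, allowed=ALLOWED_HOSTS):
    """True only if Host names this device by an address or name it owns."""
    host = normalize_host(host_value)
    if host is None:
        return False
    try:
        # Canonicalize IP literals so an IPv6 spelling variant compares equal
        # to the configured form.
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass                                      # a DNS name, compare as-is
    return host in allowed


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers


def dispatch(raw):
    """Status the server should answer with, decided before any management
    logic or credential check runs."""
    _method, _target, headers = parse_request(raw)
    host = headers.get("host")
    if host is None or not host_allowed(host):
        return 421          # Misdirected Request: not meant for this origin
    return 200


# Constructed sample: the request the victim's browser sends once the
# attacker's name has been rebound to the router's LAN address. Host still
# carries the attacker's name, because the browser took it from the URL.
REBOUND_REQUEST = (
    b"GET /setup.cgi HTTP/1.1\r\n"
    b"Host: attacker.example\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"   # admin:admin
    b"\r\n"
)

# Constructed sample: the owner typing the router's address into the browser.
OWNER_REQUEST = b"GET /setup.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"

if __name__ == "__main__":
    print("rebound request ->", dispatch(REBOUND_REQUEST))   # 421
    print("owner request   ->", dispatch(OWNER_REQUEST))     # 200
```

The check runs before authentication: if it ran after, the rebound request would already be inside the management logic with whatever default or cached credential it carried. Answering 421 rather than serving the page also leaves the attacker's script nothing to read. Note what this does not cover: a page that simply issues a cross-origin request to http://192.168.1.1/ sends the correct Host and passes the check; that is ordinary CSRF, which needs its own token, and is a separate defence from the one rebinding defeats.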

  • by davidwr (791652) on Friday July 16 2010, @09:34AM (#32925318) Homepage Journal

    Odds are the good guys haven't found all the vulnerable ones.

    Oh, if you count routers left in their default configuration + human vulnerability to social engineering attacks, the number would be well over 50% even without any actual design flaws. This assumes having a common default login isn't itself a design flaw - which I think it is.

    On that note, 2-Wire does it right: They have random-looking default management passwords printed on the bottom of most of their modem-routers. There is no universal "default login" you can look up on the Interwebs.

  • by galaad2 (847861) on Friday July 16 2010, @10:11AM (#32925710) Homepage Journal

    No password at all? Try "impossible to even set a password".

    On December 19th 2008 I bought a Sweex LW300 wireless router ( http://sweex.nl/lw300 [sweex.nl] ) only to discover that the damn telnet service would not require a password AT ALL if you connected from the inside network.

    Even if I set a password for the web admin interface, cycled power two or three times, it was all for nothing. The telnet service was left wide open for anyone on the internal network (including wireless). Not even the passwd command was working.

    When I saw this I promptly returned the damn box and got a Linksys instead (this was on December 22nd).

    Unfortunately the replacement Linksys router I got is another piece of crap and I was stuck with that. I found I was given the V2 of WRT160N only when I unwrapped the box at home.
    WRT160N V2 is a piece of crap (Ralink chipset => random router crashes, no DD-WRT/OpenWrt on it) that made me avoid ever buying another Cisco/Linksys. All the routers I bought since then for our customers were other brands, in total about 10 thousand euros of lost sales for Cisco/Linksys because of that one crap router they saddled me with for Christmas 2008. You can imagine what that Christmas felt like :(

    Some system info for the Sweex LW300 with the telnet open root shell:
    Linux (none) 2.6.17 #832 Tue Dec 4 15:39:35 CST 2007 armv5tejl unknown

    Processor : ARM926EJ-Sid(wb) rev 5 (v5l)
    BogoMIPS : 285.90
    Features : swp half fastmult edsp java
    CPU implementer : 0x41
    CPU architecture: 5TEJ
    CPU variant : 0x0
    CPU part : 0x926
    CPU revision : 5
    Cache type : write-back
    Cache clean : cp15 c7 ops
    Cache lockdown : format C
    Cache format : Harvard
    I size : 16384
    I assoc : 4
    I line length : 32
    I sets : 128
    D size : 16384
    D assoc : 4
    D line length : 32
    D sets : 128

  • by udippel (562132) on Friday July 16 2010, @10:18AM (#32925788)

    Everyone knows this; and one way or another in these sicko days of ours, one simply has to make the headlines to grab attention; followed by get-rich-quick.
    Fine. Let them try. I wished, though, some clever chap in Slashdot would have vetted the whole lot sufficiently, to dump it where it belongs: into the trash-bin.

    Here is why: Because it actually is an attack. An attack that works for dumbos only. For people who ought not legally be allowed to buy an access point or whatnot.

    Here is the attack: assume router XYZ by default comes with username 'root' and password '12345'. The same router, as default or after reset, offers dhcp in 192.168.1.0/24, with 192.168.1.1 as gateway address. Then, following the trick, some 192.168.1.0/24-address becomes available on the outside (WAN). So when you blindly send 'root' and '12345' to 192.168.1.1 (to the box), from the outside, you're in.
    As I said, yes, it is an attack. But for any sane setup it will fail miserably, because you have changed the internal network; and most of all, you changed at least the password.
    I dunno, and haven't tried - because I have better things to do with my time - if any of those spoofing-filters that simply drop RFC1918-compliant addresses on the WAN-side would also fail the proposed attack, despite default network, username and default password.

    Shakespeare would probably have called this 'much ado about peanuts'. And as far as I am concerned, anyone who actually is vulnerable, should be slapped with a court order restricting him or her from touching, buying, setting up or administrating any network equipment until further notice, including home networks.

  • by Beardo the Bearded (321478) on Friday July 16 2010, @12:06PM (#32927274)

    Just serve up a web page that looks exactly like your router's settings menu. They'll log in with admin / admin and THINK they're in. In reality they're just playing with widgets that aren't bound to anything at all.

  • by Magic5Ball (188725) on Friday July 16 2010, @12:34PM (#32927656)

    The attack relies on the attacker being able to guess the victim router's internal IP address, and to associate a host name of their choice with that internal address. Most routers will use their manufacturers' default addresses which are easy to guess. Since DNS rebinding relies on chance, forcing the attacker to make more incorrect guesses lowers the success rate of the attack. Therefore, attackers are unlikely to attempt to guess all of 10/8 or 192.168/16 etc. (tens of thousands of possibilities) when the vast majority of router addresses are at their defaults of 10.(0|8).(0|1).1 or 192.168.(0|1|123).1 etc. (around a dozen possibilities).
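
The resolver-side counterpart to the address-guessing this comment describes, as an added example that is not part of the thread, of Heffner's tool or of any router firmware: a filter of the kind dnsmasq provides as its --stop-dns-rebind option (the option is real; the code below is the editor's stand-alone re-implementation of the idea in Python, not dnsmasq's source). It refuses to hand the browser an answer that maps a name from outside the LAN to a private, loopback or link-local address, so the attacker's second answer never becomes a connection to the router, whichever of the dozen default addresses was guessed. The names, addresses and the .lan suffix are constructed for the example.

```python
# Added example (editor's, not from the thread, Heffner's tool or dnsmasq's
# source): a resolver-side rebinding filter in the spirit of dnsmasq's
# --stop-dns-rebind option. Pure functions; the timeline below is constructed.
import ipaddress

# Ranges that a name outside the LAN must never resolve to for a client on
# the LAN: private, loopback, link-local and "this network".
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Names the LAN's own resolver answers for; these are allowed to point inside.
# Assumed local suffix for the example.
LOCAL_SUFFIXES = (".lan",)


def is_internal_address(text):
    """True if the address is in a blocked range. IPv4-mapped IPv6 addresses
    (::ffff:192.168.1.1) are judged by the IPv4 address they embed, which a
    filter that only knows the IPv4 ranges would let through."""
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def is_local_name(qname):
    """Single-label names and names under a local suffix belong to the LAN."""
    name = qname.lower().rstrip(".")
    return "." not in name or name.endswith(LOCAL_SUFFIXES)


def filter_answers(qname, answers):
    """Return (kept, dropped) for the A/AAAA answers of one query.

    An external name that resolves to an internal address is the rebinding
    step itself, so those answers are dropped; unparsable answers are dropped
    too. Local names may resolve anywhere.
    """
    kept, dropped = [], []
    for answer in answers:
        try:
            internal = is_internal_address(answer)
        except ValueError:
            dropped.append(answer)
            continue
        if internal and not is_local_name(qname):
            dropped.append(answer)
        else:
            kept.append(answer)
    return kept, dropped


# Constructed timeline of the attack: the attacker's authoritative server
# answers with a short TTL, first with its own address, then, once the page's
# script re-resolves, with the victim router's LAN address (and a mapped
# variant aimed at naive filters).
ATTACK_TIMELINE = [
    ("attacker.example", ["203.0.113.10"]),
    ("attacker.example", ["192.168.1.1"]),
    ("attacker.example", ["::ffff:192.168.1.1"]),
]


def addresses_reachable(timeline):
    """Addresses a browser behind this filter could actually connect to,
    in the order the resolutions happen."""
    reachable = []
    for qname, answers in timeline:
        kept, _dropped = filter_answers(qname, answers)
        reachable.extend(kept)
    return reachable


if __name__ == "__main__":
    print(addresses_reachable(ATTACK_TIMELINE))           # ['203.0.113.10']
    print(filter_answers("router.lan", ["192.168.1.1"]))  # (['192.168.1.1'], [])
```

Two caveats a practitioner would want. First, the filter only helps when the LAN's clients actually use the filtering resolver; a browser or OS that resolves through some other path (the attacker cannot choose the victim's resolver, but the user can) bypasses it entirely. Second, some legitimate deployments do point a public name at a private address (split-horizon setups are the usual case), which is why dnsmasq pairs the option with --rebind-domain-ok; the LOCAL_SUFFIXES allow-list plays that role here and is the part to adjust for a real network.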

  • by HolyCrapSCOsux (700114) on Friday July 16 2010, @03:19PM (#32930394)

    Here is a single legitimate reason for telnet.

    nethack.alt.org

    you could run your own...
