Millions of Home Routers Are Hackable

Posted by kdawson
from the pre-black-hat-frenzy dept.
Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" has a list of routers tested and some advice on securing vulnerable routers.
  • by hawks5999 (588198) on Friday July 16, 2010 @08:50AM (#32924988)
    to log in.
  • by ergrthjuyt (1856764) on Friday July 16, 2010 @09:12AM (#32925138)
    Default configs on routers are a joke. Last I checked, Linksys routers still tended towards unsecured wireless networks and default passwords. While extremely convenient, most users will abruptly drop the setup process once they can connect to the internet on their laptop. What the router firmware needs to do is force the user to set up a password and a security protocol before allowing direct access to the internet.

    Before this step is taken, every other "security" exploit is a joke in comparison.
  • by fuzzyfuzzyfungus (1223518) on Friday July 16, 2010 @09:14AM (#32925156) Journal
    That would actually probably help a lot (though not as much as a real password).

    In any exploitation scenario where the router login page isn't simply sitting on the WAN side, happily accepting all comers to try their luck, the hypothetical attacker would probably use a list of default username/password pairs for common router brands, or a list of known exploits for common router models.

    Even the most trivial password change would save you entirely from the former, and no password change available would save you from the latter. A password brute-force attack system, written in JavaScript and injected via the method described, is conceivable; but it would only have until you close the browser window, and it would be subject to any rate-limiting imposed by the router's login page or the browser's JS engine, so it would probably be pretty tepid.

    Obviously, if you are going to change your password, change it right; but the difference between default password and bad password is likely a good deal greater than the difference between bad password and good password, when it comes to crackability...
  • by Charliemopps (1157495) on Friday July 16, 2010 @09:16AM (#32925176)
    You should see the state of commercial routers... it's almost as bad.
  • by Chrisq (894406) on Friday July 16, 2010 @09:22AM (#32925222)

    Let's see: Make sure you have a strong Admin password on your router and don't surf p0rn/warez sites. Thank you Captain Obvious!

    Uhm - any solution that relies on you not browsing to an infected site is not a solution.

  • by L4t3r4lu5 (1216702) on Friday July 16, 2010 @09:25AM (#32925252)
    From the article:

    "One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network."

    So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.

    Who published this article? Oh, hey kdawson. Glad to see you're still on form. Seriously, let me filter this shit out of the RSS feed.
  • by fuzzyfuzzyfungus (1223518) on Friday July 16, 2010 @09:26AM (#32925254) Journal
    Unfortunately, with many, if not all, of the consumer networking brands these days, the most technical guy on staff is the "chief sticker engineer", who makes sure that the right adhesives are used when rebadging OEM products, or maybe the CAD guy who modifies the OEM plastic case to have the appropriate brand name embossed in it...
  • by wowbagger (69688) on Friday July 16, 2010 @09:27AM (#32925266) Homepage Journal

    "Make sure you have a strong Admin password on your router..."

    Which does you no good if your browser remembers your router's admin name and password - or did you miss the bit in the article where part of this hack is subverting your browser to actually do the dirty work?

    "...and don't surf p0rn/warez sites."

    Because advertiser sites never get hacked, nor do normal sites. Only porn and warez sites ever serve malware.

    Better to turn off scripting on your browser by default, and only enable it for sites you trust, and NEVER let your browser remember passwords.

  • by netsavior (627338) on Friday July 16, 2010 @09:35AM (#32925322)
    This is only a problem when a geek looks at it; the average consumer doesn't really care, and they are right to not care.
  • by L4t3r4lu5 (1216702) on Friday July 16, 2010 @09:46AM (#32925452)
    It is the first step. In fact, apart from a firmware vulnerability or some REALLY shocking DMZ setup, you're going to leave this attack with nowhere to go just by changing from the default password. There might be a second exploit in the form of a dictionary attack tacked on to the end, but that's not what the article is about.

    It's not that big a deal. It's a headline of the type you're likely to find in the Daily Mail: sensationalist and inaccurate. There might be more info in the future which justifies the grandeur of the statement, but right now (pre-Black Hat) it's just bullshit sensationalist speculation from Slashdot's specialist on the matter.

    (Yeah, I'm getting a chip on my shoulder about this guy.)
  • by lyinhart (1352173) on Friday July 16, 2010 @09:56AM (#32925548)
    Nope. According to the article, OpenDNS doesn't make a difference and DD-WRT v24 was one of the router firmwares that was successfully exploited.
  • by Anonymous Coward on Friday July 16, 2010 @09:56AM (#32925552)
    Right, it's not a hack at all. It's just a method to access it...

    The idea is probably that a script on a webpage that could try to hack it can't go to it because it is not part of the same website (security settings), but with round-robin dns numbers (or subdomains?), you can make a domain that points to a website with an 'attack script' (the method of attack left open 'as an exercise for the reader', I guess?), and where the other dns entries point to the various possible ip addresses of routers ( for example), and then let the script repeatedly try to connect to the same domain until a router login page shows up...

    Whooptydoo. That's not a hack, because you're still at the login prompt. Get past the login prompt on 'millions of routers', then it's a hack. Now it's just a method to deploy a hack if they had one, but they don't.
  • by homes32 (1265404) on Friday July 16, 2010 @09:59AM (#32925586)

    Just had to post that everyone should be running OpenDNS and if possible DD-WRT or Tomato (for homes). You just can't beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.

    And that no one else knows how to use. Let's face it: most users don't even know that it's possible to log in to their "wireless box" and change settings, let alone replace the firmware with a 3rd party distro. As far as they're concerned, the guy that installed the internet just plugged it in and it needs to be there or their laptop can't get internet. Don't get me wrong, I love Tomato, but saying "everyone should run [insert some firmware here]" is not a solution to the problem. The problem is the idiot tech (and in some cases, non-tech people smart enough to set up their own router) not changing the default password on the router when he installs it.

  • by anamin (796023) on Friday July 16, 2010 @10:02AM (#32925604) Homepage

    And yet DD-WRT is on the list of vulnerable firmware.

  • by DrgnDancer (137700) on Friday July 16, 2010 @10:26AM (#32925888) Homepage

    A dictionary attack using JavaScript in your own browser? Even assuming there is no lockout time for login attempts built into the router that would take fricking forever, and it would be interrupted the moment you closed your browser. This seems like it would be a vector for a firmware bug attack or for an attempt at obvious default passwords. Otherwise it would almost certainly fail.

  • by Passman (6129) on Friday July 16, 2010 @11:17AM (#32926522) Homepage Journal

    As someone pointed out in a comment on the Forbes story, this exploit can only affect you if you are getting DNS through the router.

    Simply using a static IP & DNS for your computer on your local network would make you immune to this. In situations where using a static IP is not possible (a friend's house, public wifi, etc.) just set your DNS servers statically and you should be fine.

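As an added example (not from the article, Heffner's tool, or any commenter), the two places a defender can break the pattern the Anonymous Coward comment describes: a resolver-side filter that refuses private-address answers for non-local names (the behaviour behind dnsmasq's --stop-dns-rebind), and a router-side Host-header check, which is the reason a rebinding request can reach the router's web server and still be refused. The local suffixes, addresses and host names below are constructed for the example.

```python
"""Defender-side checks against DNS rebinding toward a home router."""
import ipaddress
from typing import Iterable, List

# Ranges a public DNS name has no business resolving to on a home LAN
# (RFC 1918, loopback, link-local, ULA). Constructed list for this example.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_private(addr: str) -> bool:
    """True if the address falls inside one of the private ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _PRIVATE_NETS)


def rebind_answer_allowed(qname: str, answer: str,
                          local_suffixes: Iterable[str] = ("lan", "local")) -> bool:
    """Resolver-side filter: a private address is only an acceptable answer
    for a name under one of the local suffixes (assumed: .lan / .local)."""
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in local_suffixes):
        return True
    return not is_private(answer)


def filter_answers(qname: str, answers: List[str]) -> List[str]:
    """Apply the filter to a round-robin answer set, keeping only safe records.
    Constructed scenario: a public name that alternates between the attacker's
    web host and a LAN address is stripped of the LAN address."""
    return [a for a in answers if rebind_answer_allowed(qname, a)]


def host_header_allowed(host_header: str, own_hosts: Iterable[str]) -> bool:
    """Router-side check: after a rebind the browser still sends the attacker's
    domain in the Host header, so a web UI that only serves requests whose
    Host names the router itself refuses the request even though the TCP
    connection reached it. Handles host:port and bracketed IPv6 literals."""
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end < 0:
            return False
        host = host[1:end]
    else:
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in own_hosts}
```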
  • by X.25 (255792) on Friday July 16, 2010 @11:27AM (#32926642)

    I really miss the good old days, when presentations given at security seminars were revolutionary and technical.

    How the hell can a mediocre presentation (more related to statistics than security) make it into Blackhat?

    Oh, I forgot that Blackhat hasn't been a conference but a business, for a long time now.

  • by GooberToo (74388) on Friday July 16, 2010 @11:48AM (#32927012)

    And yet to be topical, the article is complete bullshit.

    In order to be compromised, you must first be compromised! Well, no shit! The author then goes on to explain that this is easy because most people don't change their router's password.

    So to summarize the story, if your system is easily compromised, expect to be further compromised. If your system is not compromised, then nothing has changed. In other words, people who don't lock their door in high crime areas experience higher rates of property theft. News at 11.

    I personally don't find this interesting, let alone newsworthy.

  • by mzs (595629) on Friday July 16, 2010 @12:38PM (#32927704)
    img src=""
  • by BrokenHalo (565198) on Friday July 16, 2010 @12:45PM (#32927836)
    Funny, that's what Zyxel modems by CenturyLink default to. They also happen to have Telnet and Web Access enabled by default to the internal and external world.

    I've never heard of that manufacturer, but that's just plain bad, not sad. Telnet was useful back in the days when the internet was so small, many of us users actually knew each other, but I can't think of a single legitimate reason (excuse) to allow it to run now.
  • by Magic5Ball (188725) on Friday July 16, 2010 @01:22PM (#32928408)

    > in total about 10 thousand euros of lost sales for Cisco/Linksys because of that one crap router they saddled me with for Christmas 2008

    So their filter against non-profitable clients has worked as expected.

    Each time a human at Linksys touches a customer, the company incurs at least 5 euro in costs. Since Linksys relies on retail volume and not consultation for their consumer sales, it's to their financial advantage to never hear from customers once the sale has been made, and especially to their advantage not to have to respond to unending lists of complaints or questions from detail-oriented customers. That same 10,000 euro of kit sold to 200 customers who do not generally know enough to complain is much more profitable to Linksys than if it were sold to you since you have both the aptitude and time to complain, but not effectively. (If you had complained effectively, you would have received a successful resolution from Linksys and both parties would have benefitted directly.)

    Instead, they've successfully outsourced through you, and with no compensation to you, a few hundred euro of support costs to their competitors, and avoided losing their very thin margin on 10,000 euro of sales. And since you only deal in 10,000 euro of kit a year spread out over many sites and much time (and thus many purchase orders and incidents requiring human intervention), you're no big future loss either since selling one 10,000 euro pizza box to one customer is about 10 minutes of work for anyone in corporate sales, plus they would get to sell a support contract to go with it.