New Attack Hijacks DNS Traffic From 300,000 Routers
nk497 writes "Florida-based security firm Team Cymru said it was examining a widespread compromise" of 300,000 consumer and small office/home office (SOHO) routers in Europe and Asia. The DNS server settings were changed to a pair of IP addresses, which correspond to Dutch machines that are registered to a company that lists its address in central London. The attack highlights the flaws in router firmware, the researchers said. 'It's not new as an issue to the InfoSec community but this is one of the biggest we've seen recently as it's quite insidious,' Cymru's Steve Santorelli said, adding the hack could let the attackers conduct man in the middle attacks, impersonating your bank, for example."
Re: (Score:1, Funny)
No I'm not!
Impersonating a bank is easy (Score:1)
Re:Impersonating a bank is easy (Score:5, Funny)
So how to impersonate a bank ? (Score:1)
That's forming a bank, not impersonating one
Alright wiseguy, share with us details on how to impersonate a bank then ...
Re:So how to impersonate a bank ? (Score:5, Funny)
Alright wiseguy, share with us details on how to impersonate a bank then ...
https://www.mtgox.com/ [mtgox.com]
Comment removed (Score:4, Interesting)
Re:Exploit, or dumb users? (Score:5, Interesting)
And just how are these 300,000+ routers being reprogrammed to use alternate malicious DNS settings? Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?
Either is quite possible, though default password issues require that a PC on the LAN already be infected.
Newer routers, especially the router/modem combo units, seem to have a randomly generated password that's printed on the device label. They also tend to come with WPA2 turned on with another randomly generated password that's also on the label. Proof that you can make devices more secure by default.
Re: (Score:2)
Yes, but even then, it would be orders of magnitude more difficult to hack the modems than if the passwords were all just "Admin". A targeted attack would still be plausible, but the mass hacking of hundreds of thousands of routers would be a lot more difficult.
Re: (Score:3, Insightful)
Re: (Score:2)
I'd be happy with silent automatic updates for routers, with an option in the menus to turn them off. Most users would just keep it on and be protected. Windows is like that, automatic updates on by default and more or less silent.
Re: (Score:2)
I just saw a new AT&T subscriber where its Motorola 3347 router allowed it to be managed via the WAN port. But it does have the password set to a number on the label. Most routers today are capable of TR-069 so the ISPs are more than capable enough to do this management. But do they?
Re: (Score:2)
Either is quite possible, though default password issues require that a PC on the LAN already be infected.
No. This guy mapped the entire IPv4 Internet using a bot-net running inside routers only linky link [sophos.com]. Apparently he just used the default root:root or admin:admin to build the bot-net. Point being, he never used the infrastructure behind the routers, only the routers themselves.
From there it's not hard to imagine how you would go about changing the DNS settings on the router, and you could expand the bot-net if you know the algorithm the default passwords on newer routers are created with.
Re:Exploit, or dumb users? (Score:5, Informative)
Some had the management UI accessible from the Internet, letting botnets probe routers and try common passwords directly (consumer routers have poor intrusion-reporting capabilities so the attempts are likely to go unnoticed). The majority, though, had URLs that can be accessed to change settings without requiring authentication. So the bad guys set up a site that exploits cross-site scripting bugs to cause your browser to access those URLs on the router when visiting the web site. That let them change the DNS servers without needing to crack the password, and the technique works no matter how strong a password you've set. The only way to avoid it's to avoid any router whose firmware's vulnerable. If you've got a vulnerable router that's supported by DD-WRT or OpenWRT, flashing the router with them's an option. The worst case is you brick the router and have to buy a new one, which is what you'd have to do if you didn't re-flash it.
Re: (Score:2)
Re:Exploit, or dumb users? (Score:5, Interesting)
No, as noted in the article they did not need to be logged into the router since the URLs used didn't require credentials. Yes, it's a horribly huge hole in security. Yes, it was left in undoubtedly because "the only way to get to those pages is through the login page so it's secure". Yaright.
Re: (Score:2)
Could have been an authentication cookie set by the router's web server when you first logged in. If the router accepted that cookie as valid after the reboot, you wouldn't need to log in. I'd think a well-designed router would invalidate authentication cookies on a reboot.
Re: (Score:1)
Re: (Score:2)
You don't have to save passwords. DD-WRT uses HTTP Basic authentication, so once you've logged in, the browser will continue to send the authentication header with every request for a path that the router's said requires authentication. The router doesn't need to remember any sessions for this to work; once you've entered the credentials for a given authentication realm and path, the browser will retain them until you completely close and re-open the browser or clear the active logins data or until the r
Re: (Score:2)
"The only way to avoid it's to avoid any router whose firmware's vulnerable."
Or, to never rely on a "router" that costs less than £100/$200 except as nothing more than a modem to your real setup.
I realise home guys can't necessarily set that up but, really, it's not the "only" way to avoid it. Just don't rely on some cheap piece of junk - that's designed so that Jim doesn't have to hear modem screeches - to get on the net and be your only barrier against it.
Haven't yet seen a router that doesn'
Re: (Score:2)
Please show me where I say that double-NAT adds any security whatsoever.
I'm proposing the idea that you don't even need to use DMZ and/or forwarding in order to send packets to a REAL router that can do the job better. Literally let a "proper" router have its "external" IP be picked up from the cheap-piece-of-crap "internal" DHCP range. Double-NAT, but means you have a secure internal network behind a real-router.
The fact that growing numbers of people ARE behind double-NAT (carrier NAT and then their rou
Re: (Score:2)
You know, I tried a commercial-grade NAT-capable router, designed with two WAN ports with the ability to do routing to different networks, or failover, or load balancing, and the thing had a firmware programming error
Re: (Score:3, Funny)
Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?
FTFS: The attack highlights the flaws in router firmware
I'll admit, I'm a weirdo.
I read more than the headline before I comment.
Re: (Score:2)
Bank account hijacking is impossible (Score:3)
My bank is secure!!1!!!!
Between generous application of padlock GIFs designed to make me feel safe and an account-specific image letting me know I'm logging into my bank and not some imposter bank... it would be impossible to get hacked. They even say so on their web site.
Remember years ago feeling bored and actually getting ahold of one of their "IT" guys, informing him of the dangers of requesting credentials directly from a home page loaded via HTTP... His response was ... drumroll... it is posted to a secure site so the credentials are encrypted and can't be compromised.
There is no arguing with stupid or those who willfully subvert browser security features for marketing and/or checking off security boxes on the compliance chart even if you (should) know better.
Re: Bank account hijacking is impossible (Score:1)
The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the form's action sends data via https.
Re: (Score:2)
The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the form's action sends data via https.
If the original form is not delivered with SSL, you cannot know that the server that sent the form is authentic. The form could be a modified version that posts anywhere, and SSL will have done nothing to protect you. Remember that it is not just encryption, but also a system to establish trust.
Re: (Score:3)
The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the form's action sends data via https.
A non-HTTPS login page could be modified to submit the data to a different server instead of the bank's - by the time you realise, it's too late. Or some JS could be embedded in the page to send the data to a third party *as well* as the bank, and you'd never spot that unless you had Firebug open. The latter attack can also be carried out by embedding HTTP objects in an HTTPS page, which isn't especially visible to the end user.
Re: (Score:2)
The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the form's action sends data via https.
but that's not the point.
the point is that the page you're typing on them might actually be any friggin bozo and consequently the javascript on that page might be sending it wherever whoever MITM'd the page load wants..
Re: (Score:2)
My bank is secure!!1!!!!
Between generous application of padlock GIFs designed to make me feel safe and an account-specific image letting me know I'm logging into my bank and not some imposter bank... it would be impossible to get hacked. They even say so on their web site.
Remember years ago feeling bored and actually getting ahold of one of their "IT" guys, informing him of the dangers of requesting credentials directly from a home page loaded via HTTP... His response was ... drumroll... it is posted to a secure site so the credentials are encrypted and can't be compromised.
There is no arguing with stupid or those who willfully subvert browser security features for marketing and/or checking off security boxes on the compliance chart even if you (should) know better.
Meanwhile I was reasonably impressed by HSBC, who fixed their website in about a day when I told them they were including HTTP objects in the HTTPS login page. That said, they still include some objects from third party servers, over HTTPS (notably, Google advertising). IMHO the browser should warn you if there are any objects on an HTTPS page that aren't covered by the certificate displayed in the address bar.
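The three conditions argued over in this sub-thread (a login form delivered over plain HTTP regardless of its action, http:// objects inside an HTTPS page, and HTTPS objects from a host other than the one in the address bar) can be checked mechanically. The scanner below is an added example, not code from any bank or from the posters; the page URLs, host names and markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class MixedContentScanner(HTMLParser):
    """Flags a login form served over plain HTTP (whatever its action is),
    http:// sub-resources on an HTTPS page, and HTTPS objects from other hosts."""
    SRC_TAGS = {"script": "src", "img": "src", "iframe": "src",
                "link": "href", "object": "data", "embed": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page = urlsplit(page_url)
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            if self.page.scheme != "https":
                # The page carrying the form was never authenticated, so the form
                # (and any script next to it) may have been altered in transit.
                self.findings.append(("form-on-http", a.get("action", "")))
            return
        attr = self.SRC_TAGS.get(tag)
        if not attr or not a.get(attr):
            return
        url = urljoin(self.page_url, a[attr])   # resolves "/x" and "//host/x" forms
        target = urlsplit(url)
        if self.page.scheme == "https" and target.scheme == "http":
            self.findings.append(("http-object-on-https", url))
        elif self.page.scheme == "https" and target.netloc != self.page.netloc:
            self.findings.append(("third-party-object", url))

def scan(page_url, html):
    p = MixedContentScanner(page_url)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample pages (not any real bank's markup)
HTTP_HOME = ('<html><body><form action="https://bank.example/login" method="post">'
             '<input name="user"><input name="pass" type="password"></form></body></html>')
HTTPS_LOGIN = ('<html><head><script src="http://cdn.example/track.js"></script>'
               '<link rel="stylesheet" href="/style.css"></head>'
               '<body><img src="//static.example/padlock.gif"></body></html>')

if __name__ == "__main__":
    for url, page in (("http://bank.example/", HTTP_HOME), ("https://bank.example/login", HTTPS_LOGIN)):
        print(url, scan(url, page))
```

Note that the scheme-relative `//static.example/padlock.gif` resolves to https on an HTTPS page, so it is reported only as a third-party object, not as mixed content.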
wrong (Score:2)
Re: wrong (Score:1)
That is trivially broken.
You need out of band preshared secrets, like a physical OTP dongle, or a paper slip with OTP keys. Otherwise you are just deluding yourself.
Re: (Score:2)
By far the best security measures I have seen for banks are:
1. Devices that look like the machines you see at retailers that you use to pay with credit/debit/bank cards (but connect via USB or Bluetooth to a PC or phone) and that take your card and PIN and securely encrypt it all before sending it to the bank, meaning even a compromised local PC/phone won't give an attacker any ability to steal money
and 2.A device that looks like a calculator where you input the account number and transaction amount for the t
Re: wrong (Score:5, Interesting)
The system used by most Swedish banks:
* The bank website gives you a random number as a challenge
* You input the number to a device together with your PIN (some banks also require you to insert your card into the device)
* You get a new number from the device that you input on a web page
The web pages are obviously encrypted with HTTPS using an EV-SSL certificate.
It used to be that the challenge was an account number or an amount but that is no longer the case due to the possibility of a replay attack.
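A constructed model of the challenge/response flow described above, added here as an example; it is not any Swedish bank's actual protocol. It assumes the device key is derived from a per-card secret plus the PIN and that the response is an HMAC truncated to 8 digits. It shows why the challenge must be random and single-use (the replay problem mentioned in the post), and, as raised elsewhere in this thread, that the response proves the user to the bank but nothing to the user about the bank.

```python
import hashlib, hmac, secrets

def derive_key(card_secret: bytes, pin: str) -> bytes:
    # Assumed key derivation: what the device holds, combined with what the user knows.
    return hashlib.sha256(card_secret + pin.encode()).digest()

def device_response(challenge: str, key: bytes) -> str:
    """What the hand-held device shows after the user types in the bank's challenge."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class BankServer:
    def __init__(self, key: bytes):
        self.key = key          # in a real bank this lives in an HSM, not in memory
        self.pending = set()    # challenges issued but not yet answered

    def issue_challenge(self) -> str:
        # A fresh random challenge every time. Using the account number or
        # amount as the challenge (as the post says some banks once did) makes
        # the correct response reusable, i.e. replayable.
        c = f"{secrets.randbelow(10**8):08d}"
        self.pending.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.pending:
            return False                    # never issued, or already consumed
        self.pending.discard(challenge)     # one attempt per challenge, pass or fail
        expected = device_response(challenge, self.key)
        return hmac.compare_digest(expected, response)

# Limitation: the response depends only on the challenge and the key. Any site
# that relays the bank's challenge to the user receives an equally valid
# response, so this scheme does not authenticate the bank to the user.

if __name__ == "__main__":
    key = derive_key(b"constructed-card-secret", "4711")
    bank = BankServer(key)
    c = bank.issue_challenge()
    r = device_response(c, key)
    print("first use:", bank.verify(c, r), "replay:", bank.verify(c, r))
```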
Re: (Score:2)
Want to know what's funny? The majority of banks worldwide don't have that method of security, most don't even use or supply some form of key code challenge using a keypass generator. But, you take a look at a whole pile of MMO's out on the market, and in Blizzard's case their entire gaming front-end and you have a remote authenticator.
What does that say about the general security of banking? Not much. Especially when a company like Blizzard effectively gives their authenticators away and you pay for sh
Re: (Score:2)
Even that does not help. These mechanisms only authenticate you to the bank, not the bank to you. A spoof bank site could still request the OTP password or output from the dongle and accept whatever response you give.
Re: (Score:1)
If by unbelievably targeted attack you mean any of the lowest common denominator of malware that is so fucking frequent it's even routinely used in corporate security....
- basic memory scanning... that'll work, used by antivirus
- setting a proxy in your browser and adding a single extra CA to the list... that'll work... used by network scanners
- dns hijacking + extra CA... that'll work (yes, your router is easy to jack the DNS of, and your computer probably is poisonable).. used by network scanners
- https s
Re: (Score:2)
Why mostly EU & Asia? (Score:2)
Could it be the chances of grabbing a really fast internet connection are better there than in the US?
In any case, my thanks to the OpenWrt folks!
Re: (Score:2)
Gov watching dissidents, protesters and method was repurposed by others after EU based contractors work leaked?
Or just something in the easy default telco setups in that region that made something very easy?
Or a widespread use covers very unique actions once exposed and Asia or the EU.
It could be new or old firmware that was used that made it easy to get around hard user changed
use opendns (Score:2)
and make http://www.opendns.com/welcome/ [opendns.com] your homepage
Client settings should override router defaults
To be even safer use OpenWRT https://en.wikipedia.org/wiki/OpenWrt [wikipedia.org]
Re: (Score:2)
FWIW, they also offer a way to use encryption [opendns.com] with their infrastructure
Windows, Mac & Linux clients are available
Re: (Score:2)
Was this attack IPv4 only or... (Score:2)
Was this attack done only on the IPv4 addresses of routers, or on the IPv6 addresses of dual stack routers as well? Just wondering whether that could have been averted that way.
Wondering whether this attack would have overlooked routers that were on IPv6-only networks
Use alternative DNS? (Score:1)
Am I right in thinking that this would be mitigated by use of OpenDNS, or Google's 8.8.8.8 or similar?
Commercial SOHO routers scare me . . . (Score:2)
Considering the scope of corruption (Score:1)
I would say it's most likely a state agency involved in this.
What to do? (Score:2)
Is there any way to tell if your router has been compromised?
Re: (Score:2)
Check your router's and your PC's DNS settings.
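An added example of that check (not from the article or the posters): it pulls the resolvers a host is actually using out of resolv.conf (Linux/Mac) or `ipconfig /all` output (Windows) and flags anything that is neither the LAN router nor a resolver you chose yourself, such as the OpenDNS and Google addresses mentioned in this thread. The sample outputs are constructed, not captured from a real hijack; a LAN-router result still means the router's own upstream DNS setting needs to be checked.

```python
import ipaddress, re

TRUSTED = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}  # Google, OpenDNS
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_resolv_conf(text: str) -> list:
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def parse_ipconfig(text: str) -> list:
    # "DNS Servers . . . : a.b.c.d"; further servers follow on indented lines
    # holding only the address. Those may be IPv6, so a bare ':' is not a field
    # marker; a new field is recognised by " : " or by a non-indented line.
    servers, grab = [], False
    for line in text.splitlines():
        if re.match(r"\s*DNS Servers", line):
            grab, line = True, line.split(":", 1)[1]
        elif grab and (" : " in line or not line.strip() or not line[0].isspace()):
            grab = False
        if grab and line.strip():
            servers.append(line.strip())
    return servers

def classify(servers, trusted=TRUSTED) -> list:
    out = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s.split("%")[0])   # drop an IPv6 scope id
        except ValueError:
            out.append((s, "unparseable")); continue
        if any(ip in n for n in LAN_NETS):
            out.append((s, "lan-router"))   # now check the router's own upstream DNS
        elif s in trusted:
            out.append((s, "trusted"))
        else:
            out.append((s, "unexpected"))   # find out who runs it before trusting it
    return out

# Constructed sample outputs
RESOLV_SAMPLE = "# constructed\nnameserver 192.168.1.1\nnameserver 203.0.113.7\n"
IPCONFIG_SAMPLE = """Ethernet adapter Ethernet:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       198.51.100.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(classify(parse_resolv_conf(RESOLV_SAMPLE)))
    print(classify(parse_ipconfig(IPCONFIG_SAMPLE)))
```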