Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Networking Hardware

Bugs In Belkin Routers Allow DNS Spoofing, Credential Theft 48

Trailrunner7 writes: The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers. The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware, as well. The vulnerabilities have not been patched by Belkin, the advisory from the CERT/CC says there aren't any practical workarounds for them. "DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control," the advisory says.
This discussion has been archived. No new comments can be posted.

Bugs In Belkin Routers Allow DNS Spoofing, Credential Theft

Comments Filter:
  • good news (Score:5, Funny)

    by Anonymous Coward on Tuesday September 01, 2015 @01:39PM (#50438463)

    Good news: an upgrade is available. Bad news: it is a hardware upgrade.

    • Bugs? In a Belkin product? Say it ain't so!

    • Just upgrade to DD-WRT or OpenWRT. Who still uses manufacturer-provided router firmware anyway?

      • Re:good news (Score:5, Informative)

        by mr_jrt ( 676485 ) on Tuesday September 01, 2015 @02:51PM (#50438961) Homepage

        (Potentionally) Not for long... [hackaday.com]

      • by Bert64 ( 520050 )

        I don't understand why manufacturers insist on bundling their own crappy firmware anyway...

        It always has less features than dd-wrt, costs them money to develop and maintain (which they then try to minimize, thus making the firmware even worse), and generates bad publicity when their corner cutting invariably comes back to bite them in the ass through security holes and bad publicity...
        They would all be much better off just bundling dd-wrt and using the money they would have spent on development to contribut

        • by tlhIngan ( 30335 )

          I don't understand why manufacturers insist on bundling their own crappy firmware anyway...

          It always has less features than dd-wrt, costs them money to develop and maintain (which they then try to minimize, thus making the firmware even worse), and generates bad publicity when their corner cutting invariably comes back to bite them in the ass through security holes and bad publicity...
          They would all be much better off just bundling dd-wrt and using the money they would have spent on development to contribut

          • You're forgetting about Buffalo. They have a whole line of routers running DD-WRT from the factory.

        • I've long considered starting my own company manufacturing and selling routers, and simply using OpenWRT for the default firmware. Ideally employ a programmer to maintain a branch for my hardware, but of course contributing everything to the open source project and keeping nothing proprietary. The problem is that there isn't really a market for it - the vast majority of people simply don't care.
    • Unfortunately you appear to be correct [openwrt.org].

      I don't get why manufactures don't just don't put effort into getting OpenWRT, or DDWRT on their routers since it seems like it would be less effort than maintaining their own shit pile of code. For those few consumers who care it would make their lives easier while the vast number of general user wouldn't know the difference.
  • If you care enough to compromise the upstream WAN the router is fucked anyway.

  • Turn off all automatic upgrades. Do it manually, verifying the source in the process.

  • There was just a vulnerability reported not long ago on Slashdot and another one was just a few weeks before that as I recall. Is there an uptick in crappy code or is there just more eyeballs on routers now than there used to be?

  • is a firewall for the firewall.

    I just don't understand how people who design commodity networking gear can be so bad at network security.

    I am by no means a network expert, but it seems as though some of these things are just common sense....

    - Don't have ports open to the Internet ("stealth" or otherwise) by default
    - Don't use unencrypted protocols... period
    - Don't enable wireless by default

    Seems like just doing those things our routers would be a lot safer than they are now.

    • I just don't understand how people who design commodity networking gear can be so bad at network security.

      Really? Pick any of the following:

      Lazy, incompetent, cheap, unaccountable, indifferent, greedy

      Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.

      At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy,

      • Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.

        At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy, incompetent, cheap, unaccountable, indifferent, and greedy.

        It's a company's **job** to be greedy. Their sole purpose is to make money, so anything that detracts from that is by definition a bad thing.

        T

        • But surely if the product starts to function in a degraded manor because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...

          • But surely if the product starts to function in a degraded manor [sic] because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...

            That's not a problem for two reasons:

            1) People are stupid. They'll just buy another one, blame "the hackers", etc.

            2) Even if the company's reputation gets dragged through the mud, it won't matter because the CEO will have already left with his golden parachute. The only thing that's important is t

      • The thing is, they don't necessarily need to be that good at network security. They can write the crappiest code in the world but it doesn't take a genius to create a simple iptables rule to block all new incoming traffic. Or to use HTTPS when checking for new firmware. The little Linux distro they are probably using (because they are cheap) has this functionality. No extra coding or time required.

        It seems to me that if you have the knowledge to design the hardware, you know networking.... where is the disc

        • It seems to me that if you have the knowledge to design the hardware, you know networking.... where is the disconnect?

          Was I unclear?

          Lazy, incompetent, cheap, unaccountable, indifferent, greedy

          Choose any of the above. It really is that simple.

    • I just don't understand how people who design commodity networking gear can be so bad at network security.
      I am by no means a network expert, but it seems as though some of these things are just common sense....

      To you maybe, but not to a manager.

      - Don't have ports open to the Internet ("stealth" or otherwise) by default

      But then their back doors won't work.

      - Don't use unencrypted protocols... period

      But then some idiot customers will complain.

      - Don't enable wireless by default

      But this makes it easy for idiot c

    • is a firewall for the firewall.

      I just don't understand how people who design commodity networking gear can be so bad at network security.

      Another response to your inquiry handles the cynical/pragmatic answer, but there's another half to it: Unfortunately, 'commodity networking gear' has to work for the same type of people who install 'flashlight' apps on their phones that require access to contacts and GPS. If you and I had our druthers, SOHO routers would ship with DD-WRT or PFSense out of the box...but unfortunately, these boxes get sold at Wal-Mart...to the kinds of people who buy routers at Wal-Mart.

      I am by no means a network expert, but it seems as though some of these things are just common sense....

      Pull 100 people off the sidewalk and as

      • - Don't have ports open to the Internet ("stealth" or otherwise) by default

        Okay. And precisely how do you expect Skype to work? FaceTime? Windows Update? POP/IMAP e-mail? watch all that traffic shuffle over 80 and 443, thus making 'ports' useless...or the applications, in the short term. Saying 'screw FaceTime' is a guaranteed way to ensure that people blame the router, and replace it with something basically mirroring what the router does now.

        I meant this from the perspective of the router itself. All too often routers have remote management turned or ports that appear filtered to a scan but are really just waiting for a "magic packet" in order to initiate a remote console.

        - Don't use unencrypted protocols... period

        That's beyond the scope of responsibilities for a router. With respect to the greater internet, kindly inform me why Windows/Android/iOS Updates need to be encrypted...or Netflix streams (DRM notwithstanding)...or a dozen other kinds of data that are high volume and don't have security requirements...there's no need to waste CPU cycles on them.

        Again, from the perspective of the router. When you go to check for new firmware, use encrypted protocols.

        - Don't enable wireless by default

        A wireless router that ships with wireless disabled...you must be delusional. Remember, there are a whole lot of laptops being sold now that don't have wired capabilities...and cell phones and tablets don't have them at all. People buy routers explicitly for this purpose, and disabling it by default is a guaranteed way to ensure that people return them saying "it doesn't work", the high rate of returns making the entire retail chain roll their eyes, the brand getting a bad reputation, and being suicide for the product. No. Netgear has this right - ship it with a unique WPA2 password, by default, written on the bottom of the router. That is how the wireless problem is, for all practical purposes, solved.

        Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion, or do as you suggest, ena

        • Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion

          A CD??? What is someone who only has iPads and iPhones supposed to do with a CD? Or what about someone whose laptop doesn't have an optical drive (which is a lot of them these days)?

          Next, you're going to suggest they ship with a floppy disk.

  • Saw this posted

    http://hackaday.com/2015/08/31... [hackaday.com]

    It is for 5GHz but if they can get away with 5Ghz why not 2.4

    So if that ever happens, I may become a criminal, flashing my own router to protect myself.

    • 1. Buy PC hardware (SuperMicro atom board of your choice off ebay + PicoPSU is a great starting point): $100-150
      2. Get PCIe > miniPCIe adapter with antennas included ~$25
      3. Get wifi card that supports AP mode: $30-100 depending on how much you want to spend.
      There, for as low as $150 you have a device that can run whatever OS you want and will have far better routing performance than a crappy home router (their CPUs are so awful that they need NAT accel hardware to NAT at line speeds). The only thing
    • That's always the first thing I think of when I hear "Belkin". I haven't bought any of their products over the last 12 years. I didn't know many people still did, I'm a little surprised they're still making things with their brand on them.

  • I attempted to report a similar issue to Belkin last October via their forums and asked if they would be providing an update. They not only deleted my post, they deleted the account that I had to set up to make the post. I took that as an emphatic 'NO', there would not be an update.

Every program is a part of some other program, and rarely fits.

Working...