Slashdot Mirror


Linksys WiFi Gateway Remote Attack Risk Discovered

Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."

7 of 311 comments

  1. Only 'moderately' critical ? by Space+cowboy · · Score: 5, Insightful
    Security consultants Secunia rates the flaw as "moderately critical" and urged users to configure a strong password for the administrative Web interface or restrict access to the interface altogether.


    Whereas I (owning one of these boxes) rate the flaw as a combination of 'wide open', 'come and hack me, here I am', and 'criminally stupid'. What the [insert expletive] is the point of the 'turn off remote administration' option, if it doesn't turn off remote administration ??!!

    I always make sure I enter my own password into every system of mine that lets me. At least that way it's only ever *my* mistakes that will trip me up...

    Simon

    --
    Physicists get Hadrons!
  2. How is this different from normal? by Gothmolly · · Score: 5, Insightful

    Since 70%+ of the wireless users on my block do not activate WEP, or change the default channel, or use a non-default SSID, I'm willing to bet that nobody went through the effort to manually deactivate the admin interface, or change the password. You could argue that that is merely a de facto flaw, while the listed vulnerability is de jure, but from a practical perspective, this is no less secure than everything was anyway.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:How is this different from normal? by ideatrack · · Score: 4, Insightful

      You could argue that, but seeing as there are decent sysadmins out there (no really) who will have turned this feature off, it's pretty severe. Admittedly if I had turned it off, then I'd check to see if that was actually the case, but it's very easy to just believe the interface. After all, they'll have checked it before shipping it, won't they? Won't they?
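The check this comment describes (confirming that the "off" setting really closed the interface), as an added example that is not part of the original thread. Run it from a host outside your own network against your own router's WAN address; it probes ports 80 and 443 and sends no credentials. The function names and the documentation-range address are assumptions.

```python
import http.client
import socket
import ssl

ADMIN_PORTS = (80, 443)  # the two ports the story says stay reachable


def probe_port(host, port, timeout=3.0):
    """Classify one TCP port as 'closed', 'open' or 'admin-auth'.

    'admin-auth' means an HTTP server answered 401 with a
    WWW-Authenticate header: a password-protected web interface is
    reachable from where this script runs. No credentials are sent.
    """
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return "closed"  # refused, filtered or timed out
    try:
        if port == 443:
            # Routers ship self-signed certificates; we only want to
            # know whether something answers, so skip verification.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        challenged = resp.status == 401 and resp.getheader("WWW-Authenticate")
        conn.close()
        return "admin-auth" if challenged else "open"
    except (OSError, http.client.HTTPException):
        return "open"  # port accepts connections but did not speak HTTP


def audit_wan(host, ports=ADMIN_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def remote_admin_really_off(report):
    """True only if no probed port accepted a connection."""
    return all(state == "closed" for state in report.values())


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address; use your own WAN IP.
    print(audit_wan("203.0.113.10"))
```

A result from inside the LAN says nothing about the WAN side, so the script has to run from an outside connection.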

  3. things like this... by fabs64 · · Score: 5, Insightful
    Honestly, these sorts of completely blatant and downright dangerous security holes in software, I think, should pave the way for making developers culpable for damages incurred by defects in their software.

    I mean honestly, if a surgeon said that they sewed up a hole in your stomach but really didn't, they would be considered criminally negligent, wouldn't they? How is a company allowed to release something as obviously dangerous as this to the public without having some sort of liability?

    1. Re:things like this... by gclef · · Score: 5, Insightful

      There's a concept called "fitness for purpose" that I think applies here. If you used bicycle tires on a car, for whatever reason (price being an obvious one), if you then got hurt in your car, you'd have no one to blame but yourself. Bike tires aren't fit for use on a car.

      By the same logic, if you used a cheap, home-user piece of crap for a life-critical operation, you deserve to be sued into oblivion, since it wasn't designed for something critical. Personal firewalls like this Linksys thing are not suited for life-critical use, and everyone who knows what the hell they're doing should realize that.

      If you use a piece of software that is sold as "fit for this purpose" (like, using Windows-embedded health monitoring devices) and it fails due to a poor design, then you're right on...the vendor of that device should be sued.

  4. The reason the risk is "moderate" is... by Ath · · Score: 4, Insightful

    1) This problem is specific to one version of firmware. I can guarantee it has not been there in many of the versions I have used.

    2) It only affects units that have not had their default password changed.

    I agree it is a security risk but it should be kept in perspective. If a user does not change the password, that is not a design problem of the firmware. The only real problem is that the function to turn off remote administration on the WAN port stopped working in the specific release of firmware. The article does not mention which version of firmware this guy was using, so we cannot confirm it. I personally use a modified version of the Linksys firmware, of which there are now quite a few.

  5. Serial number as username and password? by Pascal+Sartoretti · · Score: 5, Insightful

    A basic problem with factory settings is the well-known usernames and passwords. Why not simply set them to the device's serial number?