Slashdot Mirror


Linksys WiFi Gateway Remote Attack Risk Discovered

Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."
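The two conditions the story describes (the web admin interface answering on the WAN address, and the factory default of an empty username with password "admin") are easy to verify from the outside before anyone else does. The following is an added example, not code from the article or from Linksys: a small probe that connects to a gateway's address on 80 or 443, notes whether the page demands authentication, and then retries with the default credentials. It assumes the WRT54G web interface uses HTTP Basic authentication (an assumption, labelled in the code), and it ships with a constructed in-process mock router so it can be run offline; point `check_admin_exposure` at a real WAN address only for a device you own.

```python
"""Probe a gateway for an exposed web admin interface and test whether the
factory default credentials still work.  Added example, not from the article.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Defaults quoted in the story: empty username, password "admin".
DEFAULT_USER = ""
DEFAULT_PASSWORD = "admin"


def _basic_header(user, password):
    """Build an HTTP Basic Authorization header value (assumes Basic auth)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _get(host, port, headers=None, timeout=3.0):
    """One GET / request; returns the status code.  Raises on connect failure."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers=headers or {})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def check_admin_exposure(host, port=80, user=DEFAULT_USER,
                         password=DEFAULT_PASSWORD, timeout=3.0):
    """Return a dict describing what the admin interface at host:port exposes.

    reachable              - a TCP connection and HTTP response succeeded
    auth_required          - the page answered 401 (Basic auth challenge)
    default_creds_accepted - the supplied (default) credentials gave a 200
    open_without_auth      - the page was served with no challenge at all
    """
    result = {"host": host, "port": port, "reachable": False,
              "auth_required": False, "default_creds_accepted": False,
              "open_without_auth": False}
    try:
        status = _get(host, port, timeout=timeout)
    except (OSError, http.client.HTTPException):
        return result          # closed port, firewall, or not HTTP: not reachable
    result["reachable"] = True
    if status == 401:
        result["auth_required"] = True
        try:
            auth = {"Authorization": _basic_header(user, password)}
            result["default_creds_accepted"] = _get(host, port, auth, timeout) == 200
        except (OSError, http.client.HTTPException):
            pass
    elif status == 200:
        result["open_without_auth"] = True
    return result


class MockRouterHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a gateway admin page: Basic auth, one account."""
    expected = _basic_header(DEFAULT_USER, DEFAULT_PASSWORD)

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            body, status = b"<html><title>Setup</title></html>", 200
        else:
            body, status = b"401 Unauthorized", 401
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="WRT54G"')
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_mock_router(password=DEFAULT_PASSWORD):
    """Start the mock on 127.0.0.1 with a random port; returns (server, port)."""
    handler = type("Handler", (MockRouterHandler,),
                   {"expected": _basic_header(DEFAULT_USER, password)})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Demo against the constructed mock.  For a real device you would run
    # check_admin_exposure(<WAN address>, 80) from a host OUTSIDE the LAN,
    # since (as the thread notes) hitting the WAN IP from inside proves nothing.
    srv, p = start_mock_router()
    print("factory password :", check_admin_exposure("127.0.0.1", p))
    srv.shutdown()
    srv, p = start_mock_router(password="something-long-and-random")
    print("changed password :", check_admin_exposure("127.0.0.1", p))
    srv.shutdown()
```

The point of running the probe from a genuinely external host is the one comment 8 raises: the WAN address is often reachable from the LAN side even when the WAN port itself is filtered, so a test from behind the router can produce a false positive. A result of `reachable` with `default_creds_accepted` false means the password has at least been changed; `open_without_auth` means the page needs no login at all.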

17 of 311 comments

  1. Has nobody noticed these ports being wide open? by yebb · Score: 4, Interesting

    Seems like a rather obvious issue, I'm surprised nobody noticed this before.

    1. Re:Has nobody noticed these ports being wide open? by CaptainSuperBoy · Score: 2, Interesting

      I thought the same thing. There are literally hundreds of thousands of these things out there, and they've been on the market for probably 6 months at least. I'm assuming that not all of the WRT54G's are vulnerable.

  2. Port forwarding by Anonymous Coward · Score: 4, Interesting

    What happens if you are forwarding port 80 to an internal box? That's what I currently do. If I access my external IP I get my webpage; I can only get my router's admin page by using its internal IP.

  3. Firmware flash by thedillybar · Score: 2, Interesting

    Recent articles show that this little thing is pretty powerful. What stops someone from flashing a box, running an open relay, ftp server, web server, or anything else of the sort (besides a strong, non-default password)? Just what we need is spambots on these damn Linksys routers..

  4. What if some script kiddie meshed them all? by Baldrson · Score: 4, Interesting
    The 32M RAM version of the WRT54G has enough capacity to run the current release of MeshAP. The problem is booting it off of the 8M of flash that is available on the WRT54G. You could overcome this by incrementally reflashing them to boot from the mesh itself. This would fix the security hole too.

    Understand, I'm not advocating any kids actually do this -- it's just a fun, if slightly whacked, idea.

  5. Re:psst ... by spoot · Score: 3, Interesting

    Well, I just loaded my neighbors' admin page on their Linksys. Logged onto their non-WEP wifi, loaded 192.168.1.1, and entered "admin" as the password. Bingo. Now I could screw with it if I wanted to, but that would just screw with my ability to use their network when I'm downloading pron on mine. It was all too easy. No scripting, no hacking, just obvious. I'll bet most (wi-fi) will be just like this. There are 3 wifi networks available from neighbors (homes) and none of them use WEP or MAC addresses.

  6. Does anyone know by millahtime · Score: 3, Interesting

    does anyone know if these are the access points they use at all those starbucks?

  7. Re:How is this different from normal? by fabs64 · Score: 2, Interesting

    This always interests me: how people from other countries talk of how WEP is never turned on. I'm from Australia and every ADSL wireless router or whatever that I have seen has WEP on by default, and it comes with its own setup stuff on the CD that configures WEP without Joe User even realising it. So what is the case with routers where you come from? Do they just come with installation software that sets everything up automagically but for some insane reason doesn't configure WEP? Or is Joe User actually expected to set it all up himself, and that's why WEP never gets done?

  8. Re:Bugtraq submission by bhmit1 · Score: 2, Interesting

    This was followed up by multiple people saying it doesn't work. The most likely explanation comes from Jason Munro, who says:
    > Testing this issue with a recently purchased WRT54G here showed that while
    > I can access the web interface on the WAN IP from the LAN behind the
    > linksys, I can not access it from another location on the WAN side.

    Also, there were other replies saying that you could fix this by forwarding these ports to non-existent IPs if you were able to reproduce the issue.

  9. What a lot of worm flash food! by AndroidCat · Score: 2, Interesting

    Just think of the havoc that a Linksys flash worm would cause: a worm that searches out other vulnerable Linksys boxes, re-flashes them with the wormed software, and continues on while the offspring does likewise. Something like that would spread very rapidly and result in a lot of junked undead WiFi gateways.

    Anyone know of another WiFi gateway company that would be good to buy stock in? They might suddenly be getting a massive number of orders.

    --
    One line blog. I hear that they're called Twitters now.
  10. I don't think this is true by jridley · Score: 2, Interesting

    I have one, as do several of my friends.

    Pretty much the first thing I did when I took mine out of the box was to try to access port 80 and 443. No go.

    After seeing this, we tried again. None of us can access the box from the WAN port, only the LAN side.

    I wonder if this guy got a refurb or one that had been returned to a store after a user screwed with it?

  11. Re:things like this... by Albanach · Score: 1, Interesting

    > We sue architects

    Ah, great solution, "sue". Guess you must be American.

    As soon as folk start suing, FOSS goes out the window - remember the kernel this Linksys box runs is GPL'd and it's for that reason folk have been doing so many great things with it.

    Now you want every programmer, every kid who wants to release an application to take out public indemnity insurance. Why, because a user couldn't be bothered to RTFM and set a password. The user is at fault by not following the supplied instructions, but for some reason the programmer should be sued?

    > One day someone will be killed because of such complacency.

    If anyone is running a life critical system using a linksys wireless gateway then the system designer is certainly at fault. They're using a product in a situation it's not designed for. If, on the other hand, you're suggesting that every piece of software should be designed to the standards of life-critical appliances then I think you've been skipping your medication.

  12. Re:things like this... by BoneFlower · Score: 2, Interesting

    Bugs in software are inevitable... it's a fact of life.

    The only chance of having a bug free system is one organization having control of the entire system from hardware design, to the firmware, to the OS, the support libraries, and the application software. In the current IT world, where your hardware consists of generic components from half a dozen manufacturers, your OS from someone else, and application software and support libraries from other companies, none of which have influence over each other and have minimal if any chance to look at the detailed design of the other components it has to work with... Bugs are simply unavoidable. They can be minimized, and the effects minimized further, but they simply cannot be prevented with enough reliability for liability lawsuits to be remotely fair. It simply is not possible.

    Which, of course, is why computers where human life is at stake should be designed as complete units, or at the very least all parties involved should have access to all the documentation and source code of the other parties involved, so they can really dig deep and make sure they don't trip up on "noone in their right mind would EVER send that data to this function".

  13. Re:psst ... OFFTOPIC by digitalsushi · Score: 3, Interesting

    I live in a mill building on both sides of a river. There's 310 apartments with about 700 to 1100 people, I guess. When I moved in during May 2003, there was 7 broadcasting wireless networks. When we renewed our lease this May, we warwalked it again and there were 22. Both times, about 60% were completely wide open, and about 75% of them were linksys devices. One fellow across the river must have a booster or something because his network punches through way too many walls. He would seem to be on the interior side, facing the river, and I can get him on the opposite side of his building, as well as into my own building on the opposite side of the river. My roommate's girlfriend lives down the hallway and she can see exactly 6 wireless networks. 3 are wide open.

    With people giving away USB 802.11b cards for free, the temptation to steal all that free internet is just, well, it's inevitable that it gets used.

    Oh, and we had this great idea! See, there's so many open wireless networks at our place, and so many people with open filesystem shares, that one of the things we do to make a little spare cash is that we use that unified network adapter Linux has where you can bind interfaces together. It's a little sloppy but we effectively have an aggregate 12.0 megabit connection out, and 1.2 megabit connection in, from the internet over 4 wireless LANs we connected to. Then we did some filesystem-on-a-filesystem type things with the open file shares and made a pseudo RAID using the neighbors' unknowingly shared directories. We can sell 1.2 megabit webhosting for 12.95 a month with zero infrastructure costs. I guess if I had to describe it in a word I'd say that it's "sweet."

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  14. Re:Only 'moderately' critical ? by CharlieHedlin · Score: 2, Interesting

    I am one of millions on a cable modem with no NAT other than what my gateway provides. Glad that gateway isn't one of these.

    I don't know what your experience is, but the vast majority of DSL and cable modem services I have used implement no NAT whatsoever.

  15. That, I hadn't tried... by the_skywise · Score: 2, Interesting

    But in retrospect, my friend (whose apartment I had this trouble at) was using Windows 2000 and a Netgear wireless card's app and didn't have this problem... But we attributed it to Windows XP's new behavior over 2000... (which is sort of true...)
    I hadn't thought about using the linksys app... (which I had uninstalled because I didn't want all the icons cluttering up my start bar and, geez, Windows XP already provides those services anyway...)

  16. Re:So it ONLY happens IF the FIREWALL is DISABLED by LoadWB · Score: 2, Interesting

    It should, somewhat. At first I felt bad, like perhaps I *had* jumped the gun when I made my first report. Even after I went over my original notes, I still wasn't satisfied due to the fact that I was getting people who stated they could not reproduce this, while others said they could.

    So I put some more $$ into it and got three new ones. Sure as shit, it didn't work OTS, nor after flashing. So I spent some serious time trying to vindicate my original findings, which are now seemingly worthless.

    Because of that, I put out a follow-up as quickly as I could, detailing my experience with more recent hardware, admitting that the results from the tests in March were indeed dated.

    Then today I see my name and my original post blasted around, as if I had never posted the follow up to clarify the whole affair. Word travels fast, huh!

    Cisco/LinkSys never got back to me to help with troubleshooting after I made the results of my testing available to them, the firmware version on the website never changed, and I had the results of two new units on which to base my report. Once I collected responses to my post, I made the effort to keep from looking like an ass, and also to try to figure out why and if this would be coming from LinkSys as-is.

    What it boils down to is that some people may be able to reproduce this behavior off the shelf with v2.02.7. Others will only see this behavior after disabling the firewall. The bug certainly exists, but it doesn't seem to be entirely LinkSys's fault if that behavior makes it to the home user.