Linksys WiFi Gateway Remote Attack Risk Discovered

Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."

Has nobody noticed these ports being wide open?

[yebb]

Seems like a rather obvious issue, I'm suprised nobody noticed this before.

port fowarding

What happens if you are fowarding port 80 to an internal box? Thats what I currently do. If i access my external ip I get my webpage, I can only get my routers admin page by using its internal IP.

What if some script kiddie meshed them all?

[Baldrson]

The 32M RAM version of the WRT54G has enough capacity to run the current release of MeshAP. The problem is booting it off of the 8M of flash that is available on the WRT54G. You could overcome this by incrementally reflashing them to boot from the mesh itself. This would fix the security hole too.

Understand, I'm not advocating any kids actually do this -- its just a fun, if slightly whacked, idea.

Re:psst ...

[spoot]

Well, I just loaded my neighbors admin page on their linksys. Logged onto their non-wep wifi, loaded 192.168.1.1, and entered "admin" as the password. Bingo. Now I could screw with it if I wanted to, but that would just screw with my ability to use their network when I'm downloading pron on mine. It was all to easy. No scripting, no hacking, just obvious. I'll bet most (wi-fi) will be just like this. There are 3 wifi networks avaiilable from neighbors (homes) and none of them use wep or mac addresses.

does anyone know

[millahtime]

does anyone know if these are the access points they use at all those starbucks?

Re:psst ... OFFTOPIC

[digitalsushi]

I live in a mill building on both sides of a river. There's 310 apartments with about 700 to 1100 people, I guess. When I moved in during May 2003, there was 7 broadcasting wireless networks. When we renewed our lease this May, we warwalked it again and there were 22. Both times, about 60% were completely wide open, and about 75% of them were linksys devices. One fellow across the river must have a booster or something because his network punches through way too many walls. He would seem to be on the interior side, facing the river, and I can get him on the opposite side of his building, as well as into my own building on the opposite side of the river. My roommate's girlfriend lives down the hallway and she can see exactly 6 wireless networks. 3 are wide open.

With people giving away USB 802.11b cards for free, the temptation to steal all that free interenet is just well, it's inevitable that it gets used.

Oh, and we had this great idea! See, there's so many open wireless networks at our place, and so many people with open filesystem shares, that one of the things we do to make a little spare cash is that we use that unified network adapter linux has where you can bind interfaces together. It's a little sloppy but we effectively have an aggregate 12.0 megabit connection out, and 1.2 megabit connection in, from the internet over 4 wireless lans we connected to. Then we did some filesystem on a filesystem type things with the open file shares and made a psuedo RAID using the neighbor's unknowingly shared directories. We can sell 1.2 megabit webhosting for 12.95 a month with zero infrastucture costs. I guess if I had to describe it in a word I'd say that it's "sweet."