Linksys WiFi Gateway Remote Attack Risk Discovered
Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."
Whereas I (owning one of these boxes) rate the flaw as a combination of 'wide open', 'come and hack me, here I am', and 'criminally stupid'. What the [insert expletive] is the point of the 'turn off remote administration' option, if it doesn't turn off remote administration ??!!
I always make sure I enter my own password into every system of mine that lets me. At least that way it's only ever *my* mistakes that will trip me up...
Simon
Physicists get Hadrons!
I am grabbing my laptop right now and going to my newfound open access point!
don't tell to my neighbour...
All your gateways are belong to us
"No matter where you go, there you are." -- Buckaroo Banzai
Seems like a rather obvious issue, I'm surprised nobody noticed this before.
Since 70%+ of the wireless users on my block do not activate WEP, or change the default channel, or use a non-default SSID, I'm willing to bet that nobody went through the effort to manually deactivate the admin interface, or change the password. You could argue that that is merely a de facto flaw, while the listed vulnerability is de jure, but from a practical perspective, this is no less secure than everything was anyway.
I want to delete my account but Slashdot doesn't allow it.
I mean honestly, if a Surgeon said that they sewed up a hole in your stomach but really didn't they would be considered criminally negligent wouldn't they? How is a company allowed to release something as obviously dangerous as this to the public without having some sort of liability?
1) 90% of the people that buy these are your basic at home user. They don't ever change the default settings. It's just a setup and go. There are 5 such ones in my apartment alone in range of my apartment
2) 99% of people aren't going to update the firmware when it comes out so this bug will be floating around for some time.
The average joe 6 pack needs to be forced to use the security with it. If you give it as an option then it many times will be ignored. Security needs to be made part of the setup and updates need to be easy to install.
Evolution or ID?
What happens if you are forwarding port 80 to an internal box? That's what I currently do. If I access my external IP I get my webpage, I can only get my router's admin page by using its internal IP.
How does changing the default password help if you don't turn on WEP? Can't someone get on the network using the default SSID (linksys) and sniff for passwords?
1) This problem is specific to one version of firmware. I can guarantee it has not been there in many of the versions I have used. 2) It only affects units that have not had their default password changed. I agree it is a security risk but it should be kept in perspective. If a user does not change the password, that is not a design problem of the firmware. The only real problem is that the function to turn off remote administration on the WAN port stopped working in the specific release of firmware. The article does not mention which version of firmware this guy was using, so we cannot confirm it. I personally use a modified version of the Linksys firmware, of which there are now quite a few.
Recent articles show that this little thing is pretty powerful. What stops someone from flashing a box, running an open relay, ftp server, web server, or anything else of the sort (besides a strong, non-default password)? Just what we need is spambots on these damn Linksys routers..
Manufacturer: LinkSys (a division of Cisco)
Product: Wireless-G Broadband Router
Model: WRT54G
Product Page:
http://www.linksys.com/products/product.as
Firmware tested: v2.02.7
In a recent client installation I discovered that even if the remote
administration function is turned off, the WRT54G provides the
administration web page to ports 80 and 443 on the WAN. The implications
are obvious: out of the box the unit gives full access to its administration
from the WAN using the default or, if the user even bothered to change it,
an easily guessed password.
I reported this to LinkSys (along with a number of other non-security
related issues) on April 28. I received no response addressing this, and no
updated firmware has yet appeared on their firmware page
http://www.linksys.com/download/firmware.as
To work around this, you can use the port forwarding (irritatingly renamed
to Games and whatever) to send ports 80 and 443 to non-existent hosts. Note
that forwarding the ports to any hosts -- including listening ones if you are
actually running servers -- will override the default behavior.
On a personal note, there are a number of reasons for which I am thoroughly
disappointed with LinkSys since the acquisition by Cisco. For the sake of
what was once a rock-solid product and great brand name, I hope things
change soon.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2@rateliff.net
(Office) 850/350-0260 : (Mobile) 850/559-0100
[System Administration][IT Consulting][Computer Sales/Repair]
-Tolerate my intolerance
...anyone dumb enough to leave the router with the default password deserves to be h4x0red. I assume that by now pretty much anyone that owns a computer knows the need to create their own password not only for their PC but other devices/peripherals.
Although, I tried changing mine to "penis" and it returned a message saying: "Password is too small."
Go figure...
Rican
Want a free iPod?
Understand, I'm not advocating any kids actually do this -- its just a fun, if slightly whacked, idea.
Seastead this.
I have one such router (HW revision 1.0, firmware 2.02.7) so I gave it a quick check (again ... I tested it when I bought it) and I can't get the remote administration page on the WAN. Currently, I only forward port 22 and I disabled the DMZ.
Thoughts on tech, Software Engineering, and stuff
Isn't it safe to say that if someone finds the "remote administration feature" and turns it off, they're also going to change the default password while they're in there? Or do people think oh, since you can't remotely administer this thing from outside, it doesn't matter? Sounds sketchy to me, I don't think it's going to be a big deal.
It has been my experience that if you use a combination of wireless and wired technology (ie, a carrier pigeon tied to a really long string so you can pull it back really fast--the cats really love to chase the carcass, but you'll get your data back without incident).
So what's the big deal here? If you change the password etc then the problem is solved right? Ohhh that's right you're talking about people not READING the damn manual telling them what they need to do!
Well tell you what, tough. You didn't read, you didn't listen, then pay the consequences. It TELLS you that you need to change the password etc and what you should do. If you choose not to do it, then face the consequences.
See a Red Light means stop, if you choose not to obey that and get in an accident and get hurt, well sorry but you pay the consequences of your actions.
I hate being so negative sometimes but damn, there comes a time when even the Big red letters nor the widespread panic across the news won't help.
Yes, I agree, the companies should make these things where you have to create a new password and username etc, but there's only so much they can do. B/c we all know that most people would leave the password field blank. I know this all too well as the CEO of my company has a blank password on his personal email addy.
does anyone know if these are the access points they use at all those starbucks?
Evolution or ID?
You can flash the firmware to one from sveasoft http://www.sveasoft.com and avoid the whole problem. You also get a nifty linux environ to work with.
Anyone know of another WiFi gateway company that would be good to buy stock in? They might suddenly be getting a massive number of orders.
One line blog. I hear that they're called Twitters now.
I have one, as do several of my friends.
Pretty much the first thing I did when I took mine out of the box was to try to access port 80 and 443. No go.
After seeing this, we tried again. None of us can access the box from the WAN port, only the LAN side.
I wonder if this guy got a refurb or one that had been returned to a store after a user screwed with it?
Most slashdot readers already know that there are a bunch of modified firmwares for the wrt54g, such as this one. You should also be aware that they are already backdoored/rootkit versions (a custom version of teso's adore for the wrt54g which will hide specific clients, processes, MAC addresses and connections). It should also be noted that vulnerable linksys access points are trivial to detect using kismet (runs on linux, *bsd, zaurus, wrt54g) or kismac (runs on Mac OS X).
A basic problem with factory settings is the well-known usernames and passwords. Why not simply set them to the device's serial number?
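A worked version of the per-device default suggested above, added here as an example and not code from the thread or from Linksys: using the printed serial directly would be weak (it is on the label and often sequential), so the password is derived with an HMAC keyed by a factory secret. The key, serial format and password length are all constructed assumptions.

```python
import base64
import hashlib
import hmac

# Hypothetical per-vendor secret that would live only in the factory
# provisioning system (constructed for this example; not a real key).
FACTORY_KEY = b"example-factory-provisioning-key"

# Shared defaults that the story says ship on every unit.
WEAK_DEFAULTS = {"", "admin", "password", "1234"}


def derive_default_password(serial: str, key: bytes = FACTORY_KEY, length: int = 12) -> str:
    """Derive a per-unit default password from the device serial number.

    Keying an HMAC with the factory secret means two units with adjacent
    serials get unrelated passwords, and knowing one unit's serial (or
    password) tells an outsider nothing about the next one.
    """
    digest = hmac.new(key, serial.encode("ascii"), hashlib.sha256).digest()
    # base32 omits 0/1/8/9, so the printed label is unambiguous to read back.
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length].lower()


def is_acceptable_default(serial: str, password: str) -> bool:
    """Reject the shared defaults and any password that is just the serial."""
    if password in WEAK_DEFAULTS:
        return False
    if password.lower() == serial.lower():
        return False
    return len(password) >= 8


if __name__ == "__main__":
    for serial in ("WRT54G-000001", "WRT54G-000002"):
        pw = derive_default_password(serial)
        print(serial, pw, is_acceptable_default(serial, pw))
```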
There's several cases where software failure has been fatal.
How about the case of the THERAC-25, where several died or were seriously injured.
This is a typical case study shown in any ethics course involving software design. It turns out the cause of the severe radiation burns was from the operator entering commands and parameters faster than the unit could handle.
Then there's the Soviet pipeline that blew up due to deliberately buggy software stolen from the US.
Then there's the Osprey, which had software bugs that killed 30 Marines in 3 accidents.
There's also 2 commercial jet crashes due to software problems with either radar, or just reporting position properly to the pilot, killing over 300 people in the 2 accidents.
This problem is very real. So when people joke about getting a BSOD while driving a car, it's highly plausible.
See Microsoft Link
Microsoft even tells you that this is a "good thing" at the link:
Disabling SSID broadcasts on an access point is not considered a valid method for securing a wireless network.
Actually I was able to reproduce the 'problem' It is not mentioned in the article, but you can access the admin page from the WAN port if 'firewall protection' is disabled.
... although it is NOT at all obvious at first glance.
In hindsight this sort of makes sense
In any case I wouldn't consider this to be a HUGE problem since 'firewall protection' is on by default and 'Joe 6pack' is unlikely to turn it off since the general perception among nongeeks (at least in my experience) is that Firewalls are magical good things that block bad stuff (for varying definitions of bad).
Thoughts on tech, Software Engineering, and stuff
I live in a mill building on both sides of a river. There's 310 apartments with about 700 to 1100 people, I guess. When I moved in during May 2003, there were 7 broadcasting wireless networks. When we renewed our lease this May, we warwalked it again and there were 22. Both times, about 60% were completely wide open, and about 75% of them were linksys devices. One fellow across the river must have a booster or something because his network punches through way too many walls. He would seem to be on the interior side, facing the river, and I can get him on the opposite side of his building, as well as into my own building on the opposite side of the river. My roommate's girlfriend lives down the hallway and she can see exactly 6 wireless networks. 3 are wide open.
With people giving away USB 802.11b cards for free, the temptation to steal all that free internet is just well, it's inevitable that it gets used.
Oh, and we had this great idea! See, there's so many open wireless networks at our place, and so many people with open filesystem shares, that one of the things we do to make a little spare cash is that we use that unified network adapter linux has where you can bind interfaces together. It's a little sloppy but we effectively have an aggregate 12.0 megabit connection out, and 1.2 megabit connection in, from the internet over 4 wireless lans we connected to. Then we did some filesystem on a filesystem type things with the open file shares and made a pseudo RAID using the neighbor's unknowingly shared directories. We can sell 1.2 megabit webhosting for 12.95 a month with zero infrastructure costs. I guess if I had to describe it in a word I'd say that it's "sweet."
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
I thought the same thing. The problem I found is that XP will select based upon signal strength. In my case, I was at a friend's apartment. His router was in the next room, but his neighbor's router was immediately behind us next to the wall. So I could specify the non-SSID connection and have it at the top of the priority list, but it would eventually drop it in favor of the SSID one because it had a stronger signal strength.
But in retrospect, my friend (whose apartment I had this trouble at) was using Windows 2000 and using a netgear wireless card's app and didn't have this problem... But we attributed it to Windows XP's new behavior over 2000... (which is sort of true...)
I hadn't thought about using the linksys app... (which I had uninstalled because I didn't want all the icons cluttering up my start bar and, geez, Windows XP already provides those services anyway...)
check it every now and then, if it's expired. it seems to cycle through after each expiration. i grabbed mine after the first time i saw it expire.
http://www.pcmall.com/pcmall/shop/detail.asp?dpno=345833&adcampaign=email,PWB02474
there's a vendor that has it til june 30th. there's a ton of these, just google for "free usb wifi" or something.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
It should, somewhat. At first I felt bad, like perhaps I *had* jumped the gun when I made my first report. Even after I went over my original notes, I still wasn't satisfied due to the fact that I was getting people who stated they could not reproduce this, while others said they could.
So I put some more $$ into it and got three new ones. Sure as shit, it didn't work OTS, nor after flashing. So I spent some serious time trying to vindicate my original findings, which are now seemingly worthless.
Because of that, I put out a follow-up as quickly as I could, detailing my experience with more recent hardware, admitting that results from the tests in March were indeed dated.
Then today I see my name and my original post blasted around, as if I had never posted the follow up to clarify the whole affair. Word travels fast, huh!
Cisco/LinkSys never got back to me to help with troubleshooting after I made the results of my testing available to them, the firmware version on the website never changed, and I had the results of two new units on which to base my report. Once I collected responses to my post, I made the effort to keep from looking like an ass, and also to try to figure out why and if this would be coming from LinkSys as-is.
What it boils down to is that some people may be able to reproduce this behavior off the shelf with v2.02.7. Others will only see this behavior after disabling the firewall. The bug certainly exists, but it doesn't seem to be entirely LinkSys's fault if that behavior makes it to the home user.
I've been following this on BugTraq. As others in this discussion have pointed out, it's not that big a deal, since most people turn the firewall on. There's also an interesting post about someone who bought a few of them and checked whether the firewall was enabled by default--it turns out that two of the three units he tested came with the firewall enabled.
Much more terrifying, though, is the fact that Netgear WG602 Access Points have a default admin account that can't be turned off, with the username "super" and the password "5777364". So expect anyone on the WLAN/LAN to be able to own your router if you have this product and enable the admin interface.