Slashdot Mirror


Drive-By Pharming Attack Could Hit Home Networks

Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks.
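A defender-side illustration of why the single-line request described above succeeds against a default-configured router, and of what a configuration handler needs in order to refuse it. This is an added example, not code from the Slashdot post, the CBR article or any vendor's firmware; the `Router` class, the request dictionaries, the `192.168.1.1` admin origin and the single-use token scheme are assumptions made for the illustration.

```python
# Added example (constructed; not from the post, the article or any vendor):
# a minimal model of a home-router configuration endpoint that refuses the
# cross-site "point DNS at my servers" request described in the summary.
import hmac
import secrets
from urllib.parse import urlparse

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed: the router's LAN-side admin origin


def same_origin(url):
    """True only if the URL's scheme and host:port match the router's own admin UI."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" == ROUTER_ORIGIN


class Router:
    def __init__(self, admin_password="admin"):
        self.admin_password = admin_password   # factory default in this model
        self.dns_servers = ["192.168.1.1"]     # what DHCP hands to LAN clients
        self.csrf_tokens = set()               # tokens embedded in real admin pages
        self.audit = []                        # rejected attempts, for the log

    def admin_page(self):
        """A genuine visit to the admin UI embeds a fresh single-use form token."""
        token = secrets.token_hex(16)
        self.csrf_tokens.add(token)
        return token

    def _reject(self, request, reason):
        self.audit.append((reason, request["headers"].get("Referer", "-")))
        return False

    def set_dns(self, request):
        """Apply a DNS change only if credentials, origin and token all check out.

        `request` is a constructed dict with keys password, headers, token, dns.
        """
        headers = request["headers"]
        # 1. Credentials. A factory-default password passes this step, which is
        #    exactly why the next two checks exist.
        if not hmac.compare_digest(request.get("password", ""), self.admin_password):
            return self._reject(request, "bad credentials")
        # 2. Origin / Referer. Browsers attach these to form posts and script
        #    requests; a page served from some other site cannot make them match.
        #    Treat this as a heuristic (not every client sends either header).
        source = headers.get("Origin") or headers.get("Referer", "")
        if not same_origin(source):
            return self._reject(request, "cross-site request")
        # 3. Single-use token issued by admin_page(). A third-party page never
        #    sees one, and a captured token cannot be replayed.
        token = request.get("token")
        if token not in self.csrf_tokens:
            return self._reject(request, "missing or stale token")
        self.csrf_tokens.discard(token)
        self.dns_servers = list(request["dns"])
        return True


if __name__ == "__main__":
    r = Router()
    # constructed: a request arriving from a page on another site, no token
    foreign = {"password": "admin", "headers": {"Referer": "http://third-party.example/"},
               "dns": ["203.0.113.5"]}
    print("foreign request applied:", r.set_dns(foreign), r.dns_servers)
    tok = r.admin_page()
    mine = {"password": "admin", "headers": {"Origin": ROUTER_ORIGIN},
            "token": tok, "dns": ["9.9.9.9"]}
    print("own-UI request applied:", r.set_dns(mine), r.dns_servers)
    print("audit log:", r.audit)
```

The first check is the one the summary's attack defeats with a default password; the second and third are what make the request fail even when the password is known. The audit list is where a real device would write the rejected attempt so that a log review can show a cross-site reconfiguration was tried.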

185 comments

  1. Simple solution for this by suso · · Score: 2, Interesting

    1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
    2. Browsers are modified to look up these hashes in #1 to determine if the DNS servers it is talking to are ok.

    The net needs to be more secure and there need to be more checks in place through authoritative sources.

    This pharming attack reminds me of when I first installed the doorbell on my house. Every once in a while it would go off and nobody was at our door; it turned out that the people across the street had the same doorbell set to the default settings.

    1. Re:Simple solution for this by mpe · · Score: 4, Insightful

      1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
      2. Browsers are modified to look up these hashes in #1 to determine if the DNS servers it is talking to are ok.


      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.

    2. Re:Simple solution for this by Anonymous Coward · · Score: 1, Funny

      I don't know which I'm more appalled at:

      A. You bought a *wireless* doorbell.

      B. You refer to double-stick taping it to your wall as "installing".

      C. You left it at the default settings...

    3. Re:Simple solution for this by rolfc · · Score: 2, Funny

      Who are you? A Doorbell Administrator? A Doorbell Security consultant?

    4. Re:Simple solution for this by smooth+wombat · · Score: 2, Insightful

      If you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"

      I know, I know. The people who write the manuals don't actually use the products they talk about* so the manufacturer will have to make a concerted effort to put this notice on the three pieces of paper that come with products nowadays.

      *In helping my parents configure their new TV a few years back, the manufacturer left out an important part of how to save your settings when blocking out unused channels. If you followed the directions, blocking channels would not have worked. The crucial step of selecting the channel in question was left out of the instructions. It was only because of having used similar menu arrangements on other devices that I knew not to follow the directions as written.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    5. Re:Simple solution for this by Richard+Fairhurst · · Score: 1

      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings

      And for the manufacturers to make the web-based config interfaces suck a bit less hard.

    6. Re:Simple solution for this by paeanblack · · Score: 2, Funny

      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.

      Dude, ATM machines don't even have futuristic features like that. Come back to reality.

      http://it.slashdot.org/article.pl?sid=06/09/21/1819242

    7. Re:Simple solution for this by maxume · · Score: 1

      He's a doorknob.

      I'll be here all week.

      --
      Nerd rage is the funniest rage.
    8. Re:Simple solution for this by tinkertim · · Score: 1

      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.


      Cars ship with seatbelts and big fat warning signs in the glove box and the top side of the sun visors that tell you to use them, but an alarming number of people don't.

      Yet, if your car failed to start if you weren't buckled up, people would go ballistic.

      I agree 100% with you, but I think all Cisco (Linksys) and others (may) do is go with the big fat warning label and a checkbox / button combo to make it go away, if even that.

    9. Re:Simple solution for this by MECC · · Score: 1

      Software is an amazing thing, really. These routers could just be programmed, in the presence of default settings, not to route to the outside world and only pop up a web page that tells users that they have to set up a userid and password in order to use the router.

      Then all people need is a 3.5 postcard(s) in the box telling them to plug their computer into the router and go to http://192.168.1.1/ and follow the instructions.

      I know, it's not perfect, but it's better - way better - than what's there now, and reasonably easy on the consumer, if done in a sensible way.

      Of course, what will happen then is that malicious web sites will just push down an applet that directly changes the DNS settings in the computer itself, bypassing the need to mess with the routers. No real defense against that one, outside of blocking all scripts. Something few users will likely do.

      --
      "We are all geniuses when we dream"
      - E.M. Cioran
    10. Re:Simple solution for this by SevenHands · · Score: 1

      Be expecting a visit from the Door Police.

    11. Re:Simple solution for this by Shambhu · · Score: 1

      Or, the router could come with default DHCP settings, but you couldn't change those until you held down a button while logging in to the interface ... at which point it would require you to create credentials before it would proceed. Sounds complicated, and it is a little bit so, but the default would work with most setups and the manufacturers have already tried button-triggered setup for wireless.

      Heck, just make it default to denying login to the admin panel over wireless. Make them plug in with ethernet OR hold down the button and etc.

      --
      Rome wasn't bilked in a day.
    12. Re:Simple solution for this by Anonymous Coward · · Score: 0

      3COM OfficeConnect routers do something different from consumer routers: on the sign-in page they publish the DEFAULT password :)

      If you don't like that, CHANGE IT :)

    13. Re:Simple solution for this by trianglman · · Score: 1

      If that was set up they wouldn't even need the postcards. Any free wireless hot spot at hotels or your local Starbucks has it set up to route any request to a sign on/EULA/etc. page before you can do anything. All it would take is setting this same thing up on the router and you are good to go. The trick there would be phishing tricks that might copy that page layout to get a username/password for the router, but there isn't a whole lot that can be done to stop that (as evidenced by the incessant barrage of phishing spam I get).

      --
      Clones are people two.
    14. Re:Simple solution for this by BBandCMKRNL · · Score: 1

      Yet, if your car failed to start if you weren't buckled up, people would go ballistic

      You don't remember 1974 in the U.S.?

      For a few years beginning with 1974 model year cars, the cars were required by federal law to only start if the driver and front seat passenger, if any, had fastened their seatbelt.

      --
      Without the 2nd Amendment, the others are just suggestions.
    15. Re:Simple solution for this by myth24601 · · Score: 1

      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.


      Another idea might be to have the default password set to the serial number of the device or something that would make it different on each device.

      Or

      They could set the device so that it can only be managed by a directly connected PC unless that setting is manually changed in the setup or even a switch.

      Neither of these stops people from accessing an open default connection, but it would keep someone from managing the device easily using default passwords.
      --
      No matter where you go, there you are.
    16. Re:Simple solution for this by JPribe · · Score: 1

      I didn't look it up, but this is intriguing in a "Hey, where'd that go???" sort of way. So what happened?

      I'm the guy who rewired his starter/clutch interlock so I can start without pressing in the clutch pedal (while in neutral or in gear) and tweaked some crap so I can use high-beams and OEM fog lamps at the same time...so I don't see this lasting in my vehicle for long anyway

      Signed,

      the rock crawling, fat knubby tire, off camber driving, lifted Jeep Wrangler driving nut-case

      --

      Why go fast when you can go anywhere? O|||||||O
    17. Re:Simple solution for this by paeanblack · · Score: 4, Funny

      Yet, if your car failed to start if you weren't buckled up, people would go ballistic.

      If they aren't buckled up, they are going ballistic anyways...it's just a matter of time.

    18. Re:Simple solution for this by operagost · · Score: 1

      The law was repealed within two years and disabling the seat belt interlock became legal. Basically, it was a bad idea even without taking into account that the technology wasn't up to it and nearly every interlock mechanism didn't work properly. If you placed a heavy package on the passenger side, it had to be buckled in. Sometimes switches would stick, too. Basically, I imagine people just buckled the belts behind them.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    19. Re:Simple solution for this by zukakog · · Score: 1

      Be expecting a visit from the Door Police.
      I didn't know that The Doors were touring with The Police...
    20. Re:Simple solution for this by mikey1134 · · Score: 1

      This is actually how current model Netgear routers are configured. After connection every URL redirects to the setup wizard until it has been run through completely. It's actually a nice and straightforward setup for a novice computer user.

      --
      <gir voice> I love this sig... </gir voice>
    21. Re:Simple solution for this by rrohbeck · · Score: 1

      Simpler solution: Only allow admin access with the default password for 1 minute after powerup.

    22. Re:Simple solution for this by Legion303 · · Score: 1

      "If you placed a heavy package on the passenger side, it had to be buckled in."

      That's really not a bad idea, interlock or not. Loose objects flying around your car during an accident are no picnic.

  2. Last time I checked. . . by Who235 · · Score: 4, Insightful

    Last time I checked, it's stupid to leave anything with a default password.

    If you had all your personal papers in a safe, would you leave it set to the factory combination?

    1. Re:Last time I checked. . . by loafing_oaf · · Score: 2, Funny

      Exactly. The first thing I did on my router was change the password. A few months later, my forgotten password now locks me out. Does anyone have a safety pin?

      --
      Always someone has power over you. The thing to consider is this: Is the power good, or bad?
    2. Re:Last time I checked. . . by Corporate+Troll · · Score: 2, Interesting

      If you really can't remember, there is nothing wrong with taping the password to the bottom of your router. If the attacker can gain physical access to your router you have a much bigger problem than wireless security.

      You shouldn't do this at your workplace, but at home it is acceptable...

      I don't do this, I know the (strong) password of my Access Point

    3. Re:Last time I checked. . . by gstoddart · · Score: 2, Insightful

      Last time I checked, it's stupid to leave anything with a default password.

      If you had all your personal papers in a safe, would you leave it set to the factory combination?

      You're right of course. But, part of the problem is simply consumer education.

      It used to be that only people who knew a fair amount about computers used them. They were a self-educating populace. The adoption of computers and home networks by a lot of people has actually happened faster than the corresponding education of people about these things. They can walk into a box store, buy a wireless router, plug it in and go. They simply don't have a clue about securing their machines.

      It's a commodity mindset -- "I go, I buy the product, I plug it in like a TV, and I never think about how it operates". Consumers haven't yet fully understood that they might need to take steps to secure such things, or that it poses a risk. All they know is they click the right button and they download the internet. :-P

      Unfortunately, I don't see an easy solution/resolution to this problem -- if manufacturers changed their defaults to make the routers more locked down, the average consumer is going to completely fail to use the product. They won't know how to configure their networking settings manually. It will be some strange voodoo they need to hire Nerds on Site or something.

      Cheers
      --
      Lost at C:>. Found at C.
    4. Re:Last time I checked. . . by Fortissimo · · Score: 1

      Stupid, indeed. But most of the readers on /. are computer savvy, and for us this sort of thing is second nature. The majority of the population does not know better. I can spot a phishing email a mile away, but many cannot. I know to look for the "https" in my URL, but many do not. Dentists have the best teeth, construction people have the most well-kept houses, and IT folks have the most secure computers, because it falls into their particular area of expertise.

      But technology is daunting to the average person. Most do not realize the danger involved. There are those who might suggest that people who don't change their password deserve what they get, and maybe there's a case to be made there. But companies and manufacturers need to be more responsible about getting the word out that defaults are a bad thing. Most manuals - not that I read 'em :) - might casually suggest changing a password but don't really make it a part of the setup routine as it should be. Exploits are a part of technology, for sure, but educating the masses on what to do to prevent it needs to come to the forefront.

    5. Re:Last time I checked. . . by 955301 · · Score: 2, Insightful

      Wouldn't it be great if the router hijacked the few http requests passing through it and gave the user a dynamically created password with instructions to print it and tape it to the router? There could be a snazzy checkbox letting them skip future redirects after they have the password.

      Then hitting the reset on the router just caused this to happen again with a newly created password.

      Viola, no more default passwords.

      --
      You are checking your backups, aren't you?
    6. Re:Last time I checked. . . by ptbarnett · · Score: 2, Informative

      Unfortunately, I don't see an easy solution/resolution to this problem -- if manufacturers changed their defaults to make the routers more locked down, the average consumer is going to completely fail to use the product. They won't know how to configure their networking settings manually. It will be some strange voodoo they need to hire Nerds on Site or something.

      When I switched from DSL to Verizon's FIOS, I got an Actiontec MI424WR router. By default, it was configured with a randomly generated SSID and WEP key. I've changed it to a WPA key, but if I do a hard-reset, it returns to the original values. Apparently, the boot ROM is 'tweaked' during the manufacturing process and a matching sticker is generated with the SSID, WEP key and MAC address -- which is attached to the bottom of the router.

      The administration username and password were set to constant values. Unfortunately, you can login to the router as administrator via a wireless connection -- my older Linksys/Cisco router allows you to restrict administrative access to a wired port.

    7. Re:Last time I checked. . . by ajs318 · · Score: 1

      It used to be that only people who knew a fair amount about computers used them. They were a self-educating populace. The adoption of computers and home networks by a lot of people has actually happened faster than the corresponding education of people about these things. They can walk into a box store, buy a wireless router, plug it in and go. They simply don't have a clue about securing their machines.

      Give that person a cigar!

      The moment ease-of-use trumped security was the moment the rot set in. Some things are meant to be hard. That's the whole point.
      --
      Je fume. Tu fumes. Nous fûmes!
    8. Re:Last time I checked. . . by kabocox · · Score: 1

      It's a commodity mindset -- "I go, I buy the product, I plug it in like a TV, and I never think about how it operates". Consumers haven't yet fully understood that they might need to take steps to secure such things, or that it poses a risk. All they know is they click the right button and they download the internet. :-P

      Um, why should they? Um, they don't worry about securing their TV, radio, cable box, cell phone, oven, toaster, land line phone, or lamps. Why should they have to actually think and do extra magic undocumented steps to set up this computerish piece of equipment? You don't have to worry about your TV, DVD, or cable box being hacked through your over the air broadcasts, DVDs, or VHS tapes. You don't have to worry that your radio will start being illegal if you tune it to the wrong station or that if you tune it to the wrong station someone could take over your radio or even your car through your radio. Cell phones are starting to be hackable and virus ridden so that's a bad one to put in there. You don't have to worry about your oven, toaster, or lamps being magically hacked by plugging them into your electrical outlet. (There are ways and means to send data over power lines so it could one day be possible.) I'm sorry, computer security should be like land line security or better. I don't have to worry about a telemarketer calling me and them magically taking control of my phone and using it to call others with.

      Why do we have these freaking problems with computers? Because us slashdotters are too stupid to build and design computers that can be used and can't be hacked by outsiders. Every other freaking slashdot response is that it is the stupid user's fault for not securing his stuff. I call massive CS BS. The CS priests are emperors without any clothes. We don't have any security and can't offer them any. The OLPC seems to at least try to properly lock down their laptops according to the last slashdot article about their security. That's how both Linux and MS should be trying to lock down the desktop. Yes, it would be highly annoying to develop on a locked down box. Yes, "trusted" "verified" computing is anti-open source evil anti-slashdot, but that's what we need. Grr. Slash can complain all it wants, but it should just fix the problem rather than complain. Oh, but we can't have Linux, OSS, or MS totally lock down "our" desktop so virii, worms or outside programs can attack. If you can't work in a locked down environment or are pushing default locked down states for every computer tech, then you are part of the problem.

    9. Re:Last time I checked. . . by Anonymous Coward · · Score: 0

      TV, DVD, or cable box being hacked through your over the air broad casts, DVDs, or VHS tapes.

      Intriguing idea. Set top boxes do crash, so they certainly aren't flawless. Perhaps one could exploit these flaws through the video bitstream. They all come with flashable firmwares, so there may be some potential for a satellite simulating hacker to create a funny hack. Goatse on the OSD anyone?

    10. Re:Last time I checked. . . by Anonymous Coward · · Score: 0

      Voilà is the word you seek. Viola is a musical instrument.

    11. Re:Last time I checked. . . by Chris+Mattern · · Score: 1

      Last time I checked, it's stupid to leave anything with a default password.

      If you had all your personal papers in a safe, would you leave it set to the factory combination?


      Yes, people do. Ever read Feynman's memoirs? He got a reputation in Los Alamos for being a master safecracker simply because he knew the default combinations the safes used there shipped with...and nobody ever changed them. In the middle of the Manhattan Project, nobody ever changed the combinations on their safes.

      Chris Mattern
    12. Re:Last time I checked. . . by kmbss · · Score: 1

      HUH??? 1234 isn't a good combination?

      --
      I can't remember the last time I forgot anything........ ever.
    13. Re:Last time I checked. . . by 955301 · · Score: 1

      Your write, I'm so embraced :)

      --
      You are checking your backups, aren't you?
    14. Re:Last time I checked. . . by bill_kress · · Score: 1

      Or more simply, these devices could have a button on the router in lieu of a default password. You would connect to the router and the web page would say "Press the big red button".

      Whenever pressed, the button would allow the MAC Addr that had most recently displayed the web page to set a new password (Possibly could allow full access with just the button, forgoing passwords altogether, but that has some security holes if an attacker happened to be on your wireless at the same time--so does the password thing but at least you could be notified right away if you were being attacked while setting the password.)

      Heck, it could even be the power button, it's not like these things need to be 24/7--You could impose that when no password is assigned, a password must be entered within 1 minute of powering up. If you don't enter one, you have to restart it. Once a password was entered, of course, all this would be disabled and you would access it like any other passworded system (can't have a power failure leaving you vulnerable).

      If you work on a home router, suggest this to your marketeer.

    15. Re:Last time I checked. . . by eat+here_get+gas · · Score: 1

      there's an option on most routers...it's called "restore factory defaults"...enabling it will put you right back to square one, the default password.

      --
      the significance of a signature is insignificant
    16. Re:Last time I checked. . . by VENONA · · Score: 1

      I've only seen education be even somewhat effective a few times. And that was in corporate settings. I don't see things as any better in government settings. For general consumers I've no hope at all. I see little or no evidence that most consumers *want* to be educated. Though they might, after the first time they're phished. :) They want to Do Stuff, not Learn Stuff.

      The consumer solution probably lies with the manufacturer, possibly via generating a random password as the last step before packaging the device. On first boot, you would have to connect to it with a browser, and the device would then display the password, and prompt the user to make a note of it (with lots of dire warnings, in a large red font). Only after having connected locally via browser would the device establish the WAN side connection, then present a login screen--hopefully catching a large percentage of those people who didn't make a note of it, and have already forgotten it. Only after a successful password change would the device consider a boot to not be a first boot.

      You'd probably want to test the exact order of this. For instance, it might make more sense to only consider first boot conditions satisfied after another successful login. That would probably reduce the rate of immediate service calls. Other solutions probably exist--this is just off the top of my head.

      Some still won't make a note of that password, or they'll eventually lose the note, so there will be an added helpdesk load in any case. Follow the money. The current situation now places the *entire* financial burden (recovery from being phished can be expensive and time-consuming) on the consumer. I'd consider shifting *some* of the burden back to the vendor via a small increase in support costs a reasonable thing. But it's unlikely to happen before a lot more bad press is generated.

      I usually advocate running your own DNS resolver on the LAN side--keeping something this critical on a system you have more control of, and a hop or two deeper into the LAN. It's an inexpensive process to run, on Unix-y machines, anyway. So even if you only have a single computer, it's a useful security addition. Although I assume there's a possibility for playing games with any DNS data cached on the router, and caching might be something the broadband providers would consider worth doing in the interests of lightening the load on their DNS systems. LAN side DNS can also speed your network operations tremendously. My provider went through a period of several *months* of slow DNS response. Of course, that was while they were the only game in town. When another provider appeared, the problem disappeared immediately. :)

      Does anyone know of any broadband routers that are actually known to cache DNS lookups?

      --
      What you do with a computer does not constitute the whole of computing.
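Several commenters in this thread sketch the same start-up policy from different angles: no Internet forwarding while the router still has factory settings (mpe), the factory password accepted only for a short window after power-up (rrohbeck), administration only over a wired port until the device is configured (Shambhu, myth24601, ptbarnett), every web request redirected to the setup page until setup is finished (mikey1134, 955301, trianglman), and a password change as the event that ends first-boot mode (VENONA, directly above). The following is an added example that models those proposals together in one state machine; it is not code from any commenter or vendor, times are plain seconds since boot, and the class, its method names and the `192.168.1.1/setup` address are assumptions.

```python
# Added example (constructed; not from any commenter or vendor): a model of
# the proposed "refuse to be a router until configured" start-up policy.
import hmac
import secrets


class SetupGate:
    FACTORY_WINDOW = 60                       # seconds after power-up in which factory creds work
    SETUP_URL = "http://192.168.1.1/setup"    # constructed LAN-side setup page

    def __init__(self, factory_password, boot_time):
        self.factory_password = factory_password
        self.password = factory_password
        self.configured = False               # stays False until the password is changed
        self.boot_time = boot_time
        self.sessions = set()

    def wan_allowed(self):
        """Forward traffic to the Internet only once the device is configured."""
        return self.configured

    def route_http(self, host):
        """While unconfigured, every web request lands on the setup page instead."""
        if self.configured:
            return ("forward", host)
        return ("redirect", self.SETUP_URL)

    def admin_login(self, password, now, wired):
        """Return a session token, or None if the login is refused."""
        if not hmac.compare_digest(password, self.password):
            return None
        if not self.configured:
            # factory credentials: wired port only, and only briefly after power-up,
            # so neither a neighbour on the wireless side nor a script that runs
            # hours later can use the printed default
            if not wired or now - self.boot_time > self.FACTORY_WINDOW:
                return None
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def set_password(self, session, new_password):
        """The first successful password change flips the device to configured."""
        if session not in self.sessions:
            return False
        # refuse the factory value and trivially short values (length threshold assumed)
        if len(new_password) < 8 or hmac.compare_digest(new_password, self.factory_password):
            return False
        self.password = new_password
        self.configured = True
        return True

    def factory_reset(self, now):
        """The hardware reset button: back to factory credentials and the setup gate."""
        self.password = self.factory_password
        self.configured = False
        self.boot_time = now
        self.sessions.clear()


if __name__ == "__main__":
    gate = SetupGate("admin", boot_time=0)
    print("WAN before setup:", gate.wan_allowed(), gate.route_http("www.example.com"))
    print("wireless login with factory creds:", gate.admin_login("admin", now=10, wired=False))
    session = gate.admin_login("admin", now=10, wired=True)
    print("password change accepted:", gate.set_password(session, "correct horse battery"))
    print("WAN after setup:", gate.wan_allowed(), gate.route_http("www.example.com"))
```

The wired-only and time-window rules only apply while the device is unconfigured; once a real password is set, the usual login path is used and the factory value no longer works anywhere. A reset puts the device back behind the gate rather than leaving it open with the default password, which is the point the "restore factory defaults" exchange above turns on.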
    17. Re:Last time I checked. . . by The+Darkness · · Score: 1

      there's an option on most routers...it's called "restore factory defaults"...enabling it will put you right back to square one, the default password.

      Pardon me if I missed the obvious but how are they going to "restore the factory defaults" from software? You do realize the current password is needed to get at that interface, right?

      FYI: The safety pin they mentioned is to enable them to get access to the hardware "reset to factory" button.
      --
      There are two kinds of people: 1) those that need closure
    18. Re:Last time I checked. . . by Anonymous Coward · · Score: 0

      Yes. According to Richard Feynman's observations, many people in the top secret military research lab in Los Alamos did use their safes with the default password. Should we suppose any more cautiousness from the regular folks?

    19. Re:Last time I checked. . . by Anonymous Coward · · Score: 0

      There simply should be a hardware switch that maps the flash memory to a different address, activates a ROM at the original address and resets the machine. The ROM should only contain a program to receive a firmware file over a wired connection, write it to the flash memory and clear out all configuration data. Bonus points for including a hardware write-protect switch for the flash memory and configuration memory. Developers who make these switches software controllable go straight to hell.

    20. Re:Last time I checked. . . by pnutjam · · Score: 1

      There are actually ways to take over people's phones and place long distance calls on their dime. Usually these are associated with PBX type systems.

    21. Re:Last time I checked. . . by El_Oscuro · · Score: 1

      I have a safe with the combo supplied by the manufacturer. There is no way to change it, which surprised me. Of course, you also need a key. I hope they have more than a few of them...

      --
      "Be grateful for what you have. You may never know when you may lose it."
  3. Legal issues by Reverse+Gear · · Score: 5, Informative

    My sister is a lawyer, I imagine she is not the only one that has dealt with something related to this.

    Right now she has a client that is being sued for quite an amount of money by the music industry for downloading lots of music through P2P services. He claims he never did this, that he never listens to music on his computer.

    It turns out that he lives in an apartment block, knows very little about computers in general, but thought that this thing with wireless networks was really fancy. I think you can figure out the rest of that story; my sister has quite a few troubles convincing the music industry of what is obvious. I don't know what the outcome of this case is or if it has been taken to court yet.

    According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.

    I think there are many interesting legal issues in this.

    1. Re:Legal issues by maryjane+gonjasoft · · Score: 2, Informative

      I know a guy that does this (unfortunately). He had downloaded whole movies sitting in an apartment complex parking lot. Network Stumbler and idiots = free bandwidth. Definitely need to change that factory password.

    2. Re:Legal issues by ArsenneLupin · · Score: 1

      According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.

      Presumption of innocence, anyone?

    3. Re:Legal issues by djones101 · · Score: 1

      Why is your sister sharing information regarding an on-going case with you? Surely the client has some right to privacy in not having his case discussed with people outside of legal counsel.

    4. Re:Legal issues by Wudbaer · · Score: 1

      Welcome to the real world. Besides that, it is neither a problem nor illegal if it is told in a fashion that no one can figure out who the client is. Where do you think case studies both in law and medicine come from? IANAL but I am an MD by training. Docs talk among each other, the nursing staff and their families and friends all the time about the amazing, troubling and bizarre things happening to them each day; I can imagine it's the same for a lawyer. You need to talk about things to stay sane. As long as you don't go around "Yesterday that awful Miller guy from across your house came to me..." there's no problem, nor is it illegal in any way.

    5. Re:Legal issues by Anonymous Coward · · Score: 0

      "Danish law"

      I only studied Croissant law.

    6. Re:Legal issues by Reverse+Gear · · Score: 1

      True. She is allowed to share general information that is available to anyone on this, she told me nothing more than what I could have learned from studying different kinds of public available information. Also I have no clue who her client is.
      The reason I don't know about the outcome of this case could be because it is somehow not public information, perhaps it will be at some point, I don't know.

    7. Re:Legal issues by maxume · · Score: 1

      God forbid his sister seek out a better understanding of the technical issues involved.

      --
      Nerd rage is the funniest rage.

    8. Re:Legal issues by ak8b · · Score: 1

      The REAL blame lies with the router manufacturers who SHIP the things with open wireless. Totally irresponsible of them.

    9. Re:Legal issues by squiggleslash · · Score: 2, Insightful

      I'm not sure that's relevant. I can't speak for Danish law, but there are a lot of laws in Britain you can break with no ill-intent or action on your part. As a general rule, you are responsible for your Internet connection there and the laws are worded such that you're responsible on the basis of the end result and chain of responsibility, not bad faith actions on your part.

      I've heard of people (as in my mother is a lawyer and has assisted them, this is not friend-of-a-friend stuff) being arrested after complaining to the police that someone has emailed them child pornography. They were, technically, bang to rights. The laws concerning the issue were not concerned with whether he solicited that content, merely whether he possessed it. Did he possess it? Yes, the content was on his computer, he admitted it, therefore as the law was written he was 100% guilty. Beyond a reasonable doubt.

      (FWIW, before anyone thinks a massive injustice was done, it was more a minor injustice - they dropped the charges. Britain's legal authorities tend to recognise that many of the laws they enforce are deliberately over the top to reduce the number of "loopholes" that a truly guilty person could wiggle out of; and as such tend, though not always, to use their discretion when enforcing them. That is, of course, a dangerous situation, and in many cases entirely innocent people do get caught up in draconian laws that should never have applied to them. Britain's judges also seem less willing as a matter of principle than American ones to refuse to find fault with someone who has caused no harm and didn't intend to in the first place, though there are occasional exceptions, some of which are hilarious.)

      Oh, and this situation gets worse when it comes to civil law.

      --
      You are not alone. This is not normal. None of this is normal.

    10. Re:Legal issues by Doctor+Memory · · Score: 1

      I've undergone croissant examination, but I'm pretty sure it wasn't legal.

      --
      Just junk food for thought...

    11. Re:Legal issues by dk.r*nger · · Score: 1

      Being Danish, I'd love to hear more about this case.

      I have law-student friends who claim that there are no provisions in the law that can make someone responsible for what other people do with their (legal) stuff, no matter how it's done.

      Compare a passer-by grabbing a shovel from my driveway, smashing a kid's face in with it. Am I responsible? Hardly.

  4. Made a mistake, please don't publicly flog me. by suso · · Score: 2, Insightful

    I'm sorry, I was thinking about from the wrong way. That wouldn't work. But perhaps something along those lines could be implemented.

  5. Drivebys by Ikyaat · · Score: 0

    "We haven't seen an example of this in the wild, but some of the building blocks are out there," he said. "It's really just a matter of time before we do see this."

    Ya, about as much time as it takes to read the article and write one line of java. http://www.allyourbasesarebelongtous.com/

    --
    "Luck is a tag given by the mediocre to account for the accomplishments of genius." -Heinlein

  6. FUD by Anonymous Coward · · Score: 0

    Do we always need to come up with a security solution even for the most stupid person on earth? Instead of spreading FUD they should give simple advice: It is ok to leave your router open but, for heaven's sake, change the default password.

  7. not with my 2wire router by fishyfool · · Score: 5, Interesting

    it came from the factory with a random 10 digit wep password and with wireless disabled by default. if 2wire can do this, so can everyone else.

    --
    Enjoy Every Sandwich

    1. Re:not with my 2wire router by Anonymous Coward · · Score: 1, Informative

      Read the article. This attack is not about wireless access. The attack uses a web browser that is already (and legitimately) on the internal network to reflect HTTP requests towards the router configuration interface. A simplified example: make a webpage with an image src=http://root:default@192.168.178.1/dnsconfig?dns1=10.0.0.1&dns2=10.0.0.2&commit. Then make the webpage popular (put some silly video on it, post to digg), and watch as users with default-configured routers have their dns servers changed.

    2. Re:not with my 2wire router by drpimp · · Score: 1

      I second that notion. I just got my 2Wire router from AT&T, and I was surprised that it was already setup with WEP. (That's why all my neighbors have WEP enabled ... DUH they can be that net savvy, at least not all of them), but like the Coward above stated this article is not about wireless. It did have a default password, but it also has no user, just a password. And could you guess, I think it was either "admin" or "password". The only good thing is that it wasn't a 192.168.1.1 or 10.0.0.1 gateway; it put it at the end of the spectrum, 192.168.1.254. Which doesn't make it any safer, but the javascript would just have to be setup to try all possible router combinations.

      My question: if they can distribute an auto-generated WEP key (which is printed on the router case) why not issue and print an auto-generated password as well, printed the same way? IMHO that would solve a lot of this hijacking going on in this fashion.

      --
      -- Brought to you by Carl's JR

    3. Re:not with my 2wire router by ranger714 · · Score: 1

      Ummm... if you are an AT&T customer, then your homeportal would have prompted you to create an admin password when it first was setup and configured. It's part of the setup routine and can't be skipped. If the password was set to "admin" or "password" then someone chose that for ease of use, perhaps it was installed by a lazy DSL install technician. All 2wire wireless routers that have ever shipped (something north of 6 million) have shipped with at least 64-bit WEP as default encryption based on that random 10-digit number. It's not perfect, but it's still 100% more encryption than you'd get with most big-box purchased standalone routers. I use WPA, but even plain WEP is nice when there are four or five available unencrypted access points visible in my neighborhood, which isn't even that dense with housing (typical suburbia).

      --

      "Snoochie-Boochies? Who talks like that? That is babytalk!"-Jay, Chasing Amy

    4. Re:not with my 2wire router by drpimp · · Score: 1

      Touché! I was frustrated (this due to the fact that Time Warner fucked me around for a month and I still haven't heard back from them as to when they will come out and install my cable) so I quickly went through the setup, so yes, I may have missed a few minor details. My point was that it was better than defaults for most routers. I too use WPA. Given the fact that BackTrack helped me crack (err. obtain) some WEP keys in my hood to steal (err. borrow) some wireless before I was able to get an internet connection setup, it helped buy me some time while I was WOI (without internet).

      --
      -- Brought to you by Carl's JR

  8. Comcast by towsonu2003 · · Score: 3, Insightful

    making your network completely invulnerable is a simple case of setting a strong router password

    try setting a strong password on a Comcast router...

    1. Re:Comcast by Anonymous Coward · · Score: 0

      Good point. Many ISP's seem to ship modems with built in routers these days. Chances are, many people don't even know they're there, let alone to go in and configure them securely.

    2. Re:Comcast by value_added · · Score: 1

      try setting a strong password on a Comcast router...

      Could some elaborate on this? My understanding was always that cable and DSL providers provide modems to their customers. Do cable ISPs now manufacture, sell, rebrand or distribute "routers", or is the poster talking about Linksys, Netgear et al. consumer NAT boxes purchased by the user?

    3. Re:Comcast by Anonymous Coward · · Score: 0

      Of course broadband providers are now starting to sell/rebrand all-in-one modems/routers.
      That way they can charge an additional, say, $2/month as an add-on to provide service "up to four computers, and also with wireless!"
      People want an all-in-one solution, especially when a company is going to ship it to them and have it ready out of the box (and then support it if anything goes wrong).

    4. Re:Comcast by SydBarrett · · Score: 1

      Yup, Comcast rents out a router for the same price as a modem ($2). They also toss in a crappy USB wireless thing for free. The router is just 4 feet from my computer so I just took off the antenna rather than messing with wireless. I don't think there is an option for disabling wireless anyway on their branded routers.

    5. Re:Comcast by morgan_greywolf · · Score: 1

      And what's to stop you from putting another router/firewall behind the Comcrap router? (Hint: nothing)

    6. Re:Comcast by Dreamstalker_wolf · · Score: 1

      That depends. They can have some mildly obscure settings requirements for third-party routers, at least that's what I was told...recent experience with my router confirms that the modem is a bottleneck. The PC that's hardwired to the router is fine, but the wireless laptop gets kicked off every so often.

    7. Re:Comcast by Technician · · Score: 1

      try setting a strong password on a Comcast router...

      I knew better. When I finally moved from dial-up to broadband, I specified modem only, no router. On dial-up, I already had a LAN and router including wireless. I was using an Actiontec Dual PC Modem as a narrowband modem. I asked for self install, but since I didn't subscribe to TV already, they insisted they send out a guy to set it up. When he showed up, I simply said replace the narrowband modem with the cable modem. He mentioned he needed to set up the DNS to point to the Comcast server. I let him know I already had and told him what the West coast server was. This surprised him. The information is online and easily found by a Google search. I complained about paying nearly $100 to simply plug it in, but it was in the contract.

      He was surprised when I turned on a couple machines, opened browsers and they brought up webpages with no tweaking. I wonder if they noticed I have never gone in and configured e-mail or logged in?

      It would be funny if the RIAA tried to send me e-mail based on my IP address. I already have an account elsewhere.

      --
      The truth shall set you free!

    8. Re:Comcast by Anonymous Coward · · Score: 0

      Please at least have a fundamental understanding of the topic you are trying to discuss.

      I don't even think Geek Squad would hire you.

    9. Re:Comcast by towsonu2003 · · Score: 1

      Comcast rebrands a router+modem thingy with crippled features (such as being able to set only a 6-character-or-so password, not being able to shut down wireless for good etc)... they charge you about $5 a month for those things and to be able to keep charging you, they make it hard for you to set up your own (how: well, you can guess how a company can force their ways onto you... lack of support if using other hardware etc)...

    10. Re:Comcast by towsonu2003 · · Score: 1

      And what's to stop you from putting another router/firewall behind the Comcrap router?
      Good point. The answer is: if my connection starts to not work anymore, they will not be able to tell me "hey, we don't support the OS you're using PLUS the router+modem you're using"... Another aspect is: router+cablemodems are not cheap and not guaranteed to work with "your ISP" (again, no support)... and, of course, Comcast has to do something so your new router+modem works (i.e. they should change the HW address) and I'm pretty sure they'll screw it up somehow and then come back to me and tell me "hey, something is wrong with your thingy and we don't support it"...

      see, that's how companies force stuff down your throat if you are not willing to waste time to fix their errors.

    11. Re:Comcast by Anonymous Coward · · Score: 0

      u r smrt

    12. Re:Comcast by Anonymous Coward · · Score: 0

      Depends... Either the wireless connection is iffy and you're dropping connection. That's an entirely different problem from modem/router config.

      The other thing is that you're letting the cable modem see more than one computer through your router. If your wireless router is setup right, it should mimic the MAC of the computer you originally setup the modem with. (If it can do so, otherwise you may be SOL.) That way it has no clue as to how many computers are attached. (Your whole home network is limited to sharing X amount of internet bandwidth anyways, so why should it matter?)

    13. Re:Comcast by rapidweather · · Score: 1

      Well, I'm using a D-Link WBR-2310 router, and I did have a new password for the admin account. Now, according to the article, I need to also change the "login name" for the Administrator account to something other than the default "admin".
      I've done that now, and also changed the password to the maximum allowed by the router.
      I am using Comcast, but the router is not their equipment. No problem with Comcast, really, and I am satisfied with their service.
      Once, during high winds (Katrina) my cable line was brought down; they fixed it in a reasonable amount of time. It did take a week for the power to be restored to my street; Comcast came and fixed the line shortly thereafter. I do have problems with limbs, and need to hire a tree-trimmer to fix that; neither Comcast nor the power company will do that for me.
      I usually have up to three desktops connected to the router, (wired), and one laptop (wireless).
      I do have backup dial-up service with Nexband, they are very reliable, I can connect at 49333 or higher, sometimes as high as 53000. Phone company put in all new lines from pole to house, I wired everything in the house.

      Rapidweather

  9. Oblig... by AutopsyReport · · Score: 0, Offtopic

    You, sir, are insulting the great King Roland...

    Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    --

    For he today that sheds his blood with me shall be my brother.

    1. Re:Oblig... by ptbarnett · · Score: 2, Funny

      Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

      President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?

      Dark Helmet: 1 2 3 4 5.

      President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!

      Dark Helmet: Yes, sir!

      President Skroob: And change the combination on my luggage!

  10. So, how do you tell your clueless neighbors? by Anonymous Coward · · Score: 3, Interesting

    This raises a question: if you are using your wireless card and notice that your neighbor has a wide-open access point, how do you educate them without being seen as a suspect or nosy? I have one such neighbor, and I have considered logging into their wide-open AP and rebooting it or setting WEP keys or some such, but such measures would of course fail, since they are clueless. I have also considered going full-stealth and printing up a quick wireless security tutorial on a printer not linkable to me, and taping the tutorial to their door. But, it's not worth the trouble to me, but it could be a big deal to them one day. In this litigious day, that's why I'm posting as AC.

    1. Re:So, how do you tell your clueless neighbors? by ArsenneLupin · · Score: 1

      I have one such neighbor, and I have considered logging into their wide-open AP and rebooting it or setting WEP keys or some such, but such measures would of course fail, since they are clueless. ... or put the MAC addresses of his own computers on his APs blacklist.

      Well, being clueless, they will ask their most computer-savvy neighbor for advice. That would be you. You come over and "fix" their AP, and in the course of fixing it "discover" that it is also insecure. Then you advise them on how to properly secure it.

    2. Re:So, how do you tell your clueless neighbors? by oni · · Score: 2, Insightful

      printing up a quick wireless security tutorial on a printer not linkable to me

      you mean like for example *their* printer?

      I did that to some AF guys once. I printed a page with orders to call me in giant letters. They were pretty good natured about it and actually appreciated that I was helping them.

    3. Re:So, how do you tell your clueless neighbors? by TheChromaticOrb · · Score: 1

      You could check if they have a network shared printer and deliver the message straight home.

      --
      Note to self: get a sig.

    4. Re:So, how do you tell your clueless neighbors? by ajs318 · · Score: 1

      One way is to ignore it, because it's not your problem.

      Another way is to point out gently that it's a problem. Except then, you have made it your problem; and you can expect to be treated like a free 24/7/52 helpdesk forever from then on. Or treated as though it was your fault that it wasn't secure.

      Yet another way is to set up a router of your own, with broadly the same settings as theirs, but with a proxy configured to do something like this. But don't switch it on just yet. Then, while their network is idle, disable their router (remember the password .....) and enable yours. The only thing that could possibly be more phun than this would be listening in on their frantic phone calls to their ISP's support hotline. And, with the appropriate equipment, you could even hi-jack their phone wiring ..... but that's a little bit much to expect anyone to survive!

      --
      Je fume. Tu fumes. Nous fûmes!

    5. Re:So, how do you tell your clueless neighbors? by Xenna · · Score: 1

      You don't. You use his connection when your ISP happens to be down and when your new laptop comes in you use it to ssh to your server so you can copy & paste your own 63 char WPA key so you don't have to type it all. It's really handy having such neighbours.

      Actually I have 6 access points in my range (apart from my own 2) and all but one have encryption enabled, most of them WEP. The 'open' one's SSID is 'default', that was a bit of a giveaway. I guess I'm probably in a relatively smart neighbourhood.

      X.

    6. Re:So, how do you tell your clueless neighbors? by Anonymous Coward · · Score: 0

      "I have also considered going full-stealth and printing up a quick wireless security tutorial on a printer not linkable to me"

      You mean, on your neighbour's printer?

  11. The Ah-nold response by AKAImBatman · · Score: 1

    "You want to be a Pharmer? Here, I give you a couple of achers!"

    Ah, now if we could only invent a way of delivering a swift kick through the internet.

  12. So let's set good passwords by physicsboy500 · · Score: 5, Funny

    We'll chase off the Pharmers with our phlaming torches and pitchphorks!

    --
    The original generic sig.

  13. A big part of the problem is poor documentation by StressGuy · · Score: 4, Informative

    I got a wireless router not too long ago for the first time. It came with an automated installer and, after reading the instructions and following the prompts, I was set up and "good-to-go".....or was I?

    I also needed to get this router configured on my Linux box...this required that I read some "outside documentation" - where I would learn of such things as passwords, WEP, etc.

    Anyway, it turns out the Windows auto-install script set this thing up with no protection what-so-ever. It was only after I read the HOWTO's on the internet that I was able to go back and secure my router for both Linux and Windows.

    I lived in a couple of neighborhoods since then and, when I fire up my laptop, there are usually one or two unsecured routers that get auto-detected.

    I can only assume there are scores of "average users" with no idea they are sharing their internet access with their neighbors or anyone who "drives by".

    Best security software in the world won't do much good if you don't tell the user what it is and how to use it.

    --
    A goal is a dream with a deadline

    1. Re:A big part of the problem is poor documentation by Corporate+Troll · · Score: 2, Informative

      Anyway, it turns out the Windows auto-install script set this thing up with no protection what-so-ever. It was only after I read the HOWTO's on the internet that I was able to go back and secure my router for both Linux and Windows.

      I know it's always hip to bash Windows on slashdot, but to be fair: in Windows XP the applet that handles wireless connections says "unsecured wireless connection" right there in the dialog. The problem here is the software that comes with these access points: they are braindead. If you are using Windows XP, you do not need a CD to install your wireless access point. Never...

      At max you need the CD to install the drivers of your wireless card, but that has nothing to do with your access point.

      For some reason people think that you need to insert a CD whenever you buy new hardware. That's why so many people run Logitech Mouse drivers that work just fine without those drivers. (An example amongst many) In many cases, it's easier to configure hardware by ignoring all CDs.

      Access point manufacturers should just make the CD autorun to http://192.168.0.254/login.html and then let them in with the default user/password combo. The first thing it should do after that is force the changing of the password. The second its forcing the choice of an SSID and then enable WPA-PSK... After that the wireless connection will break, Windows will detect the new SSID and want to login and you'll just have to type in the password you just defined.

      That's all they need to do... It's that simple...

    2. Re:A big part of the problem is poor documentation by bcattwoo · · Score: 2, Informative

      As an AC points out further up, this vulnerability is not limited to open wireless routers. The exploit is accomplished when the victim visits a website containing some malicious code. The code causes the browser to make a HTTP request to a common default router IP using the default username and password to change the DNS server entries. I would guess that there are a number of people out there that are a lot less security conscious about their non-wireless routers.

    3. Re:A big part of the problem is poor documentation by Valdez · · Score: 1

      Thanks for saving me the typing... it's not a windows thing, it's a router thing. Excellent points on responsibility falling squarely on the shoulders of router companies... If windows were to use the method described in the article to force a new, more secure config onto the router... we'd be hearing screams of "Windows broke my router I hate MS!"

    4. Re:A big part of the problem is poor documentation by Lumpy · · Score: 2, Interesting

      The fun part is when you set up your router with the newest DD-WRT beta release. I have it broadcasting about 30 SSIDs, all of them with default router names and no WEP. Then you set the nocatauth to redirect all traffic to a splash page that simply says "YOU ARE A MORON". Then I leave it disconnected except for power in my attic with the power turned up and some nice high gain antennas.

      After 30 days the number of default configuration routers in my neighborhood dropped significantly. I forced them all to reconfigure it to at least change the name so they can find theirs; many actually added WEP, some added WPA.

      --
      Do not look at laser with remaining good eye.

    5. Re:A big part of the problem is poor documentation by lukas84 · · Score: 1

      Well, it depends on the equipment you buy - a lot. The el-cheapo crap I have at home (a Level-One ADSL-Ethernet Bridge, a Linksys WRT54GL) both came wide open, with no reminder to change defaults. The Linksys also came with a fully open WLAN by default.

      On the other hand, these 5 new access points I bought for my company's office, Cisco 1131AG, came with a disabled radio interface. It had to be brought up manually. However, their web interface still sucks, and didn't remind me to change passwords (which was a non-issue, since I had to include them into radius, enable ssh, etc. pp.).

    6. Re:A big part of the problem is poor documentation by theonetruekeebler · · Score: 1

      Forget documentation. Nobody reads it. They think of the computer -- and the router -- as an appliance that's simply switched on and that's the end of it.

      What home networking routers should do is, right out of the box, (a) have wireless off by default, and (b) when they plug their Ethernet cable in, all outgoing port 80 requests get redirected to an internal web server:

      Welcome to the RouteCo Pornblaster 2000 wireless router!
      Next >>
      then (c) gets them to set a password and finally (d) asks them if they want to activate the wireless. Oh, and throw in some legal disclaimers and some actual configuration parameters somewhere for good measure.

      Alternatively they should all have a different password that's printed on a sticker on the bottom. That'll at least reduce the vulnerability level by a smidge. Shouldn't be too terribly hard to do.

      --
      This is not my sandwich.

    7. Re:A big part of the problem is poor documentation by Legion303 · · Score: 1

      "Anyway, it turns out the Windows auto-install script set this thing up with no protection what-so-ever."

      This sounds familiar. I just set up a "wireless gaming router" on my DSL router (outside the firewall and with appropriate filters to keep the wireless router from accessing the internal network) so that my neighbor would be able to check his email without going to the library, and during the installation process I found out that it can be configured over the wireless link, as I had forgotten to hook up the CAT5. Even better, there's NO default password and no way to set one. I set him up with an SSH tunnel to a secure external server but let him know he should buy a real router with some security built in. The gaming router does have WEP128 but that would only hold out for a minute or two. Anyone with a spare wireless card and a copy of the "quick setup" program can reconfigure the router however they want.

  14. how nice of symantech to develop this by swschrad · · Score: 1

    not, of course, that there is anything wrong with virus companies and universities developing hacks and cracks, but

    )80qws()8FAWEJ

    SPAM
    SPAM
    SPAM
    SPAM
    SPAM

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?

    1. Re:how nice of symantech to develop this by Anonymous Coward · · Score: 0

      ...Symantec is a security corporation. It's their job to develop 'hacks and cracks.'

    2. Re:how nice of symantech to develop this by Marcion · · Score: 1

      It is like a Batman comic. Dr Evil unleashes a plague of killer wombats, while Dr Evil also has another life as the chief scientist of a drug company whose latest product is wombat prevention cream.

  15. Like this.... by StressGuy · · Score: 4, Insightful

    [YOU] "Do you have a [brand] router?'

    [NEIGHBOR] "Yes, I do."

    [YOU] "My computer keeps detecting it, thinking it can log on - did you set a password, WEP ect.?"

    [NEIGHBOR] "What's that?"

    [YOU] "It's how you keep anyone other than yourself from being able to access your internet connection; if it's not secure, anyone within your router's range can log in....I can help you if you'd like" ...this shouldn't be that much different than telling someone they left their window open or their door unlocked.

    --
    A goal is a dream with a deadline

    1. Re:Like this.... by UziBeatle · · Score: 0

      Yeah, it's sad but it is the way a huge percentage of the population works from day to day.
      They never read the manual of the new 'appliance' they brought into their lives.

      I saw this sort of thing back when I used to be an auto mechanic. People would bring in their car because they wanted the clock set on the radio. Then they would be outraged because we would charge a fee for a 'simple thing like that'. Some would be anyway. Of course I had to dig out their manual usually and read the manual myself as we were an independent shop and methods vary from model to model.

      With computers being more complex from a user perspective and with the attitude fostered by the computer industry that computers and the like are all 'appliances' it is no wonder this open router config 'problem' is around.

      I suppose I should have summed up the post and deleted all the above and just said:
      'The world is full of idiots.'

      --
      Something between the lines jumps out and bites your arm off. Soltan Gris / London

    2. Re:Like this.... by Grail · · Score: 1

      [NEIGHBOUR] "You'll be hearing from my lawyer." *slam*

      [time passes]

      [COP] "You are under arrest for unlawfully accessing a computer network" *click*

  16. here's the link to the paper by sid77 · · Score: 1

    click
    (NO, it's not one of those malicious URLs, it explains how they work, really!)

  17. This isn't about wireless access! by JackHoffman · · Score: 5, Informative

    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.

  18. The exploit is a single line of JavaScript... by Giorgio+Maone · · Score: 1

    Still accepting candy from the strangers?

    Default permit is the dumbest idea in security (well, default passwords can't even qualify as "ideas" ;) )

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript.
    1. Re:The exploit is a single line of JavaScript... by eat+here_get+gas · · Score: 1

      Interestingly enough, when I went to download this, it's an unsigned script (BIG RED letters too!).

      --
      the significance of a signature is insignificant
  19. DNS by endianx · · Score: 1

    If you do not have your router set as your computer's DNS source, this would not affect you, would it?

    So like, if you had a Linksys, you'd have to have your computer set to use 192.168.1.1 (by default) as your DNS server right?

    1. Re:DNS by JackHoffman · · Score: 1

      The attacker could make other changes:

      How about a port forward to your SMB ports? While he's changing your router configuration, he might as well add a DynDNS name for you, so that he can find your computer again even after you got a different dynamic IP address.

      Or he could relay your ISP account credentials to an external webpage (normally cross site checks would prevent this, but the attacker would only have to create a hostname for the router ip address under the domain of the webpage.)

      Change default passwords. If you can't find a shocking answer to "what could happen to me?" yourself, rest assured that someone else can.

    2. Re:DNS by Anonymous Coward · · Score: 0

      No, your router points to your DNS server. So if you had a Linksys that was still in its default settings, it would use the password "admin" to access your router through your PC and then change the DNS settings in the router to whatever it wanted.

    3. Re:DNS by Anonymous Coward · · Score: 0

      Routers are typically configured to act as relay DNS servers and they present themselves as DNS servers in DHCP requests. If you've configured your computer manually and entered different DNS servers, then the DNS configuration of the router doesn't matter.

    4. Re:DNS by ACMENEWSLLC · · Score: 1

      >>If you do not have your router set as your computer's DNS source, this would not affect you, would it?

      The stupid DLINK DI-514 router I have with the latest firmware quits serving DNS after about a day. So all my PCs run local copies of BIND and DNS is forced to use localhost. So I'm safe. But of course, if I don't keep patching BIND then I get other security issues.

      This router also locks up after a week, requiring a cold boot. If I don't, it defaults to factory defaults and allows wide open Internet access. I don't immediately recognize this as my main PC is wired. Oddly, cold booting it gets the settings back.

      Any decent routers out there? The ones I've had experience with all lock up for various reasons.

    5. Re:DNS by Rukie · · Score: 1

      I set up ClarkConnect on a small system at home as a gateway. I also use a Netgear wireless router and a Linksys wireless router (long house, need 2 APs..)

      --
      Support the source, Open Source! An entire site developed with OSS
    6. Re:DNS by Bacon+Bits · · Score: 1

      You could ask the ethernet interface what the gateway IP is or the default route is. By definition that's a network bridge of some kind, most often a router for home users.

      --
      The road to tyranny has always been paved with claims of necessity.
    7. Re:DNS by Technician · · Score: 1

      If you do not have your router set as your computer's DNS source, this would not affect you, would it?

      Many (most) people set up their computers on the LAN using DHCP as it is less difficult than setting up a static IP and manually configuring a gateway address and DNS server.

      There are a few geeks like me who set everything manually and a few OSes that have some default DNS set up quite well, such as Ubuntu.

      We tend to be a little more immune to DNS server attacks because we have longer lists, so one server out is not a showstopper like it is on many Windows boxes.

      --
      The truth shall set you free!
  20. What the Phudge? by Bohnanza · · Score: 1

    Why do all these things need to start with "Ph" instead of "F"? Someone explain it to me.

    --

    -----

    Sorry, I'm only a 1336 h4x0r.

    1. Re:What the Phudge? by ZOMFF · · Score: 1

      b3C4$3 3V3ryT1nG h4x0r r3L4t3D mU$t b3 ph34r3d!!

      --
      Launch every sig.
    2. Re:What the Phudge? by oni · · Score: 1

      because of the cult of the dead cow, loftcrack, back orifice, port 31337, etc. etc.

      It's part of a culture that goes back to The Beginning.

      What's the saying from roots? If you don't know where you came from you wont know where you're going.

    3. Re:What the Phudge? by KillerBob · · Score: 1

      Back in the early days, using "ph" meant you were doing things to the telephone system. Like that scene in Hackers (yah yah, I know) where the kid used a tape recording of the tones a phone makes when you insert coins to fool the phone company into thinking that he'd inserted coins. Would have been "phreaking".

      These days, it's just idiot reporters who don't bother to actually do their research, coupled with idiot kids who think that misspelling words makes them sound cool. A Hacker is somebody who takes things apart, dammit. A Cracker is somebody who breaks through security measures. I want my words back! Now if you'll excuse me, I need to go make some ovaltine and try to remember where I left my teeth.

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    4. Re:What the Phudge? by Anonymous Coward · · Score: 0

      "These days, it's just idiot reporters who don't bother to actually do their research, coupled with idiot kids who think that misspelling words makes them sound cool. A Hacker is somebody who takes things apart, dammit. A Cracker is somebody who breaks through security measures. I want my words back! Now if you'll excuse me, I need to go make some ovaltine and try to remember where I left my teeth."

      Should we get off your lawn too?

      Phuck off, you old phart!

    5. Re:What the Phudge? by Twisted64 · · Score: 1

      So is Cracker Barrel a highly dangerous place to set up an AP, or is it just a place the white folks go to line dance? :-P

      --
      Consciousness is a myth. Trust me.
    6. Re:What the Phudge? by Anonymous Coward · · Score: 0

      Because if you called it a Farming Attack then everybody would start thinking about pigs and chickens.

      Coming up with unique names for new things is good.

  21. defaults passwords by aod7br · · Score: 1

    I wonder why companies don't generate a random pw and put a sticker with it in the manual of each electronic device that connects to the internet. That's so easy and would solve a lot of problems. And it's not a big deal to support; they just need to store a serial number/password table in the support computers.

    1. Re:defaults passwords by ricebowl · · Score: 1

      That'd be fine but surely you've got to have some form of a failsafe option in that scenario for the wrong sticker in the manual of the equipment: if the router's set with random password 'Ghe443sXTp23' and the sticker reads 'Ghe443r6Tp23' then the consumer's kinda screwed without some form of absolute hard-reset to an easy default user-name/password.

      While I don't advocate the stupidity of, with my own BT Voyager 220v, the default user-name/password of 'admin'/'admin' I do think that, as suggested by another poster, there should be a default state of non-connectivity to external networks until the default user-name and password have been changed, with an obvious blatant message on the config/router-installation software. That way the manufacturer is able to retain the hard-reset to known defaults and the consumer is at least somewhat protected from attacks from external sources until the defaults have been changed.

      Admittedly I'm using the default BT router, so I have limited geek-credential, so I bow to further, probably better-qualified, suggestions from more experienced users and /.-ers.

    2. Re:defaults passwords by QuantumRiff · · Score: 2, Interesting

      Could you imagine what would happen if Master Lock created padlocks that all had the same combo to start with, and required you to change them? I totally agree!

      --

      What are we going to do tonight Brain?
    3. Re:defaults passwords by ricebowl · · Score: 1

      I read your comment as being an assertion that each padlock should have its own unique key, which, let's face it, is reasonable. But since car manufacturers are unable to reliably provide unique keys to their, far more expensive, vehicles I'd suggest that even then it's a form of security through obscurity. But that's aside from the point I want to make.

      Padlocks are arguably less secure than user-name/password protected equipment (lock-picking and key-bumping, mechanical destruction with tools and so on) but their prevalence allows it to be impracticable to try all possible keys. Randomly assigned user-names and passwords are probably an order of magnitude more secure (though obviously it depends on the computational power available to an attacker) however this causes its own problem. If the randomly assigned details are set at the factory then what happens when the factory messes up its packaging, with the wrong details being sent with the router?

      That's the only reasonable, so far as I can see, use for obvious factory-defaults, to allow guaranteed (so long as the firmware's not been messed up by the user in the meantime) access to the router's configuration panel. But, while in the default state, it shouldn't be allowed to connect to an external network in order to prevent/reduce potential harm to the user's network.

    4. Re:defaults passwords by Sanat · · Score: 1

      Actually the better combo lock manufacturers like Greenlee do this. All Greenlee locks come with the combination set to 10-20-30. Also a key is enclosed to change the combination before use.

      In a lot of situations one keeps their lock set to 10-20-30 and then sets in the new combination just before using it. After finishing the task with it then the combination is reset to 10-20-30.

      This is especially true when transporting launch codes, missile computer tapes, etc. that require a high level of security.

      One idiot 2nd Lieutenant who was a missile launch officer was being evaluated and mentioned to the evaluators that his combo was 10-20-30... this was a funny joke and everyone laughed until he mentioned it later again and the evaluator was able to gain access to the Lieutenant's launch codes using 10-20-30.

      The lieutenant was relieved of duty on the spot and may have ended up in Leavenworth because of the security breach.

      --
      And in the end, the love you take is equal to the love you make
  22. linux by Anonymous Coward · · Score: 0

    I have two of those "cheap" NAT DSL routers. Unfortunately I have changed the default password for the devices (Zyxel) and my DNS is handled by a firewall(ed) Linux box. The DNS lookups go directly to the ROOT DNS servers. It's a bit slower than using the DNS of the ISP, but then again I think the ROOT servers are in the hands of pros ...

    Also running ure ownz (forwarding) DNS server lets you do some nifty stuff (blocking sites, renaming sites, redirecting, etc.)

  23. Enough with the goofy terms for this crap by duffbeer703 · · Score: 3, Insightful

    I'm so sick of phishing, vishing, pharming, pheering, etc.

    The security community is completely pathetic; the #1 motivation of all of this crap is consultants who want to go around and say that they coined the phrase "pharming", or were able to drum up panic over every obscure flaw in PowerPoint 97.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:Enough with the goofy terms for this crap by Beryllium+Sphere(tm) · · Score: 1

      Someone agrees with you about oh-so-precious neologisms like "pharming" being considered harmful. "Pharming", besides being cutesy, is uncommunicative: it doesn't convey any more about the nature of the attack than "blepping" would, and with more risk of confusion as everyone tries to figure out how DNS spoofing relates to agriculture.

    2. Re:Enough with the goofy terms for this crap by BluBrick · · Score: 1

      Funny, I saw it quite differently. My first thought was that it had something to do with drugs. Probably because I read it before I heard it.

      Hmmm, considering that these compromised routers will almost certainly end up somehow involved in promoting Ci/-\lis, v1@gRa, and so on, maybe I was right!

      --
      Ahh - My eye!
      The doctor said I'm not supposed to get Slashdot in it!
    3. Re:Enough with the goofy terms for this crap by Anonymous Coward · · Score: 0

      everyone tries to figure out how DNS spoofing relates to agriculture.

      It's an attack where you don't attack the victims directly. Instead you prepare the land (manipulate DNS configurations) and later you harvest what you've sown. The name also expresses the view on the victims: They're seen as an exploitable resource.

    4. Re:Enough with the goofy terms for this crap by duffbeer703 · · Score: 1

      It's an attack where you don't attack the victims directly. Instead you prepare the land (manipulate DNS configurations) and later you harvest what you've sown. The name also expresses the view on the victims: They're seen as an exploitable resource.

      That's pretty tenuous... I guess they're running out of words to prepend with "ph".

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
  24. You haven't dealt with end-users much, have you? by spun · · Score: 5, Funny

    If you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"

    Aha, aha, ahahaha. If you DO put it in the documentation, on the top of every page, in red 24 point bold all caps, you will get hundreds of calls from irate users. If you DON'T, the number will be approximately 99% of whatever your userbase actually is. The other 1% will, as usual, stick their tongue in the wall socket to see if it's live before plugging in the device, somehow poke both their own eyes out with the ethernet cable, or eat the packet that says "DO NOT EAT."

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  25. Seen this and it's scary by ajs318 · · Score: 4, Insightful

    It's not for nothing that we have this old saying: He who controls DNS, controls the Internet. It's scary what you can do to someone if you can tell them, authoritatively, that (for instance) the IP address for "www.google.co.uk" is 66.230.165.157. And that's exactly the sort of thing you can do, if you have control of a machine running BIND. If you were very, very careful what you subverted, you could snarf a lot of information. I'm sure it's possible to reverse-profile people by the "targeted adverts" they get sent in return for supplying personal information (but see here for advice). If you're serving up the fake pages from your own machine (and you might as well, because Apache is as much part of every Linux distro as BIND) then you have all you need to be The Man In The Middle -- you can pass on a (munged) version of their request to the intended target server and offer up the reply. If you're within wireless range of their router, you can even do it via that. Change back the DNS settings afterward and nobody need ever be any the wiser.

    In my street, there are at least three wireless networks with default passwords. When my friends come around with their wireless laptops, they get a good connection. It most definitely isn't through mine, because my LAN is all wired (in fact, it's still got one length of co-ax in it!) On two of them, the network name was the model of the router. One quick Google later and I had the default password. And it worked -- I had the configuration page up! I almost changed their network name to "uRpWn3d" and set a new password, just for a laugh and maybe to teach them a lesson, but decided against it; there are ways of pointing out something loose that look less like vandalism than breaking it off.

    The real, long-term solution is for routers to be designed not to route packets as long as the password is set to the factory default -- if the password hasn't been changed, then the router should not allow you to connect to anything except its own configuration page. If you do a full factory reset and find yourself able to connect to web sites straight away without deliberately changing the password, then that must mean one of your machines has already been compromised. Then it's better that you stay off the Net until your computers are fixed.

    --
    Je fume. Tu fumes. Nous fûmes!
    1. Re:Seen this and it's scary by crabpeople · · Score: 1

      All good points but it's kind of futile with most people. My friend has used wireless internet access for over a year, shared by one of his neighbours. I had a 30 minute conversation with him that ended in no resolution. His question: How do you know that you (meaning me) or me (meaning him) are not running an open wireless AP?

      Imagine trying to convince someone that 1) to run wireless you have to BUY a router 2) even if I had a wireless router I would secure it properly 3) I know what I have in my own house. See, for him, wireless is just like magic air dust. If you can't see it, how do you know it's not there, or that you are secure?

      It really opened my eyes to what normals have problems understanding about technology.

      --
      I'll just use my special getting high powers one more time...
    2. Re:Seen this and it's scary by irc.goatse.cx+troll · · Score: 1

      Having control of DNS also allows you to introduce exploits in places that trust things they shouldn't. For example, software that autoupdates without good keychecking -- You subvert that request and send it whatever it wants.

      Plenty of other ways to inject exploits like that once you can hijack DNS, none of them remotely traceable if done right.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  26. Moo by Chacham · · Score: 1

    Don't most routers--also by default--require a physical link from the inside to administer it?

    1. Re:Moo by Anonymous Coward · · Score: 0

      Turn off wireless administration.

    2. Re:Moo by Anonymous Coward · · Score: 0

      In this attack, the web browser running script is on the internal network. Only weirdos like me disable scripting, everyone else is too focused on the dancing pigs to care about some East European gang snagging their online banking details.

    3. Re:Moo by Radon360 · · Score: 3, Informative

      They can be configured that way, but usually by default, they are not. I know that Linksys has the option, but Wireless management of the router is not disabled by default.

      Besides that, the title was a bit misleading with the term "drive-by". This exploit has nothing at all to do with a wireless LAN.

      Basically:

      1. You get a person to browse to a web page with the malicious code
      2. The web browser downloads the malicious JavaScript and executes it.
      3. The JavaScript connects to the router from the user's computer and changes the settings.
      4. The router's DNS now points to the attacker's DNS.
      5. Attacker can now point the user's browser in whatever direction he chooses.
    4. Re:Moo by Chacham · · Score: 1

      First of all, thanx for the explanation.

      The web browser downloads the malicious JavaScript and executes it.

      You mean there are still people who do not run NoScript?

    5. Re:Moo by ajs318 · · Score: 1

      But that's the point -- it is coming from the Inside!

      The request to change the settings is coming from your PC. You just have to visit a malicious web page that has a bit of JavaScript that calls up another web page in an iframe ..... nothing too extraordinary ..... Except the URL it calls up is something like "http://admin:1234@10.0.0.1/configure?dns1=123.4.5.67&dns2=234.5.6.78&submit=submit". And the iframe is too small for you to be able to see it.

      Now you are no longer using your ISP's nameservers, but the attacker's own nameservers. You type in "www.google.co.uk"; that has to be translated to an IP address, just like a place name has to be translated to an STD code when you want to make a phone call, and the "codebook" is the nameserver. The nameserver tells your computer that the IP address is 66.230.165.157. Your computer then goes and asks the computer whose IP address is 66.230.165.157 for a web page ..... and you find out the hard way that 66.230.165.157 is not really Google at all. Scarier still would be to replace "real" bank sites with phake sites that accept and store up your login details (and maybe even pass them on to the real site to confirm them).

      --
      Je fume. Tu fumes. Nous fûmes!
    6. Re:Moo by Anonymous Coward · · Score: 0

      "You mean there are still people who do not run NoScript [mozilla.org]?"

      I don't... Never could get it to work in Internet Explorer.

    7. Re:Moo by AndreasJS · · Score: 1

      The offending command is not necessary a script command, it could be:

      <img src="admin:admin@192.168.1.1/something.cgi">

      NoScript would not help here.

      By the way, it seems that Macintosh users cannot use NoScript
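
As an added example (not code from any poster, nor from any vendor's firmware), the following Python model shows the checks a router's web interface would need so that the hidden-iframe URL ajs318 quotes and the img tag AndreasJS shows are refused, and it also implements the "no routing until the factory password is changed" rule several posters in this thread propose. The Request and Router classes, the router and resolver addresses and the session handling are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed values: the factory password and the LAN addresses the router
# answers on (the defaults the thread discusses).
FACTORY_PASSWORD = "admin"
ROUTER_HOSTS = {"192.168.1.1", "10.0.0.1"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the router's web UI sees it."""
    method: str
    url: str
    headers: dict
    form: dict = field(default_factory=dict)  # POST body fields


@dataclass
class Router:
    password: str = FACTORY_PASSWORD
    dns: tuple = ("198.51.100.1", "198.51.100.2")  # constructed ISP resolvers
    sessions: dict = field(default_factory=dict)    # session id -> CSRF token

    def wan_routing_enabled(self) -> bool:
        # The thread's proposal: no Internet forwarding while the factory
        # password is in place; only the config page is reachable until then.
        return self.password != FACTORY_PASSWORD

    def login(self, password: str):
        """Password login; returns (session id, CSRF token) or None."""
        if not secrets.compare_digest(password, self.password):
            return None
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def handle_config(self, req: Request):
        """Apply a configuration change. Returns (status, reason) and only
        mutates the router when every check passes."""
        parts = urlsplit(req.url)
        # 1. Credentials embedded in the URL (http://admin:1234@10.0.0.1/...)
        #    are never accepted; that is exactly the drive-by request shape.
        if "@" in parts.netloc:
            return 403, "credentials in URL are not accepted"
        # 2. State changes only on POST, so an <img>/<iframe> GET cannot
        #    reconfigure anything, script or no script.
        if req.method != "POST":
            return 405, "configuration changes require POST"
        # 3. The Host header must be one of the router's own addresses; a page
        #    that points its own hostname at the router's LAN IP fails here.
        if req.headers.get("Host") not in ROUTER_HOSTS:
            return 400, "unexpected Host header"
        # 4. The browser-supplied Origin (or Referer) must be the router itself,
        #    so a request triggered from another site is refused.
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if src is None or urlsplit(src).hostname not in ROUTER_HOSTS:
            return 403, "cross-site request rejected"
        # 5. A logged-in session and its CSRF token must both be present and
        #    match; the token never leaves the router's own pages.
        cookie = req.headers.get("Cookie", "")
        sid = dict(p.split("=", 1) for p in cookie.split("; ") if "=" in p).get("session")
        token = self.sessions.get(sid)
        if token is None or not secrets.compare_digest(req.form.get("csrf", ""), token):
            return 403, "missing or invalid CSRF token"
        # All checks passed: apply the requested changes.
        if "dns1" in req.form and "dns2" in req.form:
            self.dns = (req.form["dns1"], req.form["dns2"])
        if req.form.get("password"):
            self.password = req.form["password"]
        return 200, "ok"
```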

  27. No shit! by Anonymous Coward · · Score: 0

    An obvious attack vector exploited in the wild, say it ain't so!!!

    web scripting is a gaping security hole and I'm tired of being treated like a freak for pointing it out.

  28. The sequel by kahei · · Score: 5, Funny

    (Later)

    [NEIGHBOR] ...and then suddenly I found out all these payments had been made on my paypal account and a truckload of goat porn had been ordered on my credit card!

    [COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change.

    [NEIGHBOR] An idiot is me.

    [COP] Yes. Yes, an idiot is you.

    --
    Whence? Hence. Whither? Thither.
    1. Re:The sequel by Technician · · Score: 1

      (Later)

      [NEIGHBOR] ...and then suddenly I found out all these payments had been made on my paypal account and a truckload of goat porn had been ordered on my credit card!

      [COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change.

      [NEIGHBOR] An idiot is me.

      [COP] Yes. Yes, an idiot is you.

      (Later)

      [NEIGHBOR] ...and then suddenly I started getting notices in the mail requiring me to visit a settlement center or be sued for copyright violations at $7500 each. I can't get anyone at the settlement center to understand. They just demand money.

      [COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change. I hope you have a good lawyer.

      [NEIGHBOR] An idiot is me. Do you know a good lawyer?

      [COP] Yes. Yes, an idiot is you. I can't recommend a good copyright lawyer. Have you tried the yellow pages?

      --
      The truth shall set you free!
  29. Show your sister this article! by oni · · Score: 3, Interesting

    RIAA Will Drop Cases If You Point Out That An IP Address Isn't A Person

    Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do.

    1. Re:Show your sister this article! by Reverse+Gear · · Score: 1

      Thank you for this, I have forwarded the link to my sister.

      In Denmark we have something called anti-piratgruppen instead of RIAA, but they do the same thing as far as I know. This could very well prove useful if my sister has not already found it, even if US and Danish law is probably pretty different.

    2. Re:Show your sister this article! by Anonymous Coward · · Score: 0

      Well, duh. IP- Isn't a Person. What more do you need?

  30. Part 2 of this attack by davidwr · · Score: 1

    Part 1 is using default passwords.

    Part 2 is installing a trojan that systematically tries passwords, starting with obvious ones like the current hostname, the current username, or the decrypted or keylogger-captured login passwords. Or just wait for the user to log into the router and capture the password at that time.

    Part 3 will be doing a firmware "update" so a back door will always be there and false entries don't show up in the configuration screen.

    I want a router that has a hardware security switch so I can enable or disable modifications. If it's in the "locked down" position then everything becomes read-only. I also want a second "reset" switch that reloads the factory firmware. This second switch will also be a de-bricking switch in case of a bad or interrupted firmware upgrade.

    BTW, the "factory firmware" the 2nd switch activates doesn't have to be the "original firmware" as seen by the customer; it can be a mini-firmware environment that does nothing but allow real firmware to be installed. Its whole purpose in life is to sterilize the machine of all non-factory-installed options.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  31. You'd be fired on the spot for such a suggestion by Anonymous Coward · · Score: 0

    Any firmware or product engineer at Linksys or Netgear would be canned for even making such a recommendation. Yes, yes, that's extreme. But seriously, if Jane-Wine-Box picks up a WiFi router at Best Buy for her new Dell notebook and the router does not operate after performing a casual "DVD player" install (plugging in the cables), then the router will be returned to the store with the claim that it's "broke".

    I agree that the average population is getting much better at dealing with "bleeding-edge technology". But the majority of paying customers simply don't care enough. They just want it to work, NOW!

  32. The is NOT Drive-By Pharming by Anonymous Coward · · Score: 0

    Drive-By Pharming is when you use a pea shooter to launch vicodin into someone's open mouth.

  33. auto change password? by Rukie · · Score: 1

    Would it be possible for every router to be shipped with a random password that is printed on the cards it comes with? Therefore solving this dilemma. Or by default only allow access from the NAT, and not from outside, the internet (thus blocking any javascript attempt)?

    --
    Support the source, Open Source! An entire site developed with OSS
    1. Re:auto change password? by evolseven · · Score: 1

      I don't think you understand the attack vector, javascript executes on a client machine (eg inside the NAT), so restricting access to the outside world would do you no good. In fact I believe that most routers block outside access by default, and you have to enable it if it is even available.

  34. Yes, but read closer by michaelwigle · · Score: 1

    "The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers.

    The attacker would have to persuade the user to visit the web page containing the attack code. This could be done with spammed links, or by inserting it into a page on a compromised web server on a popular site."

    The problem is that this attack is launched from a web site, not a drive-by wireless connection. Therefore, it will affect non-wireless routers and wireless routers if you happen to be hard-connected to it instead of using the wireless connection. Makes it a much more dangerous problem with the number of default installations for routers out there. One could also make an assumption that folks who are more likely to be tricked into a bad site in the first place probably don't have the technical know-how to change the default password and IP settings of their router.

    1. Re:Yes, but read closer by Chacham · · Score: 1

      Thanx for the clarification. :)

  35. not a new technique by Anonymous Coward · · Score: 0

  36. I call Bull... by flyingfsck · · Score: 1

    Most WiFi home routers don't allow configuration over WiFi by default - only over a wire. This may work with a small number of very old routers, of which the PCs behind them are probably already totally full of crapware, so any more won't make the slightest difference.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:I call Bull... by Anonymous Coward · · Score: 0

      My Netgear WGR-614 allowed administration via the WLAN port by default, and my girlfriend's previous Linksys router also did (it now has a newer Netgear which also allows WLAN administration). I doubt that it is as rare as you think.

      Even if it was not allowed "by default", it's likely because the wireless was off "by default", not due to a setting specifically targeting the configuration access.

    2. Re:I call Bull... by really? · · Score: 1

      Actually, I have yet to find a router that won't let me admin it once I am connected to it; wireless or not. There could well be some/many, but all the ones I connected to wanted just the name/password to let me admin them.

      --

      "Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
  37. not me by scharkalvin · · Score: 1

    The first thing I did when setting up my NetGear router was to change the password. I don't know if I can change the login name (need to check that). I also added blocks to certain web sites to keep the kids out of trouble.

    Things like this make me want to build my own router with an old computer running Linux or 'BSD. Only problem would be getting Roaring Penguin to work with Bellsouth (AT&T!) dsl. (G-D PPPOE)!) Except that the Netgear box uses SO much less power than an old computer. Anybody know of a good and cheap low power platform to build a Linux router on? (no soldering required!)

    1. Re:not me by mutterc · · Score: 1

      Anybody know of a good and cheap low power platform to build a Linux router on?

      A Linksys WRT54GL, running OpenWRT. I'm in the midst of replacing my 486-based firewall and cheap 802.11 access point with it.

    2. Re:not me by peekitty · · Score: 1

      You could simply use one of the many wireless routers that are supported by DD-WRT. I use a $15 (eBay) Dell Truemobile 2300 for this, and I switch the 802.11 radio on only when I need it.

      FWIW, RP-PPPoE works fine on my laptop with BS/ATT's ADSL, I used it frequently in the field when I did some contracting for BS.

  38. The sequel to the sequel.... by StressGuy · · Score: 1

    [COP] Did anyone other than you have access to your computer?

    [NEIGHBOR] Only the guy next door, and *he* says that he didn't see anyone tamper with it...I guess it's a mystery

    {COP immediately goes next door}

    I don't know about you, but I make an effort to get to know my neighbors, thus, the notion that I would actually suggest helping them with something is not automatically deemed a scam.

    --
    A goal is a dream with a deadline
  39. Face the facts by Anonymous Coward · · Score: 0

    This is not the fault of router manufacturers or their users.

    The problem here is the evil known as JavaScript.

    Take that one line of JavaScript, wrap it in a loop with a few variables and presto, you have a brute force or dictionary attack.

    This cannot be fixed without disabling JavaScript in browsers altogether.

    I'll admit that not using a web-based interface on the router might help, but what are the chances that the average user will be able to comprehend how to change their router password in a telnet session? Even then, I wouldn't be surprised if one could use JavaScript to attack such a router from the inside as well.

    I'll modify my statement: this cannot be fixed without either eliminating JavaScript from web browsers or having router manufacturers ship a configuration application that uses a proprietary network protocol to configure the router.

  40. Slightly better solution by Otto · · Score: 1

    The latest Linksys routers come with a CD with a configuration program on it. You insert the CD, run the program (or it autoruns) and it goes through a setup dialog which forces you to set the various settings. Then it finds your router and uploads the settings and such.

    Of course, you can still use the router without the installation, and it still has the web interface, so users who know what they're doing toss the CD and just configure it themselves, but I thought it was an interesting solution.

    Non-knowledgeable users invariably think that the CD is required to make the device work, regardless of what the device is. In point of fact, most things that come with CDs nowadays do not require them at all. The CD might contain drivers, but generally Windows will have drivers or can download them from the 'net when it really needs to. More often, the CD contains advertising or product demos.

    In Linksys's case, the idea of an unnecessary configuration program for n00bs was slightly marred by the fact that the configuration program did not actually work due to a firmware bug in the shipped router (their QA people should have been shot for that), but nevertheless I thought it was a neat idea. Make the config program able to find and download new firmware from their website, install it onto the router, etc. Sorta the layman's way of working with the router.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  41. Re:DNS - Router Suggestions by MrDoh1 · · Score: 1

    Without going into business grade routers I've found one so far that seems well above any other solutions. I've tried many different brands and models but this is what I finally decided on and have running (and love).

    http://games.dlink.com/products/?pid=370 DLink Wireless Gaming router
    http://games.dlink.com/products/?pid=371 DLink Gaming router (same but no wireless)

    I've never been a fan of DLink at all but these routers make up for it in spades. Firstly, the switch ports are gigabit and the WAN port is 10/100, not just 10. Also, with all the other "home grade" routers I never had enough port forwards (for hosting servers etc.). Those two DLink routers don't have that problem. So far I don't think there is a limit to the number of forwards you can have. My ping times have also been drastically reduced compared to other routers. It also has fairly robust QoS settings (for a home router anyway). The other big thing is that it can handle thousands of sessions at once. No more firing up Bittorrent and having to hard reset the router an hour later because it's frozen and has stopped routing. The only thing so far that I see that could even be improved would be better logging (so I could get bandwidth reports from it with Wallwatcher http://sonic.net/wallwatcher/). Currently it just does plain old syslog logging. My only other complaint is that the Dynamic DNS feature will only keep track of and update one name for you. So if you have multiple domains pointing to your dynamic address you'll have to have another solution to update all but one.

    I believe they do themselves a disservice by advertising this exclusively as a gaming router. This thing could handle most small (and even some not so small) businesses without any kind of problem. It does cost more than the Linksys you can get at Walmart but, at least to me, it has been more than worth it. I personally use the non-wireless version since I prefer to keep my AP and router as 2 separate pieces of equipment (both for security and because if my router breaks I don't wanna be out an AP, or vice-versa). I can tell you that I've put mine through the paces and it has not locked up or had to be reset once thus far.

    The other option that I would have chosen would have been M0n0wall http://m0n0.ch/wall/ on a Soekris http://www.soekris.com/ board. In particular I was going to go with one of the bundles found at http://www.soekris.com/bundles.htm. I wanted the Net4801 with the Lan1641 4 port NIC expansion. That would have given a total of 7 ethernet ports. The only reason that I didn't end up going in that direction was because they offer no gigabit options. Otherwise that would have been an awesome setup.

    My .02.

    --
    I am Homer of Borg. Resistance is Fut.. Mmmmmmmm, Donuts!
  42. no!! by crabpeople · · Score: 1

    Are you trying to kill linksys, the only international wireless ISP out there?

    --
    I'll just use my special getting high powers one more time...
  43. This isn't about wireless! by Anonymous Coward · · Score: 2, Informative

    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.

  44. How about "Surf By" fixes? by jan+de+bont · · Score: 1

    So, the attack is a snippet of JavaScript that uses the default passwords of Linksys, D-Link, and so forth. Let's use those defaults for "good" instead of "evil". How about a site that documents the problem and has a "Click here to fix the problem" link that tries those exact same defaults, but CHANGES THE PASSWORD (with the user's help) rather than changing the DNS?

    How about the big boys of Internet 2.0 each create a page (or series of pages) that non-nerds can visit that fix these kinds of things? Google's "Defend yourself" page sounds pretty good to me.

  45. Sad But True by Hades1010 · · Score: 1

    A good start for this attack would be to begin with a simple JS port scanner, run the default password check on all webservers, routers etc. connected to the LAN/WAN, and then control the network.
    A simple JavaScript port scanner is here:
    http://www.spidynamics.com/assets/documents/JSportscan.pdf
    and default password list of most of the connected devices is here :
    http://www.phenoelit.de/dpl/dpl.html
    Njoy

  46. Drive-by pharming procedures by merc · · Score: 1

    1) Drive by pharm,
    2) Stop. Park.
    3) Milk cows.
    4) Feed chickens.
    5) Slop pigs.
    6) Stack hay.
    7) Profit.

    --
    It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
  47. It's the router companies fault by PharmerWithTractor · · Score: 1

    The router companies need to stop selling products with default passwords that don't prompt the user to set a password.

  48. Oh noes by RomulusNR · · Score: 1

    So, I have to be sufficiently un-dumb enough to have changed from the default password on my home router/gateway. Ok, done.

    --
    Terrorists can attack freedom, but only Congress can destroy it.
    1. Re:Oh noes by mshurpik · · Score: 1

      My dad actually mentioned this story to me today. And I *don't* think he reads Slashdot.

      Meanwhile, I finally told him the router's password, which has been the same for the past 5 years. Suffice to say, any household without a tech-viable consultant is potentially vulnerable.

  49. a stupid question by ringm000 · · Score: 1

    Why wouldn't router manufacturers just use the serial number of the device as a default password??? Yeah, the one which is printed on the case of the device.
    Too complicated for the user? Too hard to implement? It's hard to believe that. Use larger font if you must.
    You could also use the same password as a WPA key...

    1. Re:a stupid question by Tim+Ward · · Score: 1

      Too hard to implement?

      Er, yes, I'd think so - you'd have to add a per-unit provisioning step to the production line, and a new database (or new hooks into an existing one), and, hardest of all, some way of getting the password to actually match the serial number label.

      Then, you'd have to have a back door, for the units that went out with the wrong password, resulting in the owners of their brand new doorstops phoning up for support. So, you'd also have the expense of more training for support, rejigging the scripts, and so on.

      OK, so you spend all this money. Then, how many more units will you sell as a result?

      Duh!

    2. Re:a stupid question by Anonymous Coward · · Score: 0

      Fun fact: AVM sells all their routers with random keys and WPA encryption enabled. There is no backdoor, the key matches the label on the device. Reviewers regularly commend them for that practice. How many more units do they sell as a result? That's hard to say, but since they get recommendations left and right, I'd guess lots.
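      The two provisioning ideas in this sub-thread (serial number as the default password versus a random per-unit key printed on the label, as the AVM comment describes) side by side, as an added example that is not code from the page or from any vendor mentioned; the serial-number format, the label alphabet and the small list of vendor defaults are assumptions:

```python
"""Per-unit default credentials on a router production line (added example)."""
import hashlib
import re
import secrets

# Alphabet without easily confused glyphs (0/O, 1/I/l) so a label in a small
# font can be typed reliably; 32 symbols give 5 bits per character.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
LABEL_KEY_LEN = 16                      # 16 * 5 = 80 bits of entropy
# Constructed stand-in for a published default-password list.
VENDOR_DEFAULTS = {"", "admin", "password", "1234"}


def serial_as_password(serial: str) -> str:
    """The thread's first proposal: the default password *is* the serial
    number. Serials are usually sequential and often visible elsewhere
    (shipping label, SNMP, default SSID), so an attacker can enumerate them."""
    return serial.strip().upper()


def make_label_key() -> str:
    """Random per-unit key, grouped XXXX-XXXX-XXXX-XXXX for the label printer."""
    raw = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(LABEL_KEY_LEN))
    return "-".join(raw[i:i + 4] for i in range(0, LABEL_KEY_LEN, 4))


def _canon(key: str) -> str:
    """Ignore dashes, spaces and case when comparing what the user typed."""
    return re.sub(r"[^A-Za-z0-9]", "", key).upper()


def provision(serial: str, db: dict) -> str:
    """Production-line step: mint the key, store only a salted PBKDF2 hash
    keyed by serial (support can verify a label but never read it back,
    so no recovery back door exists), and hand the key to the printer."""
    key = make_label_key()
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _canon(key).encode(), salt, 100_000)
    db[serial] = (salt, digest)
    return key


def verify_label(serial: str, typed: str, db: dict) -> bool:
    """Check a key typed from the label against the provisioning record."""
    record = db.get(serial)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", _canon(typed).encode(), salt, 100_000)
    return secrets.compare_digest(candidate, digest)


def must_change_before_routing(serial: str, current_password: str) -> bool:
    """Firmware-side check behind 'prompt the user to set a password': a
    password that equals the serial or a known vendor default is not accepted
    as a configured device."""
    pw = current_password.strip()
    return pw.upper() == serial_as_password(serial) or pw.lower() in VENDOR_DEFAULTS
```

      The hash store answers the "back door for units with the wrong label" objection differently from the comment above: a mismatched unit is caught at the line by running verify_label on the printed key before the box is sealed, rather than recovered later through support.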

  50. But Has Anyone Actually Verified this Claim? No by funchords · · Score: 1

    So far, there are 66 "Sources" in news.google.com that have "reported" this story. However, none of them have claimed to have actually tried to reproduce the exploit, themselves.

    If someone had, they would have found that the Zone Elevation situation it creates (Internet -> Intranet) would be prohibited by most browsers, including IE since version 6.0. IE would have also balked at crafting a url with http://hostname/ as suggested by the Symantec paper.

    Parroting a Press Release and calling it journalism is rather weak.

    1. Re:But Has Anyone Actually Verified this Claim? No by AndreasJS · · Score: 1

      Try the following: Make a web page that includes
      <script src = "http://admin:admin@192.168.1.1/wan_poe.cgi?dns1=204.101.251.1"> </script>
      If you have the same router as I have, you will have entered a new DNS. No Java, no JavaScript, just plain HTML. View the source of the configuration page of your router to find out what cgi commands you need for this.

  51. Bad router configuration interface by Anonymous Coward · · Score: 0

    Note that the exploit depends on being able to change the state of the router using HTTP GET. According to RFC 2616, the GET method should be safe and idempotent: it should not change the state of the underlying resource.

    If the web interface to configure the router had been coded correctly, to only allow state changes in the router on a POST, then this exploit couldn't work.

  52. Change password alone is not enough by AndreasJS · · Score: 1

    In order to be safe:
    1. You should log out after changing the password or (if no logout is possible, such as with simple HTTP authentication) restart your browser before visiting any webpage.
    2. Do not tick the "memorize password" box. If you do this, an intruder could manipulate the router without a password.
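    How a router's configuration handler could close the holes the last three comments describe (43: the browser as reflector, 51: state changes on GET, 52: credentials that keep working after the change), as an added example that is not code from the page, from the Symantec/IU paper or from any vendor's firmware. It combines a POST-only rule, a same-origin check on the Origin/Referer header, and a per-session CSRF token in a session that logout and an idle timeout invalidate. The path wan_poe.cgi and the dns1 parameter are taken from the thread; the router address, timeout and the request shapes in demo() are assumptions:

```python
"""Hardened /wan_poe.cgi handler for a home-router web UI (added example)."""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the web interface
IDLE_TIMEOUT = 300                    # seconds of inactivity before a session dies


class Session:
    def __init__(self, now: float) -> None:
        self.csrf_token = secrets.token_urlsafe(32)
        self.last_seen = now


SESSIONS: Dict[str, Session] = {}


def login(password_ok: bool, now: float) -> Optional[Tuple[str, str]]:
    """After a successful password check, mint a session id (set as a cookie)
    and a CSRF token (embedded only in the router's own forms)."""
    if not password_ok:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(now)
    return sid, SESSIONS[sid].csrf_token


def logout(sid: str) -> None:
    """Explicit logout makes the browser's cookie useless at once. With HTTP
    Basic auth there is nothing server-side to drop, which is why the
    comment above falls back to restarting the browser."""
    SESSIONS.pop(sid, None)


def _live_session(sid: Optional[str], now: float) -> Optional[Session]:
    sess = SESSIONS.get(sid) if sid else None
    if sess is None:
        return None
    if now - sess.last_seen > IDLE_TIMEOUT:   # forgotten tab: session expires
        del SESSIONS[sid]
        return None
    sess.last_seen = now
    return sess


def _same_origin(headers: Dict[str, str]) -> bool:
    """Browsers add Origin to cross-site POSTs, older ones only Referer. A
    request carrying neither, or a foreign one, did not come from our pages."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return "%s://%s" % (parts.scheme, parts.netloc) == ROUTER_ORIGIN


def handle_config_change(method: str, headers: Dict[str, str],
                         cookies: Dict[str, str], form: Dict[str, str],
                         now: float) -> Tuple[int, str]:
    """Decide whether a request may change the DNS setting. Returns an HTTP
    status and a reason; 200 means the change is applied."""
    if method != "POST":
        return 405, "GET must not change state (RFC 2616); use POST"
    if not _same_origin(headers):
        return 403, "request did not come from the router's own pages"
    sess = _live_session(cookies.get("session"), now)
    if sess is None:
        return 401, "no live session; log in again"
    if not hmac.compare_digest(form.get("csrf", ""), sess.csrf_token):
        return 403, "missing or wrong CSRF token"
    return 200, "dns1 set to " + form.get("dns1", "")


def demo() -> list:
    """Run the requests a defender cares about; returns the status codes in
    order. The DNS address is a constructed TEST-NET value."""
    now = 1_000_000.0
    dns = {"dns1": "203.0.113.53"}
    out = []
    # 1. the thread's one-line attack: a GET carrying only URL parameters
    out.append(handle_config_change("GET", {}, {}, dns, now)[0])
    sid, tok = login(True, now)
    cookie = {"session": sid}
    # 2. cross-site POST from a foreign page while the admin is logged in
    out.append(handle_config_change("POST", {"Origin": "http://attacker.example"},
                                    cookie, dns, now)[0])
    own = {"Origin": ROUTER_ORIGIN}
    # 3. same origin, live session, but the form lacks the token
    out.append(handle_config_change("POST", own, cookie, dns, now)[0])
    # 4. the legitimate change submitted from the router's own settings page
    out.append(handle_config_change("POST", own, cookie, dict(dns, csrf=tok), now)[0])
    # 5. after logout the same cookie and token are dead
    logout(sid)
    out.append(handle_config_change("POST", own, cookie, dict(dns, csrf=tok), now)[0])
    # 6. a session left open expires after IDLE_TIMEOUT seconds of inactivity
    sid, tok = login(True, now)
    out.append(handle_config_change("POST", own, {"session": sid},
                                    dict(dns, csrf=tok), now + IDLE_TIMEOUT + 1)[0])
    return out
```

    demo() returns [405, 403, 403, 200, 401, 401]. The token is the control that actually stops the reflected request: a page on another origin cannot read it, so even a browser that still holds a valid session cookie cannot be made to submit it. The Origin/Referer check and the POST-only rule are cheap extra layers, and the session store is what gives "log out after changing the password" something to act on.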