Millions of Home Routers Are Hackable
Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.
The tool apparently exploits the routers through DNS rebinding. Wjhile this technique has been discussed for 15 years or more, Heffner says 'It just hasn't been put together like this before.'"
Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!
The "list of routers affected" at Notebooks.com is just a picture (.png) of a few rows of a spreadsheet. I would like the full list, please, even if just posted in a comment.
If I used a sig over again, would anyone notice?
Let's see:
Make sure you have a strong Admin password on your router and don't surf p0rn/warez sites.
Thank you Captain Obvious!
"Murderer? Well, that's a harsh word. I prefer to think of myself as a Mortality Technician."
At one point, just out of morbid curiosity, I cranked up a copy of OpenVAS (the OSS fork of Nessus) and told it to just hit everything on my home network with all "safe" tests (the program offers the option of either including or excluding tests that are likely to crash/DOS the target, rather than simply confirm/deny the presence of a vulnerability).
When the run was finished, all the real computers in the house had passed, with the exception of a few informational messages (Hey! This computer is running an SSH server, did you do that or should you be freaking out right now?). On the other hand, I had to physically reset over half of the assorted little-bitty-embedded-plastic-boxes-of-various-network-functions to get them working again.
And that was with the "safe" tests.
Based on the version and vulnerability information being reported (for devices that I do, in fact, update vendor firmwares on, when those are available), the state of consumer embedded devices is absolutely fucking pathetic. Blatantly outdated and known-vulnerable services listening merrily away in the latest vendor firmwares for products less than a year old...
It seems that changing the password would render this hack fairly useless. Also, many routers are only accessible through a private IP, so even changing the router's IP would work, unless the script tries all the addresses on the local network and then tries to brute force the router, but that would take years since I would assume it's written in JavaShit.
Just trying to understand this...
But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.
Heffner's trick is to create a site that lists a visitor's own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address--in reality the user's own IP address--and accesses the visitor's home network, potentially hijacking their browser and gaining access to their router settings.
How does your DNS stack pick up a new IP address for a host name once it's already been resolved? I don't understand the mechanism for this part of the exploit. Anyone?
Okay, so let's say the attacker can pull this part off without a problem...
One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network. But that can be accomplished by using a vulnerability in the device's software or by simply trying the default login password. Only a tiny fraction of users actually change their router's login settings, says Heffner.
So, then the hacker has to rely on the browser running some JavaScript in the victim's browser that will actually break the security of the victim's gateway router?
Definitely your vulnerability goes up once an attacker can approach your gateway from the inside, but this isn't a free pass through everyone's home system. Seems like just changing your default password is a great first step to prevent any shenanigans.
Why are you letting these clowns ruin our country?
First things first, you can block most of these attacks by setting a new router password and/or changing the router's default IP. Secondly, browsers could very easily solve this by disallowing mixed local (192.*, 10.*, 0.*, 127.*) and remote IP addresses from a single site. If it is a local server it won't be load balancing with something on the Internet, and the reverse is equally true.
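The two defences proposed in this thread (refusing answers that mix local and remote addresses for one name, and pinning a name to its first resolved address set) as a resolver-side filter, written here as an added example; it is not Heffner's tool, pfSense's fix or any browser's code, and the local zone suffixes and the sample addresses are assumed:

```python
"""Resolver-side DNS rebinding guard (added illustration, not project code).

Applied to the A/AAAA answers a stub resolver receives from upstream:
  1. mixed filter: a name outside a local zone must not resolve to private
     addresses at all, and certainly not to a mix of private and public ones
     (dnsmasq's --stop-dns-rebind applies the same idea on a forwarder);
  2. pinning: the first usable answer set for a name is kept for the rest of
     the session, so a low-TTL re-resolution to 192.168.1.1 is ignored.
"""
import ipaddress
from typing import Dict, List, Tuple

# Ranges a public web site has no business resolving to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed: suffixes the administrator treats as the internal zone.
LOCAL_ZONES = ("localhost", "lan", "home", "internal")


def is_local_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def in_local_zone(name: str) -> bool:
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] in LOCAL_ZONES


def filter_answer(name: str, addrs: List[str]) -> Tuple[List[str], str]:
    """Return (addresses the client may use, verdict string)."""
    if in_local_zone(name):
        return list(addrs), "local-zone"      # internal names may be private
    local = [a for a in addrs if is_local_address(a)]
    public = [a for a in addrs if not is_local_address(a)]
    if local and public:
        return public, "mixed-rebind"         # the case the comment describes
    if local:
        return [], "private-answer"           # public name -> private IP: drop
    return public, "ok"


class PinningResolver:
    """Remembers the first filtered answer per name and refuses to move it."""

    def __init__(self) -> None:
        self._pins: Dict[str, List[str]] = {}

    def resolve(self, name: str, upstream_addrs: List[str]) -> Tuple[List[str], str]:
        key = name.rstrip(".").lower()
        kept, verdict = filter_answer(key, upstream_addrs)
        if key in self._pins:
            pinned = self._pins[key]
            # Any change after the first lookup is served from the pin.
            return pinned, ("pinned" if set(kept) != set(pinned) else verdict)
        if kept:
            self._pins[key] = kept
        return kept, verdict


if __name__ == "__main__":
    # Constructed sample: a public name that first answers 203.0.113.5 and
    # then, on re-resolution, the victim's gateway address.
    r = PinningResolver()
    print(r.resolve("attacker.example", ["203.0.113.5"]))
    print(r.resolve("attacker.example", ["192.168.1.1"]))
    print(filter_answer("attacker.example", ["203.0.113.5", "192.168.1.1"]))
```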
Default configs on routers are a joke. Last I checked, Linksys routers still tended towards unsecured wireless networks and default passwords. While extremely convenient, most users will abruptly drop the setup process once they can connect to the internet on their laptop. What the router firmware needs to do is force the user to set up a password and a security protocol before allowing direct access to the internet.
Before this step is taken, every other "security" exploit is a joke in comparison.
That would actually probably help a lot (though not as much as a real password).
In any exploitation scenario where the router login page isn't simply sitting on the WAN side, happily accepting all comers to try their luck, the hypothetical attacker would probably use a list of default username/password pairs for common router brands, or a list of known exploits for common router models.
Even the most trivial password change would save you entirely from the former, and no password change available would save you from the latter. A password brute-force attack system, written in javascript and injected via the method described, is conceivable; but it would only have until you close the browser window, and it would be subject to any rate-limiting imposed by the router's login page or the browser's JS engine, so it would probably be pretty tepid.
Obviously, if you are going to change your password, change it right; but the difference between default password and bad password is likely a good deal greater than the difference between bad password and good password, when it comes to crackability...
I assume in most cases this applies to OEM firmware, correct? I can't believe a hole this large has not been plugged by DD-WRT and Tomato, yes?
The issue with the web servers on these little CPEs, and also lots of just general intranet websites, is that they do not inspect the Host: header of the incoming HTTP request. So when someone DNS rebinds your initial request to evil.com, your browser sends this host to the CPE, and the CPE ignores it. Unfortunately, there's no good way to match a host header on a CPE management page, because who assigns DNS for their internal networks? Geeks, that's who. No one else. So when you connect by IP address to your gateway, the host isn't even set at all.
This is one of those things that SSL certificates can solve. I learned two weeks ago here on slashdot, thanks to another poster, that you can get free level 1 SSL certificates signed by startssl.com. I got mine returned in about 2 hours, and had it working with 10 minutes of work. Granted, I am not going to be able to reprogram the proprietary CPE with an SSL certificate, but hopefully a few of you find this link useful and can get your hobby website running with SSL, like I was able to do.
Even though you can change the credentials of your website (CPE, wiki, accounting system with web interface), it's still very possible for someone to brute force these credentials. Anything that can be realized with javascript is possible.
The best solution is DNS pinning... your browser locks the website to the initial IP of a round-robin A record response. This is horrible for the general health of the Internet, but not a bad solution for people who wish to avoid these styles of attacks. Me, I'll take my chances with the attacks...
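The Host: header check this post says CPE management pages lack, as an added example of what such a check looks like (not pfSense's or any vendor's code): a rebinding request reaches the gateway's IP but still carries the attacker's hostname in Host:, so the interface accepts only its own IP literals or its configured name. The listening addresses and the name router.lan are assumptions.

```python
"""Host-header validation for a management interface (added illustration).

A DNS-rebound request arrives at 192.168.1.1 with "Host: attacker.example",
because the browser fills Host: from the URL it thinks it is visiting. The
interface answers 421 Misdirected Request unless Host: names this device.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

ALLOWED_NAMES = {"router.lan"}                       # assumed configured name
OWN_ADDRESSES = {"192.168.1.1", "127.0.0.1", "::1"}  # assumed listen addresses


def split_host(host_header: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, port or None) from a Host: value, handling [v6]:port."""
    h = host_header.strip()
    if h.startswith("["):
        end = h.find("]")
        if end < 0:
            return None, None
        rest = h[end + 1:]
        return h[1:end], (rest[1:] if rest.startswith(":") else None)
    host, sep, port = h.partition(":")
    return host, (port if sep else None)


def host_allowed(host_header: Optional[str], port: int = 80) -> bool:
    """True only if Host: is one of this device's addresses or names."""
    if not host_header:
        return False                  # no Host: at all (HTTP/1.0 client): refuse
    host, hport = split_host(host_header)
    if host is None or (hport is not None and hport != str(port)):
        return False
    host = host.rstrip(".").lower()
    try:
        # IP literal: canonicalise so "::1" and "0::1" compare equal.
        return str(ipaddress.ip_address(host)) in OWN_ADDRESSES
    except ValueError:
        return host in ALLOWED_NAMES


class AdminHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        if not host_allowed(self.headers.get("Host"), self.server.server_port):
            self.send_response(421)   # Misdirected Request, before any login logic
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Host header does not name this device\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"admin page (login form would follow here)\n")

    do_POST = do_GET


if __name__ == "__main__":
    # Bound to loopback for local testing; "Host: 127.0.0.1:8080" passes,
    # "Host: attacker.example:8080" gets 421.
    HTTPServer(("127.0.0.1", 8080), AdminHandler).serve_forever()
```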
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
That's no worry, I changed mine to 12345.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!
Wouldn't stop them if they're Swedish!
And yes, I'm an insensitive Cljod!
Science advances one funeral at a time- Max Planck
blah blah luggage blah blah
Here's the secret fix: change the default password on your home router.
Phew! Black hats thwarted again!
Odds are the good guys haven't found all the vulnerable ones.
Oh, if you count routers left in their default configuration + human vulnerability to social engineering attacks, the number would be well over 50% even without any actual design flaws. This assumes having a common default login isn't itself a design flaw - which I think it is.
On that note, 2-Wire does it right: They have random-looking default management passwords printed on the bottom of most of their modem-routers. There is no universal "default login" you can look up on the Interwebs.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This is only a problem when a geek looks at it, the average consumer doesn't really care, and they are right to not care.
How would you test my router is hackable? Can you please share the tests? Thanks in advance. -geek chick
12345
Funny, that's what Zyxel modems by CenturyLink default to.
They also happen to have Telnet and Web Access enabled by default to the internal and external world.
Nothing more responsible than a bunch of oily nerds who still call themselves "black hats" in the year 2010 giving away tools to their only fans, script kiddies.
Here is a tip, grow the fuck up already
This attack is just a redirect. It redirects an attack to inside your network to hopefully exploit a second vulnerability in your router. It relies on a second attack to actually compromise the router itself, either a firmware vulnerability or weak security settings. This isn't a single attack which will root your home networking devices by itself. It's just a way of directing an attack to run from inside your network (where security might be weaker) and doesn't allow any access in and of itself to your router. The "Millions could be affected" line comes from default passwords and configs or poor security settings by the user.
Holy sensationalist bullshit headlines, Batman!
Finally had enough. Come see us over at https://soylentnews.org/
Just had to post that everyone should be running OpenDNS and, if possible, DD-WRT or Tomato (for homes). You just can't beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.
The important info
Heffner tested his attack against 30 router models and found that about half were vulnerable. Here's his chart of which are and aren't subject to attack. ("Successful" in the far right column means that the router was successfully hacked.)
| Vendor | Model | H/W Version | F/W Version | Successful |
|---|---|---|---|---|
| ActionTec | MI424-WR | Rev. C | 4.0.16.1.56.0.10.11.6 | YES |
| ActionTec | MI424-WR | Rev. D | 4.0.16.1.56.0.10.11.6 | YES |
| ActionTec | GT704-WG | N/A | 3.20.3.3.5.0.9.2.9 | YES |
| ActionTec | GT701-WG | E | 3.60.2.0.6.3 | YES |
| Asus | WL-520gU | N/A | N/A | YES |
| Belkin | F5D7230-4 | 2000 | 4.05.03 | YES |
| Belkin | F5D7230-4 | 6000 | N/A | NO |
| Belkin | F5D7234-4 | N/A | 5.00.12 | NO |
| Belkin | F5D8233-4v3 | 3000 | 3.01.10 | NO |
| Belkin | F5D6231-4 | 1 | 2.00.002 | NO |
| D-Link | DI-524 | C1 | 3.23 | NO |
| D-Link | DI-624 | N/A | 2.50DDM | NO |
| D-Link | DIR-628 | A2 | 1.22NA | NO |
| D-Link | DIR-320 | A1 | 1 | NO |
| D-Link | DIR-655 | A1 | 1.30EA | NO |
| DD-WRT | N/A | N/A | v24 | YES |
| Dell | TrueMobile 2300 | N/A | 5.1.1.6 | YES |
| Linksys | BEFW11S4 | 1 | 1.37.2 | YES |
| Linksys | BEFSR41 | 4.3 | 2.00.02 | YES |
| Linksys | WRT54G3G-ST | N/A | N/A | YES |
| Linksys | WRT54G2 | N/A | N/A | NO |
| Linksys | WRT160N | 1.1 | 1.02.2 | YES |
| Linksys | WRT54G | 3 | 3.03.9 | YES |
| Linksys | WRT54G | 5 | 1.00.4 | NO |
| Linksys | WRT54GL | N/A | N/A | YES |
| Netgear | WGR614 | 9 | N/A | NO |
| Netgear | WNR834B | 2 | 2.1.13_2.1.13NA | NO |
| OpenWRT | N/A | N/A | Kamikaze r16206 | YES |
| PFSense | N/A | N/A | 1.2.3-RC3 | YES |
| Thomson | ST585 | 6sl | 6.2.2.29.2 | YES |
from http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/
FTA: "Potential fixes implemented in the free DNS replacement OpenDNS and the Firefox NoScript plug-in won't prevent his exploit, Heffner adds."
Can someone explain how using NoScript doesn't prevent this exploit? How does he run code on the local machine without scripting?
The article doesn't really describe the attack in detail, but as far as I can tell, this can be achieved much easier through cross site request forgery (CSRF). That is, a website tells the browser to do a malicious cross-site request, which targets some IP Address on your local network (i.e.: an image tag which causes the browser to access "http://192.168.1.1/login?u=admin&p=123"). This request could be used to login to the device using standard credentials and then activate remote administration on the WAN interface.
Using JavaScript, the attacker can even send POST requests to the target host.
This has been done almost for decades and there are exploits available for hundreds of different Routers out there...
From pfSense's forum via here: http://forum.pfsense.org/index.php/topic,26368.0.html
Quote from: Craig Heffner
While my talk is focused on attacking routers, there is no exploit in any router per se, and it is not necessarily restricted to attacking routers. The exploit is DNS rebinding, which circumvents the same-origin policy in a client's Web browser by exploiting the trust inherently placed in the DNS protocol. Also note that the talk summary clearly states that this only provides access to the router's administrative interface; an attacker would still need to exploit the router or log in to it via default/weak credentials in order to do anything. Given that PFSense is relatively secure, and PFSense users are generally more advanced and security aware than the average user, I would suspect that this attack would only realistically affect a few PFSense users.
Everyone knows this; and one way or another in these sicko days of ours, one simply has to make the headlines to grab attention; followed by get-rich-quick.
Fine. Let them try. I wished, though, some clever chap in Slashdot would have vetted the whole lot sufficiently, to dump it where it belongs: into the trash-bin.
Here is why: Because it actually is an attack. An attack that works for dumbos only. For people, who ought not legally be allowed to buy an access point or whatnot.
Here is the attack: assume router XYZ by default comes with username 'root' and password '12345'. The same router, as default or after reset, offers dhcp in 192.168.1.0/24, with 192.168.1.1 as gateway address. Then, following the trick, some 192.168.1.0/24-address becomes available on the outside (WAN). So when you blindly send 'root' and '12345' to 192.168.1.1 (to the box), from the outside, you're in.
As I said, yes, it is an attack. But for any sane setup it will fail miserably, because you have changed the internal network; and most of all, you changed at least the password.
I dunno, and haven't tried (because I have better things to do with my time), if any of those spoofing filters that simply drop RFC1918-compliant addresses on the WAN side would also defeat the proposed attack, despite the default network, username and default password.
Shakespeare would probably have called this 'much ado about peanuts'. And as far as I am concerned, anyone who actually is vulnerable, should be slapped with a court order restricting him or her from touching, buying, setting up or administrating any network equipment until further notice, including home networks.
You idiots, you know how many fkin businesses only have a "Home" style router, especially in restaurant and retail? Thanks a lot, might as well just fkin email me, I'll give you my cc number, save you the trouble.
Agreed. I think 2-Wire does a lot of things right. Initial connection to a factory default router automatically initiates a setup process, which IIRC, will not give you internet access until completed. This process also forces you to change the default password, and, again IIRC, has the default wireless security set as WEP. Though, it has been a very long time since I set one up (they tend to last quite a long time, too); I may not be remembering things quite right.
They also tend to be smart enough to "notice" when you do things that the typical joe sixpack user would not do, like connect other routers up behind them, and it does some somewhat smart things in automatically configuring itself to handle those situations properly.
Of all the routers that I've used, I'd have to say that 2-Wire are currently my favorite, and Linksys are currently my most hated.
Everything I say is a lie. Except that... and that... and that, and that, and that, and that... and that.
now a few thousand admins from around the globe have just logged into their home boxes to "double check on everything"
Good people go to bed earlier.
We made changes to pfSense 2.0-BETAS that prevents the DNS rebinding attacks thanks to Craig's help.
Slashdot is *the* most important site. For you to call it "trivial" is a most wicked sin.
I hope the hack does not work on DD-WRT firmware for the Linksys wrt54.
Also, what about Smoothwall? IMO Smoothies are one of the best solutions out there.
Whats is this tjursbajss? Us's swedes don'ts adds extra J
How about against 3rd party firmware, ala Tomato for Buffalo / Linksys?
Didn't see any mention of it in the article.
Some days it's just not worth
chewing through my restraints.
That is just the thing that I find so annoying with many exploit announcements. The buzz and cloud of publicity abounds, the MSM gets all panicky over what? Something that is not really a threat at all.
Home of The Suki Series
If you'd have read TFA, you'd have noticed that the idea is not to change the router's IP (what would be the gain of that?) but to change the attacker's website's (pretended) IP to be the one of the router, so that scripts running from that server on the victim's browser would have access to the router (i.e. circumventing the same-origin policy).
Who cares about your router when I can just own your modem? http://www.exploit-db.com/download_pdf/13592
www.isoHunt.com
As someone pointed out a comment on the Forbes story, this exploit can only affect you if you are getting DNS through the router.
Simply using a static IP & DNS for your computer on your local network would make you immune to this. In situations where using a static IP is not possible (a friend's house, public wifi, etc.) just set your DNS servers statically and you should be fine.
Minne-snow-da: Winter is comming...
According to the article: An IP address is a series of four numbers ranging from 1 to 255.
So, 10.0.0.43 is not an IP address?
We've always used the Linksys BEFSR41 because we like a non-wireless router. But now I see it is on the hackable list.
Can somebody please recommend which non-wireless non-hackable router is best? Which one is closest in performance to the BEFSR41?
THANKS.
I really miss the good old days, when presentations given at security seminars were revolutionary and technical.
How the hell can a mediocre presentation (more related to statistics than security) make it into Black Hat?
Oh, I forgot that Blackhat hasn't been a conference but a business, for a long time now.
10.0.0.1 is no longer considered an IP address.
An IP address is a series of four numbers ranging from 1 to 255.
Shocking !!... NOT..
yay open source! I was shocked to see pfsense on that list in the first place!
now if only the newer builds after 1.2 booted on my p3 450 :( i could possibly upgrade.
As a potential lottery winner, I totally support tax cuts for the wealthy
Just serve up a web page that looks exactly like your router's settings menu. They'll log in with admin / admin and THINK they're in. In reality they're just playing with widgets that aren't bound to anything at all.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Most home user routers have the default username and passwords anyway. The average home user has no idea about security; they don't know to log in and change their password. Even some small businesses are this way. This is not really news.
http://www.thetechnologygeek.org
Well, my router is so old that it wasn't covered in the Forbes article referenced, and the firmware for it hasn't been updated since 2007. So that means that either (a.) I'm totally safe because nobody would think of bothering with equipment THAT old; or (b.) I'm totally hosed because there IS no way to protect hardware that old.
I've done all the obvious stuff (like changing the router admin ID and password to something generated by my nifty random-password generator program), but face it... there IS no security in this world short of unplugging the internet connection. (And even THAT'S iffy!)
The attack relies on the attacker being able to guess the victim router's internal IP address, and to associate a host name of their choice with that internal address. Most routers will use their manufacturers' default addresses which are easy to guess. Since DNS rebinding relies on chance, forcing the attacker to make more incorrect guesses lowers the success rate of the attack. Therefore, attackers are unlikely to attempt to guess all of 10/8 or 192.168/16 etc. (tens of thousands of possibilities) when the vast majority of router addresses are at their defaults of 10.(0|8).(0|1).1 or 192.168.(0|1|123).1 etc. (around a dozen possibilities).
There are 1.1... kinds of people.
Of course, the sensible thing to do if you can't depend on your router to resolve IPs correctly (like if you don't own or have access to it) is to set your localhost to point DNS requests directly to a trusted IP address. Or, even better (if you're really paranoid), run your own bind.
Funny, that's what Zyxel modems by CenturyLink default to. They also happen to have Telnet and Web Access enabled by default to the internal and external world.
I've never heard of that manufacturer, but that's just plain bad, not sad. Telnet was useful back in the days when the internet was so small, many of us users actually knew each other, but I can't think of a single legitimate reason (excuse) to allow it to run now.
Does this work on the same model routers with custom firmwares installed on them, e.g. DD-WRT or Tomato?
I read the article, and found it utterly useless. ("Change your password!")
I decided to just delete my password since there seems to be no safe, easy-to-remember password. However, the only active login user name is "lnV6TbHXxRvxzMIw".
For years, I've used the serial number on the bottom of the router written backwards as the admin password. If you have physical access to the box, you have access a la reset button, and there's nothing obvious about the router that says "Here's my password", and the password is thereafter never forgotten.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
http://it.slashdot.org/comments.pl?sid=1703724&cid=32747590
Say it right: "Nuc-le-ah Powah".
"In order to be compromised, you must first be compromised! Well, no shit! The author then goes on to explain that this is easy because most people don't change their router's password."
Maybe I'm missing something here, but is the researcher saying that this kind of attack can bypass a router even it if has WAN-side admin access disabled? Is he remotely hijacking the browser, and then attempting to access the router from the inside via a standard address (usually 192.168.0.1)?
If that's the case then this isn't a router vulnerability, it's a browser/OS vulnerability. What am I missing here?
Life is hard, and the world is cruel
here is a single legitimate reason for telnet.
nethack.alt.org
you could run your own...
0xB315AA8D852DCD3F3DCA578FD2E0BF88
Then they click submit and BAM you hit 'em with tubgirl.
Random Thoughts From A Diseased Mind (Not For Dummies)
Actually, all you need to do is look at the default route of the PC. There's your modem.
Schlock Mercenary.
Gotta love Centurytel (aka Centurylink, their lame new name after choking on acquisition of Embarq) their choice default passwords... and not just for PPPoE authentication, either, where they can at least restrict a username/password pair to a particular CO.....
There are thousands, perhaps hundreds of thousands, of Centurytel EMAIL accounts using one of a very small handful of default passwords. Frakking idiots they are; must be something in the swamp water down there in Louisiana that destroys common sense... no wonder the first rule about having Centurytel as a provider is to NEVER call them for anything, unless you don't even get a dialtone on your line.
And it's not really an Exploit, either.
1: It's JavaScript that tries to guess what your modem's IP address is. If it's possible for JavaScript to find out what your IP address is, it becomes trivial, and if it's possible for JavaScript to find out what your default route is, then it's solved.
2: It then tries to get into your router. I would assume there would be another JS library that it would load, that could be easily kept up to date, containing fingerprints of modems so it can figure out what it is, and try the default (root/password, admin/admin, etc.).
3: It then updates the DNS servers in the modem to NOT use the ISP assigned ones, but nasty ones. As your PC queries the modem (99% of the time, unless you've manually changed your DNS servers) for DNS results, if the DNS relay in the modem is pointing to the wrong root, then you'll get crap answers.
I realise they say that using OpenDNS wouldn't avoid this, but I think that's known, technically, as bullshit.
Schlock Mercenary.
Dude, someone mod up, that's an awesome idea. I wonder if these hackers would use automated scripts or if they would still have to manually poke around since everyone's set-up is going to be different.
The default route of the PC is not the modem if there's a gateway/router between the two, hence this story.
If you've compromised the host PC enough to run code to get its network configuration, you don't need this hack to attack the router. Although there are plenty of tricks to determine a host's network configuration from the browser alone, a measure of safety is provided by the high cost for the attacker to obtain the low benefit of controlling a small handful of additional routers configured with non-default addresses.
There are 1.1... kinds of people.
Nice job, jackass. I (and I expect the vast majority of home internet users) don't have anything on my home network of interest to terrorists or whomever you're hoping will now compromise our home networks. So all you've really done is force a bunch of people to jump through needless hoops and possibly buy new routers (yay, buy more plastics, support BP). Oh, but most of the users you're going to compromise don't read Slashdot, and don't know they're at risk, and you're putting them at increased risk in a manner that does not help them to understand their current risk. "Nice job breaking it, hero." Is his company even legitimate? I can't find a web site for it. If so and they are really a security company, they should probably consider terminating him for this conflict of interest.
A more constructive and effective approach might be to present this to ISP's only and encourage them to help their users properly select and configure their home routers. But that wouldn't come with the same ego boosting would it?