Millions of Home Routers Are Hackable

Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.

I can believe it...

[fuzzyfuzzyfungus]

At one point, just out of morbid curiosity, I cranked up a copy of OpenVAS(the OSS fork of nessus) and told it to just hit everything on my home network with all "safe" tests(the program offers the option of either including or excluding tests that are likely to crash/DOS the target, rather than simply confirm/deny the presence of a vulnerability).

When the run was finished, all the real computers in the house had passed, with the exception of a few informational messages(Hey! this computer is running an SSH server, did you do that or should you be freaking out right now?). On the other hand, I had to physically reset over half of the assorted little-bitty-embedded-plastic-boxes-of-various-network-functions to get them working again.

And that was with the "safe" tests.

Based on the version and vulnerability information being reported(for devices that I do, in fact, update vendor firmwares on, when those are available) the state of consumer embedded devices is absolutely fucking pathetic. Blatantly outdated and known-vulnerable services listening merrily away in the latest vendor firmwares for products less than a year old...

Re:I can believe it...

[Manip]

Indeed. I found a bug in a D-Link DIR-655 and was completely unable to report it to them. I couldn't even log into their support system because according to them I don't own my own router (serial already in use) and couldn't find a more technical or security contact at the company.

The product still contains the bug - it is also using the latest firmware.

Re:You mean besides using default admin/password..

[ickleberry]

it seems that changing the password would render this hack fairly useless. also many routers are only accessible through a private IP, so even changing the router's IP would work unless the script tries all the addresses on the local network and then tries to brute force the router, but that would take years since I would assume its written in JavaShit

Only half? It's probably a lot more

[davidwr]

Odds are the good guys haven't found all the vulnerable ones.

Oh, if you count routers left in their default configuration + human vulnerability to social engineering attacks, the number would be well over 50% even without any actual design flaws. This assumes having a common default login isn't itself a design flaw - which I think it is.

On that note, 2-Wire does it right: They have random-looking default management passwords printed on the bottom of most of their modem-routers. There is no universal "default login" you can look up on the Interwebs.

Re:You mean besides using default admin/password..

[Beardo+the+Bearded]

Just serve up a web page that looks exactly like your router's settings menu. They'll log in with admin / admin and THINK they're in. In reality they're just playing with widgets that aren't bound to anything at all.