Millions of Home Routers Are Hackable
Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.
The tool apparently exploits the routers through DNS rebinding. Wjhile this technique has been discussed for 15 years or more, Heffner says 'It just hasn't been put together like this before.'"
Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!
The "list of routers affected" at Notebooks.com is just a picture (.png) of a few rows of a spreadsheet. I would like the full list, please, even if just posted in a comment.
At one point, just out of morbid curiosity, I cranked up a copy of OpenVAS (the OSS fork of Nessus) and told it to just hit everything on my home network with all "safe" tests (the program offers the option of either including or excluding tests that are likely to crash/DoS the target, rather than simply confirm/deny the presence of a vulnerability).
When the run was finished, all the real computers in the house had passed, with the exception of a few informational messages (Hey! this computer is running an SSH server, did you do that or should you be freaking out right now?). On the other hand, I had to physically reset over half of the assorted little-bitty-embedded-plastic-boxes-of-various-network-functions to get them working again.
And that was with the "safe" tests.
Based on the version and vulnerability information being reported (for devices that I do, in fact, update vendor firmwares on, when those are available) the state of consumer embedded devices is absolutely fucking pathetic. Blatantly outdated and known-vulnerable services listening merrily away in the latest vendor firmwares for products less than a year old...
It seems that changing the password would render this hack fairly useless. Also, many routers are only accessible through a private IP, so even changing the router's IP would work unless the script tries all the addresses on the local network and then tries to brute force the router, but that would take years since I would assume it's written in JavaShit
Just trying to understand this...
But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.
Heffner's trick is to create a site that lists a visitor's own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address--in reality the user's own IP address--and accesses the visitor's home network, potentially hijacking their browser and gaining access to their router settings.
How does your DNS stack pick up a new IP address for a host name once it's already been resolved? I don't understand the mechanism for this part of the exploit. Anyone?
Okay, so let's say the attacker can pull this part off without a problem...
One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network. But that can be accomplished by using a vulnerability in the device's software or by simply trying the default login password. Only a tiny fraction of users actually change their router's login settings, says Heffner.
So, then the hacker has to rely on the browser running some javascript in the victim's browser that will actually break the security of the victim's gateway router?
Definitely your vulnerability goes up once an attacker can approach your gateway from the inside, but this isn't a free pass through everyone's home system. Seems like just changing your default password is a great first step to prevent any shenanigans.
First things first, you can block most of these attacks by setting a new router password and/or changing the router's default IP. Secondly, browsers could very easily solve this by disallowing mixed local (192.*, 10.*, 0.*, 127.*) and remote IP addresses from a single site. If it is a local server it won't be load balancing with something on the Internet, and the reverse is equally true.
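The "no mixing local and remote addresses for one site" rule proposed above is easy to express as a check over a name's answer set, and the same rule is what rebind filters on routers (dnsmasq's "stop DNS rebind" option, for instance) apply to every response they forward. The following is an added example, not code from this thread, from Heffner, or from any router firmware; the hostnames and answer sets are constructed sample data, and the public addresses are well-known resolver IPs used only because the RFC 5737 documentation ranges are classified as private by Python's ipaddress module.

```python
"""Defensive classification of DNS answer sets for a single hostname.

Rule: a name may resolve to LAN-side addresses or to Internet addresses, never
to both (a site load-balancing on the Internet has no business pointing into
your home network), and a public name may point into the LAN only if the
operator explicitly allowed that name.  Hostnames/addresses are constructed.
"""
import ipaddress
from typing import Iterable, List, Sequence


def is_internal(addr: str) -> bool:
    """True for addresses on the local side of a home router: RFC 1918,
    loopback, link-local and the unspecified address (0.0.0.0 / ::)."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified)


def classify_answers(addrs: Iterable[str]) -> str:
    """Classify one name's answer set as 'internal', 'external', 'mixed' or 'empty'."""
    flags = {is_internal(a) for a in addrs}
    if not flags:
        return "empty"
    if flags == {True}:
        return "internal"
    if flags == {False}:
        return "external"
    return "mixed"


def filter_answers(name: str, addrs: Sequence[str],
                   allow_internal_names: Sequence[str] = ()) -> List[str]:
    """Return the answers a rebind-aware resolver would pass on to the client.

    - mixed sets are dropped entirely (this is the browser-side rule above);
    - internal-only sets are kept only for names on the operator's allow list
      (e.g. the router's own name), which is the router-side rebind filter.
    """
    kind = classify_answers(addrs)
    if kind == "mixed":
        return []
    if kind == "internal" and name.lower() not in {n.lower() for n in allow_internal_names}:
        return []
    return list(addrs)


def demo() -> dict:
    """Constructed answer sets showing each branch of the rule."""
    lan_names = ("router.home",)  # hypothetical allow-listed local name
    return {
        "ordinary site": filter_answers("www.example", ["8.8.8.8", "1.1.1.1"], lan_names),
        "rebinding site": filter_answers("rebind-test.example", ["192.168.1.1"], lan_names),
        "mixed site": filter_answers("rebind-test.example", ["8.8.8.8", "192.168.1.1"], lan_names),
        "own router": filter_answers("router.home", ["192.168.1.1"], lan_names),
    }


if __name__ == "__main__":
    for label, kept in demo().items():
        print(f"{label:15s} -> {kept or 'dropped'}")
```

The allow list matters in practice: without it a rebind filter also breaks legitimate split-horizon names (a VPN or NAS that is only reachable on the LAN), which is why dnsmasq pairs its rebind protection with a per-domain exemption option.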
Default configs on routers are a joke. Last I checked, Linksys routers still tended towards unsecured wireless networks and default passwords. While extremely convenient, most users will abruptly drop the setup process once they can connect to the internet on their laptop. What the router firmware needs to do is force the user to set up a password and a security protocol before allowing direct access to the internet.
Before this step is taken, every other "security" exploit is a joke in comparison.
That would actually probably help a lot (though not as much as a real password).
In any exploitation scenario where the router login page isn't simply sitting on the WAN side, happily accepting all comers to try their luck, the hypothetical attacker would probably use a list of default username/password pairs for common router brands, or a list of known exploits for common router models.
Even the most trivial password change would save you entirely from the former, and no password change available would save you from the latter. A password brute-force attack system, written in javascript and injected via the method described, is conceivable; but it would only have until you close the browser window, and it would be subject to any rate-limiting imposed by the router's login page or the browser's JS engine, so it would probably be pretty tepid.
Obviously, if you are going to change your password, change it right; but the difference between default password and bad password is likely a good deal greater than the difference between bad password and good password, when it comes to crackability...
Let's see: Make sure you have a strong Admin password on your router
Check
and don't surf p0rn/warez sites. Thank you Captain Obvious!
Uhm - any solution that relies on you not browsing to an infected site is not a solution.
I get more hacking attempts when I search for and try to look at Christina Hendricks images than I ever do from all the porn sites combined.
The issue with the web servers on these little CPEs, and also lots of just general intranet websites, is that they do not inspect the Host: header of the incoming HTTP request. So when someone DNS rebinds your initial request to evil.com, your browser sends this host to the CPE, and the CPE ignores it. Unfortunately, there's no good way to match a host header on a CPE management page because who assigns DNS for their internal networks? Geeks, that's who. No one else. So when you connect by IP address to your gateway, the host isn't even set at all.
This is one of those things that SSL certificates can solve. I learned two weeks ago here on slashdot, thanks to another poster, that you can get free level 1 SSL certificates signed by startssl.com. I got mine returned in about 2 hours, and had it working with 10 minutes of work. Granted, I am not going to be able to reprogram the proprietary CPE with an SSL certificate, but hopefully a few of you find this link useful and can get your hobby website running with SSL, like I was able to do.
Even though you can change the credentials of your website (CPE, wiki, accounting system with web interface), it's still very possible for someone to brute force these credentials. Anything that can be realized with javascript is possible.
The best solution is DNS pinning... your browser locks the website to the initial IP of a round-robin A record response. This is horrible for the general health of the Internet, but not a bad solution for people who wish to avoid these styles of attacks. Me, I'll take my chances with the attacks...
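Two of the mitigations in the post above can be shown in a few dozen lines: the Host-header check a CPE could apply (an HTTP/1.1 client sends the address literal it connected to as the Host value, so a device can compare that against its own addresses even when nobody has assigned it a DNS name), and DNS pinning on the client side, which also answers the earlier question of how a browser ends up with a second address for a name: the attacker's record carries a very short TTL, so the stack re-resolves and gets a different answer, and pinning simply refuses to honour that re-resolution for the session. This is an added example, not code from the thread, from Heffner, from pfSense or from any CPE vendor; the request line, names and addresses are constructed, and the "rebinding resolver" is a stub standing in for a real lookup.

```python
"""Two defensive pieces, kept independent so each can be read on its own.

(1) host_header_allowed / parse_request_host: what a CPE management server
    would do before handling a request.
(2) PinningResolver: a resolver wrapper that keeps the first answer for a name
    for a fixed window, ignoring the record's TTL.
All inputs below are constructed samples.
"""
import time
from typing import Callable, Dict, List, Optional, Sequence, Tuple


# (1) Host header validation on the device ----------------------------------
def host_header_allowed(host_header: Optional[str], own_addresses: Sequence[str],
                        own_names: Sequence[str] = ()) -> bool:
    """True only if the Host: value names this device (address literal or a
    configured name).  A missing header is rejected; an optional :port suffix
    is stripped; bracketed IPv6 literals ([fe80::1]:80) are handled."""
    if not host_header:
        return False
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return False
        h = h[1:end]
    elif h.count(":") == 1:          # single colon: host:port, not an IPv6 literal
        h = h.rsplit(":", 1)[0]
    allowed = {a.lower() for a in own_addresses} | {n.lower() for n in own_names}
    return h in allowed


def parse_request_host(raw_head: str) -> Optional[str]:
    """Extract the Host header from a raw HTTP request head (CRLF separated)."""
    for line in raw_head.split("\r\n")[1:]:
        if not line:                 # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def request_permitted(raw_head: str, own_addresses: Sequence[str]) -> bool:
    """End-to-end: would the device serve this request head?"""
    return host_header_allowed(parse_request_host(raw_head), own_addresses)


# (2) DNS pinning on the client -----------------------------------------------
class PinningResolver:
    """Wrap a resolve(name) -> [addresses] callable; the first answer for a
    name is pinned for pin_seconds regardless of the DNS record's TTL."""

    def __init__(self, resolve: Callable[[str], List[str]], pin_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._resolve = resolve
        self._pin_seconds = pin_seconds
        self._clock = clock
        self._pins: Dict[str, Tuple[List[str], float]] = {}

    def lookup(self, name: str) -> List[str]:
        now = self._clock()
        pinned = self._pins.get(name)
        if pinned and now - pinned[1] < self._pin_seconds:
            return list(pinned[0])   # pinned: the upstream answer is not consulted
        answers = list(self._resolve(name))
        self._pins[name] = (answers, now)
        return answers


def make_rebinding_resolver(first: str, later: str) -> Callable[[str], List[str]]:
    """Constructed stub: answers `first` once, then `later` forever (what a
    zero-TTL rebinding record looks like from the client's side)."""
    calls = {"n": 0}

    def resolve(_name: str) -> List[str]:
        calls["n"] += 1
        return [first] if calls["n"] == 1 else [later]
    return resolve


def pinning_demo() -> Tuple[List[str], List[str], List[str]]:
    """Three lookups of one name: pinned, still pinned, pin expired."""
    fake_clock = [0.0]
    r = PinningResolver(make_rebinding_resolver("8.8.8.8", "192.168.1.1"),
                        pin_seconds=60.0, clock=lambda: fake_clock[0])
    a1 = r.lookup("rebind-test.example")
    fake_clock[0] = 1.0
    a2 = r.lookup("rebind-test.example")     # upstream now says 192.168.1.1; ignored
    fake_clock[0] = 61.0
    a3 = r.lookup("rebind-test.example")     # pin expired, LAN address gets through
    return a1, a2, a3


if __name__ == "__main__":
    head = "GET /setup.cgi HTTP/1.1\r\nHost: rebind-test.example\r\nUser-Agent: x\r\n\r\n"
    print("served:", request_permitted(head, ["192.168.1.1"]))   # False
    print("pinning:", pinning_demo())
```

The third lookup in the demo is the caveat the post hints at: pinning only holds for as long as the pin lives, which is why browsers that do it still pair it with the Host-header and private-address checks rather than relying on pinning alone.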
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
"Make sure you have a strong Admin password on your router..."
Which does you no good if your browser remembers your router's admin name and password - or did you miss the bit in the article where part of this hack is subverting your browser to actually do the dirty work?
"...and don't surf p0rn/warez sites."
Because advertiser sites never get hacked, nor do normal sites. Only porn and warez sites ever serve malware.
Better to turn off scripting on your browser by default, and only enable it for sites you trust, and NEVER let your browser remember passwords.
Wouldn't stop them if they're Swedish!
And yes, I'm an insensitive Cljod!
Odds are the good guys haven't found all the vulnerable ones.
Oh, if you count routers left in their default configuration + human vulnerability to social engineering attacks, the number would be well over 50% even without any actual design flaws. This assumes having a common default login isn't itself a design flaw - which I think it is.
On that note, 2-Wire does it right: They have random-looking default management passwords printed on the bottom of most of their modem-routers. There is no universal "default login" you can look up on the Interwebs.
This is only a problem when a geek looks at it; the average consumer doesn't really care, and they are right to not care.
Probably not, but you're still better off making sure you are running the latest of your choice of firmware (Tomato just released a new version a couple of weeks ago, go get it now!).
Doesn't hurt to make sure that you only allow https connections to the router's admin page (which means in Tomato that you'll get the inconvenient-but-useful "unverified certificate!" warning in Firefox that takes many ugly steps to get around, and as far as I know cannot be scripted), and setting a reasonably complex password.
And don't assume that your local network is "safe". Run software firewalls and avoid things like open network shares.
Yes but going by the "I'll know it when I see it" definition, any image of that woman in a dress qualifies as pr0n . . .
Nope. According to the article, OpenDNS doesn't make a difference and DD-WRT v24 was one of the router firmwares that was successfully exploited.
Just had to post that everyone should be running OpenDNS and if possible DD-WRT or Tomato (for homes). You just can't beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.
and that no one else knows how to use. Let's face it. Most users don't even know that it's possible to log in to their "wireless box" and change settings; let alone replace the firmware with a 3rd party distro. As far as they're concerned the guy that installed the internet just plugged it in and it needs to be there or their laptop can't get internet. Don't get me wrong. I love Tomato, but saying "everyone should run [insert some firmware here]" is not a solution to the problem. The problem is the idiot tech (and in some cases, non-tech people smart enough to set up their own router) not changing the default password on the router when he installs it.
And yet DD-WRT is on the list of vulnerable firmware.
Apparently p0rn sites are lower risk than normal sites :P
> ...NEVER let your browser remember passwords.
Never let it remember important passwords. There's no harm in letting it store passwords for trivial sites such as Slashdot.
Everyone knows this; and one way or another in these sicko days of ours, one simply has to make the headlines to grab attention; followed by get-rich-quick.
Fine. Let them try. I wished, though, some clever chap in Slashdot would have vetted the whole lot sufficiently, to dump it where it belongs: into the trash-bin.
Here is why: Because it actually is an attack. An attack that works for dumbos only. For people, who ought not legally be allowed to buy an access point or whatnot.
Here is the attack: assume router XYZ by default comes with username 'root' and password '12345'. The same router, as default or after reset, offers dhcp in 192.168.1.0/24, with 192.168.1.1 as gateway address. Then, following the trick, some 192.168.1.0/24-address becomes available on the outside (WAN). So when you blindly send 'root' and '12345' to 192.168.1.1 (to the box), from the outside, you're in.
As I said, yes, it is an attack. But for any sane setup it will fail miserably, because you have changed the internal network; and most of all, you changed at least the password.
I dunno, and haven't tried - because I have better things to do with my time - if any of those spoofing-filters that simply drop RFC1918-compliant addresses on the WAN-side would also fail the proposed attack, despite default network, username and default password.
Shakespeare would probably have called this 'much ado about peanuts'. And as far as I am concerned, anyone who actually is vulnerable, should be slapped with a court order restricting him or her from touching, buying, setting up or administrating any network equipment until further notice, including home networks.
We made changes to pfSense 2.0-BETAS that prevent the DNS rebinding attacks thanks to Craig's help.
Slashdot is *the* most important site. For you to call it "trivial" is a most wicked sin.
As someone pointed out in a comment on the Forbes story, this exploit can only affect you if you are getting DNS through the router.
Simply using a static IP & DNS for your computer on your local network would make you immune to this. In situations where using a static IP is not possible (a friend's house, public wifi, etc.) just set your DNS servers statically and you should be fine.
I really miss the good old days, when presentations at security seminars were revolutionary and technical.
How the hell can a mediocre presentation (more related to statistics than security) make it into Blackhat?
Oh, I forgot that Blackhat hasn't been a conference but a business, for a long time now.
Just serve up a web page that looks exactly like your router's settings menu. They'll log in with admin / admin and THINK they're in. In reality they're just playing with widgets that aren't bound to anything at all.
The attack relies on the attacker being able to guess the victim router's internal IP address, and to associate a host name of their choice with that internal address. Most routers will use their manufacturers' default addresses which are easy to guess. Since DNS rebinding relies on chance, forcing the attacker to make more incorrect guesses lowers the success rate of the attack. Therefore, attackers are unlikely to attempt to guess all of 10/8 or 192.168/16 etc. (tens of thousands of possibilities) when the vast majority of router addresses are at their defaults of 10.(0|8).(0|1).1 or 192.168.(0|1|123).1 etc. (around a dozen possibilities).
img src="http://sasdfreercf.example.com/cgi-bin/foo.pl?bar=baz"
Of course, the sensible thing to do if you can't depend on your router to resolve IPs correctly (like if you don't own or have access to it) is to set your localhost to point DNS requests directly to a trusted IP address. Or, even better (if you're really paranoid), run your own BIND.
Funny, that's what Zyxel modems by CenturyLink default to. They also happen to have Telnet and Web Access enabled by default to the internal and external world.
I've never heard of that manufacturer, but that's just plain bad, not sad. Telnet was useful back in the days when the internet was so small, many of us users actually knew each other, but I can't think of a single legitimate reason (excuse) to allow it to run now.
Here is a single legitimate reason for telnet.
nethack.alt.org
you could run your own...
Then they click submit and BAM you hit 'em with tubgirl.