Slashdot Mirror


Millions of Home Routers Are Hackable

Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.

30 of 179 comments

  1. You mean besides using default admin/password... by hawks5999 · · Score: 3, Insightful

    to log in.

  2. Re:You mean besides using default admin/password.. by Anonymous Coward · · Score: 5, Funny

    The tool apparently exploits the routers through DNS rebinding. Wjhile this technique has been discussed for 15 years or more, Heffner says 'It just hasn't been put together like this before.'"

    Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!

  3. Re:"List of routers affected" is just a picture by Slippery+Pete · · Score: 5, Informative

    The Forbes article has a Google spreadsheet of the routers.

  4. I can believe it... by fuzzyfuzzyfungus · · Score: 5, Interesting

    At one point, just out of morbid curiosity, I cranked up a copy of OpenVAS (the OSS fork of Nessus) and told it to just hit everything on my home network with all "safe" tests (the program offers the option of either including or excluding tests that are likely to crash/DOS the target, rather than simply confirm/deny the presence of a vulnerability).

    When the run was finished, all the real computers in the house had passed, with the exception of a few informational messages (Hey! this computer is running an SSH server, did you do that or should you be freaking out right now?). On the other hand, I had to physically reset over half of the assorted little-bitty-embedded-plastic-boxes-of-various-network-functions to get them working again.

    And that was with the "safe" tests.

    Based on the version and vulnerability information being reported (for devices that I do, in fact, update vendor firmwares on, when those are available) the state of consumer embedded devices is absolutely fucking pathetic. Blatantly outdated and known-vulnerable services listening merrily away in the latest vendor firmwares for products less than a year old...

    1. Re:I can believe it... by Manip · · Score: 3, Interesting

      Indeed. I found a bug in a D-Link DIR-655 and was completely unable to report it to them. I couldn't even log into their support system because according to them I don't own my own router (serial already in use) and couldn't find a more technical or security contact at the company.

      The product still contains the bug - it is also using the latest firmware.

    2. Re:I can believe it... by fuzzyfuzzyfungus · · Score: 4, Insightful

      Unfortunately, with many, if not all, of the consumer networking brands these days, the most technical guy on staff is the "chief sticker engineer", who makes sure that the right adhesives are used when rebadging OEM products, or maybe the CAD guy who modifies the OEM plastic case to have the appropriate brand name embossed in it...

    3. Re:I can believe it... by GooberToo · · Score: 3, Insightful

      And yet to be topical, the article is complete bullshit.

      In order to be compromised, you must first be compromised! Well, no shit! The author then goes on to explain that this is easy because most people don't change their router's password.

      So to summarize the story, if your system is easily compromised, expect to be further compromised. If your system is not compromised, then nothing has changed. In other words, people who don't lock their door in high crime areas experience higher rates of property theft. News at 11.

      I personally don't find this interesting, let alone news worthy.

  5. Re:You mean besides using default admin/password.. by ickleberry · · Score: 4, Interesting

    It seems that changing the password would render this hack fairly useless. Also, many routers are only accessible through a private IP, so even changing the router's IP would work unless the script tries all the addresses on the local network and then tries to brute force the router, but that would take years since I would assume it's written in JavaShit

  6. Re:You mean besides using default admin/password.. by fuzzyfuzzyfungus · · Score: 5, Insightful

    That would actually probably help a lot (though not as much as a real password).

    In any exploitation scenario where the router login page isn't simply sitting on the WAN side, happily accepting all comers to try their luck, the hypothetical attacker would probably use a list of default username/password pairs for common router brands, or a list of known exploits for common router models.

    Even the most trivial password change would save you entirely from the former, and no password change available would save you from the latter. A password brute-force attack system, written in javascript and injected via the method described, is conceivable; but it would only have until you close the browser window, and it would be subject to any rate-limiting imposed by the router's login page or the browser's JS engine, so it would probably be pretty tepid.

    Obviously, if you are going to change your password, change it right; but the difference between default password and bad password is likely a good deal greater than the difference between bad password and good password, when it comes to crackability...

  7. Re:"List of routers affected" is just a picture by Cato · · Score: 5, Informative

    Here's a direct link to the spreadsheet of routers, without the IFRAME so it's easier to read: https://spreadsheets.google.com/pub?key=0Aupu_01ythaUdGZINXQ5Vi16X3hXb3VPYkszNXM0YXc&hl=en&output=html&widget=true

  8. Re:Thank you Captain Obvious by Chrisq · · Score: 4, Insightful

    Let's see: Make sure you have a strong Admin password on your router

    Check

    and don't surf p0rn/warez sites. Thank you Captain Obvious!

    Uhm - any solution that relies on you not browsing to an infected site is not a solution.

  9. Re:"List of routers affected" is just a picture by JayJay.br · · Score: 5, Informative

    Here ya go:

    Vendor     Model            H/W Version  F/W Version            Successful
    ActionTec  MI424-WR         Rev. C       4.0.16.1.56.0.10.11.6  YES
    ActionTec  MI424-WR         Rev. D       4.0.16.1.56.0.10.11.6  YES
    ActionTec  GT704-WG         N/A          3.20.3.3.5.0.9.2.9     YES
    ActionTec  GT701-WG         E            3.60.2.0.6.3           YES
    Asus       WL-520gU         N/A          N/A                    YES
    Belkin     F5D7230-4        2000         4.05.03                YES
    Belkin     F5D7230-4        6000         N/A                    NO
    Belkin     F5D7234-4        N/A          5.00.12                NO
    Belkin     F5D8233-4v3      3000         3.01.10                NO
    Belkin     F5D6231-4        1            2.00.002               NO
    D-Link     DI-524           C1           3.23                   NO
    D-Link     DI-624           N/A          2.50DDM                NO
    D-Link     DIR-628          A2           1.22NA                 NO
    D-Link     DIR-320          A1           1                      NO
    D-Link     DIR-655          A1           1.30EA                 NO
    DD-WRT     N/A              N/A          v24                    YES
    Dell       TrueMobile 2300  N/A          5.1.1.6                YES
    Linksys    BEFW11S4         1            1.37.2                 YES
    Linksys    BEFSR41          4.3          2.00.02                YES
    Linksys    WRT54G3G-ST      N/A          N/A                    YES
    Linksys    WRT54G2          N/A          N/A                    NO
    Linksys    WRT160N          1.1          1.02.2                 YES
    Linksys    WRT54G           3            3.03.9                 YES
    Linksys    WRT54G           5            1.00.4                 NO
    Linksys    WRT54GL          N/A          N/A                    YES
    Netgear    WGR614           9            N/A                    NO
    Netgear    WNR834B          2            2.1.13_2.1.13NA        NO
    OpenWRT    N/A              N/A          Kamikaze r16206        YES
    PFSense    N/A              N/A          1.2.3-RC3              YES
    Thomson    ST585            6sl          6.2.2.29.2             YES

  10. Re:Thank you Captain Obvious by AnonymousClown · · Score: 3, Funny

    Let's see: Make sure you have a strong Admin password on your router and don't surf p0rn/warez sites. Thank you Captain Obvious!

    I get more hacking attempts when I search for and try to look at Christina Hendricks images than I ever do from all the porn sites combined.

    --
    RIP America

    July 4, 1776 - September 11, 2001

  11. Re:"List of routers affected" is just a picture by L4t3r4lu5 · · Score: 5, Insightful

    From the article:

    "One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network."

    So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.

    Who published this article? Oh, hey kdawson. Glad to see you're still on form. Seriously, let me filter this shit out of the RSS feed.

    --
    Finally had enough. Come see us over at https://soylentnews.org/

  12. Re:Thank you Captain Obvious by wowbagger · · Score: 4, Insightful

    "Make sure you have a strong Admin password on your router..."

    Which does you no good if your browser remembers your router's admin name and password - or did you miss the bit in the article where part of this hack is subverting your browser to actually do the dirty work?

    "...and don't surf p0rn/warez sites."

    Because advertiser sites never get hacked, nor do normal sites. Only porn and warez sites ever serve malware.

    Better to turn off scripting on your browser by default, and only enable it for sites you trust, and NEVER let your browser remember passwords.

  13. Re:You mean besides using default admin/password.. by Cryacin · · Score: 5, Funny

    Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!

    Wouldn't stop them if they're Swedish!

    And yes, I'm an insensitive Cljod!

    --
    Science advances one funeral at a time- Max Planck

  14. Only half? It's probably a lot more by davidwr · · Score: 3, Interesting

    Odds are the good guys haven't found all the vulnerable ones.

    Oh, if you count routers left in their default configuration + human vulnerability to social engineering attacks, the number would be well over 50% even without any actual design flaws. This assumes having a common default login isn't itself a design flaw - which I think it is.

    On that note, 2-Wire does it right: They have random-looking default management passwords printed on the bottom of most of their modem-routers. There is no universal "default login" you can look up on the Interwebs.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  15. Re:Exactly what is the sploit? by Zocalo · · Score: 3, Informative

    As I understand it, it generally works like this: You set a ridiculously short TTL on the server hosting the exploit. When a victim connects you grab their IP address, add it and any other likely target IPs to the list of A records for the server and reload the zone. Your attack code just needs to wait for the TTL to expire, DNS to refresh and then try and connect to the target, which now appears to come from an attack on a trusted network.

    Going to be interesting to see what this talk is going to add to the mix though... Either way, now would be a really good time to change any easy to remember, alpha-numeric only device passwords, if you've got any.

    --
    UNIX? They're not even circumcised! Savages!

  16. Re:Thank you Captain Obvious by MBGMorden · · Score: 3, Funny

    I get more hacking attempts when I search for and try to look at Christina Hendricks images than I ever do from all the porn sites combined.

    Yes but going by the "I'll know it when I see it" definition, any image of that woman in a dress qualifies as pr0n . . .

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain

  17. Re:Exactly what is the sploit? by L4t3r4lu5 · · Score: 4, Insightful

    It is the first step. In fact, apart from a firmware vulnerability or some REALLY shocking DMZ setup, you're going to leave this attack with nowhere to go just by changing from the default password. There might be a second exploit in the form of a dictionary attack tacked on to the end, but that's not what the article is about.

    It's not that big a deal. It's a headline of the type you're likely to find in the Daily Mail: sensationalist and inaccurate. There might be more info in the future which justifies the grandeur of the statement, but right now (pre-Black Hat) it's just bullshit sensationalist speculation from Slashdot's specialist on the matter.

    (Yeah, I'm getting a chip on my shoulder about this guy.)

    --
    Finally had enough. Come see us over at https://soylentnews.org/

  18. Re:DD-WRT+OpenDNS FTW by lyinhart · · Score: 4, Insightful

    Nope. According to the article, OpenDNS doesn't make a difference and DD-WRT v24 was one of the router firmwares that was successfully exploited.

    --
    Freedom is drinking a beer in the park when you're supposed to be at work.

  19. Re:DD-WRT+OpenDNS FTW by homes32 · · Score: 4, Insightful

    Just had to post that everyone should be running OpenDNS and if possible DD-WRT or Tomato (for homes). You just can't beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.

    And that no one else knows how to use. Let's face it: most users don't even know that it's possible to log in to their "wireless box" and change settings, let alone replace the firmware with a 3rd party distro. As far as they're concerned, the guy that installed the internet just plugged it in and it needs to be there or their laptop can't get internet. Don't get me wrong, I love Tomato, but saying "everyone should run [insert some firmware here]" is not a solution to the problem. The problem is the idiot tech (and in some cases, non-tech people smart enough to set up their own router) not changing the default password on the router when he installs it.

  20. Re:Thank you Captain Obvious by pinkushun · · Score: 5, Insightful
  21. Heretic by Anonymous Coward · · Score: 3, Funny

    Slashdot is *the* most important site. For you to call it "trivial" is a most wicked sin.

  22. Simple solution, don't use your router for DNS by Passman · · Score: 3, Insightful

    As someone pointed out in a comment on the Forbes story, this exploit can only affect you if you are getting DNS through the router.

    Simply using a static IP & DNS for your computer on your local network would make you immune to this. In situations where using a static IP is not possible (a friend's house, public wifi, etc.) just set your DNS servers statically and you should be fine.

    --
    Minne-snow-da: Winter is coming...

  23. Re:You mean besides using default admin/password.. by Beardo+the+Bearded · · Score: 3, Interesting

    Just serve up a web page that looks exactly like your router's settings menu. They'll log in with admin / admin and THINK they're in. In reality they're just playing with widgets that aren't bound to anything at all.

    --
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.

  24. Re:"List of routers affected" is just a picture by mzs · · Score: 3, Informative

        Vendor    Model    H/W Version    F/W Version    Successful
        ActionTec    MI424-WR    Rev. C    4.0.16.1.56.0.10.11.6    YES
        ActionTec    MI424-WR    Rev. D    4.0.16.1.56.0.10.11.6    YES
        ActionTec    GT704-WG    N/A    3.20.3.3.5.0.9.2.9    YES
        ActionTec    GT701-WG    E    3.60.2.0.6.3    YES
        Asus    WL-520gU    N/A    N/A    YES
        Belkin    F5D7230-4    2000    4.05.03    YES
        Belkin    F5D7230-4    6000    N/A    NO
        Belkin    F5D7234-4    N/A    5.00.12    NO
        Belkin    F5D8233-4v3    3000    3.01.10    NO
        Belkin    F5D6231-4    1    2.00.002    NO
        D-Link    DI-524    C1    3.23    NO
        D-Link    DI-624    N/A    2.50DDM    NO
        D-Link    DIR-628    A2    1.22NA    NO
        D-Link    DIR-320    A1    1    NO
        D-Link    DIR-655    A1    1.30EA    NO
        DD-WRT    N/A    N/A    v24    YES
        Dell    TrueMobile 2300    N/A    5.1.1.6    YES
        Linksys    BEFW11S4    1    1.37.2    YES
        Linksys    BEFSR41    4.3    2.00.02    YES
        Linksys    WRT54G3G-ST    N/A    N/A    YES
        Linksys    WRT54G2    N/A    N/A    NO
        Linksys    WRT160N    1.1    1.02.2    YES
        Linksys    WRT54G    3    3.03.9    YES
        Linksys    WRT54G    5    1.00.4    NO
        Linksys    WRT54GL    N/A    N/A    YES
        Netgear    WGR614    9    N/A    NO
        Netgear    WNR834B    2    2.1.13_2.1.13NA    NO
        OpenWRT    N/A    N/A    Kamikaze r16206    YES
        PFSense    N/A    N/A    1.2.3-RC3    YES
        Thomson    ST585    6sl    6.2.2.29.2    YES

  25. Re:Exactly what is the sploit? by BZ · · Score: 3, Informative

    > How does your DNS stack pick up a new IP address for a host name once it's already been
    > resolved?

    It doesn't. The way you do this is to return a list of two IP addresses for the hostname when it's first resolved; the first IP is your server and the second is the user's router.

    Then you serve stuff up as normal. When you want to carry out an attack, you point the browser to a url that has your hostname (probably in an iframe that's part of your page) and have your server refuse the connection. When that happens the browser will fall back to the next IP in the list and try it (that's how round-robin DNS works), and load a page from the router; if you pick the path part of your url right, this would be the login page. Now the key here is that web browser security policies are based on hostnames, not IP addresses. So the router's login page is now same-origin with yours and you can run script that does things to it. Like filling in the default admin username/password and submitting the form, for example. Or direct XMLHttpRequest access with the right Cookie headers, whatever.

    Changing the default password definitely helps.

    Some browsers are working on changes that would deny attempts to connect from a public IP to one on the local network, no matter what the hostnames are. That would stop this cold.
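Both variants described in this thread (the two-address answer BZ describes here, and the short-TTL re-resolution Zocalo describes in comment 15) depend on a public hostname resolving, at some point, to a private address such as the router's. The resolver-side filter below is an added example, not code from the thread or from Heffner's tool: it refuses to hand clients internal addresses for names outside the local zones, which is the defence dnsmasq's --stop-dns-rebind option implements. The zone suffixes, hostnames and addresses are constructed.

```python
"""Resolver-side DNS rebinding filter (added example, not from the thread
or from Heffner's tool).  All hostnames, zone suffixes and addresses here
are constructed for illustration."""
import ipaddress
from typing import Iterable, List, Tuple

# Names under these suffixes are expected to resolve to private space
# (constructed example zones); everything else is treated as external.
LOCAL_ZONES = (".lan", ".home.arpa")

# Address ranges a rebinding answer would steer the browser towards.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_internal_address(ip: str) -> bool:
    """True if ip falls in any internal range; IPv4-mapped IPv6 addresses
    (::ffff:192.168.1.1) are unwrapped first so they cannot slip past."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETS)


def is_local_name(qname: str) -> bool:
    """Only names inside our own zones may legitimately map to private IPs."""
    name = qname.rstrip(".").lower()
    return any(name.endswith(zone) for zone in LOCAL_ZONES)


Record = Tuple[str, int]  # (address, ttl) as received from upstream


def filter_answer(qname: str, a_records: Iterable[Record]) -> Tuple[List[Record], List[str]]:
    """Return (records_safe_to_serve, rejected_addresses).

    For an external name every internal address is dropped, whether it
    arrived alongside the attacker's public server (the two-record trick)
    or alone after a short-TTL re-resolution.  If nothing survives, the
    resolver should answer as if the name did not resolve."""
    if is_local_name(qname):
        return list(a_records), []
    keep: List[Record] = []
    rejected: List[str] = []
    for ip, ttl in a_records:
        if is_internal_address(ip):
            rejected.append(ip)
        else:
            keep.append((ip, ttl))
    return keep, rejected


if __name__ == "__main__":
    # Two-record answer: attacker's server first, victim's router second.
    print(filter_answer("ads.example.net", [("203.0.113.7", 60), ("192.168.1.1", 60)]))
    # Short-TTL variant: the re-resolution now returns only the router.
    print(filter_answer("ads.example.net", [("192.168.1.1", 1)]))
    # An internal name is passed through untouched.
    print(filter_answer("router.lan", [("192.168.1.1", 300)]))
```

Note that the filter does nothing for a browser that is pointed at the router's address directly; it only blocks the hostname-based same-origin trick the thread describes.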

  26. Re:Exactly what is the sploit? by Magic5Ball · · Score: 3, Insightful

    > in total about 10 thousand euros of lost sales for Cisco/Linksys because of that one crap router they saddled me with for Christmas 2008

    So their filter against non-profitable clients has worked as expected.

    Each time a human at Linksys touches a customer, the company incurs at least 5 euro in costs. Since Linksys relies on retail volume and not consultation for their consumer sales, it's to their financial advantage to never hear from customers once the sale has been made, and especially to their advantage not to have to respond to unending lists of complaints or questions from detail-oriented customers. That same 10,000 euro of kit sold to 200 customers who do not generally know enough to complain is much more profitable to Linksys than if it were sold to you since you have both the aptitude and time to complain, but not effectively. (If you had complained effectively, you would have received a successful resolution from Linksys and both parties would have benefitted directly.)

    Instead, they've successfully outsourced through you, and with no compensation to you, a few hundred euro of support costs to their competitors, and avoided losing their very thin margin on 10,000 euro of sales. And since you only deal in 10,000 euro of kit a year spread out over many sites and much time (and thus many purchase orders and incidents requiring human intervention), you're no big future loss either since selling one 10,000 euro pizza box to one customer is about 10 minutes of work for anyone in corporate sales, plus they would get to sell a support contract to go with it.

    --
    There are 1.1... kinds of people.

  27. Re:You mean besides using default admin/password.. by Ihmhi · · Score: 3, Funny

    Then they click submit and BAM you hit 'em with tubgirl.