At Least 700,000 Routers Given To Customers By ISPs Are Vulnerable To Hacking

← Back to Stories (view on slashdot.org)

At Least 700,000 Routers Given To Customers By ISPs Are Vulnerable To Hacking

Posted by Soulskill on Friday March 20, 2015 @01:33AM from the seeds-of-a-class-action dept.

itwbennett writes: More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Most of the routers have a 'directory traversal' flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models.

96 comments

Min score:

Reason:

Sort:

Run your own equipment by chuckinator · 2015-03-20 01:36 · Score: 5, Informative

I've always run my own hardwsare for years for a reason: it gives me a buffer beyond which I know the ISP no longer has control of my home network. 2x OpenWRT routers, a managed switch in the middle, and a lightweight embedded PC running the essential network services (dhcp, dns, ntp, etc), and the IT management overhead is fairly low.
1. Re:Run your own equipment by Njorthbiatr · 2015-03-20 01:38 · Score: 3, Informative
  
  Me too, since the only reason they want you to use their router is in the first place is to price gouge with rental fees.
2. Re:Run your own equipment by Anonymous Coward · 2015-03-20 01:43 · Score: 0
  
  Did you decide to run the network services on a embedded PC for routing performance purposes?
3. Re:Run your own equipment by Ol+Olsoc · 2015-03-20 01:46 · Score: 0
  
  Me too, since the only reason they want you to use their router is in the first place is to price gouge with rental fees.
  Not the only reason. Some are now using these routers to set up a hotspot from your home. Peeps connectin' for free - what could go wrong?
  Now of course, that's silly economics. If people can legally mooch off their neighbors, why would they pay for their own connection? so everyone decides to drop their service at the same time, including the person who was the last unwitting provider in the hood.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
4. Re:Run your own equipment by Anonymous Coward · 2015-03-20 01:51 · Score: 4, Informative
  
  Uh no, those hotspot things require people to be a subscript, it's not pure public and unrestricted access.
5. Re:Run your own equipment by neghvar1 · 2015-03-20 02:05 · Score: 3, Informative
  
  This is why I always run my own router behind the ISP's router. Create a DMZ between the 2 routers with a 255.255.255.252 subnet so that the only available IP addresses are one for the WAN port on my router and the other for the LAN port on the ISP router.
6. Re:Run your own equipment by Anonymous Coward · 2015-03-20 02:10 · Score: 0
  
  In order to connect to them, you need to have purchased Internet access from that company. So, not free.
7. Re:Run your own equipment by Ol+Olsoc · 2015-03-20 02:13 · Score: 0
  
  Uh no, those hotspot things require people to be a subscript, it's not pure public and unrestricted access.
  Which changes my basic point how?
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
8. Re:Run your own equipment by Anonymous Coward · 2015-03-20 02:17 · Score: 0
  
  Dropping service leaves you unable to mooch.
9. Re:Run your own equipment by ckatko · 2015-03-20 02:50 · Score: 4, Insightful
  
  You seem to be under the assumption that your hardware, and your compiler are incapable of being attack vectors.
  
  http://cm.bell-labs.com/who/ke...
10. Re:Run your own equipment by jader3rd · 2015-03-20 02:52 · Score: 2
  
  I would prefer it if it was illegal to have service providers also provide the hardware. Because since they provide 'free' hardware, the cost of that hardware is in your bill. So even though you aren't using the 'free' hardware, you're still subsidizing it in some way.
11. Re:Run your own equipment by Anonymous Coward · 2015-03-20 02:56 · Score: 0
  
  The hotspots in question can only be used by their customers. The idea is that if a customer agrees to host such a hotspot, doing so gives them access to everyone else's hotspot as well.
  Many ISPs have made deals with global players such as FON, so that you get hotspot access not only within the coverage area of your own ISP, but also in many countries around the world.
  I've not tested it, but my ISP says that the hotspot traffic is rate-limited, such that my own browsing experience is not too badly affected by the hotspot guests.
12. Re:Run your own equipment by Ol+Olsoc · 2015-03-20 02:57 · Score: 1
  
  Dropping service leaves you unable to mooch.
  That was my point. When everyone decides they'll mooc off their neighbor, the neighbor might want to do the same thing.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
13. Re:Run your own equipment by Anonymous Coward · 2015-03-20 02:59 · Score: 1
  
  Now of course, that's silly economics. If people can legally mooch off their neighbors
  As my parents neighbors found out. I turned it off on xmas eve evening. He was complaining his internet was 'slow'. He had not put a password on the wireless router. They had renamed it and put a password on it. 24/7 torrent from what I could tell from wireshark. One reset later. Latest firmware. I owned that router.
  So I turned it off. Oh xmas is on a friday? Oh you cant get anyone to come out until next week? Oh you are on vacation? Oh you have a paper due. Really. Hmm thats nice have fun trotting over to the library. I even left the SSID in the clear just to rub it in.
  If they had asked, my dad probably would have been cool with it.
  why would they pay for their own connection?
  They learned a connection you do not pay for you do not control.
  Though it was funny seeing them standing in the snow with a laptop trying to get a signal :)
14. Re:Run your own equipment by RPI+Geek · 2015-03-20 03:07 · Score: 3, Insightful
  
  I did this quite recently and I couldn't agree more!
  After my Linksys started dying on a regular basis, I repurposed an old laptop that had been sitting untouched for years into an OpenBSD router. After fiddling with it for a while to get the settings correct, I switched out my old Linksys and haven't had so much as a hiccup since then. The 26 days uptime is ~19 more than my average with the crappy old Linksys, at the cost of a bit more power consumption. At some point I may upgrade my hardware to something lower-power, but so far I'm calling my experiment a sucess.
  
  --
  
  - "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
15. Re:Run your own equipment by RabidReindeer · 2015-03-20 03:12 · Score: 5, Funny
  
  Well, if EVERYONE decides they'll mooch off their neightbor, it's Communism!
  And if no one actually HAS WiFi to mooch off of, that's Soviet-style Communism.
16. Re:Run your own equipment by Anonymous Coward · 2015-03-20 03:18 · Score: 2, Informative
  
  But they can't, since once they stop subscribing, they're no longer able to use the WiFi.
  So quit all you want, then you can't mooch because they're actively requiring you to be a subscriber.
  Is this flying past you somehow?
17. Re:Run your own equipment by Anonymous Coward · 2015-03-20 03:20 · Score: 0
  
  Can you please elaborate more on your setup ? I have a ATT-Uverse branded modem+router in my setup. I would like to have my own DD-WRT based router behind it.
18. Re:Run your own equipment by Anonymous Coward · 2015-03-20 03:44 · Score: 0
  
  as a service provider, I have to disagree with you. I have hundreds of customers who wouldn't be able to configure their own ADSL modem. Selling them a decent modem preconfigured at a decent price AND supporting it well makes sense for them and for us.
19. Re:Run your own equipment by houstonbofh · 2015-03-20 03:50 · Score: 3, Insightful
  
  You seem to be under the assumption that your hardware, and your compiler are incapable of being attack vectors.
  Possible attack vectors vs known attack vectors. I guess you could also add "likely attack vectors" since they keep getting compromised, and not updated. Of course, so does user home equipment.
  
  The big difference is, if I own it, I can upgrade the software, and choose secure passwords. If I rent it, I have to trust that Comcast is a conscientious as I am. Stop laughing!
20. Re:Run your own equipment by Raistlin77 · 2015-03-20 03:56 · Score: 2
  
  Reduce to slowest/cheapest option, disable wi-fi on your router, mooch to your heart's content off your neighbor's high-speed connection.
21. Re:Run your own equipment by pnutjam · 2015-03-20 04:06 · Score: 1
  
  When I did this with my uverse router it would "forget" the passthough rule every couple of months. I finally gave up and just use nat redirection to my server.
  
  --
  Cheap storage VM.
22. Re:Run your own equipment by Anonymous Coward · 2015-03-20 04:07 · Score: 0
  
  Why the hell don't you just buy your own modem and not have to deal with the bullshit?
23. Re:Run your own equipment by Ol+Olsoc · 2015-03-20 04:14 · Score: 0
  
  The hotspots in question can only be used by their customers. The idea is that if a customer agrees to host such a hotspot, doing so gives them access to everyone else's hotspot as well.
  Many ISPs have made deals with global players such as FON, so that you get hotspot access not only within the coverage area of your own ISP, but also in many countries around the world.
  I've not tested it, but my ISP says that the hotspot traffic is rate-limited, such that my own browsing experience is not too badly affected by the hotspot guests.
  Which still doesn't change my argument. Take a hypothtical neighborhood, where everyone decides they ar egoing to use a hotspot rather than use their own router, that has this feature built in. Who's hotspot will they use?
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
24. Re:Run your own equipment by Ol+Olsoc · 2015-03-20 04:19 · Score: 1
  
  Well, if EVERYONE decides they'll mooch off their neightbor, it's Communism!
  And if no one actually HAS WiFi to mooch off of, that's Soviet-style Communism.
  And that's pretty darn funny! Well played sir. Well played.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
25. Re: Run your own equipment by Anonymous Coward · 2015-03-20 04:20 · Score: 0
  
  My ISP's slowest wired speed is still faster than the fastest you can get from their WiFi. So...no gain.
26. Re:Run your own equipment by Ol+Olsoc · 2015-03-20 04:26 · Score: 0
  
  But they can't, since once they stop subscribing, they're no longer able to use the WiFi.
  So quit all you want, then you can't mooch because they're actively requiring you to be a subscriber.
  Is this flying past you somehow?
  It must be. I stated the possibility, and you think that that it cannot happen?
  If you don't have to go through the trouble of having someone come into your house, install a modem and router, and you can just "get it off the neighbor that has it", what are you going to do when everyone decides they'll just "get it off th neighbor? When that neighor that has it that you were quite legally accessing their router with your quite legal subscription decides they will ge ta quite legal subscription, and take out the wireless, and now, there isn't a hotspot in the neighborhood
  Is there some kind of majickal internet that gets you your service simply because you are subscribing, even if there is not one wifi signal to be picked up?
  So kind sir, I'll call a whoosh of my own on you
  Unless of course you can tell me about this no signal needed Wi-Fi. Simply subscribe, and you get the intertoobz, no router needed at all? Anywhere ever?
  Do you have a newsletter or a perpetual motion youtube video?
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
27. Re:Run your own equipment by Anonymous Coward · 2015-03-20 04:41 · Score: 0
  
  If you would just admit you made a mistake instead of trying to backpedal and insult GP, you'd save a lot more face. You specifically mention dropping service in the original post, not dropping modem rental. You make a mistake, own up to it and get over it.
28. Re:Run your own equipment by Anonymous Coward · 2015-03-20 04:43 · Score: 0
  
  Which is cool and the best way to do things but . . . . .
  Most of the world doesn't read Slashdot. Most of the world isn't capable of setting up and / or configuring something like that on their own.
  They just want it to work. Thus, they get the generic stuff from the ISP and assume they're protected. ( Most of the time they are )
  I'm right there with you on using your own equipment. My cable modem. My Cisco gear behind it. I have full control over what comes in and
  what leaves my home network and it will stay that way. I wouldn't have it any other way.
29. Re:Run your own equipment by nehumanuscrede · 2015-03-20 04:49 · Score: 1
  
  This was exactly my thoughts:
  ( assuming they're not doing exactly the same thing )
  What will your connection speeds be on the Xfinity Hotspots ? Are they fixed, or are they faster / slower than what the location hosting it is paying for ?
  Eg: If a household is paying for a 60 / 10 connection, does the included Hotspot run at that speed or no ? If it does, it might be worth paying for a low end package just to get the subscription, then connect to your neighbors Hotspot to have access to a faster speed.
30. Re:Run your own equipment by Anonymous Coward · 2015-03-20 04:53 · Score: 0
  
  Except they aren't offering it to anybody with no requirements. You need to have a subscription, or it doesn't work since you won't have an account you can use to connect to it.
  Decide you don't want to pay for an account? Oh well, now you're not able to use that WiFi.
31. Re:Run your own equipment by tlhIngan · 2015-03-20 04:57 · Score: 2
  
  Me too, since the only reason they want you to use their router is in the first place is to price gouge with rental fees.
  Not the only reason. Some are now using these routers to set up a hotspot from your home. Peeps connectin' for free - what could go wrong?
  Now of course, that's silly economics. If people can legally mooch off their neighbors, why would they pay for their own connection? so everyone decides to drop their service at the same time, including the person who was the last unwitting provider in the hood.
  To use those hotspots require you to be a subscriber of said service. So if you're a Comcast subscriber, you can use those Comcast hotposts that Comcast makes available.
  If your neighbors want to use your hotspot, they're still paying for internet service. Just a crappier version of it because the hotspot one is usually rate limited. They could just instead use the one they're paying for.
  It's not "free wifi" - it's a gated access wifi - as long as you're a subscriber to internet service from that company, you can use that hotspot.
  Mooching off your neighbours means yours sits idle. Comcast or whoever still gets their pound of flesh from you every month. (And your neighbor is free to mooch off your modem since they subscribe to the same service).
  And yes, it's an annoyance if you're in a marginal area with overlap and your wifi switches from your home router to your neighbor's.
32. Re:Run your own equipment by Anonymous Coward · 2015-03-20 05:33 · Score: 0
  
  You're not going to get super-fast mega-speed out of them, it's throttled.
  So all you'd get is...paying for a subscription without the gains of the faster internet you get with wired.
33. Re:Run your own equipment by ShaunC · 2015-03-20 05:53 · Score: 1
  
  If you don't have to go through the trouble of having someone come into your house, install a modem and router, and you can just "get it off the neighbor that has it", what are you going to do when everyone decides they'll just "get it off th neighbor?
  I don't see that as a likely scenario. For one, most people who sign up for cable modem service are going to do whatever the nice people at Comcast say to do, which is why these "xfinitywifi" spectrum-blasting hotspots are showing up in the first place. And the users who are a bit tech savvy are damned sure going to want their own cable modem and router (whether it belongs to them or they rent it from Comcast) in their own home, to ensure they get the best speed possible.
  Technical support forums all over the web are full of people bitching, whining, and moaning that they don't get satisfactory speeds from the CPE installed in their own home. Do you think everyone is going to order service but decline the equipment, with some master plan to use the neighbor's signal that's even weaker than what a router in their own home could provide?
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
34. Re:Run your own equipment by amxcoder · 2015-03-20 06:08 · Score: 1
  
  I have ATT-Uverse modem/router at my home as well, and I run my own router behind it just fine, and was fairly easy to setup. I left the TV receivers and everything that was ATT connected to the Uverse modem/router, and then connected my personal router's WAN port to one of the ATT LAN ports.
  
  In the ATT router, you go in, and I disabled WiFi on it (so my router handles all the WiFi in my house), and you setup a DMZ entry in the ATT router, and point it to your home router. This allows your home router to 'act as if' it's connected directly to the internet. IE: all packets will pass through to your router, where you have better control over your network (and most likely more options). You also need to setup the two routers to be on different IP schemes, so I changed the ATT one to use a 192.168.2.xxx subnet, and my home router is still at a 192.168.1.xxx subnet, so that everything works correctly.
  
  Connected to my home router, I can access my router to admin functions, and I can also hit the ATT Uverse router for admin functions, and I have not noticed any drawbacks so far. This way I can be sure that ATT can't get into my network any further than their equipment. I know a lot of these modems/routers can have backdoors for tech support uses, so I feel safer knowing that if this is the case, they can only access the TV equipment I am using and not get to any of my PC's, servers, or mobile devices that using my internal network.
  
  As for the DMZ settings for the ATT routers, the location of these settings can be a little difficult to find (not clearly marked), and will be different depending on what brand modem/router you have from them. I've had 2 different RG devices, and the web interface was different on both of them, so I had to hunt around for it. The web has tons of info on setting this up, just search for it with the make/model of the modem you have and you should be able to find instructions for enabling DMZ to a second router (seems to be a common setup).
35. Re:Run your own equipment by amxcoder · 2015-03-20 06:11 · Score: 1
  
  You cannot buy your own ATT UVerse modems yet. They are holding on to those tightly, and they are not something you can walk into a computer store and buy like you can with a normal DSL or Cable modem. I looked around when I signed up as I wanted to own mine as well, but no luck. Using your own router of your choice in a DMZ behind their's is about the best solution I have found, and works great.
36. Re:Run your own equipment by BuckaBooBob · 2015-03-20 06:27 · Score: 1
  
  And they should have liability for that rented equipment :)
  
  --
  Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
37. Re:Run your own equipment by chuckinator · 2015-03-20 06:45 · Score: 1
  
  Nope. I did it because I was cheap, and the AMD fusion system on chip board cost a fraction of what it would cost to run big iron grade boards.
38. Re:Run your own equipment by chuckinator · 2015-03-20 06:46 · Score: 2
  
  Unfortunately, that's not entirely true with cable modems. Connecting to the DOCSIS network grants your ISP admin rights over the device. That's a big reason why you should separate the functionality of your primary gateway route from your DOCSIS demarcation device.
39. Re:Run your own equipment by chuckinator · 2015-03-20 06:47 · Score: 1
  
  Good thing I'm not using bcc as a compiler. Probably not very useful off of PDP-7 or PDP-11 systems, anyway.
40. Re: Run your own equipment by Anonymous Coward · 2015-03-20 07:36 · Score: 0
  
  You're an idiot.
  That's not how this works. That's not how any of this works.
41. Re: Run your own equipment by Anonymous Coward · 2015-03-20 07:40 · Score: 0
  
  Wow. That was an exciting story.
  I look forward to more of your wondrous technological tales in the future, good sir.
42. Re:Run your own equipment by antdude · 2015-03-20 15:32 · Score: 1
  
  Or don't use/disable the ISP's router?
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
And this is why... by barlevg · 2015-03-20 01:45 · Score: 2

I realize this isn't the router in question, but I refuse to use my Comcast modem--which has a wireless router built in--as anything but a modem, preferring to run everything through my own hardware. Also disabling that stupid Comcast Hot Spot functionality--like Hell am I paying Comcast for the privilege of hosting a part of their "free wireless" network, whether it affects my own personal bandwidth or not (or whether it leaves a door open to hacking into my own private network).
1. Re:And this is why... by Anonymous Coward · 2015-03-20 02:04 · Score: 3, Interesting
  
  Why don't you just buy a docsis 3 modem then? Stop paying for the privilege of renting a modem.
2. Re:And this is why... by Anonymous Coward · 2015-03-20 02:50 · Score: 0
  
  Why don't you just buy a docsis 3 modem then? Stop paying for the privilege of renting a modem.
  It's cute that you assume capitalism gives every customer this choice.
3. Re:And this is why... by barlevg · 2015-03-20 03:15 · Score: 3, Insightful
  
  Wow. You're absolutely right. They charge me $10/mo, and modems are less than $100. That's insane.
4. Re:And this is why... by houstonbofh · 2015-03-20 03:58 · Score: 1
  
  Why don't you just buy a docsis 3 modem then? Stop paying for the privilege of renting a modem.
  It's cute that you assume capitalism gives every customer this choice.
  Well, Comcast does. The even have a list... http://mydeviceinfo.comcast.ne...
  
  I know it is shocking to see Comcast doing something right. It must be an oversight. :)
  
  AT&T Uverse, however, does not. You must your there VDSL equipment only...
5. Re:And this is why... by houstonbofh · 2015-03-20 04:00 · Score: 1
  
  AT&T Uverse, however, does not. You must your there VDSL equipment only...
  In before the spelling NAZIs... their equipment... DYAC.
6. Re:And this is why... by camperdave · 2015-03-20 04:02 · Score: 1
  
  You can buy docsis 3 modems everywhere Comcast operates... so yes, capitalism does give every customer this choice.
  
  --
  When our name is on the back of your car, we're behind you all the way!
7. Re:And this is why... by Anonymous Coward · 2015-03-20 04:09 · Score: 0
  
  It's cute that you think you know what you are talking about.
8. Re:And this is why... by Anonymous Coward · 2015-03-20 04:10 · Score: 0
  
  Getting your own modem set up with comcast is the motherfucker of all difficult times, though. Actually more of a pain than trying to get the dipshit on the phone to properly register your cable card if you have your own DVR equipment.
  Also, for awhile it was a real bitch because Comcast refused to acknowledge that anyone could actually own their own DOCSIS 3 modem, so any DOCSIS 3 modems registered with the system were treated as rentals and you had to fight the bill with them every month. I think they've finally sorted that out mostly.
9. Re:And this is why... by houstonbofh · 2015-03-20 05:01 · Score: 1
  
  Comcast screws up authentication, billing and speed for everyone. Owning or not owning your modem makes no difference here. :)
10. Re:And this is why... by chihowa · 2015-03-20 06:19 · Score: 2
  
  Keep in mind that it's purely a monetary win, though. Even though you own the modem, they completely control it and can (and do) reflash its firmware. You should still treat it as a potentially hostile device on your network.
  There are other limitations, too, like Comcast's refusal to sell you static IP addresses unless you rent a modem from them.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
11. Re:And this is why... by Anonymous Coward · 2015-03-20 06:24 · Score: 0
  
  Yes, you can own your own modem with Comcast. It only took me 1.5 weeks, at least 8 separate phone calls and an elapsed time of greater than 10 hours on the phone, and everything was working fine. My situation was complicated by the fact that on day 7 of my "self-activation" process, just as all of the approvals and such were starting to get worked out in Comcast's system, a Comcast cabling contractor trenched across my front yard (in the right-of-way) in order to extend the Comcast cable infrastructure from my house (last on the block) to the newly built house next door. My cable Internet service stopped at about 3 pm on a Friday, 30 minutes after the cabling contractor began their work. Ultimately this fault was traced to their work (they accidentally damaged a connector and weakened my signal below the threshold at which it could work), but it took tremendous persuasion on my part to get Comcast to roll a truck out the following Monday. And then they tried to bill me for a technician visit to complete my self-activation. Comcast - a lot of really great people (no really - everyone I talked to was extremely polite and as far as I can tell did everything in their power to make things work out) hampered by a truly horrendous back-end system and process.
  Pro-tip. If you are signing up for Comcast service, be sure to monitor the e-mailbox associated with your Comcast "username" during the activation process. You may get one or more documents sent to you via e-mail to this mailbox that require you to open them and follow a link to "certify" your understanding of your Comcast contract. No one will tell you that these documents are there, or ask you about them when things aren't working, but if the people trying to help you out keep mentioning a "security" flag on your account this is probably what they are talking about. These messages may arrive and require your attention days after self-activating, and may be sent despite your being put through several telephone-based security certifications of the same material. Until this is done, the Comcast folks won't be able to "complete" your self-activation by putting your modem device in a permanent status on your account despite your Internet and phone service working just fine.
12. Re:And this is why... by barlevg · 2015-03-20 06:40 · Score: 1
  
  Wait, Comcast will sell me a static IP?
Uhh.... by Anonymous Coward · 2015-03-20 01:47 · Score: 0

"An unauthenticated attacker that is connected to the router's LAN may be able to read critical system files on the router."
Big fuckin' deal. Anyone that is on your LAN that wants to access shit can already do so. This won't allow remote attackers to access anything. I would wager that virtually all residential routers at one point or another allowed unauthenticated access to their configuration, and were eventually patched via firmware. Why do I even bother coming to this site anymore?
1. Re:Uhh.... by Maritz · 2015-03-20 01:50 · Score: 1
  
  The description says that a remote hacker can get admin credentials. Didn't read TFA. What I don't understand is why a router like that has any kind of management enabled on the WAN side by default at all.
  
  --
  I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
2. Re:Uhh.... by Anonymous Coward · 2015-03-20 02:03 · Score: 1
  
  Your browser runs in your network. A browser with CSRF vulns might be exploitable if you visit a site containing something like this:
  <img src="http://10.10.10.1/cgi-bin/vulnerable.cgi?enable_wan_admin=1&old_pass=admin&new_pass=now_i_own_your_router>
3. Re:Uhh.... by Anonymous Coward · 2015-03-20 02:20 · Score: 0
  
  So support staff can log on and handle config issues without having to deal with a tech illiterate at the other end that can't even type in an IP address correctly. It can also be used to automatically pull in and install updates that fix security holes (funny, eh?).
  As with all these things, if a support person can use a service backdoor, you can be sure there's an underworld that has the defaults for each make/model of router in the wild.
4. Re:Uhh.... by Anonymous Coward · 2015-03-20 06:02 · Score: 0
  
  Thankfully noscript with ABE can block that kind of stuff.
Yawn, carna did it first by Anonymous Coward · 2015-03-20 01:49 · Score: 0

The Carna botnet found 400,000 vulnerable devices without really trying (just using plain simple default login params) and that was a few years ago. Some times, I wish whoever ran that botnet had torched the whole thing and sent a wake up call. We are just setting the stage for the next great botnet.
Service backdoors by Registered+Coward+v2 · 2015-03-20 01:50 · Score: 4, Interesting

Having been a field engineer, where I had to fix and make work the stuff the idiots who called them selves engineers doing the design, having a backdoor to access systems was very useful. Customer didn't remember the password? No problem, I still had a way into the control system. I did, however, wonder what other equipment had the same "feature?" My stuff had no public facing interface no network connection so illicit access was not an issue except maybe if a disgruntled employee decided to have some fun; but the general design approach was "we need backdoors for support reasons" and that mentality carried over as equipment became more connected and no one ever seems 2015-03-20o question it or assess the risks vs reward for such a design philosophy. Of course, no one would ever access the proprietary "Company Confidential" engineering support documentation, right? It's kept safe right here on our internal document so no one weill ever know our backdoor user is "admin" with a password of "Pass1234" and thus we can make them easy for our field support staff, who we at HQ all know are dumb knuckle dragging mouth breathers anyway, to remember.

--
I'm a consultant - I convert gibberish into cash-flow.
1. Re:Service backdoors by cliffjumper222 · 2015-03-20 04:01 · Score: 3, Funny
  
  > no one ever seems 2015-03-20o question it or assess the risks vs reward for such a design philosophy.
  This date brought to you by the backdoor to the letter "t"!
Is there a list of the backdoors? by Anonymous Coward · 2015-03-20 01:58 · Score: 0

"Many of the routers have additional flaws. For example, around 60 percent have a hidden support account with an easy-to-guess hard-coded password that’s shared by all of them. Some devices don’t have the directory traversal flaw but have this backdoor account, Lovett said."
Dlink, ZTE etc. all vulnerable.
Cisco too, loads of execute and directory traversals:
http://www.cvedetails.com/vendor/16/Cisco.html
Juniper seem to be quite reasonable, but far from perfect:
http://www.cvedetails.com/vendor/874/Juniper.html
Thomson v-good:
http://www.cvedetails.com/vendor/1996/Thomson.html
Probably the best choice at this point is a Thomson Router, French company, unlikely to be loyal to the UStasi.
Is there is a nice list of backdoor accounts somewhere?
Please Read TFA by Anonymous Coward · 2015-03-20 02:06 · Score: 0

Most of the vulnerable devices he identified are ADSL modems with router functionality that were supplied by ISPs to customers in Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. A few were also found in the U.S. and other countries, but they appeared to be off-the-shelf devices, not distributed by ISPs.
Belkin.
As a Uessian, I don't give a crap. Botnets? What's a botnets?
Belkin N150 by Anonymous Coward · 2015-03-20 02:11 · Score: 5, Informative

Why doesn't the OP mention that they're only talking about the Belkin N150, with various versions of the firmware prior to v1.00.08?
1. Re:Belkin N150 by Anonymous Coward · 2015-03-20 03:58 · Score: 0
  
  Because Slashdot.
Many routers are hacked to use a rogue DNS by Anonymous Coward · 2015-03-20 02:14 · Score: 4, Interesting

Many of the routers in Thailand are hacked to use a DNS owned by a Lebanese company that replaces the DNS entries of ad-networks by their own ad-networks and redirect servers.
The largest ISP hands out ZyXEL routers that are vulnerable. This is probably also happening in other countries, only for Thailand this must be already a million dollar business.
Check the DNS entry of your router! You might not observe that you are hacked if you use an ad-blocker or hard-coded DNS in your system.
1. Re:Many routers are hacked to use a rogue DNS by TwoEyedJack · 2015-03-20 03:42 · Score: 1
  
  I had an ActionTek ADSL router provided by Century Link. All the computers on my network started having browser requests hijacked to a rogue website. I ran all kinds of virus checks on the PCs and found nothing. A check of the DNS IP address in the router revealed a known bad actor. The support tech at Century Link was completely unaware that this was even possible.
2. Re:Many routers are hacked to use a rogue DNS by Raistlin77 · 2015-03-20 04:17 · Score: 1
  
  ...The support tech at Century Link was completely unaware that this was even possible.
  Surprised?
3. Re:Many routers are hacked to use a rogue DNS by Anonymous Coward · 2015-03-20 09:06 · Score: 1
  
  When DNS hijacks were popular, there was a test website that was a great test. The website simply linked to the logo graphic of all the major AV vendors.
  Malware often tried to block the cure with DNS or hosts file changes.
  Visiting the site revealed which ones were blocked by the failure to load the logos.
  Does anyone know the page or if it is still up?
LOL by koan · 2015-03-20 02:17 · Score: 0

At Least 700,000 Routers Given To Customers By ISPs Are Vulnerable To Hacking
Almost seems like it was on purpose.

--
"If any question why we died, Tell them because our fathers lied."
1. Re:LOL by BVis · 2015-03-20 02:56 · Score: 1
  
  Never attribute to malice what can be adequately explained by stupidity. Some suit probably heard "blah blah blah shit that isn't important blah blah" when an engineer told them about this problem (and I am sure one did, unless they were too afraid of being fired for daring to suggest that the suit didn't know everything about everything).
  
  --
  Never underestimate the power of stupid people in large groups.
Ive developed a workaround for many models. by nimbius · 2015-03-20 02:42 · Score: 3, Funny

This is a preliminary workaround so im sure many of you will find bugs, but heres what im using:
1. unbox the router from your ISP. Many will come with an extra CAT 5 cord. Set this aside.
2. position the router (and wireless antennas should it come with wireless) directly above your garbage can
3. releasing the device will cause it to fall at 9.81m/s^2 directly into the bin (NOTE: this DOES NOT WORK or may respond slowly in areas without earth mode gravity...double check first.)
4. Wind the cat 5 cord in a pretty loop and hang it up with the rest of them.
5. continue instructions at: https://openwrt.org./

--
Good people go to bed earlier.
1. Re:Ive developed a workaround for many models. by camperdave · 2015-03-20 04:18 · Score: 2
  
  Directions unclear. Router bounced off lid of garbage can and landed on toe. Involuntary spasm caused garbage can to be knocked over and to become tripping hazard. In hospital with concussion. Garbage everywhere.
  
  --
  When our name is on the back of your car, we're behind you all the way!
2. Re:Ive developed a workaround for many models. by ageoffri · 2015-03-20 04:43 · Score: 1
  
  That's what you get for using a bleeding edge process.
  
  --
  -- Slashdot, making the Left look conservative since 1997.
3. Re: Ive developed a workaround for many models. by Anonymous Coward · 2015-03-20 07:49 · Score: 0
  
  Error does not effect all users. Flagging as "no fix needed".
4. Re:Ive developed a workaround for many models. by Anonymous Coward · 2015-03-20 13:43 · Score: 0
  
  That sounds a lot like my grandfather's infamous modification of my grandmother's recipe for rum cake.
Free? by Radical+Moderate · 2015-03-20 03:04 · Score: 1

Comcast charges a rental fee for their router, it's right on the bill. Qwest, er Century Link, did the same thing

--
Never let a lack of data get in the way of a good rant.
1. Re:Free? by Enry · 2015-03-20 03:56 · Score: 1
  
  Verizon gave me a free router for signing up for FIOS. It's still in my basement collecting dust but it's not a line item on the bill like the cablecard.
Since I don't use wireless.... by Anonymous Coward · 2015-03-20 03:38 · Score: 0

...I completely disabled it from my ISP provided router. Doesn't, of course, mean it cannot be hacked, but it at least keeps one vector out of the equation. I also turned off wireless on my PC (PC came with this capability; I even turned off the Bluetooth though that avenue would require a much closer proximity to attack it). I don't trust wireless period. Even WPA2 has been shown to be vulnerable under certain conditions and who really know if it's under every condition yet. Call me paranoid. lol :)
1. Re:Since I don't use wireless.... by Anonymous Coward · 2015-03-20 04:19 · Score: 0
  
  You do realize this has little-to-nothing to do with wireless, right?
2. Re:Since I don't use wireless.... by Anonymous Coward · 2015-03-20 05:20 · Score: 0
  
  Maybe so; just eliminated one point of entry (and did so completely with prejudice). :)
Only 700k? by Anonymous Coward · 2015-03-20 03:38 · Score: 0

I would assume that every router is vulnerable to hacking.
It's like saying that only a percentage of CPU's are prone to execute code.
Various router models? by EmagGeek · 2015-03-20 03:42 · Score: 2

The webpage linked shows precisely ONE router model. Or, am I blind?
http://www.cvedetails.com/cve/...
even worse threat: AT&T routers support 802.11 by jsepeta · 2015-03-20 03:58 · Score: 1

When replacing my parents' AT&T U-Verse router with a brand new U-Verse router, I was dismayed to note that it only supports 802.11g. WTF? That's a wifi standard from 2003. It's as if AT&T give zero fucks about your wi-fi experience.

--
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
Right To Fix - needed now! by cliffjumper222 · 2015-03-20 03:59 · Score: 1

This is just one example of why there needs to be a clear "right to fix" when it comes to firmware. For *any* object with firmware in it, the owner of the hardware MUST have a legal right to unlock (if locked), reverse engineer (if required), change, update and fix the firmware. We are heading into an abyss where flaws/bugs/exploits in our cars, thermostats, TV's, phones, IOT tags, routers, etc. etc. WILL be found years after they have been sold. There is no way we can rely on the original equipment maker to keep these objects up to date - indeed they might not even be around in a few years when the objects become popular enough to become a target - so we must demand a clear, unambiguous right to fix!
Re:even worse threat: AT&T routers support 802 by nehumanuscrede · 2015-03-20 05:11 · Score: 2

Hmmm
Unless networking between local systems, 802.11g is more than adequate for the Wan link speed they're likely getting from AT&T DSL.
Since you said you were replacing their router and it's your parents ( if your parents are like mine ), I would wager they're not running
NAS backups locally, or doing much else between local systems requiring lots of bandwidth. So I'm not sure I would see a need for
them to run N or even AC class WI-FI. ( Mine most certainly didn't. )
What's the top speed offerings on Uverse . . . . 45Mb/sec best case ? ( I have cable and not in AT&T territory so I have no idea )
Smoothwall FTW by Anonymous Coward · 2015-03-20 05:31 · Score: 0

This is precisely why I use a Smoothwall and, besides that, it was free. I used an old computer laying around and the Smoothwall distribution is free. It's feature rich, secure, well supported by the user community and oh, did I mention IT IS FREE? As in beer.
Fear mongering by Anonymous Coward · 2015-03-20 06:47 · Score: 2

Summary:
1. Belkin ADSL routers are crap and hackable
2. This has been known since 2011
3. As a result, only 700K of them are still in use worldwide
Where's the news? Where's the angle? Pre-fixing a number with "More than" doesn't make it big, it only makes it sound that way. 700K isn't even a spit in the ocean, I live in a medium sized city in a small country and it has more than 700K routers. This is just fearmongering, and it's not even a very good attempt at it. Why was this posted?
Re:even worse threat: AT&T routers support 802 by Anonymous Coward · 2015-03-20 11:11 · Score: 0

This defeatist message brought to you by the domestic ISP oligopoly. "We'll never upgrade your access speed so give up and use any old crap we deliver. And remember to tip the installer handsomely for the privilege of waiting around all day for them to show up."
Wifi speed isn't just a LAN issue by Aqualung812 · 2015-03-21 06:08 · Score: 1

With only 3 non-overlapping channels, and often wifi access points choosing their own overlapping channel (like 3 or 8), your parent's wireless is likely interfering with a neighbor's wireless. This is much more likely in an apartment complex.
If someone is running 802.11g (or, 802.11b because they only have 6mbps DSL and 11mbps 802.11b is more than enough for their DSL), they are occupying the wireless channel for an extended amount of time.
Even a group of grandmas in an apartment complex running 802.11b only to access their 6mb DSL connection would quickly see their speeds plummet because of CMSA/CA causing a cascade failure of the wireless signal.
Going with the current wireless standard (802.11n in both 2.4 and 5ghz) is the right answer. 802.11ac is very new, so I would agree for now that the additional cost isn't worth it. At the very least, 802.11n 2.4ghz should be default.

--
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
Few really control personally bought routers by Anonymous Coward · 2015-03-24 15:53 · Score: 0

Even OpenWRT included proprietary software. The only way to really gain control over your device is to use a OpenWRT derived distribution called LibreCMC and make sure your bootloader is free software too. There are less than a dozen devices you can really have complete control over. There are zero devices with ADSL or cable modem chips as these combo modem routers are dependent on proprietary component for the modem portion. Thereby your losing control over the device. We therefore need a router and a separate modem currently for any secure setup. While I'm hardly going to call a router with LibreCMC secure it is the best starting point as we must discard any device and distribution dependent on proprietary pieces of code from being trustworthy or securable. What we don't know can't be secured.