Slashdot Mirror


Bugs In Belkin Routers Allow DNS Spoofing, Credential Theft

Trailrunner7 writes: The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers. The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware, as well. The vulnerabilities have not been patched by Belkin, and the advisory from the CERT/CC says there aren't any practical workarounds for them. "DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control," the advisory says.
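An added example, not part of the submission or the CERT/CC advisory: a Python audit that reads the transaction ID from captured DNS queries and flags a client whose IDs simply count upward, as the advisory describes, next to the random ID a hardened stub resolver would use. The packets, the example.com hostnames and the 0.9 threshold are constructed assumptions; source-port randomization is the general RFC 5452 hardening, not something the advisory discusses.

```python
import secrets
import struct

# DNS header layout (RFC 1035): ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(txid: int, name: str) -> bytes:
    """Build a minimal DNS A query carrying the given transaction ID."""
    header = DNS_HEADER.pack(txid & 0xFFFF, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(packet: bytes) -> int:
    """Return the transaction ID of a query; reject truncated data and responses."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, *_ = DNS_HEADER.unpack_from(packet)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    return txid


def audit_txids(packets, threshold=0.9):
    """Measure how often consecutive queries from one client differ by exactly +1.

    With random 16-bit IDs a +1 step happens about once in 65536 queries, so a
    fraction near 1.0 means the ID is a counter and adds no unpredictability.
    The threshold is an assumption chosen for this example.
    """
    txids = [parse_txid(p) for p in packets]
    if len(txids) < 2:
        raise ValueError("need at least two queries to compare")
    # Mask to 16 bits so the 0xFFFF -> 0x0000 wrap still counts as a +1 step.
    deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    fraction = sum(d == 1 for d in deltas) / len(deltas)
    return {
        "txids": txids,
        "sequential_fraction": fraction,
        "predictable": fraction >= threshold,
    }


def random_txid() -> int:
    """Transaction ID drawn from the OS CSPRNG, as a hardened resolver would."""
    return secrets.randbelow(1 << 16)


def blind_guess_space(random_id: bool, random_port: bool) -> int:
    """Count the (TXID, UDP source port) pairs a forged reply has to match.

    A counter-based ID or a fixed port contributes a single known value.
    Ports 1024-65535 are assumed available for randomization.
    """
    ids = (1 << 16) if random_id else 1
    ports = (65536 - 1024) if random_port else 1
    return ids * ports


if __name__ == "__main__":
    # Constructed capture modelling the advisory: IDs start at 0x0002 and increment.
    names = ["update.example.com", "ntp.example.com"] * 3
    weak = [build_query(0x0002 + i, n) for i, n in enumerate(names)]
    strong = [build_query(random_txid(), n) for n in names]
    for label, capture in (("counter", weak), ("csprng", strong)):
        report = audit_txids(capture)
        ids = " ".join(f"{t:#06x}" for t in report["txids"])
        print(f"{label:8} predictable={report['predictable']} ids={ids}")
    print("values to match, counter ID + fixed port:", blind_guess_space(False, False))
    print("values to match, random ID + random port:", blind_guess_space(True, True))
```

Run against a real capture, the same check only needs the first 12 bytes of each UDP payload sent to port 53 by the device under test.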

48 comments

  1. good news by Anonymous Coward · · Score: 5, Funny

    Good news: an upgrade is available. Bad news: it is a hardware upgrade.

    1. Re:good news by Grishnakh · · Score: 1

      Just upgrade to DD-WRT or OpenWRT. Who still uses manufacturer-provided router firmware anyway?

    2. Re:good news by Anonymous Coward · · Score: 0

      The hardware is in need of refactoring. Too many platforms running too many broken OSes running too many broken apps with too many legacy framework ports running too many buggy libraries linking too many glitchy modules. We don't even know what's in most of the software anymore because we're all too busy writing apps, learning developer framework-du-jour, and porting broken crappy libraries to brand new broken programming languages just so we can stay slightly ahead of the curve.

      What's this "quality" thing they keep talking about? It sounds nice. Maybe we should get some of that.

    3. Re:good news by Bob+the+Super+Hamste · · Score: 1

      Unfortunately you appear to be correct.

      I don't get why manufacturers don't just put effort into getting OpenWRT, or DDWRT on their routers since it seems like it would be less effort than maintaining their own shit pile of code. For those few consumers who care it would make their lives easier while the vast number of general users wouldn't know the difference.

      --
      Time to offend someone
    4. Re:good news by mr_jrt · · Score: 4, Informative

      (Potentially) Not for long...

      --
      Boo.
    5. Re:good news by Bert64 · · Score: 1

      I don't understand why manufacturers insist on bundling their own crappy firmware anyway...

      It always has less features than dd-wrt, costs them money to develop and maintain (which they then try to minimize, thus making the firmware even worse), and generates bad publicity when their corner cutting invariably comes back to bite them in the ass through security holes and bad publicity...
      They would all be much better off just bundling dd-wrt and using the money they would have spent on development to contribute towards the project and ensure good support for their devices.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:good news by tlhIngan · · Score: 1

      I don't understand why manufacturers insist on bundling their own crappy firmware anyway...

      It always has less features than dd-wrt, costs them money to develop and maintain (which they then try to minimize, thus making the firmware even worse), and generates bad publicity when their corner cutting invariably comes back to bite them in the ass through security holes and bad publicity...
      They would all be much better off just bundling dd-wrt and using the money they would have spent on development to contribute towards the project and ensure good support for their devices.

      Because a lot of the stuff is proprietary to the chipset. DD-WRT and others get the "open source" versions of that code, which for WiFi often means lower throughput, and on the Ethernet side, again, lowered speeds as the accelerators aren't used.

      It really boils down to the fact that most of the stuff is made by Broadcom, and they're basically a proprietary company. What little they make open-source is generally poorly performing.

      Sometimes you get lucky in that Broadcom provides the binary modules as part of the package, so you can get full speed Ethernet and WiFi, but they're binary blobs so you can't peek inside them to see if certain features are supported.

      Anyhow, Netgear does have a little open-source support - they do have "Open Source Routers" which do have DD-WRT or Tomato or other firmware available, and I believe they actually support this configuration - their web site is generally up to date on which routers are "open" and have supported DD-WRT and which ones don't. http://www.myopenrouter.com/

      Asus generally provides source code and there's a big community around them as well. Everyone else is pretty much forget it.

    7. Re:good news by flink · · Score: 2

      Probably due to NDAs they have with component manufacturers.

    8. Re: good news by YodaDaCoda · · Score: 1

      I've long considered starting my own company manufacturing and selling routers, and simply using OpenWRT for the default firmware. Ideally employ a programmer to maintain a branch for my hardware, but of course contributing everything to the open source project and keeping nothing proprietary. The problem is that there isn't really a market for it - the vast majority of people simply don't care.

    9. Re:good news by Anonymous Coward · · Score: 0

      So separate your firmware from the wifi radio firmware. They want you to run their code on the wifi radio? Fine. The rest of the hardware is yours to customize.

    10. Re: good news by Grishnakh · · Score: 1

      If you do start such a company, you'll be competing against Buffalo. They use DD-WRT firmware.
      http://www.buffalotech.com/pro...

    11. Re:good news by Grishnakh · · Score: 1

      You're forgetting about Buffalo. They have a whole line of routers running DD-WRT from the factory.

  2. Who cares by mveloso · · Score: 1

    If you care enough to compromise the upstream WAN the router is fucked anyway.

    1. Re:Who cares by Anonymous Coward · · Score: 0

      No need to compromise the WAN.
      This is DNS spoofing, can be done from anywhere if you can spoof udp and guess the txid.

    2. Re:Who cares by Anonymous Coward · · Score: 0

      "And Guess the txid" I think this is the part that would require compromising the upstream wan. I think you'd need to intercept their dns traffic to find out what txid they are on.

  3. Bugs? by Spazmania · · Score: 1

    Bugs? In a Belkin product? Say it ain't so!

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:Bugs? by Tyrannicsupremacy · · Score: 1

      Now that's a little unfair. The chance of the suspect being black is largely based on region. As we all know, black suspects rarely appear on national news, regardless of what heinous crimes they may commit. Only in the most scandalous and shocking cases do we see them reported nationally.

      --
      http://i.cubeupload.com/T6cyLu.png
    2. Re:Bugs? by Anonymous Coward · · Score: 1

      Now that's a little unfair. The chance of the suspect being black is largely based on region. As we all know, black suspects rarely appear on national news, regardless of what heinous crimes they may commit. Only in the most scandalous and shocking cases do we see them reported nationally.

      National stats: black males are around 7% of the population. They are charged with 50% of the murders. Even if half of all those charges are dropped (theyre not), they are disproportionately violent. Mostly against other blacks.

    3. Re:Bugs? by Anonymous Coward · · Score: 0

      All interesting viewpoints, however as a totally disinterested party, who is neither particularly racist, nor a big fan of fascists, I can't help but feel a deep feeling of "I told you so" when I learned of the latest cop killing, which in my theoretically perfect society view is morally reprehensible, and honestly, a sad event. It seems all the multicultural nonsense and very sophisticated politically correct bullshit you have been suckled on hasn't worked out. The problem is I don't really have a solution to offer you, except to say I've been alive a long time now and having witnessed the assassination of martin luther king, in a day where most cops were knightstick wielding Irishman. I find it difficult to understand neither a group of Oakland burning savages, nor a local police force that has no qualms about styling itself after a Nazi style military force that is used against its own citizenry at every opportunity.
      Ultimately, my solution has been to acquire as much money as possible and secret myself away behind locked gates and armed security. Neither savages, nor fascists are allowed to operate inside. That is because I am a fully assimilated 3rd generation American, who speaks the language, operates mostly within the law, and understands that I have innumerable unalienable rights, and simply refuses to take more than a reasonable amount of shit from anybody. I think that is the nugget you can take away if your looking for advice... realize that all men, regardless of size, color, religion, or what have you, have a natural limit to the amount of shit they will take. These levels vary greatly, however the limits are well known and only sociopaths test those limits, with the inevitable results. This is true whether you are cop, a convict, or a connoisseur, or a cleaning lady. I wish all people could live within their nature rather than project their rage into this universe, however this is not realistic. Maybe all your psychobabble will work out, just remember to stay away from people like me, 'cause the truth is, you don't stand a chance against a man that knows how to project the power of freedom against kings and cocksuckers alike.

    4. Re:Bugs? by Spazmania · · Score: 1

      That's because whites get a job working for the store and -then- they steal from it.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  4. A semi workaround by fustakrakich · · Score: 1

    Turn off all automatic upgrades. Do it manually, verifying the source in the process.

    --
    “He’s not deformed, he’s just drunk!”
  5. I have bought 5 Belkin products by Anonymous Coward · · Score: 0

    3 of them didn't really work. The other had very extremely awkward user interfaces or drivers.

    Then they bought Linksys from Cisco --- if you go to 192.168.1.1 and set up the router --- you actually need a recent version of Chrome or FireFox. So you can't set up the router using a mobile phone or an iPad.
     
    You also *MUST* install the CD provided, which is of course for Windows. They actually made router setup require a CD.

    In the router options, it no mechanism for setting the router to not require a password.
     
    This is just one Belkin product example ---- how is Belkin still in business?

    1. Re:I have bought 5 Belkin products by techno-vampire · · Score: 1

      In the router options, it no mechanism for setting the router to not require a password.

      Even if you ignore the fact that this "sentence" has no verb, it still isn't clear what you mean. Are you saying that there's no way to set the router up so that it doesn't require a password (good) or that you can't set it to require a password (bad)?

      --
      Good, inexpensive web hosting
    2. Re:I have bought 5 Belkin products by Anonymous Coward · · Score: 0

      I meant no password for a device to connect to it for internet access.

    3. Re:I have bought 5 Belkin products by Anonymous Coward · · Score: 0

      This is usually referred to as a pre-shared key, or PSK, and not just a password.

  6. Is there an uptick? by KGIII · · Score: 1

    There was just a vulnerability reported not long ago on Slashdot and another one was just a few weeks before that as I recall. Is there an uptick in crappy code or are there just more eyeballs on routers now than there used to be?

    --
    "So long and thanks for all the fish."
    1. Re:Is there an uptick? by Anonymous Coward · · Score: 0

      I think it's partly increased feature set in embedded devices (automatic vs. manual firmware updates, for one) and the current approach to firmware updates.

      Even though most home routers are Linux-based nowadays, unlike a regular general-purpose Linux distro you can't just update or patch individual components on your home router such as the local DNS resolver if a vulnerability is discovered - you have to wait until the manufacturer bundles the fix into their next firmware release, if ever. And I'd expect that the device manufacturers are directing their firmware development spending to supporting shiny new devices and features rather than hardening last year's models - greater return on investment, good for the company's bottom line.

    2. Re:Is there an uptick? by KGIII · · Score: 1

      The whole IoT is going to be grand, isn't it?

      --
      "So long and thanks for all the fish."
  7. Sounds like what we need by The-Ixian · · Score: 1

    is a firewall for the firewall.

    I just don't understand how people who design commodity networking gear can be so bad at network security.

    I am by no means a network expert, but it seems as though some of these things are just common sense....

    - Don't have ports open to the Internet ("stealth" or otherwise) by default
    - Don't use unencrypted protocols... period
    - Don't enable wireless by default

    Seems like just doing those things our routers would be a lot safer than they are now.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Sounds like what we need by gstoddart · · Score: 1

      I just don't understand how people who design commodity networking gear can be so bad at network security.

      Really? Pick any of the following:

      Lazy, incompetent, cheap, unaccountable, indifferent, greedy

      Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.

      At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy, incompetent, cheap, unaccountable, indifferent, and greedy.

      --
      Lost at C:>. Found at C.
    2. Re:Sounds like what we need by Grishnakh · · Score: 1

      I just don't understand how people who design commodity networking gear can be so bad at network security.
      I am by no means a network expert, but it seems as though some of these things are just common sense....

      To you maybe, but not to a manager.

      - Don't have ports open to the Internet ("stealth" or otherwise) by default

      But then their back doors won't work.

      - Don't use unencrypted protocols... period

      But then some idiot customers will complain.

      - Don't enable wireless by default

      But this makes it easy for idiot customers.

      Seems like just doing those things our routers would be a lot safer than they are now.

      Yes, but these things all have rational reasons behind them, which managers demand, and which increase profitability for the company. Consumers don't care about security, they just want it to work out-of-the-box and be easy. As long as it says it's "secure", that's good enough for them. It's just like the TSA and other security theater: people want to be told that they're safe, and they want to see stuff that makes it look like they're being kept safe, even if in reality they're not safe at all and all those security measures are completely worthless because the security protocols have wide-open back doors.

    3. Re:Sounds like what we need by Grishnakh · · Score: 1

      Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.

      At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy, incompetent, cheap, unaccountable, indifferent, and greedy.

      It's a company's **job** to be greedy. Their sole purpose is to make money, so anything that detracts from that is by definition a bad thing.

      The reason they have shit security is because their customers don't care about it, don't value it, and don't demand it. Customers want things that are cheap, and easy-to-use. Making something highly secure goes against both of these, both in developer effort needed, and in eliminating features that make things easier for consumers but are inherently insecure.

    4. Re:Sounds like what we need by Voyager529 · · Score: 1

      is a firewall for the firewall.

      I just don't understand how people who design commodity networking gear can be so bad at network security.

      Another response to your inquiry handles the cynical/pragmatic answer, but there's another half to it: Unfortunately, 'commodity networking gear' has to work for the same type of people who install 'flashlight' apps on their phones that require access to contacts and GPS. If you and I had our druthers, SOHO routers would ship with DD-WRT or PFSense out of the box...but unfortunately, these boxes get sold at Wal-Mart...to the kinds of people who buy routers at Wal-Mart.

      I am by no means a network expert, but it seems as though some of these things are just common sense....

      Pull 100 people off the sidewalk and ask them if any of these sentences mean anything to them. Odds are good that an unfortunate Saturday afternoon involving whiskey and a circular saw would leave you with enough fingers to count the number of people who could provide an explanation to these concepts. Thus the "common" in "common sense" doesn't really seem to apply.

      - Don't have ports open to the Internet ("stealth" or otherwise) by default

      Okay. And precisely how do you expect Skype to work? FaceTime? Windows Update? POP/IMAP e-mail? watch all that traffic shuffle over 80 and 443, thus making 'ports' useless...or the applications, in the short term. Saying 'screw FaceTime' is a guaranteed way to ensure that people blame the router, and replace it with something basically mirroring what the router does now.

      - Don't use unencrypted protocols... period

      That's beyond the scope of responsibilities for a router. With respect to the greater internet, kindly inform me why Windows/Android/iOS Updates need to be encrypted...or Netflix streams (DRM notwithstanding)...or a dozen other kinds of data that are high volume and don't have security requirements...there's no need to waste CPU cycles on them.

      - Don't enable wireless by default

      A wireless router that ships with wireless disabled...you must be delusional. Remember, there are a whole lot of laptops being sold now that don't have wired capabilities...and cell phones and tablets don't have them at all. People buy routers explicitly for this purpose, and disabling it by default is a guaranteed way to ensure that people return them saying "it doesn't work", the high rate of returns making the entire retail chain roll their eyes, the brand getting a bad reputation, and being suicide for the product. No. Netgear has this right - ship it with a unique WPA2 password, by default, written on the bottom of the router. That is how the wireless problem is, for all practical purposes, solved.

      Seems like just doing those things our routers would be a lot safer than they are now.

      Yes. Now put one of your routers in the hands of the general public, and see exactly how far 'security' gets them - Their iPads don't connect, Skype doesn't work on their desktop, and certificate authorities get to determine who lives and who dies on the internet.

      For places where your line of reasoning is practical, there is SonicWALL, Cisco, Smoothwall, and Barracuda. For home users, there's Asus and Netgear.

    5. Re:Sounds like what we need by The-Ixian · · Score: 1

      - Don't have ports open to the Internet ("stealth" or otherwise) by default

      Okay. And precisely how do you expect Skype to work? FaceTime? Windows Update? POP/IMAP e-mail? watch all that traffic shuffle over 80 and 443, thus making 'ports' useless...or the applications, in the short term. Saying 'screw FaceTime' is a guaranteed way to ensure that people blame the router, and replace it with something basically mirroring what the router does now.

      I meant this from the perspective of the router itself. All too often routers have remote management turned on or ports that appear filtered to a scan but are really just waiting for a "magic packet" in order to initiate a remote console.

      - Don't use unencrypted protocols... period

      That's beyond the scope of responsibilities for a router. With respect to the greater internet, kindly inform me why Windows/Android/iOS Updates need to be encrypted...or Netflix streams (DRM notwithstanding)...or a dozen other kinds of data that are high volume and don't have security requirements...there's no need to waste CPU cycles on them.

      Again, from the perspective of the router. When you go to check for new firmware, use encrypted protocols.

      - Don't enable wireless by default

      A wireless router that ships with wireless disabled...you must be delusional. Remember, there are a whole lot of laptops being sold now that don't have wired capabilities...and cell phones and tablets don't have them at all. People buy routers explicitly for this purpose, and disabling it by default is a guaranteed way to ensure that people return them saying "it doesn't work", the high rate of returns making the entire retail chain roll their eyes, the brand getting a bad reputation, and being suicide for the product. No. Netgear has this right - ship it with a unique WPA2 password, by default, written on the bottom of the router. That is how the wireless problem is, for all practical purposes, solved.

      Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion, or do as you suggest, enable wireless but use a unique password clearly labeled on the device itself.

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Sounds like what we need by The-Ixian · · Score: 1

      The thing is, they don't necessarily need to be that good at network security. They can write the crappiest code in the world but it doesn't take a genius to create a simple iptables rule to block all new incoming traffic. Or to use HTTPS when checking for new firmware. The little Linux distro they are probably using (because they are cheap) has this functionality. No extra coding or time required.

      It seems to me that if you have the knowledge to design the hardware, you know networking.... where is the disconnect?

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re:Sounds like what we need by The-Ixian · · Score: 1

      But surely if the product starts to function in a degraded manor because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...

      --
      My eyes reflect the stars and a smile lights up my face.
    8. Re:Sounds like what we need by Anonymous Coward · · Score: 0

      Or they end up upgrading to the latest model of the month.

    9. Re:Sounds like what we need by Grishnakh · · Score: 1

      But surely if the product starts to function in a degraded manor [sic] because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...

      That's not a problem for two reasons:

      1) People are stupid. They'll just buy another one, blame "the hackers", etc.

      2) Even if the company's reputation gets dragged through the mud, it won't matter because the CEO will have already left with his golden parachute. The only thing that's important is the next quarter's financials.

    10. Re:Sounds like what we need by gstoddart · · Score: 1

      It seems to me that if you have the knowledge to design the hardware, you know networking.... where is the disconnect?

      Was I unclear?

      Lazy, incompetent, cheap, unaccountable, indifferent, greedy

      Choose any of the above. It really is that simple.

      --
      Lost at C:>. Found at C.
    11. Re:Sounds like what we need by Grishnakh · · Score: 1

      Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion

      A CD??? What is someone who only has iPads and iPhones supposed to do with a CD? Or what about someone whose laptop doesn't have an optical drive (which is a lot of them these days)?

      Next, you're going to suggest they ship with a floppy disk.

  8. Someday no 3rd party firmware by kamaaina · · Score: 1

    Saw this posted

    http://hackaday.com/2015/08/31...

    It is for 5GHz, but if they can get away with 5GHz, why not 2.4?

    So if that ever happens, I may become a criminal, flashing my own router to protect myself.

    1. Re:Someday no 3rd party firmware by mattventura · · Score: 1

      1. Buy PC hardware (SuperMicro atom board of your choice off ebay + PicoPSU is a great starting point): $100-150
      2. Get PCIe > miniPCIe adapter with antennas included ~$25
      3. Get wifi card that supports AP mode: $30-100 depending on how much you want to spend.
      There, for as low as $150 you have a device that can run whatever OS you want and will have far better routing performance than a crappy home router (their CPUs are so awful that they need NAT accel hardware to NAT at line speeds). The only thing you miss out on is fancy wifi features like beamforming, but worst case you can just get a standalone AP instead of a wifi card. Plus you never have to worry about locking yourself out or a bad flash bricking it since you're just booting off a thumb drive.

  9. My Belkin router is spamming me... by slazzy · · Score: 1
    --
    Website Just Down For Me? Find out
    1. Re:My Belkin router is spamming me... by amicusNYCL · · Score: 1

      That's always the first thing I think of when I hear "Belkin". I haven't bought any of their products over the last 12 years. I didn't know many people still did, I'm a little surprised they're still making things with their brand on them.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  10. Can someone explain this? by Anonymous Coward · · Score: 0

    As someone who is trying to build a small hardware project with limited reach (looking at a few hundred units), it won't get mass appeal or hundreds of open source forks to fix my shortcomings, I am so worried about security.

    I have been trying to learn PKI and what I need to keep it secure, but, I will most likely be limited to a lot of open source projects and there are very limited resources out there that explain security start to finish on embedded - can someone explain what is actually wrong here and what a countermeasure would be?

  11. Belkin? Say it isn't so! by Anonymous Coward · · Score: 0

    Shitty hardware by Belkin? Shocking. Well, not in this case, but I wouldn't test their insulation any more than necessary.

  12. I asked Belkin about a similar issue by laughingskeptic · · Score: 1

    I attempted to report a similar issue to Belkin last October via their forums and asked if they would be providing an update. They not only deleted my post, they deleted the account that I had to set up to make the post. I took that as an emphatic 'NO', there would not be an update.