Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bugs In Belkin Routers Allow DNS Spoofing, Credential Theft

Posted by Soulskill on from the another-day-another-exploit dept.

Trailrunner7 writes: The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers. The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware, as well. The vulnerabilities have not been patched by Belkin, the advisory from the CERT/CC says there aren't any practical workarounds for them. "DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control," the advisory says.

35 of 48 comments (clear)

  1. good news by Anonymous Coward · · Score: 5, Funny

    Good news: an upgrade is available. Bad news: it is a hardware upgrade.

    1. Re:good news by Grishnakh · · Score: 1

      Just upgrade to DD-WRT or OpenWRT. Who still uses manufacturer-provided router firmware anyway?

    2. Re:good news by Bob+the+Super+Hamste · · Score: 1

      Unfortunately you appear to be correct.

      I don't get why manufactures don't just don't put effort into getting OpenWRT, or DDWRT on their routers since it seems like it would be less effort than maintaining their own shit pile of code. For those few consumers who care it would make their lives easier while the vast number of general user wouldn't know the difference.

      --
      Time to offend someone
    3. Re:good news by mr_jrt · · Score: 4, Informative

      (Potentionally) Not for long...

      --
      Boo.
    4. Re:good news by Bert64 · · Score: 1

      I don't understand why manufacturers insist on bundling their own crappy firmware anyway...

      It always has less features than dd-wrt, costs them money to develop and maintain (which they then try to minimize, thus making the firmware even worse), and generates bad publicity when their corner cutting invariably comes back to bite them in the ass through security holes and bad publicity...
      They would all be much better off just bundling dd-wrt and using the money they would have spent on development to contribute towards the project and ensure good support for their devices.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:good news by tlhIngan · · Score: 1

      I don't understand why manufacturers insist on bundling their own crappy firmware anyway...

      It always has less features than dd-wrt, costs them money to develop and maintain (which they then try to minimize, thus making the firmware even worse), and generates bad publicity when their corner cutting invariably comes back to bite them in the ass through security holes and bad publicity...
      They would all be much better off just bundling dd-wrt and using the money they would have spent on development to contribute towards the project and ensure good support for their devices.

      Because a lot of the stuff is proprietary to the chipset. DD-WRT and others get the "open source" versions of that code, which for WiFi often means lower throughput, and on the Ethernet side, again, lowered speeds as the accelerators aren't used.

      It really boils down to the fact that most of the stuff is made by Broadcom, and they're basically a proprietary company. What little they make open-source is generally poorly performing

      Sometimes you get lucky in that Broadcom provides the binary modules as part of the package, so you can get full speed Ethernet and WiFi, but they're binary blobs so you can't peek inside them to see if certain features are supported.

      Anyhow, Netgear does have a little open-source support - they do have "Open Source Routers" which do have DD-WRT or Tomato or other firmware available, and I believe they actually support this configuration - their web site is generally up to date on which routers are "open" and have supported DD-WRT and which ones don't. http://www.myopenrouter.com/

      Asus generally provides source code and there's a big community around them as well. Everyone else is pretty much forget it.

    6. Re:good news by flink · · Score: 2

      Probably due to NDAs they have with component manufacturers.

    7. Re: good news by YodaDaCoda · · Score: 1

      I've long considered starting my own company manufacturing and selling routers, and simply using OpenWRT for the default firmware. Ideally employ a programmer to maintain a branch for my hardware, but of course contributing everything to the open source project and keeping nothing proprietary. The problem is that there isn't really a market for it - the vast majority of people simply don't care.

    8. Re: good news by Grishnakh · · Score: 1

      If you do start such a company, you'll be competing against Buffalo. They use DD-WRT firmware.
      http://www.buffalotech.com/pro...

    9. Re:good news by Grishnakh · · Score: 1

      You're forgetting about Buffalo. They have a whole line of routers running DD-WRT from the factory.

  2. Who cares by mveloso · · Score: 1

    If you care enough to compromise the upstream WAN the router is fucked anyway.

  3. Bugs? by Spazmania · · Score: 1

    Bugs? In a Belkin product? Say it ain't so!

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:Bugs? by Tyrannicsupremacy · · Score: 1

      Now that's a little unfair. The chance of the suspect being black is largely based on region. As we all know, black suspects rarely appear on national news, regardless of what heinous crimes they may commit. Only in the most scandalous and shocking cases do we see them reported nationally.

      --
      http://i.cubeupload.com/T6cyLu.png
    2. Re:Bugs? by Anonymous Coward · · Score: 1

      Now that's a little unfair. The chance of the suspect being black is largely based on region. As we all know, black suspects rarely appear on national news, regardless of what heinous crimes they may commit. Only in the most scandalous and shocking cases do we see them reported nationally.

      National stats: black males are around 7% of the population. They are charged with 50% of the murders. Even if half of all those charges are dropped (theyre not), they are disproportionately violent. Mostly against other blacks.

    3. Re:Bugs? by Spazmania · · Score: 1

      That's because whites get a job working for the store and -then- they steal from it.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  4. A semi workaround by fustakrakich · · Score: 1

    Turn off all automatic upgrades. Do it manually, verifying the source in the process.

    --
    “He’s not deformed, he’s just drunk!”
  5. Is there an uptick? by KGIII · · Score: 1

    There was just a vulnerability reported not long ago on Slashdot and another one was just a few weeks before that as I recall. Is there an uptick in crappy code or is there just more eyeballs on routers now than there used to be?

    --
    "So long and thanks for all the fish."
    1. Re:Is there an uptick? by KGIII · · Score: 1

      The whole IoT is going to be grand, isn't it?

      --
      "So long and thanks for all the fish."
  6. Sounds like what we need by The-Ixian · · Score: 1

    is a firewall for the firewall.

    I just don't understand how people who design commodity networking gear can be so bad at network security.

    I am by no means a network expert, but it seems as though some of these things are just common sense....

    - Don't have ports open to the Internet ("stealth" or otherwise) by default
    - Don't use unencrypted protocols... period
    - Don't enable wireless by default

    Seems like just doing those things our routers would be a lot safer than they are now.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Sounds like what we need by gstoddart · · Score: 1

      I just don't understand how people who design commodity networking gear can be so bad at network security.

      Really? Pick any of the following:

      Lazy, incompetent, cheap, unaccountable, indifferent, greedy

      Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.

      At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy, incompetent, cheap, unaccountable, indifferent, and greedy.

      --
      Lost at C:>. Found at C.
    2. Re:Sounds like what we need by Grishnakh · · Score: 1

      I just don't understand how people who design commodity networking gear can be so bad at network security.
      I am by no means a network expert, but it seems as though some of these things are just common sense....

      To you maybe, but not to a manager.

      - Don't have ports open to the Internet ("stealth" or otherwise) by default

      But then their back doors won't work.

      - Don't use unencrypted protocols... period

      But then some idiot customers will complain.

      - Don't enable wireless by default

      But this makes it easy for idiot customers.

      Seems like just doing those things our routers would be a lot safer than they are now.

      Yes, but these things all have rational reasons behind them, which managers demand, and which increase profitability for the company. Consumers don't care about security, they just want it to work out-of-the-box and be easy. As long as it says it's "secure", that's good enough for them. It's just like the TSA and other security theater: people want to be told that they're safe, and the want to see stuff that makes it look like they're being kept safe, even if in reality they're not safe at all and all those security measures are completely worthless because the security protocols have wide-open back doors.

    3. Re:Sounds like what we need by Grishnakh · · Score: 1

      Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.

      At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy, incompetent, cheap, unaccountable, indifferent, and greedy.

      It's a company's **job** to be greedy. Their sole purpose is to make money, so anything that detracts from that is by definition a bad thing.

      The reason they have shit security is because their customers don't care about it, don't value it, and don't demand it. Customers want things that are cheap, and easy-to-use. Making something highly secure goes against both of these, both in developer effort needed, and in eliminating features that make things easier for consumers but are inherently insecure.

    4. Re:Sounds like what we need by Voyager529 · · Score: 1

      is a firewall for the firewall.

      I just don't understand how people who design commodity networking gear can be so bad at network security.

      Another response to your inquiry handles the cynical/pragmatic answer, but there's another half to it: Unfortunately, 'commodity networking gear' has to work for the same type of people who install 'flashlight' apps on their phones that require access to contacts and GPS. If you and I had our druthers, SOHO routers would ship with DD-WRT or PFSense out of the box...but unfortunately, these boxes get sold at Wal-Mart...to the kinds of people who buy routers at Wal-Mart.

      I am by no means a network expert, but it seems as though some of these things are just common sense....

      Pull 100 people off the sidewalk and ask them if any of these sentences mean anything to them. Odds are good that an unfortunate Saturday afternoon involving whiskey and a circular saw would leave you with enough fingers to count the number of people who could provide an explanation to these concepts. Thus the "common" in "common sense" doesn't really seem to apply.

      - Don't have ports open to the Internet ("stealth" or otherwise) by default

      Okay. And precisely how do you expect Skype to work? FaceTime? Windows Update? POP/IMAP e-mail? watch all that traffic shuffle over 80 and 443, thus making 'ports' useless...or the applications, in the short term. Saying 'screw FaceTime' is a guaranteed way to ensure that people blame the router, and replace it with something basically mirroring what the router does now.

      - Don't use unencrypted protocols... period

      That's beyond the scope of responsibilities for a router. With respect to the greater internet, kindly inform me why Windows/Android/iOS Updates need to be encrypted...or Netflix streams (DRM notwithstanding)...or a dozen other kinds of data that are high volume and don't have security requirements...there's no need to waste CPU cycles on them.

      - Don't enable wireless by default

      A wireless router that ships with wireless disabled...you must be delusional. Remember, there are a whole lot of laptops being sold now that don't have wired capabilities...and cell phones and tablets don't have them at all. People buy routers explicitly for this purpose, and disabling it by default is a guaranteed way to ensure that people return them saying "it doesn't work", the high rate of returns making the entire retail chain roll their eyes, the brand getting a bad reputation, and being suicide for the product. No. Netgear has this right - ship it with a unique WPA2 password, by default, written on the bottom of the router. That is how the wireless problem is, for all practical purposes, solved.

      Seems like just doing those things our routers would be a lot safer than they are now.

      Yes. Now put one of your routers in the hands of the general public, and see exactly how far 'security' gets them - Their iPads don't connect, Skype doesn't work on their desktop, and certificate authorities get to determine who lives and who dies on the internet.

      For places where your line of reasoning is practical, there is SonicWALL, Cisco, Smoothwall, and Barracuda. For home users, there's Asus and Netgear.

    5. Re:Sounds like what we need by The-Ixian · · Score: 1

      - Don't have ports open to the Internet ("stealth" or otherwise) by default

      Okay. And precisely how do you expect Skype to work? FaceTime? Windows Update? POP/IMAP e-mail? watch all that traffic shuffle over 80 and 443, thus making 'ports' useless...or the applications, in the short term. Saying 'screw FaceTime' is a guaranteed way to ensure that people blame the router, and replace it with something basically mirroring what the router does now.

      I meant this from the perspective of the router itself. All too often routers have remote management turned or ports that appear filtered to a scan but are really just waiting for a "magic packet" in order to initiate a remote console.

      - Don't use unencrypted protocols... period

      That's beyond the scope of responsibilities for a router. With respect to the greater internet, kindly inform me why Windows/Android/iOS Updates need to be encrypted...or Netflix streams (DRM notwithstanding)...or a dozen other kinds of data that are high volume and don't have security requirements...there's no need to waste CPU cycles on them.

      Again, from the perspective of the router. When you go to check for new firmware, use encrypted protocols.

      - Don't enable wireless by default

      A wireless router that ships with wireless disabled...you must be delusional. Remember, there are a whole lot of laptops being sold now that don't have wired capabilities...and cell phones and tablets don't have them at all. People buy routers explicitly for this purpose, and disabling it by default is a guaranteed way to ensure that people return them saying "it doesn't work", the high rate of returns making the entire retail chain roll their eyes, the brand getting a bad reputation, and being suicide for the product. No. Netgear has this right - ship it with a unique WPA2 password, by default, written on the bottom of the router. That is how the wireless problem is, for all practical purposes, solved.

      Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion, or do as you suggest, enable wireless but use a unique password clearly labeled on the device itself.

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Sounds like what we need by The-Ixian · · Score: 1

      The thing is, they don't necessarily need to be that good at network security. They can write the crappiest code in the world but it doesn't take a genius to create a simple iptables rule to block all new incoming traffic. Or to use HTTPS when checking for new firmware. The little Linux distro they are probably using (because they are cheap) has this functionality. No extra coding or time required.

      It seems to me that if you have the knowledge to design the hardware, you know networking.... where is the disconnect?

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re:Sounds like what we need by The-Ixian · · Score: 1

      But surely if the product starts to function in a degraded manor because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...

      --
      My eyes reflect the stars and a smile lights up my face.
    8. Re:Sounds like what we need by Grishnakh · · Score: 1

      But surely if the product starts to function in a degraded manor [sic] because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...

      That's not a problem for two reasons:

      1) People are stupid. They'll just buy another one, blame "the hackers", etc.

      2) Even if the company's reputation gets dragged through the mud, it won't matter because the CEO will have already left with his golden parachute. The only thing that's important is the next quarter's financials.

    9. Re:Sounds like what we need by gstoddart · · Score: 1

      It seems to me that if you have the knowledge to design the hardware, you know networking.... where is the disconnect?

      Was I unclear?

      Lazy, incompetent, cheap, unaccountable, indifferent, greedy

      Choose any of the above. It really is that simple.

      --
      Lost at C:>. Found at C.
    10. Re:Sounds like what we need by Grishnakh · · Score: 1

      Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion

      A CD??? What is someone who only has iPads and iPhones supposed to do with a CD? Or what about someone whose laptop doesn't have an optical drive (which is a lot of them these days)?

      Next, you're going to suggest they ship with a floppy disk.

  7. Someday no 3rd party firmware by kamaaina · · Score: 1

    Saw this posted

    http://hackaday.com/2015/08/31...

    It is for 5GHz but if they can get away with 5Ghz why not 2.4

    So if that ever happens, I may become a criminal, flashing my own router to protect myself.

    1. Re:Someday no 3rd party firmware by mattventura · · Score: 1

      1. Buy PC hardware (SuperMicro atom board of your choice off ebay + PicoPSU is a great starting point): $100-150
      2. Get PCIe > miniPCIe adapter with antennas included ~$25
      3. Get wifi card that supports AP mode: $30-100 depending on how much you want to spend.
      There, for as low as $150 you have a device that can run whatever OS you want and will have far better routing performance than a crappy home router (their CPUs are so awful that they need NAT accel hardware to NAT at line speeds). The only thing you miss out on is fancy wifi features like beamforming, but worst case you can just get a standalone AP instead of a wifi card. Plus you never have to worry about locking yourself out or a bad flash bricking it since you're just booting off a thumb drive.

  8. Re:I have bought 5 Belkin products by techno-vampire · · Score: 1

    In the router options, it no mechanism for setting the router to not require a password.

    Even if you ignore the fact that this "sentence" has no verb, it still isn't clear what you mean. Are you saying that there's no way to set the router up so that it doesn't require a password (good) or that you can't set it to require a password (bad)?

    --
    Good, inexpensive web hosting
  9. My Belkin router is spamming me... by slazzy · · Score: 1

    http://www.theregister.co.uk/2... http://yro.slashdot.org/story/...

    --
    Website Just Down For Me? Find out
    1. Re:My Belkin router is spamming me... by amicusNYCL · · Score: 1

      That's always the first thing I think of when I hear "Belkin". I haven't bought any of their products over the last 12 years. I didn't know many people still did, I'm a little surprised they're still making things with their brand on them.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  10. I asked Belkin about a similar issue by laughingskeptic · · Score: 1

    I attempted to report a similar issue to Belkin last October via their forums and asked if they would be providing an update. They not only deleted my post, they deleted the account that I had to set up to make the post. I took that as an emphatic 'NO', there would not be an update.