Flaw could expose 'millions' of home routers

Millions of household routers are susceptible to a flaw that creates a handy means for hackers to hijack surfing sessions or hack into home networks. Craig Heffner, a researcher at security consultancy Seismic, is due to detail the flaw and release a proof-of-concept tool at the Black Hat conference in Vegas later this month. …

COMMENTS

This topic is closed for new posts.
Happy

Change password...

Then

Find the user manual to change your router's password, also apply at least WPA2 security whilst you are there.

Most routers are accessed via 192.168.0.1 192.168.1.1 or 192.168.100.100 or sometimes 192.168.1.254

Don't use Mckinnon style passwords!

1
0
Gold badge
Black Helicopters

Great advice, thanks

Now how do I change the password if my ISP won't tell me what the existing one is?

And how do I use a different router, if they won't tell me the login details I need to access my ADSL account?

Basically:

Internet connection means all sorts of s**t will come to your door.

Wireless means all sorts of s**t will end up on your network.

0
2
Silver badge
WTF?

@BristolBachelor

Change your ISP. No way would I stay one more second with an ISP that treated me like that.

6
0
Flame

WPA2...

Is not possible if you own a Nintendo DS or one of its current variants :(

0
1
Bronze badge

Add your own router...

on your side of the ISP's router. Use NAT and add as many machines as you like on your home network. The ISP's router does the ADSL login, as, as far as it is concerned, it's connected to a single device on your side.

Of course, you pay the electricity bill for both routers, about £10-20 a year. Not very green.

Then the attacker has (assuming you've fallen for the exploit script - try installing NoScript) a choice of two routers to attack. You've got a strong password on yours, but the ISP's still has the old password. Better not trust it for anything other than providing bandwidth, configure your DNS servers on your router yourself.

0
1

ISP won't tell you the password

Some ISPs (O2, for example) force-changed their router passwords to be the serial number, so try using that one.

0
0
Paris Hilton

Not very green?

"Of course, you pay the electricity bill for both routers, about £10-20 a year. Not very green."

What's not very green? What do you mean?

0
2
Silver badge

@ BristolBachelor

Don't you need the password in order to log in and administer the router? Set options, etc?

If your ISP is really that lame or controlling, tell your provider you want in or you're going to up sticks and move (stuck in a contract? tell them you will hold them responsible for the costs of recovering your computers if their router is compromised...).

Having said that, go to the login screen and set the user name to "admin" and the password to "admin". You'd be surprised|disheartened at how often that works...

PS: My Livebox seems to screw itself up and need a complete factory-reset about once every six months. Not hard to do, but... come on... who the hell are you with that won't tell you your account login details either?

1
0
Stop

Wow!

Security Researcher discovers issue with routers configured to use default username \ passwords and IP addresses.

HOLD THE FRONT PAGE!

0
1
Anonymous Coward

try reading the fscking links next time

No. Security researcher finds another way to access those piss poorly secured routers. This isn't slashdot, you're supposed to read the damn links.

And just for a change the answer is not 'run NoScript', though it probably will be about 30min after he spills the beans.

0
0
Coat

Change password...?

Guess it's not a good idea to use 'admin' & 'password' as the log in credentials to my router then?

0
0
Joke

Sigh...

..only an idiot would use them, you need to make it alpha-numeric.

Try Password1 or Password01 for extra security.

0
0
Anonymous Coward

What list?

Er, can't see the full list. Pointer, anyone, please?

0
0

Re: Can't find the link

http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

0
0
NJS
Welcome

Full list is available here

http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

0
0
Paris Hilton

Didn't I read this last week?

And I could have sworn it was here. But search (here or at Google News) doesn't find it.

Anybody want next weekend's lottery numbers? Drop me a note on Monday and I'll let you know.

Where's the "confused" icon. Oh, I know...

0
0
Anonymous Coward

amusing

interestingly enough, my little Piece-O-Shit™ $16 Trendnet isn't listed as vulnerable

Anon so the router bogeyman can't find me. [dons tinfoil headwear, just to be sure]

0
0
Anonymous Coward

Just checked a WRT54GL

put in the WAN IP address into browser - took me to router admin page, this seems a bad idea as external IP address is known to websites you visit (hopefully internal address is harder to get)

my temp solution is to use port forwarding to send port 80 to unused ip address on my network

0
0
Bronze badge
Big Brother

Don't Panic Mr Mannering

A lot of routers will send the admin page if a device behind it requests the WAN IP, test from outside your network (from your 3G phone for example).

But if you're still getting the Admin page from outside then you need to log in and turn that shit off pronto, also have to wonder what you're getting out of this site besides the fear.

1
0
FAIL

re: Don't Panic Mr Mannering

No panic - but it is a bad idea for router to respond to WAN address from the LAN with the same response - as that means the attacker can easily work out where your router's admin configuration page is - you have of course moved your router off the default 192.168.0.1/192.168.1.1 haven't you

1
0
Silver badge

@ AC

That's normal. I have a DynDNS account on which I sometimes run a local server. It would be nice to log into my server from my own machine by sort-of bouncing the request off the internet - helps me check I've opened up the router firewall correctly.

But every time I try, I get the router's login page. It only works if I use an external intermediate, such as http://freeproxyserver.net/

0
0
Bronze badge

To see the list look at the embedded spreadsheet here:

http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

0
0

Here is the list

http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

Or this link might take you straight to it

https://spreadsheets.google.com/pub?key=0Aupu_01ythaUdGZINXQ5Vi16X3hXb3VPYkszNXM0YXc&hl=en

0
0

Of course you could always block incoming from 192.168.*.*

You could always implement a firewall rule to perform IP filtering on anything coming from the WAN side to block any addresses from the local LAN. After all, nothing from the WAN should be using the standard class C reserved addresses 192.168.0.0 - 192.168.255.255. Just block all of those addresses from inbound WAN traffic.

1
2
Thumb Down

@Highlander

But the malicious traffic actually comes from your own PC, not from the Internet. The filtering you suggest, while theoretically a good idea, is of no use here.

Anyway the "special use" IP addresses (RFC 5735) are not likely to hit your front door, since sane ISPs are unlikely to accept these in the DFZ.

0
0
TJK
FAIL

/16 is not /24

"After all, nothing from the WAN should be using the standard class C reserved addresses 192.168.0.0 - 192.168.255.255"

That would be a Class B, not a Class C.

/pedant

0
0
Anonymous Coward

/16 != Class B

So there.

/Bigger Pedant

0
0
TJK

How so?

Standard CIDR notation, a /16 network has a subnet mask of 255.255.0.0 which is a Class B network.

Or are you referring to the original designation of Class address spaces whereby everything above 192.0.0.0 is a Class C? (up until multicast)

0
0

Yes, thank you, I know, but you can't edit after posting.

letters

0
0

Thank you, next time I will actually read before commenting...

I had not read sufficiently to realize that the attack was browser and not router based.

0
0
Happy

@TJK

No, a /16 network isn't always a Class B network. The Class B networks start with binary "10", and cover the range from 128.0.0.0 to 191.255.255.255. In classful addressing their natural netmask is 255.255.0.0, i.e. /16 in CIDR notation.

The network 170.56.77.0/24 (CIDR-notation) is a /24 subnet of the Class B network 170.56.0.0. And 192.168.0.0/16 (CIDR-notation) is a supernet of the Class C networks 192.168.0.0 through 192.168.255.0.

Everyone please forget everything about classful addressing.

0
0
Boffin

My router's on that list

but then I'm not stupid and won't be lured to some dodgy website (probably Chinese) hosting this malicious code. Plus I changed the default username/password to something a lot more secure as soon as I got my router.

It's only stupid gullible people (the type that readily click on adverts) who will fall for this and frankly they deserve to be hacked.

Anonymous for obvious reasons

0
0
Silver badge
Boffin

The trouble is

That if one of your regular, trusted web sites contains its own security holes, the bad guys could inject the attack code there and then use that to subvert your router. The days have gone when all you needed to do was to stay away from porn, hacking and Russian-hosted web sites.

3
0

you *are* joking, one hopes

A small script can easily be tucked away on a legit website. Local government websites are good target environments for trying to inject malware. An ad with a malicious payload embedded was successfully put into the NYTimes queue not long ago.

The attack runs a trusted script on your PC, so you needn't click on anything to be popped.

As for the unlisted Trendnet.... Untested too, but I have a suspicion that AC here would be happy to buy it as a hardened router. You can include the spreadsheet as evidence.

0
0
Gold badge
FAIL

I'm safe; I don't use the internet

So you missed all the news about most of the malicious content on the net NOT being on pron sites? It seems that you stand a better chance of catching users by putting your malware on "normal" sites like BBC, CBS, etc. A lot of which are vulnerable to having extra content added because of the way they work.

So no, you are not likely to suffer if you do not use the internet...

0
0

Re: Just checked a WRT54GL

Well login then and turn off admin access from the WAN side.

1
0
Anonymous Coward

re: Well login then and turn off admin access from the WAN side.

re:Well login then and turn off admin access from the WAN side.

it is not the admin access from the WAN side - which is port 8080 and is off.

It is accessing the web admin from port 80 using the router's WAN IP address instead of the router's LAN address. It is trivial to get the WAN IP address and use it in an attack script created server side, it is harder to get the local router's LAN port - therefore a more complex script and requires something like JAVA.

0
0
Anonymous Coward

"if one of your regular, trusted web sites ... gets compromised"

It doesn't even have to be one of your regular trusted web sites that gets hacked itself; if one of them uses an external ad server (or something functionally equivalent), and that gets compromised, that's sufficient.

Unlikely? Maybe, maybe not. It has already happened here once at The Register, though right now I can't find a link... might not have been an external adserver, might have been an internal load balancer, same basic principle applies.

And then there was the perfectly respectable TV aerial repair outfit I needed to call one New Year following some windy weather. Their website had been got at over the holiday.

Anybody thinking these kinds of problems are restricted to dodgy websites and that they don't use them therefore they're safe needs to reconsider.

2
0

Hehehe

...and people said I was crazy spending all that time (just a couple hours really) building myself a pair of openbsd routers...

Let's see the browser-based openssh / vlan hopping attacks...

0
0
FAIL

Why bother if you're on Virgin!

That shitty DLINK router Virgin are sending out...

Default login admin, default password blank!

DNS/DHCP on by default!

Wireless encryption and MAC filter both off!

So as soon as Joe Public plugs it in, instant free wireless hotspot!

2
0
Alert

Virgin DLINK routers

When they sent me one after I complained about something else and they upgraded my line speed, I continued using my existing router. I configured the DLINK one as a separate wireless access point with WPA2 and very strong passwords. User manual comes on a CD. Easy enough to read it and set it up as required, but not much use for ungeeks who don't read manuals. Those who just plug it in and expect a secure default configuration probably get what's coming to them, though the defaults could be improved by printing strong passwords on labels stuck to the machine (different for each router), configuring WPA2 by default and turning off UPnP.

The reason they don't is probably that sending them out secure increases the support desk traffic, and it probably costs a few pence more to have different passwords on every one they send out.

0
0
Thumb Up

Has its uses

And instant free plausible deniability when hit with a 'copyright infringement detected at your ip' notice. Awesome!

1
0

What's up MAC?

So I suppose if I only permit specific MAC addresses on my router I should be ok, right?

0
1

No

No, that would secure you against the attack, but it would have the same effect as unplugging your PC from the router which again would secure you from the attack but have rather noticeable side effects.

The attack on the router comes from *YOUR* PC (your browser to be specific). If you block your MAC, bye-bye internet. There are a number of possible hardening solutions you can use. e.g. force your browser to use a non-existent proxy when accessing your router's IP, set a decent user/pass combo on the router, change the router's IP from its usual 192.168.0.1 / 192.168.1.1 to make it harder to find etc.

Personally I would go with more than one.

0
0
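One way to do the "non-existent proxy for the router's IP" hardening suggested in the comment above is a proxy auto-config (PAC) file; this is an added example, not code from the thread or the article. The router addresses and the dead proxy endpoint are assumptions, and the check also covers a hostname that resolves to the router's address when the browser's PAC `dnsResolve()` helper is available.

```javascript
// Added example: PAC logic that sends any browser request aimed at the
// router's admin address to a proxy that does not exist, so it fails.
// ROUTER_ADDRS and SINK are assumptions; adjust them for your own network.
var ROUTER_ADDRS = ["192.168.0.1", "192.168.1.1"]; // assumed router LAN addresses
var SINK = "PROXY 127.0.0.1:9"; // assumed dead endpoint: nothing listens here

// Parse a dotted-quad string into an unsigned 32-bit number, or null.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Compare numerically so "192.168.001.001" matches "192.168.1.1".
var ROUTER_INTS = ROUTER_ADDRS.map(ipToInt);

// Literal addresses are used as-is. Names are resolved with the PAC helper
// dnsResolve() when the browser provides it; elsewhere (e.g. Node) names
// cannot be checked and are treated as "not the router".
function resolveHost(host) {
  var literal = ipToInt(host);
  if (literal !== null) return literal;
  if (typeof dnsResolve === "function") return ipToInt(dnsResolve(host) || "");
  return null;
}

function isRouter(host) {
  var addr = resolveHost(host);
  return addr !== null && ROUTER_INTS.indexOf(addr) !== -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isRouter(host) ? SINK : "DIRECT";
}
```

With this PAC loaded the browser can no longer reach the router's admin page at all, so administer the router from a separate browser profile that does not use it.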
Thumb Down

The title is required, and must contain letters and/or digits.

erm, because MAC filtering is as robust as chocolate fireguard mate

try Google to learn this :)

0
0
Silver badge

Bah!

"This code uses a "Jedi-mind trick" to circumvent the same-origin policy, thereby allowing JavaScript-based malware to penetrate private home networks supported by vulnerable hardware."

Ban XSS-facilitating, trojan-enabling, router-killing, machine-slowing JavaScript now!

0
1
Thumb Down

NoScript not a defence??

RE: "Potential fixes implemented in the free DNS replacement OpenDNS and the Firefox NoScript plug-in won't prevent his exploit, Heffner adds."

I don't see how a vuln that relies on some JavaScript being run to execute the exploit, will work, when NoScript doesn't allow the script to be run in the first place? (obviously, if it's injected into a "trusted" page, you're out of luck).

1
0
Silver badge

That's exactly the problem.

The malware adopts YOUR OWN IP ADDRESS as its own. This tricks the browser into believing it's actually running locally on your own machine. Trying to block a script coming from your own IP address is akin to trying to ban code coming from localhost (127.0.0.1); try it and things are going to break. That's probably also why NoScript and most techniques don't work; it's basically making it so you can't trust YOURSELF anymore.

0
0
Silver badge

NoScript quick to react.

If what I said is true and the exploit works by adopting your remote IP as its own, then NoScript's latest update (and its landmark 2.0 release) now has safeguards against that exploit.

0
0