Worm breeds botnet from home routers, modems

Security researchers have identified a sophisticated piece of malware that corrals consumer routers and DSL modems into a lethal botnet. The "psyb0t" worm is believed to be the first piece of malware to target home networking gear, according to researchers from DroneBL, which bills itself as a real-time monitor of abusable …

COMMENTS

  1. PReDiToR
    Alert

    How novel

    An attack vector that takes advantage of weak passwords? Who would have thought it?

    SRSLY. When will people learn that "password" is not the same as "Pa$sW0rD, is ... $eCuRe" ?

    Password Hasher (Firefox extension) makes seriously strong passwords. Up to 26 characters. Put "router" in as the site tag, your own unsalted phrase and out the other end you get a magnificent password that you don't actually have to remember; you can always recreate it from the two pieces of information you know.

  2. Kanhef
    Boffin

    weak passwords by default

    The standard username on home routers is 'admin'; on some it can't even be changed. The default password is almost always either 'password' or 'admin'. Most people will not change this. Clearly there is a problem here. It would be much better to use the router model as the username and serial number for the password. As long as the login page/prompt doesn't divulge anything about itself, the name/password space is too large for a brute-force attack to be effective.

  3. Adam Azarchs
    Stop

    Re: Password Hasher

    yes, and as soon as enough people start using password hasher, the password crackers will start running their passwords through the same hasher. It is, after all, just a hash. Much better to use a random password (as opposed to a hash, which only appears random to humans) and an app like PasswordSafe. Or better yet, public key login, which can be made arbitrarily secure by simply lengthening the key (modulo client security concerns. Yes, the private key password is still a concern, but if the attacker has access to the private key file you've already got problems).

  4. Anonymous Coward
    Anonymous Coward

    Password/admin

    Yes, the passwords for most routers are not changed, but then the web interface is usually, by default, only accessible from the user's side, and the telnet etc. interfaces are usually disabled by default. In the 'default' case I'm still not sure how so many are taken over.

  5. Eugene Goodrich
    Paris Hilton

    What is non-obvious to us may be stark relief to hackers

    "As long as the login page/prompt doesn't divulge anything about itself..."

    Typically the login pages/prompts spill out the make, model, and even hardware revision of the device. And even if they didn't, attackers can work it out by how many bytes are in the page, how long the page takes to load, what the self-signed SSL cert looks like, and if necessary how the device responds to a carefully-selected smattering of invalid requests.

    We must assume bad guys know exactly what they're attacking. Or, the scripts they run do.

    It's not all doom and gloom, of course. Manufacturers hardened payphones and put ignition locks on cars; they can give home routers belts and suspenders as soon as they're sufficiently bothered. (Actually, most routers I've seen won't allow configuration from the WAN interface by default anyway. The customer has to be going in and turning that on, presumably at their ISP's tech support's direction...)

    Paris because she, too, divulges things about herself.

  6. Flocke Kroes Silver badge

    Kernel update time

    Many years ago when Windows zombies tried to brute force my machines, I wrote a small script to block access for 10 minutes from any IP address that failed 3 ssh logins in a minute. The dictionary-like attack stood no chance because my team used decent passwords (according to cracklib). The real purpose of the script was to reduce the amount of wasted bandwidth.

    These days, there are kernel modules to make the script superfluous. I am surprised modern routers do not use them.

    It would be nice if I could send an IP address to my ISP, and have it blocked there.

  7. Lee
    Stop

    This is not news...stop it.

    I've never heard of this type of attack before. Welcome to the Internet.

    "HEY, THE SKY IS FALLING. BUY MY SOFTWARE! (which has bugs)"

  8. TeeCee Gold badge
    Thumb Down

    @Kanhef

    "......serial number for the password."

    Really? Can it be that you've already forgotten the BT Home Hub fiasco? You know, where they did exactly this and forgot that a simple WLAN query in clear would get the thing to tell you what its serial number was (AFAIR a little beyond the necessary for WiFi spec, but certainly within the spirit of it)?

    "....router model as username....."

    Yup, obscure that. Given that a) a large number of models already use it as the SSID and b) again, the spec says that a WiFi access point should disclose the type of equipment in use when queried (which is where BT went the extra mile).

  9. Frank

    @Kanhef re. weak passwords

    "..the name/password space is too large for a brute-force attack to be effective."

    Using these two items as the 'out of the box' name/password combo is indeed a lot better than using 'admin/system' for every router sold. However, the namespace of your suggested combination is very much smaller than the English dictionary and is nicely structured to enable hackers to create a simple algorithm for a structured attack. People need to be educated to change the passwords.

    Made up words with numbers in them are best for home use and can be written neatly on a piece of paper and stuck to the bottom of the router. (You make the final three characters easily remembered and leave them off the written password so the kids can't crack it). This is all you need in a domestic setup.

  10. General A. Annoying
    Thumb Down

    Not only passwords...

    but usernames that can't be changed in some cases. (my router was 'admin' for both u/n & p/w, how nuts is that?)

  11. David Edwards
    Thumb Up

    Sky were good

    I was impressed that Sky put a unique and secure password on the router when they shipped it, with a sticker on the bottom. Fairly idiot-proof.

  12. Ash
    Flame

    Again...

    The problem is user education.

    I say those who get hacked should get fined. "OH NOEZ I JUZT WANTID MYSPASS DUN PUT MEZ IN JAILZORZ!!2!!11" isn't a defense. They need educating, and they just don't want to learn.

    Maybe making them culpable is the only way.

  13. Andraž Levstik

    @Adam Azarchs

    Considering it's a salted hash it's not that easy ;)

  14. Richard Kay
    Boffin

    hardware authenticators

    Software password security will only get you so far before the limited capacity of human password memory is insufficient for brute force password guessing techniques. Locking out a guesser temporarily after a certain number of bad guesses helps, but this adds complexity. The solution has to be a standardised protocol for hardware authenticators so that everyone can carry their own around on a keyring and plug it into a USB or use Bluetooth. This will use public key cryptography and an embedded secret key within a tamper resistant device which no-one needs to know.

    With enough support behind a fully open protocol the cost comes down to where every security application can implement it and everyone can carry one. If the key device can recognise the fingerprint of the owner so much the better.

  15. Anonymous Coward
    Anonymous Coward

    Salted? Hashed? Why bother?

    Why not some random characters, written on a Post-It note stuck to the modem? We're mostly talking home routers here, not businesses. Until they write a worm which can read my handwriting on the outside of the box, what more do you need?

    Dunno what the protocol is where these modems/routers are, but Sky here used to (may still do) issue routers with an admin password which they didn't tell you - but was widely known. As a result, users couldn't secure the router (well, unless they asked Google what the password was) but any hacker would have had no trouble getting into it. And the WEP (or WPA, can't remember) was also pre-set to SKYXXXX where XXXX were the last four digits of the serial number. Not that hard to brute-force!

  16. Conor Turton

    Easily defeated

    Reading up on it, one merely has to untick the box to allow remote administration, and then as long as local access can't be gained (via unsecured wifi for example), there's no chance of this happening.

  17. Anonymous Coward
    Anonymous Coward

    re. weak passwords by default

    The only problem with this scheme is that it would require the manufacturers to go through a process where they read the serial number from the device and input the serial number as the password into the device firmware before flashing it. This would potentially add a lot of cost (relatively speaking) to cheap devices.

    The idea of using model numbers won't work either as it only makes the default password slightly harder to guess than "password".

  18. Lionel Baden

    lol

    Well, I would say 40% of home routers are still

    admin

    admin

    But gj on setting up an attack from the actual routers :)

    I want my old ADSL modem back :) much better than these fancy shmancy 'I try to do everything apart from making toast' things!

    Actually I would like a router that can make toast! Then it wouldn't look out of place in the kitchen!!

  19. Estariel

    Which stuff?

    Any chance we can hear which makes of modem, or which ISP/cable companies are affected?

  20. Anonymous Coward
    Anonymous Coward

    Customer PC

    I repaired a customer's PC last week - when I switched it on and watched the firewall logs, it tried the following against the default gateway address (caught by our firewall: IP addresses anonymised). Most of these appear to be router exploits.

    ==> /var/log/squid/access.log <==

    GET http://192.168./setup.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./st_device.html - DIRECT/192.168.33.1 text/html

    GET http://192.168./SysInfo.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./Status.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./setup.cgi? - DIRECT/192.168.33.1 text/html

    GET http://192.168./con_wel.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./ - DIRECT/192.168.33.1 text/html

    GET http://192.168./BAS_ether_h.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./index.asp - DIRECT/192.168.33.1 text/html

    GET http://192.168./index.php - DIRECT/192.168.33.1 text/html

    GET http://192.168./SetupDHCP.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./login.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./ - DIRECT/192.168.33.1 text/html

    GET http://192.168./cgi-bin/webcm? - DIRECT/192.168.33.1 text/html

    GET http://192.168./hpppoe.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./advance/ad-admin-system.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./install.asp - DIRECT/192.168.33.1 text/html

    GET http://192.168./hwizard.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./ - DIRECT/192.168.33.1 text/html

    GET http://192.168./help_Main.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./st_devic.html - DIRECT/192.168.33.1 text/html

    GET http://192.168./status.stm - DIRECT/192.168.33.1 text/html

    GET http://192.168./status.asp - DIRECT/192.168.33.1 text/html

    GET http://192.168./cgi-bin/webcm? - DIRECT/192.168.33.1 text/html

    GET http://192.168./start.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./Home/h_wizard.php - DIRECT/192.168.33.1 text/html

    GET http://192.168./index.html - DIRECT/192.168.33.1 text/html

    GET http://192.168./ - DIRECT/192.168.33.1 text/html

    GET http://192.168./install.asp - DIRECT/192.168.33.1 text/html

    GET http://192.168./hwizard.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./ - DIRECT/192.168.33.1 text/html

    GET http://192.168./help_Main.htm - DIRECT/192.168.33.1 text/html

    GET http://192.168./st_devic.html - DIRECT/192.168.33.1 text/html

    GET http://192.168./status.stm - DIRECT/192.168.33.1 text/html

    GET http://192.168./status.asp - DIRECT/192.168.33.1 text/html

    GET http://192.168./cgi-bin/webcm? - DIRECT/192.168.33.1 text/html

    GET http://192.168./start.htm - DIRECT/192.168.33.1 text/html
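    A defender-side way to pick the pattern in the log above out of a proxy log, added here as an illustration and not code from the poster: the script parses squid's native access.log format and alerts when a single LAN client requests many distinct pages on the gateway inside a short window, which is what an infected PC walking a list of router admin URLs looks like. The sample lines are constructed for this example (the posted lines were truncated and anonymised); the gateway address 192.168.33.1 is taken from the post, while the client addresses, sizes, status codes, threshold and window are assumptions.

```python
"""Detect a LAN host sweeping router admin pages, from a squid access.log.

Added example (not code from the forum post). Sample lines are constructed
in squid's native access.log format; client addresses are made up, with
192.168.33.1 as the gateway as in the posted log.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# squid native log: time elapsed client action/code size method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

GATEWAY = "192.168.33.1"  # the router's LAN address (from the post)
DISTINCT_PATHS = 8        # distinct gateway paths from one client before alerting (assumed)
WINDOW_SECONDS = 60.0     # ... within this many seconds (assumed)

# Constructed sample log. 192.168.33.50 walks a list of admin pages like the
# infected PC in the post; 192.168.33.51 is a normal user logging in once and
# then browsing elsewhere. The last line is deliberately malformed.
SAMPLE_LOG = """\
1237536000.100     12 192.168.33.50 TCP_MISS/200 1822 GET http://192.168.33.1/setup.htm - DIRECT/192.168.33.1 text/html
1237536000.300      9 192.168.33.51 TCP_MISS/200  640 GET http://192.168.33.1/ - DIRECT/192.168.33.1 text/html
1237536000.400     11 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/st_device.html - DIRECT/192.168.33.1 text/html
1237536000.600     10 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/SysInfo.htm - DIRECT/192.168.33.1 text/html
1237536000.800     10 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/Status.htm - DIRECT/192.168.33.1 text/html
1237536001.000     10 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/setup.cgi? - DIRECT/192.168.33.1 text/html
1237536001.200     10 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/con_wel.htm - DIRECT/192.168.33.1 text/html
1237536001.300    120 192.168.33.51 TCP_MISS/200  955 GET http://192.168.33.1/login.htm - DIRECT/192.168.33.1 text/html
1237536001.400     10 192.168.33.50 TCP_MISS/200  640 GET http://192.168.33.1/ - DIRECT/192.168.33.1 text/html
1237536001.600     10 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/BAS_ether_h.htm - DIRECT/192.168.33.1 text/html
1237536001.800     10 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/index.asp - DIRECT/192.168.33.1 text/html
1237536002.000     10 192.168.33.50 TCP_MISS/404  312 GET http://192.168.33.1/index.php - DIRECT/192.168.33.1 text/html
1237536002.500    340 192.168.33.51 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/198.51.100.10 text/html
this line is not in squid format and is skipped
"""


def parse_line(line):
    """Return a dict of fields for one squid native-format line, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname
    rec["path"] = parts.path or "/"   # query string dropped, "setup.cgi?" -> "/setup.cgi"
    return rec


def find_router_sweeps(log_text, gateway=GATEWAY, threshold=DISTINCT_PATHS, window=WINDOW_SECONDS):
    """Map each client that fetched >= threshold distinct gateway paths inside
    one window-second span to the sorted paths seen at the moment the alert fired."""
    events = defaultdict(list)  # client -> [(ts, path)] for requests to the gateway only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != gateway:
            continue
        events[rec["client"]].append((rec["ts"], rec["path"]))

    alerts = {}
    for client, reqs in events.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # slide the window start forward until it spans at most `window` seconds
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {path for _, path in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[client] = sorted(distinct)
                break
    return alerts


if __name__ == "__main__":
    for client, paths in find_router_sweeps(SAMPLE_LOG).items():
        print(f"{client} swept {len(paths)} admin paths on {GATEWAY}: {paths}")
```

    Counting distinct paths rather than raw requests is the point: a legitimate user reloading the status page a dozen times never trips the rule, while a scripted walk through vendor-specific admin URLs does within a couple of seconds. Requests to anything other than the gateway are ignored, so ordinary browsing does not inflate the count.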

  21. g e

    Serial numbers

    Are pretty darn predictable; you'll only need to have one such router and its serial number to have the model no. (username) and a sequentially generated password by way of the serial number.

    Identify that model of router remotely (nmap will do this from its MAC over the internet?) and the rest is down to counting serial numbers till you get in...

    Not the best idea.

  22. Anonymous Coward
    Boffin

    How daft do you have to be

    How daft do router users/vendors need to be to allow logons (admin logons, ffs) from the Internet-facing side of the router, rather than from the LAN side?

    Is this really happening?

  23. Anonymous Coward
    Boffin

    That's pretty clever.

    You have to admit, that's actually pretty smart.

    Why bother compromising computers when you can compromise the network hardware itself? Leaving the average luser completely unaware that anything is amiss, at least until it's too late.

    Unlike most home computers, routers tend to be left on 24/7, presumably making for a much more reliable botnet. While I certainly don't approve of it, I take my hat off to the guys who have come up with this one.

  24. Anonymous Coward
    Anonymous Coward

    No Title

    Wouldn't the admin interface have to be accessible from the WAN side in order for this attack to work? So we are presumably looking at a relatively small number of vulnerable devices.

    Aside from the specific device detailed in the PDF how many other routers are vulnerable?

  25. Adrian Midgley

    write it on the router casing

    For this threat model, make a seriously complex unmemorable password, and write it on the label of the router.

    Cover that if you feel a need.

  26. hj

    Good thing you can check if you're infected

    By trying to log in to your router.... Personally I think it would be smarter to keep those ports open / daemons running. I can not for the life of me remember when I opened a console on my router to check which processes were running. But if I can't get in anymore, I will just reset my machine.

  27. Anonymous Coward
    Anonymous Coward

    title

    It's a work of art.

    wow...just wow

  28. Toastan Buttar
    Thumb Up

    You've got to hand it to the malware creators.

    They do write some seriously cool hacks.

  29. Toastan Buttar
    Unhappy

    @Ash

    "The problem is user education."

    Nay, nay and thrice nay ! It's been shown that ISPs which serve the home market can ship routers which are plug-and-play yet secure out-of-the-box without requiring any user involvement. Blaming consumers for not knowing how to securely tie down a router is little more than trolling.

  30. Anonymous Coward
    Anonymous Coward

    Routers should be like DECT phones

    You can usually only register a dect phone after physically pressing a button on the base station. Maybe routers should have a similar button that only allows remote access of any sort if instigated with say 5 minutes of the button being pressed.

  31. Dave Bell

    Everyone seems to do dumb things sometimes

    The default config on my old BT Voyager looks pretty decent. And I do my admin from a computer connected by ethernet. I also have various other settings tweaked at IP level, so I'm not in a crazy panic.

    I shall still check.

    It seems every company sometimes does something dumb, usually when some manager makes a pet idea stick. The trouble with the recession is that the BT/Phorm cabal are unlikely to see a better job, anywhere. Current dumbness is sticking.

  32. Charles
    IT Angle

    Re: Not only passwords...

    Usernames aren't the big issue. After all, the UNIX world has its 'root' and contemporary Windows have their 'Administrator' accounts. SOMEWHERE you need a "top user" account for the sake of logistics. 'admin' is no different. It's the password that's the big deal, but then again, we have to consider the memory retention of the average user. Scrambled passwords are hard to remember...as could be the means of recalling them. People keep telling others to use notepads or post-its or key fobs...that is until they realize people can lose THEM, too. How are you going to set up a system for authenticating the legitimate owner of the device without having to rely on a rather fickle aspect of the human mind?

  33. Chris

    LAN side...

    What's the potential for a machine on the LAN side inadvertently running a script which attacks the router from there?

  34. Filippo Silver badge

    Access from WAN

    Are there actually routers that allow admin access from the WAN side? Or is this trick based on infecting a computer on the LAN first?

  35. Robert Hill
    Thumb Down

    Finally, a router exploit

    I have been worried about some type of router exploit for some time, but I always figured it would take the form of hijacked flash upgrade from the router manufacturer's website, not an external attack.

    Fortunately, Be Online has put rather strong passwords assigned by default onto each of their routers, on a sticker - so I feel pretty safe. But it is a rather strong lesson to tighten up everything...the attacks are definitely getting stronger and more sophisticated....

  36. Peter Kay

    More sophisticated than URL probing

    Some of the attacks are somewhat more sophisticated than probing URLs, and can work even if the management interface is disabled on the WAN side. This is not news; what's news is that up until now it's a reasonably uncommon attack.

    The solution is to make sure the firmware is up to date, or if you're suitably paranoid, to put your router in bridging mode so the connection is terminated on a secure firewall; it then becomes quite tricky to access any admin functions on the router.

  37. Anonymous Coward
    Boffin

    @AC 09:30 re. weak passwords by default

    "The only problem with this scheme is that it would require the manufacturers to go through a process where they read the serial number from the device and input the serial number as the password into the device firmware before flashing it. This would potentially add a lot of cost (relatively speaking) to cheap devices." -- no it wouldn't.

    It is fairly standard practice in the electronics industry, when building anything with a Flash-programmed microcontroller, to load some special firmware for end-of-line testing. This doesn't do the job the widget is meant to do in real life, but merely reads the inputs and cycles the outputs. By coupling outputs back to inputs you can see if they are all functioning correctly -- not sticking at 0 or 1 -- and all operating independently -- only the output that's supposed to be on, is on. If the unit passes this test, it is then reflashed with the actual firmware as the final part of the procedure before an inspection label is printed; if the unit fails, it will be sent for manual rework, where a fixed amount of time is allotted to attempt to repair it before it is scrapped.

    It wouldn't be at all difficult to have the serial number and password updated automatically each time a unit was done.

  38. Anonymous Coward
    Coat

    Denial of service

    >Once the malware takes hold, it locks legitimate users out of the device by blocking telnet, sshd, and web access. It then makes the devices part of a botnet.

    With such a behaviour it cannot be much of a threat. The worm simply begs for a reset. A worm like that isn't worth the salt on its hash.

  39. Anonymous Coward
    Anonymous Coward

    May be connected

    We use a reasonably strong password on our router (now very strong!) but did recently observe extraordinarily high upload usage that we couldn't explain at the time. Suspect a connection to this worm in retrospect. Perhaps we weren't actually hacked, but this was just the extra traffic that attempts generated, which probably would skew towards heavier upload than download from our point of view.

  40. Anonymous Coward
    Anonymous Coward

    re Again...

    "the users are stupid and should be punished" is a recurring feature on this forum.

    How many people know (or care) what a router is? How many of those know that it's even got a password? Why on earth would anyone even think about changing its user/pass? You might as well tell someone who's just bought a kettle to change the fuse on it because the bad guys might have compromised the original one. Then there'd be a load of techies up in arms about users not RTFM, saying they ought to be hung etc etc.

    It's a consumer durable. It's meant to work properly. It hasn't been made so you can go around bragging about how clever you are, the customer has paid good money so they can achieve their aims; get over yourselves.

    What we have here, my geekies, is a crap piece of kit and some manufacturers that need putting out of business.

  41. Nigel
    Flame

    Give us back our write-protect switches!

    When are manufacturers of embedded devices going to give us back the write-protect switch?!

    This is a consequence of penny-pinching at its worst. In the good old days, firmware always used to be protected. To re-flash a device one had to manually un-protect it, flash it, and re-protect it. With the switch shipped in "protect", any device-hacking could be un-done just by resetting or power-cycling the device. But the switch cost five cents and "confused the users". So to increase profits, and to make users who drool feel happier, they did away with it. Now, the pigeons are coming home to roost.

    It's not just bankers who should have a retrospective 90% tax applied to them. Anyone who sanctioned the removal of an essential and fool-proof safety measure to save a few cents should be taxed into poverty. Or worse. And the legislators should mandate that any device with flash-able firmware should once again be equipped with a manually operated write-protect switch.

  42. steogede
    Stop

    @Conor Turton and Re: How Daft...

    > Reading up on it, one merely has to untick the box to allow remote administration and then as long as local access can't be gained (via unsecured wifi for example) , then there's no chance of this happening. (Conor)

    > How daft do router users/vendors need to be to allow logons (admin logons, ffs) from the Internet-facing side of the router, rather than from the LAN side? (How daft)

    Virtually all routers have 'remote configuration' turned off by default (however there are some manufacturers who are stupid enough to leave it turned on by default). As AC@09:53 demonstrated, the most likely attack vector for a worm like this isn't directly over the Internet. Rather, it will first infect a PC, then infect the router from the LAN side using the obvious password which hasn't been changed because either the user or the manufacturer thinks that the LAN is safe.

    Unticking the remote administration box is a good idea, if you aren't planning to use it. However the most important thing to do (as everyone has said), is to ensure that you set a strong password. Assuming the manufacturer hasn't left any undocumented back doors, you will be much safer (you may want to check this with nmap and/or a good search engine).

  43. Anonymous Coward
    Alert

    You saw it all here first..

    Yes that's right folks, I predicted this very thing about 18 months ago in these very comments on an El Reg story.... maybe some influential people are reading these comments too!

    anon 'cos it were not me who wrote this nasty...

  44. Mike Gravgaard

    Dect phone idea:

    I was thinking along the same lines - why not just have a setup button or write-protect button on the bottom/side of the router and possibly, whilst you're at it, a reset-to-factory-defaults button on all routers.

    Mike

  45. Ken Baker
    Thumb Down

    Not so smart after all...

    Read the research paper folks:

    "Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface – meaning no username or password was required."

    It wouldn't take Keanu Reeves with a cable in his head to crack that ...

  46. Si

    Locking users out of the web interface

    Seems like a bad idea by the malware authors to me as it just means you immediately know when the router has been compromised. Far better to leave it seemingly working correctly leaving the users blissfully unaware...

  47. andy gibson

    The problem IS user education

    Why blame the router manufacturers? They get it in the neck if their equipment is too hard for the average PC owner to set up, they get it in the neck from us if the passwords are too easy.

    You don't blame Ford if someone in a Fiesta ploughs into a queue of people at a bus stop.

  48. The Fuzzy Wotnot
    Thumb Down

    Hardly surprising...

    For the geek-inclined, take a stroll around your local IP neighbourhood one evening with a copy of nmap, you will be amazed at what's out there! Unlocked routers, printers, anonymous FTP servers, NAS servers simply hooked up with admin/admin as the login and dozens of PCs direct attached to "da net" with all ports ready for the killing, barely hanging in there with their out of date MS firewall up, giving the illusion of security to the ill fated user on the other side!

    This is hardly news, this is just another problem caused by allowing the world and their dog to join "da net". Should be like Radio Ham, you need to prove you have a minimum of understanding before you attach to the network, if using anything more technological than a TV based browser device!

  49. Anonymous Coward
    Anonymous Coward

    WAN side...

    It's not WAN side, it's from the LAN the computer gets infected and they go from there.

    Because people don't run virus killers or the windows malware removal doo-dah on their router, the infection is safer there than on the machine.

    Come on, it's not hard is it?

  50. Anonymous Coward
    Anonymous Coward

    Grok WAN or not...

    "It's not WAN side, it's from the LAN the computer gets infected and they go from there."

    That's obvious *now*, from the *comments* (eg yours and the one re server logs etc).

    Why wasn't it obvious from the *article*?

  51. Matt
    Stop

    Sky

    also have a back door in their routers that allows the firmware to be updated remotely; it doesn't need to know the admin password, I know 'cause I've changed mine but still got updated. What's to say some low-paid tech guy didn't "lose" the access to this backdoor? I'm pretty sure other ISPs probably do the same sort of thing with their routers too. Set any password you want, it doesn't mean they can't get in.

    but then all these routers run Linux which we all know is so secure there should be no problem.........

  52. Mike

    Why do we need strong passwords?

    Why on earth is it that ANY system today allows enough password attempts that passwords need to be 'strong' to be secure? It is mostly trivial to implement increasing lockout times depending on the number of failed attempts, making any brute-force attack impractical.

    Insistence on users having 'strong' passwords is a major PITA and just means most people can't remember them, or can't use things they can remember easily, so write them down.
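    The two lockout ideas in this thread, Flocke Kroes's script in comment 6 (block an address for 10 minutes once it fails 3 ssh logins inside a minute) and Mike's escalating lockout here, combined in one small policy engine. This is an added example, not code from either poster. It replays constructed sshd-style "Failed password" lines; real auth.log lines carry a syslog date, which is replaced here by an epoch-seconds prefix so the example runs offline and deterministically. The hostname, process ids, usernames, ports and source addresses (documentation ranges) are all made up, and the doubling schedule and 24-hour cap are assumptions.

```python
"""Temporary source-address lockout with escalation, driven by sshd log lines.

Added example, not code from any poster. Combines the "3 failures inside a
minute earns a 10-minute block" rule with a lockout that doubles on each
repeat offence. Log lines are constructed: real auth.log lines carry a
syslog date, here replaced by an epoch-seconds prefix so the example runs
offline and deterministically. Addresses come from documentation ranges.
"""
import re
from collections import defaultdict, deque

# "<epoch> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAIL_RE = re.compile(
    r"^(?P<ts>\d+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log. 203.0.113.7 brute-forces, goes quiet while blocked,
# then comes back and earns a longer block. 198.51.100.9 fails slowly enough
# never to have three failures inside one minute.
SAMPLE_AUTH_LOG = """\
1000 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
1000 gw sshd[2102]: Failed password for root from 198.51.100.9 port 51000 ssh2
1010 gw sshd[2103]: Failed password for root from 203.0.113.7 port 40112 ssh2
1020 gw sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
1050 gw sshd[2105]: Failed password for root from 198.51.100.9 port 51001 ssh2
1100 gw sshd[2106]: Failed password for root from 203.0.113.7 port 40114 ssh2
1200 gw sshd[2107]: Failed password for root from 198.51.100.9 port 51002 ssh2
1300 gw sshd[2108]: Accepted publickey for alice from 192.0.2.20 port 60000 ssh2
1700 gw sshd[2109]: Failed password for root from 203.0.113.7 port 40115 ssh2
1710 gw sshd[2110]: Failed password for root from 203.0.113.7 port 40116 ssh2
1720 gw sshd[2111]: Failed password for root from 203.0.113.7 port 40117 ssh2
"""


class LockoutPolicy:
    """Sliding-window failure counter with per-address escalating lockouts."""

    def __init__(self, threshold=3, window=60, base_lockout=600, max_lockout=86400):
        self.threshold = threshold          # failures inside `window` that trigger a block
        self.window = window                # seconds
        self.base_lockout = base_lockout    # first block: 10 minutes
        self.max_lockout = max_lockout      # cap on the doubling (assumed: 24 hours)
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.locked_until = {}              # ip -> epoch second the block expires
        self.strikes = defaultdict(int)     # ip -> number of lockouts imposed so far

    def is_blocked(self, ip, now):
        return now < self.locked_until.get(ip, float("-inf"))

    def record_failure(self, ip, now):
        """Register a failed login. Returns the lockout length in seconds if this
        failure triggers a new block, else None (including while already blocked)."""
        if self.is_blocked(ip, now):
            return None
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        # escalate: 10 min, 20 min, 40 min, ... up to the cap
        duration = min(self.base_lockout * 2 ** self.strikes[ip], self.max_lockout)
        self.strikes[ip] += 1
        self.locked_until[ip] = now + duration
        recent.clear()
        return duration


def replay(log_text, policy=None):
    """Feed failed-login lines to the policy; return (ts, ip, seconds) for each new block."""
    policy = policy or LockoutPolicy()
    blocks = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m is None:                       # successful logins and other lines are ignored
            continue
        ts, ip = int(m["ts"]), m["ip"]
        duration = policy.record_failure(ip, ts)
        if duration is not None:
            blocks.append((ts, ip, duration))
    return blocks


if __name__ == "__main__":
    for ts, ip, seconds in replay(SAMPLE_AUTH_LOG):
        print(f"t={ts}: block {ip} for {seconds}s")
```

    In a real deployment the returned duration would drive a firewall rule with a matching expiry (the policy object only decides; it does not touch the packet filter), and the counters would be keyed on the source address rather than the username so that a slow, distributed guess against 'admin' still costs the attacker a block per address. Note that a user who mistypes twice and then waits a minute is never locked out, which is the property Mike is after.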

  53. Anonymous Coward
    Anonymous Coward

    @AC: Grok WAN or not...

    Actually I'm wrong, reading the article that particular model of router was wide open by default.

    Looks like someone noticed a gaping software bug.

  54. AWeirdoNamedPhil
    Boffin

    Here's what I do at home

    Keeping in mind that I'm a weirdo, after all, and somewhat paranoid...

    1. I replaced the crap cablemodem my ISP issued with an aftermarket Motorola that was much nicer. It has a button on top; you push the button, and the cablemodem disconnects from the network. You push it again, and you're back online. It's a marvelous feature. When I'm not actually sitting in front of the computer, I take the cablemodem offline.

    2. Behind the cablemodem, I have a D-Link 4-port ethernet router with NAT firewall. It was about $75. I changed the passwords of the user accounts to random alphanumeric strings and I configured two new firewall rules called "paranoia1" and "paranoia2". The first one drops all incoming TCP packets that aren't part of an established/related connection. The second one drops all IP packets in the same way. It's been a while, but I'm pretty sure I turned off remote administration. Also whenever the logs fill up the space on the device, I have it email them to me so I have a permanent record. I download them to disk when I check email.

    3. On my PC, I run Ubuntu and I've configured the local firewall to disallow everything incoming unless it's part of an established/related connection. The Ubuntu firewall is called "UFW", for "Uncomplicated Firewall" and the GUI for it is called "GUFW"... It's really just iptables with a frontend, though. It seems to work pretty well. I have NMAP and I check my PC's open ports periodically, just in case someone's managed to do something weird. No issues yet though.

    I wonder... Maybe I should double-check my cablemodem? I don't THINK it has a remote administration facility... I'll find out tonight.

  55. Anonymous Coward
    Anonymous Coward

    Why hack the password

    When the properly written bit of malware on a PC on the LAN side can wait for the login credentials to be passed, often in the clear, and then capture them or hijack the session.

    And as for locking out the users, most users wouldn't notice, they don't look at the router at all. Hey the interwebby thing works and that's about it.

  56. James O'Shea
    Jobs Halo

    smug. again

    my home net has a Motorola modem, the username and password for which were changed to Something Else before I even connected the cable to the outside. It also has an Apple AirPort router... which does NOT have a HTML control page. To control it you MUST use Apple's AirPort Utility, which doesn't like connecting to a router that's not on the LAN. I killed the default SSID, changed the username and password, made sure that SNMP over WAN was turned off by default (it was) and turned on WPA security _before_ turning on the wireless connection. And I put the Motorola into bridge mode, so it can't hand out IPs. And I changed the default DHCP start address on the AirPort to <redacted>, and the default LAN side address on the Motorola to <redacted again>. All of which means that for someone outside my network to get on, they have to:

    1 search for the non-standard SSID

    2 figure out that I have an AirPort and use not merely AirPort Utility, but the correct version; using the wrong version will have Unexpected Results.

    3 work out my WPA passphrase. (<redacted number of characters>, mixed caps, common, numbers, symbols, based on a phrase from non-Indo-European language <name redacted> with deliberate misspellings. Good luck...)

    4 work out my admin username. (mixed caps, common, numbers, symbols, based on a phrase from a _different_ non-Indo-European language. Different continent, in fact...)

    5 work out my admin passphrase. (mixed caps, common, numbers, symbols, based on a _third_ non-Indo-European language. Yes, from yet another different continent.)

    6 to access the Motorola, they have to figure out the _different_ admin username and password (set as above, just different languages...) and work out that I've turned off the remote admin features. If _I_ want to admin that modem, I have to reset it to factory standard, something difficult to do without physical access, and extremely obvious in effect afterwards 'cause they wouldn't possibly be able to know how to reset it to my settings afterwards, and if it's not in bridge mode my Internet connection stops working.

    I suppose that it can be done, but it won't be easy.

  57. This post has been deleted by its author

  58. Anonymous Coward
    Anonymous Coward

    @James O'Shea

    You forgot to mention your router wears two sets of underpants, just in case...

  59. Anonymous Coward
    Anonymous Coward

    Router admin passwords

    My ISP actually prompted me to change the admin password on the router as part of the (manual) setup procedure - I actually went back in later and changed it to a serious paranoid password, and I don't actually leave the thing switched on when I'm not actually using it!

  60. A J Stiles
    Unhappy

    @ andy gibson: Car analogy

    "Why blame the router manufacturers? They get it in the neck if their equipment is too hard for the average PC owner to set up, they get it in the neck from us if the passwords are too easy.

    You don't blame Ford if someone in a Fiesta ploughs into a queue of people at a bus stop."

    But before you are allowed to drive a car on the Queen's Highway, you need to obtain a licence; the availability of which is contingent upon demonstrating your ability to operate a car properly.

    Blocking administrative access from the WAN side cannot make routers totally immune to tampering, because there's always the possibility that malicious code could be executed on a machine on the LAN side. And if the router is wireless-capable, insist that it be over a wired connection.

    I do agree with earlier posters that reflashing the firmware ought to require some physical act to be performed in hardware to enable it; such as changing the position of a jumper on the board, or pressing a button and then connecting within a timeout. But hey, what do manufacturers care? Once they've got your money, they're fine!

  61. Michael Necaise
    Unhappy

    open source firmware

    What the article forgot to mention is that this mostly affects MIPS devices running open source firmware. Generally it's not the OEM firmware because most OEM firmware will not allow root / Admin access via the WAN port(s) (although there are a few poorly written examples running on devices in general use). Apparently MANY too many people installed the OpenWRT, DD-WRT, or Tomato project firmware, used easy to guess passwords, and made ssh, http, telnet, etc., available on the WAN port. Many too many people also left older revisions running with known vulnerabilities. The worm takes advantage of either.

  62. Anonymous Coward
    Thumb Down

    @Robert Hill

    "Fortunately, Be Online has put rather strong passwords assigned by default onto each of their routers, on a sticker - so I feel pretty safe."

    Hmm... you missed the scandal a year or two back, where they left a backdoor in their routers that allowed their support staff access to the router. The backdoor took some effort to find, but was do-able. They were standard across the routers. They changed it (I believe) to only allow it from specific IP addresses (their support sites) - but let's face it, IP spoofing isn't the hardest thing in the world to do.

    The password on the sticker is a WPA key - not the web interface password. Think that's still blank by default.

    AC since I'm a customer and Be booted the member off their network who discovered the hole and published it.

  63. DR

    @ only the lan side

    I rather suspect that this is aimed at affecting routers from the WAN side.

    What you say, but you can't get to that.

    My home router sits behind a cable modem, that is accessible from the WAN side, because Virgin can access it.

    your BT router is accessible from the WAN side, else how would BT have enabled their wireless hotspots with a firmware upgrade pushed overnight?

    I agree, my netgear router that sits behind the cable router can't be accessed from its red interface unless I specifically enable it. That doesn't mean that the hardware that I don't control but is still sitting in my house can't be compromised.

  64. Eddie Johnson
    Happy

    As many have said

    As many have said disabling administration from the WAN side is the solution. In my Linksys it is disabled by default. When you go to enable it the on page help says, "Remote Router Access : Allows you to access your router remotely. Choose the port you would like to use. You must change the password to the router if it is still using its default password." So I have to go to a non default password.

    So all the factory default solutions you guys are floating are not the answer - all it takes is 2 things. Design it as Linksys has, requiring the user to change the password plus, here is the biggy - force the luser to choose a complex password. If other routers are designed as mine is, the fault lies squarely upon the lusers who are enabling this and using stupid passwords.

  65. Anonymous Coward
    Anonymous Coward

    Re: Re: Not only passwords...

    >>>>>

    Scrambled passwords are hard to remember...as could be the means of recalling them. People keep telling others to use notepads or post-its or key fobs...that is until

    <<<<<

    Use the first letter of a phrase, that's not at all difficult to recall

    The Owl And The Pussycat Went To Sea In A Beautiful Pea Green Boat

    toatpwtsiabpgb

    A bit more difficult to recall but more secure, uppercase the first and last letter, every other letter, every third one or whatever. Use $ instead of S, 0 for O, 1 for i then stick on an underscore and a number.

    Mr Humphrey Stroked Mrs Slocombes Pussy Which Was Unusual For Him

    Mh$m$pwwufH_999

    Failing that, as has already been mentioned, home users can use any old garbage and write it on the router.

    I feel that the problem is not the integrity of the password rather that most users do not alter it. The people hacking these routers probably just try a few of the more common default username / password combinations before moving on to the next router, why waste time trying to hack into a router that's had its default password changed when there are relatively more with the default settings.

    A simple solution which wouldn't be too difficult nor cost much to implement would be to put a limit of say three uses on the default password before the router locks and needs a hardware reset. However in most cases this wouldn't be enough as I believe home users just plug these things in and they work, they don't usually mess about with configuring the device and as such don't realise that the thing has a password. Or if they do then they think changing the WPA/AES passphrase is enough.

    A more effective solution would be to have the router locked from the factory and force the user to at least tick an enable check box in the configuration which is greyed out until the password has been changed in order to unlock it.

    The problem with these solutions is that home users in general are not IT savvy and just want a router that works out of the box so it will be a brave manufacturer who would make it difficult for the great unwashed in this plug and play world. Plus ISPs generally like to be able to mess about with your router as and when they please which is why external administration is not disabled by default on routers provided by ISPs.

    The only real solution is to educate the users but alas they don't want to be educated.
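    The recipe in the post above (initials of a phrase, upper-case the first and last letter, $/0/1 for S/O/I, then an underscore and a number) and the two enforcement ideas from it and from comment 64 (a remote-admin switch that stays greyed out until the factory password is gone, a complexity rule, and a three-use budget on the default password before the box locks and needs a hardware reset) are spelled out below as an added example. This is not code from the thread or from any router vendor; the `RouterAdmin` class, the `DEFAULT_CREDENTIALS` list, the "12 characters, three classes" rule in `is_complex` and the three-login budget are assumed policy values chosen for illustration.

```python
"""Added example, not from the original thread: the phrase-to-password recipe
in comment 65 and the admin policy sketched in comments 64 and 65, as code.

Everything here is an assumption for illustration: the complexity rule, the
list of factory credentials and the three-login budget are made-up policy
values, not the behaviour of any real router.
"""
import re
from dataclasses import dataclass


def initials(phrase: str) -> str:
    """Step one of the recipe: first letter of every word, lower-cased."""
    return "".join(word[0] for word in phrase.split()).lower()


def strengthen(phrase: str, suffix: str = "999") -> str:
    """The 'more secure' variant: upper-case the first and last letter, swap
    S/O/I for $/0/1 (assumed to apply regardless of case), add '_' + number."""
    base = initials(phrase)
    if len(base) < 2:
        raise ValueError("need at least two words")
    base = base[0].upper() + base[1:-1] + base[-1].upper()
    base = base.translate(str.maketrans("sSoOiI", "$$0011"))
    return f"{base}_{suffix}"


# Assumed factory (username, password) pairs that the policy treats as default.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def is_complex(password: str) -> bool:
    """Assumed minimum: 12+ characters drawn from at least three classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(bool(re.search(pattern, password)) for pattern in classes)
    return len(password) >= 12 and hits >= 3


@dataclass
class RouterAdmin:
    """Admin account state with the three enforcement points the thread asks for."""
    username: str = "admin"
    password: str = "password"
    remote_admin: bool = False
    default_logins_left: int = 3   # comment 65's "three uses" budget (assumed)
    locked: bool = False           # cleared only by hardware_reset()

    def uses_default(self) -> bool:
        return (self.username, self.password) in DEFAULT_CREDENTIALS

    def login(self, username: str, password: str) -> bool:
        """Correct credentials log in; the default pair only three times."""
        if self.locked or (username, password) != (self.username, self.password):
            return False
        if self.uses_default():
            self.default_logins_left -= 1
            if self.default_logins_left <= 0:
                self.locked = True     # this login succeeds, the next will not
        return True

    def set_password(self, new_password: str) -> None:
        """Gate from comment 64: refuse factory defaults and weak choices."""
        if (self.username, new_password) in DEFAULT_CREDENTIALS:
            raise ValueError("that is a factory default password")
        if not is_complex(new_password):
            raise ValueError("password does not meet the complexity policy")
        self.password = new_password

    def enable_remote_admin(self) -> None:
        """The greyed-out checkbox: WAN admin stays off until the default is gone."""
        if self.uses_default():
            raise PermissionError("change the default password before enabling WAN admin")
        self.remote_admin = True

    def hardware_reset(self) -> None:
        """Physical reset button: back to factory state, lockout included."""
        vars(self).update(vars(RouterAdmin()))


if __name__ == "__main__":
    router = RouterAdmin()
    print(initials("The Owl And The Pussycat Went To Sea In A Beautiful Pea Green Boat"))
    strong = strengthen("Mr Humphrey Stroked Mrs Slocombes Pussy Which Was Unusual For Him")
    print(strong, is_complex(strong))
    router.set_password(strong)
    router.enable_remote_admin()
    print(router)
```

Two things worth noticing when running it: the plain initials string `toatpwtsiabpgb` fails the complexity rule (one character class only), so a Linksys-style gate would send the user back to the "more secure" variant; and the strength of either variant is bounded by how guessable the phrase is, since a well-known quotation and a fixed set of substitutions are exactly the kind of rules a password cracker already applies.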

  66. vincent himpe

    open source

    that is a problem. it's like giving everybody the plans to the fortress. sooner or later someone will find a flaw.

    these security appliances like firewalls should be completely closed source.

  67. jake Silver badge

    @Charles @vincent himpe

    Charles wrote: "After all, the UNIX world has its 'root' and contemporary Windows have their "Administrator' accounts."

    Wrong. Competently set up boxen have a root-level or Administrator-level account named anything but root or Administrator.

    Vincent, come back and discuss security with regard to open source when you've taken a few courses on the subjects, m'kay? Ta.

  68. Anonymous Coward
    Stop

    Tech is getting too clever

    When all your tech is getting more and more clever, and all your tech items can be connected to your other tech items, your mates' tech items and the rest of the world's tech items, this sort of stuff is obviously going to be a big problem, and it's only going to get worse.

    I am just dreading the day when my future car gets hacked and I end up dead because of it. I just want a dumb car with big mechanical control levers and no brains or memory that can become corrupted or be exploited.

  69. A J Stiles
    Boffin

    @ vincent himpe

    "it's like giving everybody the plans to the fortress. sooner or later someone will find a flaw."

    Ah, but the probability that any given flaw will be found by a "good" person will always be greater than the probability that it will be found by a "bad" person.

  70. Anonymous Coward
    Stop

    @ the users are stupid and should be punished

    sure...when did you last climb on your roof and check your roof tiles?

    Never...

    Stupid dumb f**ker, you do realise that should your roof leak, the ceiling come in and destroy a load of things inside, you are probably not covered by insurance (what, you didn't get the "house maintained to a reasonable standard" clause).

    Or when did you last check your CV joint boots on your car?

    Ooo dodgy.....

    I know something really easy, do you check your oil and tyre pressures every week?

    Ironically, neither do most "normal" people

    Get a life children, most people are not technical and nor should they need to be. To call them stupid just shows

    a) why techies are thought of as a bunch of anal retarded twats

    b) your own ignorance

  71. jake Silver badge

    @Stu Reeves

    "sure...when did you last climb on your roof and check your roof tiles?"

    Uh ... how about twice a year? Standard maintenance .... once before the rain season, and once after. Only common sense ... I put the roof on, I better make sure it's still there, no?

    "Stupid dumb f**ker, you do realise that should your roof leak, the ceiling come in and destroy a load of things inside, you are proberbly not covered by insurance (what you didn't get the "house maintained to a resonable standard" clause)."

    You mipsselled "fucker", HTH ... And my insurance is quite comprehensive, TYVM. Cheap, too, because for the most part I never need to make a claim. Maintenance is funny that way.

    "Or when did you last check you CV joint boots on you car?"

    A couple times a year, although most of my vehicles have universal joints, not constant velocity joints..

    "I know something really easy, do you check your oil and tyre pressures every week?"

    I check the oil pressure every time I fire up the vehicle in question. If you mean the oil level, I check it when I check the tyre pressure ... Roughly every third fill-up.

    "Ironically, neither do most "normal" people"

    That word "ironic", I don't think it means what you think it means.

    "Get a life children, most people are not technical and nor should they need to be. To call then stupid just shows

    a) why techies are thought of a a bunch of anal retarded twats"

    I prefer "informed & proactive", YMMV.

    "b) your own ignorance"

    Trust me, I know the GreatUnwashed are collectively stupid (not ignorant, ignorance can be rectified thru' education, and for the most part people are not educable). I am neither, TYVM.

  72. Wortel

    @AWeirdoNamedPhil

    ===

    Here's what I do at home

    By AWeirdoNamedPhil Posted Tuesday 24th March 2009 14:17 GMT

    Boffin

    Keeping in mind that I'm a weirdo, after all, and somewhat paranoid...

    1. I replaced the crap cablemodem my ISP issued with an aftermarket Motorola that was much nicer. It has a button on top; you push the button, and the cablemodem disconnects from the network. You push it again, and you're back online. It's a marvelous feature. When I'm not actually sitting in front of the computer, I take the cablemodem offline. --snip--

    ===

    Something like this then?

    http://broadband.motorola.com/consumers/products/sb5120/

    If you actually do mean the Motorola Surfboard, then you'll find it has an unauthenticated web interface available, where you can happily fsck up your cable setup.

    Google the exact model number, too. Perhaps you are also lucky enough to find you have the model that has a flaw that lets anyone with the right knowledge crash the damn thing with a single malformed TCP packet.

    I had a Motorola Surfboard for well over 5 years and it's been nothing but trouble, I was glad to get rid of it, AND the ISP along with it!

  73. AWeirdoNamedPhil
    Boffin

    @Wortel -- nope, chum, mine's the older one...

    ...WITHOUT the html-serving capabilities. Just DOCSIS for me, thanks. I believe it's the 5101. Your troubleshooting is limited to looking at the blinkenlights and unplugging the modem to restart it when it (rarely) runs into trouble.

    I guess sometimes less is more! Mine's never given me any real trouble, although it has crashed rarely (malformed TCP packets perhaps? -- who knew?). I unplug it and replug it and go on my merry way, so I'm not too worried about that one.

    The web interface you're describing is on the 5120, which is the high-end model. There's an even higher end model, the 5121, which has VOIP.

    I can't claim wisdom here, though; I just got the one the store had on hand (pure luck in other words). Now that I know (thanks, btw) that the higher end models have "amusing features" I'll stick to the low-end. Cheaper, anyway.

  74. David Gosnell

    BT being responsible

    Good to see BT being responsible about this - not. Suspecting their Voyager 2100 to be susceptible to this vulnerability, I emailed them for advice. Several days later, got an automatic reply saying the message had been deleted unread, presumably because the model is no longer supported. Nice.
