Would not knowing the password make a difference? I think 99% of people I know have the default settings up.
admin/admin = win.
A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers. According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings controlling the domain name system server that …
I saw (or imagined) something like this coming a year or so ago and took precautions. Since I was already a linux user, I edited my hosts file so as to contain the IP addresses of all my critical sites, therefore I avoid doing DNS lookups for those sites at all. Not that I'd be silly enough to enable uPNP anyway, or not use a very strong password on my router, or not change the web port, or not restrict access addresses, or not use a gateway/IPS, or not tailor all my firewalls, or not have an unique e-mail address for each critical function, or ....
OK, so I'm a bit paranoid, but I plan on NEVER getting phished, pharmed, vished, hacked or cracked.
*It really shouldn't have to be this hard, should it?!*
Actually windows has a hosts file as well, this is probably a good idea for sites that you need to be secure, like paypal, the bank, ebay, amazon (One click shopping has a price).
I guess you need admin privileges to change the hosts file on windows as well?
>Not that I'd be silly enough to enable uPNP anyway
I got caught out by this, since I didn't really know what used it, and it was defaulted on.
I seem to have survived however...
@Re: Belt, suspenders and a piece of string:
You play your game, and I'll play mine :)
I'm assuming the average Linux user knows how to do this (or ask someone), but the average Windows user will be completely lost.
What I'd like to see is a customer going into a bank and getting a CD-ROM which will setup their hosts file with any necessary addresses and configure any other common apps such as adding bookmarks to their browser. Perhaps it could even conduct a basic PC security audit. I suppose there'd be some liability questions the bank may be shy of, though.
do router manufacturers use default passwords ? Surely it's not rocket science to have a system to generate a random code and print it on a label to put in the box ?
Maybe they're advised by the same team who implemented the locks on the 1970s Ford Escorts ......
Paris Hilton because of a very weak connection to a town bicycle
Actually, you'd be better off editing your /etc/resolv.conf instead.
Several months ago, I upgraded the firmware on my Netgear router, and then discovered that the router was now advertising itself as a DNS proxy server to all of the connected machines instead of telling them to talk directly to my ISP's DNS servers.
Because of crappy coding by someone at Netgear, every DNS lookup took several seconds, and no addresses were cached by the router, so web browsing was as slow as if I had a 28kbps dialup connection.
Fortunately, I run Linux, so I simply edited /etc/resolv.conf to replace the router's IP address with those of my ISP's DNS servers.
Oh, and I disabled UPnP when I first set up the router.
I already recommend that route to anyone who has had malware issues in Windows - it's not worth the risk of hoping the often-most-useful removal utils (i.e. those supported and recommended by sites like CastleCops - and usually written by mere mortals for free distribution) are 100% effective, given the speed at which new variants can update themselves.
That said, it's a great idea - and for the small cost of knocking out a few discs sounds like a winner to me !
Question is - which do they use, and how well supported is the hardware across the distribs... Ubuntu is fairly good, but I suspect Knoppix (especially the DVD release) has better support for hardware - but then you have the issue of crap USB modem drivers rearing its' ugly head.
Perhaps all the UK banks could get together and split the cost, putting their IP addresses in - but it may then highlight any deficiencies in their own websites which may (or may not) fail under linux due to bad coding or reliance on unsafe / non-standard IE extensions (did I hear Barclays had issues recently, possibly with Safari ?)
Never paid much attention to uPNP, but that would explain why when I installed a beta of Vista my router settings suddenly got destroyed altered, I lost connection and no other devices could connect to my wireless network - even though it was password protected. Luckily, I had a suspision about it at the time and turned uPNP off - but I always thought I was just being paranoid.... obviously not! lol
So I caved and got my kids an xbox 360 for Christmas. And oldest son has an older xbox as well. So what happens next is an example of why you shouldn't trust your kids like I do^H^Hdid.
- Son #1 (on college break) says, "hey, what did you change the router password to?"
- I tell him.
- A couple of days later I hop on the router. I *know* I had UPnP disabled.
- Surprise! UPnP is enabled.
- Ayup: he did it to enable the xbox Live feature.
So - not knowing exactly what this particular spawn of Redmond needs to work, I do the requisite search. "xbox 360 upnp router configure" and go to two different but promising-looking links:
This site basically says, "just enable UPnP, stupid."
This site says, "make sure UPnP is OFF" and then tells you what you need to port-forward for xbox live.
A third site I looked at was in between:
It lists three options, but (unfortunately) #1 is to enable UPnP. #2 is to set up port-forwarding, and #3 is to plop your xbox into the router's DMZ if it can do that.
Two out of three giving bum dope. A shame. All in the name of the Gaming Experience(sm). Kudos to the one that tries to get it right.
Using the serial number as the default password would seem the way to go, to me. It's unique, somewhat random and unknowable to a remote attacker. More importantly it's printed on the device (not just the box), so you can't possibly lose it. Naturally an alphanumeric serial numbering scheme would be preferred.
Yes OK, someone looking at your router could potentially compromise it, but if they have physical access to your router then the breaching of same is the least of your concerns.
Be a bit of a pain wouldn't it though? CD for each bank, paypal, ebay, amazon, dabs etc.. with a reboot each time?
And you'd have to explain your network configuration to the CD every boot.
They should have put a magnetic layer in CD's so that you have a small amount of writable storage, would've been useful.
I wonder how all those unsecured wireless routers cope with upnp attacks....
BTW You can put fixed DNS addreses into windows as well, probably easier than linux for that.
"Its as simple as putting a meta refresh to some 192.168.1.1 page in an external internet page, and boom, you'd be exploited."
It's a bit harder if you also change your home network IP range, NAT all addresses in your firewall, and hard code the MAC addresses into your DHCP server license.
Personally, I don't do internet banking over WiFi.
Paris Hilton because of the "it's a bit harder" statement at the beginning.
nsswitch.conf, resolv.conf and host.conf are the files to watch in Linux - resolv.conf points to your nominated nameserver (it's what you tell it during setup) and typically, nsswitch.conf and host.conf point to 'files' (i.e. /etc/hosts) first *then* dns; in a default desktop setup they don't need editing. To get this to work, you do need to edit you hosts file .... but checking config files won't hurt.
Plenty of software installs bookmarks - just about every game I know and many major application suites - they're usually in the appropriate start menu group - why would this be any different - I've not seen any problems yet. I thought I was supposed to be the paranoid one?
@AC '@Reply2' (both of you):
Who mentioned CDs in the post? I said *go into the bank* for a reason. Any branch will do.
Would like to see that demonstrated - it would be interesting. But even if you do save passwords (I don't, I think it's a bad idea) isn't a master password supposed to stop that?
@AC 'If Linux was truly user friendly...'
Oh, not that again! I'm just using Linux as *my* example and am suggesting a similar process could be automated (for the great majority of OS's).
Some of you chaps are just making stuff up, I swear. :)
"Who mentioned CDs in the post? I said *go into the bank* for a reason. Any branch will do."
my point still stands. Some numpty will get a CD in the post, with a lovely covering letter saying " ... in order to maximise the ease and convenience with which BastardBank customers may manage their online accounts, we have decided to post CDs to our customers to save them the trouble of having to visit a bank in working hours.
In order to celebate this improvement in our services, the 1000th person to connect to their account using their CD will win a cash prize ....."
"BTW You can put fixed DNS addreses into windows as well, probably easier than linux for that."
Probably not. One command from CLI.
print "nameserver 192.168.1.1" > resolv.conf
Where 192.168.1.1 is the name server you wish to define, change as your network requires. (Use official name servers from your ISP, not your default router else you gain nothing from this exercise.)
Um, they put in default passwords because life would suck if they didn't.
I don't know how many times I've walked in..."We need you to fix the network" "No problem I say, what's the router password." "No one knows and the person who set it up has left."
Well, the only thing to do is a hard reset, use the default password and start over at that point. Thank God for default passwords. Just change the blooming password when you set it up, but do NOT take away my defualt passwords.
C'mon guys, using a hosts file (and not trusting DNS) is not the solution to this problem. We have this little thing called SSL which was designed years ago to prevent problems exactly like this. The key is education - users need to know in broad terms what SSL is and why they need to get worried if the browser issues a warning to them. I often hear arguments about average users "not understanding this stuff". If they want to use the technology and not get ripped off they are going to have to understand it.
One way to secure routers would be to only allow config from a directly attached machine on a serial port. You'd attach your PC to that port to configure the device and then log out and remove the cable. Now nothing can play with the router settings whatever it tries.
Wireless and net connections can only see some reports on the router or just route through it. Maybe a small bit of config could be allowed on the LAN side via SSH but only a small subset and nothing that would fundamentally change the router's behaviour.
Can't see that working with the great unwashed though.
I believe BT did something like use a random password and print it on the Home Hub box, but they've had to change it I think because it was flawed in some way. Can't remember the details. Might have been the WEP key though.
Of course using WEP is flawed anyway, but you know the reason why? Because WPA would cause too many costly support issues. That's probably the reason why most manufacturers just use the default passwords too. Simplifies support as they know most people don't change them.
As for UPnP, when it was announced, I knew it was asking for trouble. Again a nice idea in theory to make networking "easy" for idiots, and maybe it is, but it also invites hackers. Basically if you make it easy for anyone to use, it's insecure. Make it difficult, it's secure but also almost impossible for idiots to use. Maybe idiots should just be banned from the Internet!
in my 20 years in systems and support, it has become obvious to me that the vast majority of Windows users (and most users in general, for Mac, Linux/UNIX, and most other platforms) have absolutely no idea how, why, when or where to change system values in the OS (any version). this is why TweakUI was created, for allegedly easy-to-use Windows, back in the day.
hell, most of them don't even know how to change settings on their mobile phones (much like their VCR/DVD/HDDisc players, that always blink 1200).
for the AC who said that Linux is not user-friendly, you made a completely meaningless statement. our hero, Joe Sixpack (he of the default router subnet, default password, and enabled UPnP), has never seen the admin page of his router, doesn't know it exists, how to use it, or why it matters. he also doesn't know that [insert windows root directory here]\system32\drivers\etc\hosts exists, how to use it, and why, or even what to edit it with (no extension, so Windows will ask what app to open). if you try to explain it to him, he will glaze over in under 5 seconds (i timed it), and will urgently need a beer to revive him.
given any sequence more involved than clicking on icons, 99% of the population is instantly lost (the ones who know enough to be dangerous, are usually the worst). in this respect, UNIX is no different than Windows for the IT-ignorant user (which describes most people): it is black magic, and geeks are its priesthood.
if you're ever sadistically bored sometime, try to explain the mechanics of DNS to non-technical friends, or, better yet, strangers (use the uninterested ones for bonus points), and see if they can edit the hosts settings effectively. the syntax of the hosts file is not user-friendly anyway, it is geek-friendly: /etc/hosts is a UNIX convention, a relic from the original Windows development team's UNIX background, which is why every Mac and Linux/UNIX box has that file, for that same purpose.
ease of use is relative to one's level of expertise. there is a large minority of the population in most industrialized nations, that is still completely ignorant, and even fearful, of computer technology. ease of use of Windows is relative, like ease of use of Mac (better interface anyway), or ease of use of the Linux/UNIX GUIs (there are many, some much easier than others).
personally, i like the AS/400 command line. given admin rights, the damage i can do is about like a UNIX box, but will usually impact the entire company.
PH icon: she is empty and meaningless, like AC's MS-type marketing FUD. happy trails.
"As it turns out, the attacks Ramzan has since witnessed were even more effective than he expected, at least when used against certain brands of routers, which were penetrated even without a password being entered (Ramzan didn't identify the specific router or vulnerability that made this possible."
Bloody scary, this one, whatever the mean to penetrate ... Also, I agree it's only a bonus to hackers, since average Joe will leave the default passwd anyway. The only way to make it better is via S/N provided of course the S/N is printed on the box, since the documentation will be lost anyway.
Hmm. My 3com router has uPnP enabled, but I don't use uPnP for anything on my network. However, turning it off stops my router connecting to BT business broadband!! It just will not connect when uPnP is disabled - doesn't even attempt to. No idea on this - not savvy enough I guess. However, I do have non-default subnet and non-default PW. Perhaps I should call BT tech support and ask them. On the other hand, don't think I can be bothered............
Wasn't there a similar attack method like this years ago that just modified the hosts file on Windows anyway? It's essentially the same scam but a different method (attacking the router instead of the OS)
It still all comes down to education:
* Not opening unsolicited emails
* Looking for the SSL padlock in the corner for anything remotely sensitive
Without all this, even the most secure banking set-ups (2 factor auth for example) can still be exploited.
It's no use blaming router manufacturers etc - they pretty much need uPNP to let anything work (Messenger, Skype, basically anything that works as a primitive server). Most people commenting on here would know to set up port-forwards as and when required, but we make up <1% of the userbase.
Having last worked as a computer consultant 20 years ago I can still set up your DEC terminal or high speed printer on a Xenix box but how can I tell if my router has uPNP? Just because it does not mention it in the config hasn't convinced me that it is not enabled by default.
Is there a list somewhere or do I have to buy yet more stuff? 2Wire 2700HG from ebay
Oh! did I say that Kubuntu rocks :)
Yes, I'm leaving now............
As a member of the 'great unwashed" (the 99% that is not the glorious 1% that is you), all I can say is eff-off. If everyone just refused to conduct any business on the 'net until security became automagically a non-issue, I figure it would take only a few weeks for this problem to be solved - because no business = most of you out work.
But people will carry on doing business on the net so you don't have to worry - so carry on admiring yourselves.
Solving how exactly the DNS poisioning is occurring is not the point.
As Robert Brockway and others pointed out, ...
Why are people putting their credentials into a form that their browser is surely warning has an invalid certificate (if the spoof site is emulating the SSL layer), or doesn't have the padlock (if the spoof site is not).
The fact that probably the MAJORITY of the population will freely enter their banking credentials into bogus forms ought to stop banks from setting up internet banking in the first place.
please note that i meant absolutely no disrespect to "the Unwashed", as you put it. i am equally ignorant of the finer details of agriculture (for example), as the 99% are of IT. the ignorance of the masses pays my bills.
unfortunately for the wonderful 99%, i am not the only one who profits. the cablecos and telecoms who provide these devices in wide-open configuration, offer no advice on the topic, and rarely fix the bugs, are the parties abusing the consumers in this case (elsewhere, it is usually the salespeople: "No, it's all ready to go, just plug it in, you don't need to change a thing!"). i can fix some of the issues they create, but it will cost you a bit. alternatively, it may cost you far more if you happen to be one of the tens of millions of people who are ripped off (and there are many scams, more every day).
the fact is that IT (any flavor) requires proper configuration and occasional monitoring; periodic revision, upgrades, and maintenance; and safe usage instructions for the end user. the only thing i have seen that comes close to the required appliance-like level of functionality is this:
nothing else i have seen, Mac, Windows, or Linux/UNIX, comes close to the support and administration these guys offer.
Are unfortunately a fact of life. The crazyness abounds. In my case, I take it as an advantage. My mother-in-law's condo has someone nearby that has a nice wireless router. When I went there about 1 year ago (it could be more) I opened up my laptop and found it. Nice and open. Not wanting to spoil the party, and to insure that the door STAYS propped open for me to come by next time, I found that I could access the router thru its defaults. Wonderful things these wireless routers! Just to insure that the next time (I was there last month, and it was still open) it would be wide open, I went into setup and added a password, made sure WEP was off, and set the SSID as well. I suspect that the "owners" of the router have no cares at all, as their computer works quite well (wired, or not I just don't know). I'm happy as a clam, and provided a service to those around who want a nice wireless connection.
Of course, on my router, it has a non-standard IP address (not 192.168.x.1), has uPNP off and has a password. The access is limited by the range of the wireless (minimal in a stucco house!). Haven't had a problem!
This posting on Heise Security's site about frame spoofing shows that just checking the certificate does not give you a 100% guarantee that you're sending your credentials to the right site.
This article might be a bit old now (I haven't tested the links) but the fact that it's still happening (links below) show that this attack vector hasn't gone to bed yet.
My motto is if your bank uses frames on their credentials entry page, don't use their internet service or move to another bank.
In fact this applies to any site that requests user credentials. And to access my tiscali web mail, guess what? Credentials are sent in the clear. Great!
People! Lock down your routers. Steps to follow with a router.....
I've only read about half of these comments so far. From what I've read it sounds to me like some of our fellow readers need a lesson in how to lock down a home router. You don't need Linux and you don't need a MAC, nor do you need a live CD to be safe, you just need to take some basic steps. (Oh, and before I get flamed I have an AIX box, a Linux box and a WIN 2000 box in addition to 2 WIN XP boxes connected to my home router. 3 of them using wireless.)
1. Change your admin password.
2. Even if your ISP requires DHCP hard code your DNS entries on the router.
3. Turn off DHCP.
This will require hard coded IP addresses on all of your machines connecting to your router. This in turn will require you to hard code DNS entries on those machines.
4. Change the IP address range that your router is setup for. You have 2 choices 10 dot IP addresses or 192.168 addresses. This gives you a multitude of address ranges to choose from. Don't leave it at the default of 192.168.1.0
5. If it's a wireless router set it up so that it will only accept connections from the MAC addresses that you enter.
6. Change the SSID and don't broadcast it. (Though this doesn't really have anything to do with this article.)
7. Never, never enable uPNP. In fact read up on all of the things that are enabled by default....50% of them you will not want enabled.
PNP, while convenient is a dangerous thing, kind of like autoplay being enable for CD/DVD drives.
Something that really peeves me, is to open a box and find nothing inside but the device I purchased (modem, router, hard disk, CPU, sound card, or whatever) and a piece of paper giving me instructions on how to physically install the device and absolutely nothing else. Oh and a varying amount of advertising material.
Then when, after the usual swearing, I find (usually with more swearing as I search through a website link by link (nothing being intuitive)) and download a copy of the manual, I discover instructions only marginally more useful than the help in the average BIOS: "Select enable to enable option x. Select disable to disable option x." with no bloody clue whatsoever as to what option x actually does.
I want manuals like those of the days of yore. Manuals that would tell you what you were doing, before you did it and didn't work on the assumption that if you really want to do this, you've shelled out hundreds/thousands of quid for the appropriate Cisco, or M$ accredited course.
that the internet thingummy design is flawed.
If MS designed an OS that was this prone to hacking etc, people would be bitching about it on esteemed technical forums such as El Reg.
The internet should not be hackable via uPNP router fiddling any more than an OS should serve as a breeding ground for worms, trojans and other nasties.
Where's an Al Gore devil-icon so we throw poo at him? (since he calima Al:Internet == Windows:Bill)
Yes, I too remember the good old days. The MS manual was a good 200 to 300 pages long instead of this little 30 page getting started thing you get now. And hardware manuals were a minimum of 50 - 60 pages. Not to mention that everything you needed to rebuild your machine came on disk, instead of in some hidden partition that you need to figure out how to make recovery disks from. Guess we can thank the "pirates" for that attitude...... That and the dumbing of the world!
MSDOS bit me on the arse big time with it's RECOVER command and inadequate documentation way back when I knew my Apple inside out and back to front and not much of anything else except for the "everything" every 16 YO knows.
Mum brought her work comp home having accidentally deleted a critical file. I read through the documentation found RECOVER which was described as being for recovering "lost" or damaged files. "Lost" = "deleted" seemed about right so I blythely typed in RECOVER *.* and my 16 YO self felt pretty bloody chuffed until I typed DIR once the hard drive finished chugging away.
Whoopsie. FILE0000.???, FILE0001.??? .... (??? coz it's been a lot of years and my first action on any new DOS machine from then on was DEL RECOVER.COM)
I was damned fortunate that there were less than 512 files on that machine.
I borrowed a boot disk and disk editor from a philistine (non apple) friend and with absolutely no knowledge of the disk structure whatsoever, rebuilt that sucker from scratch. The hard way. I sorted out which of those files were once directories and figured out the partition table and the links to it, but the rest was beyond me, so I recreated the directories with MKDIR, populated them with empty files of the proper names, cross linked everything to those empties and then zeroed out the recovered files in the root directory. About halfway through I cottoned onto little sigma and deleted files and did what I set out to do in the first place.
Oh and I bought a book that explained MS disk structures among other things as soon as I could scrape up the cash. I figured out rather quickly that what I spent several hours doing, could have been done in minutes with the right knowledge.
(Paris, 'coz the experience left me feeling rather blond.)
Just to clarify, although uPNP may (or may not) provide a vulnerability that attackers could use in this type of attack, the real-world attack in question used a design flaw in the 2Wire router. This did not involve uPNP and neither did it require a cracked password.
More details at http://www.computershopper.co.uk/news/159414/hackers-attack-broadband-routers.html
...firmware on yer cr*ppy generic cheapo connexiant based routers....DDWRT on a WRT54G V7 is pretty good, makes it a little more challenging to exploit...or spend some serious cash on decent hardware alternative (Cisco IOS based).. As someone else suggested, using your own internal HOSTS file amongst other techniques is a good place to start - but if you couldn't figure this out for yourself with a little research and consideration then I'm afraid you are just good fodder ;)
Failing the aforementioned, just make sure you never submit your own information when online, just use someone elses - it's not like it's hard to get at these days :) (kidding, of course...)
I thought SKY routers had unique passwords assigned just before they were sent out to customers? I seem to remember a family member having bucket loads of grief trying to get into their router to check the settings, only to find out that the password was not a standard default from manufacturer, but reset by SKY. Maybe they no longer do this.
TC's tips are very useful and true, but I haven't seen the most obvious solution to this problem: turn on WPA encryption on your wireless router and use a decent password. On modern routers this is part of the default installation procedure. As far as I know, it's not possible to get into the router's admin page unless knowing the SSID/WPA password or being physically connection to it. Or am I missing something?
You don't need a default password on a router. You don't actually need ANY password on a router.
You provide a physical switch on the router labelled "Configure".
If the switch is on, then it provides the configuration page to any computer that connects, and does no routing (so you can't do anything with it apart from configure it).
If the switch is off it works normally.
Which means you have to physically access the router to configure it. Now it's as secure as your house is!
Sorry if my comments appeared to target anyone in particular. It was a general moan brought on by comments by a few others.
One good thing about their comments is that they remind me not to laugh at or complain about anyone who hasn't spent years/decades learning to do what I do!
Maybe we need an olive branch icon or a bucket of water dousing flames.
Now here is the biggest problem. Excluding attacks that enable access or make changes without the need for a password the ISP's are allowing compromise themselves. I have Comcast cable. They installed a cheap wireless router with the username "comcast" and the password "1234". They did not change this during the intstall nor did they mention it should be changed. To make matters worse they enabled the wireless and the guy told me that they were not allowed to set 128bit WEP, only 64 but that is ok because "look how long the password is!!!" rofl. He also did not give me the username or password to the router. I looked it up online in a default pw database. I logged into the router and:
- WEP is the only option. There is no WPA or WPA2.
- He used my last name as the SSID and also used the same name to generate the hash.
So, to compromise people on this very large national leading ISP the only thing needed is the broadcasted SSID. From there the network will be completely compromised in a matter of seconds. If the tech is diligent then the security is still based on WEP which again can be cracked in a few minutes regardless of what the tech says.
I have locked my router down as best as it could be and have tried to replace it with my own. So far they are not compatible with any routers beyond the ones they provide.
This post has been deleted by its author