back to article It's 2015 and default creds can brick SOHO routers

A hacker has detailed a series of tricks that can silently reboot or brick routers or activate admins functions. Many routers including Netgear and Surfboard models look to be affected, with most attacks requiring just victims' default universal credentials to be applied. Applications security bod Joseph Giron detailed how …

  1. Otto is a bear.

    How nice

    Apart from the obvious, never leave the router passwords set to the default values, is there actually a SOHO router that is safe to use.

    I do love it when we get the doom and gloom, without the recommendation on what to do, somehow I don't think we can rely on the router vendors or telcos to fix these things any time soon, unless of course market forces prevail.

    I don't suppose they reported the router that was hardest to break into did they?

    1. John Robson Silver badge

      Re: How nice

      Don't use a SOHO router?

      Modem into a linux box?

      Of course my WAP is probably as bad as the routers anyway...

      1. Anonymous Coward
        Anonymous Coward

        Re: How nice

        Not everybody is willingly to spend hundreds of $ for an "enterprise" router, nor they would able to configure it themselves - thereby they are forced to rely on the ISP router and its configuration.

        And not everybody has a spare PC running all the time (maybe making noise, consuming power and increasing fire risks), nor has the skill to configure it as a router and firewall.

        That is true for AP as well - I spent some $$$$ to get one (which is only an AP) which allows to associate each SID to a different VLAN (and also spent some $$$$ for a managed switch to configure those VLANs - and the needed ACLs), for example the Sky decoder can access the Internet but can't access anything else (it's a PC inside my LAN I have no control about what it does... and it can also download software from its satellite connection....) I use WPA2 + Radius for authentication but for that SID used by devices who cant use WPA2 Enterprise (and thereby set to a restricted VLANs). But that's an "expensive" setup that also requires some expertise to put it all together (DHCP, DNS and RADIUS don't run on the router also, requiring another device to buy, setup and configure), well beyond the average user one.

        Most will have a single SID AP, an unmanaged switch probably built into the AP or router (or the all-in-one device they use...) thereby they need to rely on the security of that single device - and because those devices are also more common, so integrated, and widely deployed, they are also a far better target for some criminal activities - but you can't really blame the user for not adopting what from his or her perspective are just too expensive and too complex setups, unsupported by their ISP.

        After all we IT nerds need to trust someone else also in matters we have no expertise of. If the ISP rents routers, it and its supopliers need to take care of its security. As I do expect my bank to be secure because I can't setup my own....

    2. Michael Habel

      Re: How nice

      On that note have these Hackers ever tried to break anything made by AVM (i.e Fritzbox)?

      I'm not sure about the UK or other parts of the EU, but they're a pretty big deal here in Germany.

      1. big_D

        Re: How nice

        @Michael Habel

        Yes, they have. there was a serious hole last year, which was quickly patched, which let remote hackers gain access to the router and use it to make internationa, premium rate VOIP calls!

        I wasn't hit, but I patched it within a day of the exploit being known and patched by AVM.

    3. Anonymous Coward
      Anonymous Coward

      Re: How nice

      And also unless you really need it for some good reason, don't allow the router to be managed from the WAN interface. The issue is those people who don't own their own router need to leave it open for the ISP to manage it.

    4. big_D

      Re: How nice

      One problem is that probably 9 out of 10 routers are never locally configured these days, at least here in Germany.

      The ISPs push the configuration down the line when the router is first turned on and the router is auto configured for Internet connection and VOIP trunking.

      Most people then use the WLAN password printed on the bottom of the router, usually after they've used their "phone a friend" joker to find out that the WLAN password printed on the router is the password they need to type into their notebook, smartphone or tablet!

      They don't know what an IP address is, or that the router itself has one and that they can "talk" to the router and configure it to work how they want...

      1. Michael Habel

        Re: How nice

        Have an up vote!.... Sadly this is all too true... Since I've recently changed providers from what used to be Arcor, now Vodafone, to 1&1. Which uses a 12 Digit Code that pings their Server for all the configuration Settings...

        I have to say I don't like it. Since I'm paying for an ISDN Hookup.. But, having all my Phones routed over the VoIP. Worse yet this pre-configuration seems to lock me out of actually being able to activate said ISDN Numbers.

        On the other hand, they are both faster, and cheaper (for now...), then Vodafone.

        1. big_D

          Re: How nice

          ISDN is dying. The hardware suppliers are not renewing their maintenance contracts with the telcos, so the telcos are moving to VOIP. AFAIK Telekom's contracts run out in 2018/2019. Until then all residential and business lines will need to be migrated to VOIP.

          Unless the customer fights for it, they will no longer get ISDN, they will get VOIP when they get a new residential line. This has been the case for the last 4 or 5 years. I switched from Telekom to EWE Tel in 2012 and they cut off the ISDN and switched my numbers over to VOIP.

          Companies are a little different, Telekom's new VOIP-trunking solution for businesses will be coming online next year and they will then have 2 years to transition all of their business customers to VOIP.

  2. Lionel Baden

    I've said it before.

    I still dont know if its right though. If somebody were to go round bricking / attacking every device available online, customer and then in turn the companies might take security a little more seriously !!

    Yes if this affected me, i t would be a massive pain and i would but upset and angry, but how long till i directed that anger towards the manufacturer.

  3. DreadPirateRobot

    OpenWRT on my own router which is behind a virginmedia badged netgear thing my housemates use. Dedicated wireless network for me, separate wired network too.

    I need to set some QoS up on their box to mine, they have handily left all the settings at their defaults.

    One thing that I wonder is how long it will take for someone to work out how to get the WPA2 key from the default BSSID. I am sure that the keys are just some hash using the MAC address and BSSID.

    1. Michael Habel

      Cause changing the WPA2 Key is sooooo hard ain't it?

      If anything I may be guilty of running the same 64 Character HEX String for the best part of 8 odd years now. But, that's cause I'm to lazy to change it.

      1. big_D

        If you know that you can change it in the first place... I would bet most of my family wouldn't have a clue what a WPA2 is, let alone how to change it.

        It is all very well, that we deride the use of default password by the manufacturers and that people don't change them, but for most people the router is just another device that is plugged into the wall and turned on, they don't have the first clue about what it does, or that they should "manage" it.

        1. sgp

          Exactly. It is one of the few things I still help my family and friends with.

          Now for all the subsequent other -small- computer and internet issues they ask help for, I only know about networks. Very, very local networks.

        2. Michael Wojcik Silver badge

          It is all very well, that we deride the use of default password by the manufacturers and that people don't change them, but for most people the router is just another device that is plugged into the wall and turned on, they don't have the first clue about what it does, or that they should "manage" it.

          All the SOHO routers I've bought in the past several years have come with "Quick Start" cards and software for Windows and OS X that walks the owner through setup, including changing the goddamned default credentials. Now, no doubt there's a group of people out there who 1) wouldn't be able to figure that out on their own, 2) are running neither Windows nor OS X, and 3) can't follow the alternative browser-based instructions. But that group is kind of small.

          I'm not buying this "oh, ordinary folks can't figure out how to change the default creds" bullshit. Manufacturers, for all their faults, have made that pretty fucking easy on a lot of models, from what I've seen. If you can sign up for Twitter or whatever the social-networking flavor of the week is, you can follow a single page of written instructions for configuring your new router.

  4. Mystic Megabyte

    I need to upgrade

    I just checked and the latest firmware for my router is dated 2010 :(

    Any recommendations for a new one?

    1. Ed Jackson

      Re: I need to upgrade

      Asus RT-AC66U

    2. Tom Chiverton 1 Silver badge

      Re: I need to upgrade

      Vigor

  5. Snorlax Silver badge
    1. Michael Wojcik Silver badge

      Re: It's 2015 and you need to come up with some new headlines

      It's 2015 and everything is still terrible, including headlines.

      And comments.

  6. Irongut Silver badge

    In other words bears are catholic

    So how much research did it take this "hacker" to figure out that if you know the admin login for a router you can change the settings?

    I'd like to publish some papers of my own:

    * If you know the admin credentials you can brick Windows

    * If you know the admin credentials you can brick MacOS

    * If you know the admin credentials you can brick Linux

    * If you know the admin credentials you can brick a nuclear submarine

    * If you know the admin credentials you can brick name a thing

    1. AlgoRythm

      RE: In other words bears are catholic

      Better title, 'This is actually a big deal, but the author didn't research it well enough to convery why'

      The misfortune cookie hack is actually deeper than that...and more malicious since 99% of telco's deliberately leave that tcp TR-069 port open as a standard. To figure out the default creds used by that (VERY) obsolete (10+ yr old version of the TR-069 daemon is consistently used, despite patched releases made available by the boston company to the router manufacturers) required unpacking a firmware set and beating on the on the port with details gleaned from firmware.

      On affected devices, more recent firmware just installs different wallpaper over the same tcp 7547 holes.

      Best fix...stop using these crap CPE boxes for routing....put it into bridging mode (no IP at all) and let something patchable behind it do the DHCP honors.

  7. thomas k.

    remote admin

    Doesn't the danger usually involve having Remote Administration enabled?

    1. Charles 9

      Re: remote admin

      Not if you use a drive-by attack to set up a proxy connection between you and the router from the inside. Also, many routers have demonstrated exploits that can expose the admin console to the WAN side.

    2. AlgoRythm

      Re: remote admin

      Actually the ISPs sending you the gear, and the big box stores providing ISP-X compatible router gear not so helpfully open the exploitable port for you. It's only point of security being that most skiddies won't know to either scan for, or what to do with, port 7547.

      And there are - zero/nada/zip - firmware/fixes to close it off. New patches to ownable routers still leave the same port open with same listener. One particularly annoying router vendor has a web gui option to turn TR-069 off..and obliging displays that you checked the box...but doesn't actually turn it off.

      Fix? Turn off Internet visible IP addresses completely...let something behind the router serve your public IP...heck a lot of APs (Cisco RV120 for instance) are at least securable. Alternatively...look up the details on the misfortune cookie advisory and pointedly don't buy anthing from their list of shame.

  8. madgabz

    PLEASE! Add some perspective!!!

    It's the usual sensationalist, doom-wielding article! WHY THE F*** don't you include some statistics about how many people were ACTUALLY affected by said security flaws? At least, when you ARE bringing statistics on the table, don't be so bloody single-minded! It doesn't really add to the credibility to leave out crucial information...

  9. Misky
    Holmes

    Top Solution

    Unplug interweb, go live in cave.

    Or just assume like I do that the LAN/WLAN is already compromised and secure everything to a level worthy of the data it holds. Then have a plan for when it all goes wrong.

    Having a families worth of phones, laptops, tablets, TV’s, Media stations at home, all hooked up to a WLAN, you have a myriad of potential attack vectors that someone can use. The wife opening zero day viruses in phishing emails, dodgy apps little jim-bob downloads on his iThing to cheat in Minecraft, darling Sarah handing out her Google-drive password to mates to share her mp3’s, through to someone hacking your ADSL router. So many routes in, it’s safer to assume you’ve already been compromised in some way and go from there.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like