Blackhat hack trick wallops popular routers

A cybercrime vigilante known as Kafeine says criminals are hitting thousands of victims with a hacking tool that targets more than 40 router models. The well-known hacker says the novel attacks use cross-site request forgery and exploits against new and old bugs to change router DNS settings. This bypasses the need to target …

  1. Anonymous Coward

    Dear El Reg

    When writing articles like this, a list of affected equipment would be a boon so we know whose particular equipment and what variant is vulnerable.

    1. Sebby

      But honestly, I don't trust any of them anymore. I don't see why anyone else should either.

      Use alternative firmware, or build your own firewall box. Then you have all the pieces, you patch your own stuff, and you know exactly where you stand with the next stupid CSRF (non-)bug like this.

      It's not quite as convenient or robust though, especially the lower-power-PC route. Anyone know of hardware specifically designed for DIY firewall appliances? I'd rather handle the bits myself instead of using a firmware package.

      1. This post has been deleted by its author

        1. This post has been deleted by its author

          1. Sebby

            Re: Maybe

            Aww. Very nice. Ta!

          2. sjaddy

            Re: Maybe

            How stable has that box been? Is there a problem with it being realtek NIC instead of Intel?

            Looking into pfsense, a box that size would be a great idea

            1. This post has been deleted by its author

  2. Richard Jones 1

    It would also be useful if a suggested method of status checking was confirmed so that users could easily verify that their router was still using the right DNS settings. I assume that verifying that the DNS settings are as previously wanted/set will suffice to confirm the status of the router.

    1. CAPS LOCK

      Re: Checking?

      In Linux I use nm-tool in the terminal, it shows the DNS addresses at the bottom.

      1. Chemist

        Re: Checking?

        "it shows the DNS addresses at the bottom."

        In many cases it will just point to the router. I usually embed my normal DNS server addresses in the nm settings for my access point.

        At the moment I'm still looking for a reasonably simple explanation of how this exploit works and indeed how it is triggered.

        1. Dan 55 Silver badge

          Re: Checking?

          If it's a cross site forgery then it's visiting a site which opens a frame to the router's DNS admin page via some exploit and changing the settings from there.

          A simple way of stopping the attack would be to change the router's IP address to something else other than the default so it can't be targeted as a hard-coded value. And changing the default admin password too, although most of the commentards here should have done that already.
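The router-side mitigation for the framed cross-site request described in the comment above, as an added example that is not from the article or any commenter: a settings-form handler that only applies a DNS change when the request is a POST, its Origin/Referer names the router itself, and it carries the per-session token the attacker's page cannot read. ROUTER_HOSTS, the function names and the session handling are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hosts under which this router serves its admin UI (assumed for the example).
ROUTER_HOSTS = {"192.168.1.1", "router.home.lan"}


def new_csrf_token():
    """Fresh token bound to the logged-in session and echoed in every settings form."""
    return secrets.token_urlsafe(32)


def _host_of(url):
    """Hostname part of a URL, lowercased, or None when absent/unparseable."""
    if not url:
        return None
    return urlsplit(url).hostname  # .hostname is already lowercased


def validate_settings_change(method, headers, form, session_token):
    """Decide whether a DNS-settings change may be applied.

    Returns (allowed, reason). A cross-site page can make the victim's browser
    send the router's session cookie, but it cannot set the Origin header to the
    router's own host and cannot read the per-session token out of the admin
    page, so the two checks together block the CSRF even when the session is
    still logged in.
    """
    if method != "POST":
        return False, "state change must be POST, never GET"
    origin = _host_of(headers.get("Origin")) or _host_of(headers.get("Referer"))
    if origin is None:
        return False, "missing Origin/Referer"
    if origin not in ROUTER_HOSTS:
        return False, "cross-site request from " + origin
    token = form.get("csrf_token", "")
    # constant-time compare so the token cannot be guessed byte by byte
    if not session_token or not hmac.compare_digest(token, session_token):
        return False, "bad or missing CSRF token"
    return True, "ok"
```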

          1. Charles 9

            Re: Checking?

            The router's IP can be determined simply by doing some kind of internal ping on the client. The rules of DHCP and so on usually mean the weak-link client is on the same subnet as the router. And since the router's usually the hub of the home network (and therefore almost always device .1), Bob's your uncle.

            Then I think the attack bypasses the authentication done on the device, making passwords useless.

            Please inform us if this is not the case, as I've been unable to obtain particulars on this attack (or even if the CSRF is applied against the device's web-facing side directly, meaning no user intervention required).

    2. Mark 85

      Re: Checking?

      Go a step further. We're tech.. we're supposed to know. Yeah, right... But how the hell does "Joe I-have-a-router-at-home" know about these updates? Does "Joe" even care until suddenly he's hacked and takes his computer into the shop? Would the tech in the shop even ask "Joe" about his router?

      It seems that information on these router issues isn't very well disseminated.

    3. CAPS LOCK

      Re: Checking?

      And in Windows nslookup should return the DNS I.P. set by DHCP.
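One way to script the status check asked for in this thread, as an added example that is not from any commenter: it parses a resolv.conf-style file (the addresses nm-tool or nslookup show come from the same DHCP lease) and sorts each resolver into the owner's allow-list, the router itself (in which case the router's upstream DNS entries are what to inspect next, as noted above), or rogue. The sample file, allow-list and LAN range are constructed for the example.

```python
import ipaddress

# Constructed sample of a DHCP-written resolv.conf; not a real capture.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver not-an-address
"""


def parse_nameservers(resolv_conf):
    """Return the valid nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip junk rather than crash on it
    return servers


def classify_resolvers(servers, expected, lan_net="192.168.1.0/24"):
    """Sort resolvers into buckets: expected (allow-list), lan (the router is
    forwarding, so its own upstream entries need checking), rogue (neither)."""
    net = ipaddress.ip_network(lan_net)
    result = {"expected": [], "lan": [], "rogue": []}
    for s in servers:
        if s in expected:
            result["expected"].append(s)
        elif ipaddress.ip_address(s) in net:
            result["lan"].append(s)
        else:
            result["rogue"].append(s)
    return result


def dns_settings_look_tampered(servers, expected, lan_net="192.168.1.0/24"):
    """True when any resolver is neither on the allow-list nor on the LAN."""
    return bool(classify_resolvers(servers, expected, lan_net)["rogue"])


if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    print(classify_resolvers(found, {"198.51.100.10"}))
```

Run it against the live file with `parse_nameservers(open("/etc/resolv.conf").read())` and your own allow-list; a non-empty "rogue" bucket is the symptom the thread is asking how to spot.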

  3. Anonymous Coward

    Effort to risk

    I have a fair degree of faith in some upcoming commercial brands, more than I do in the big box-badged names.

    I have run various IP-Cop, Smoothwall, M0n0wall, PFsense etc. but consider the gradual addition of features just increased attack surface, in that respect why do people mention "BigNameOpenSource" more than X or Y which are smaller but less well featured? We quickly think (for example) "oh this can handle printers too, I could use that!", not "this has a print queue bolted on, shame".

    Consider something like the Mikrotik 109-8G-1S-2HnD-IN (solid platform, number of gig ports for the cost of some low-middling big name, about a third of the cost of the itx hardware in the comments). Sure the Wifi is 2.4G but see it as a free extra not the main reason for purchase.

    Anon because I don't like to say "my name is Erik and I run a DP-CiscoLink 1234, please use the correct exploits when you call"

    1. CAPS LOCK

      Re: Effort to risk

      If you're not going the stand-alone-firewall way (pfSense and so on) OpenWrt seems like the best alternative.

  4. Hyper72

    I use a Raspberry pi with Dnsmasq as DHCP+DNS server. It connects to the external DNS via DNSCrypt. Cheap, effective and fun.

    Also it's running a little setup called PiHole, to deal with ads.

  5. Anonymous Coward

    The only good hacker... a very dead hacker.

  6. Franklin

    Well, this bodes ill...

    ...for the upcoming Internet of Things, which ought to provide some novel and exciting attack surfaces if IoT makers care as much about security as router makers do.
