Flaw could expose 'millions' of home routers

Millions of household routers are susceptible to a flaw that creates a handy means for hackers to hijack surfing sessions or hack into home networks. Craig Heffner, a researcher at security consultancy Seismic, is due to detail the flaw and release a proof-of-concept tool at the Black Hat conference in Vegas later this month. …

COMMENTS

This topic is closed for new posts.
  1. David McMahon
    Happy

    Change password...

    Then

    Find the user manual to change your router's password, and also apply at least WPA2 security whilst you are there.

    Most routers are accessed via 192.168.0.1 192.168.1.1 or 192.168.100.100 or sometimes 192.168.1.254

    Don't use Mckinnon style passwords!

    1. BristolBachelor Gold badge
      Black Helicopters

      Great advice, thanks

      Now how do I change the password if my ISP won't tell me what the existing one is?

      And how do I use a different router, if they won't tell me the login details I need to access my ADSL account?

      Basically:

      Internet connection means all sorts of s**t will come to your door.

      Wireless means all sorts of s**t will end up on your network.

      1. Steve Roper
        WTF?

        @BristolBachelor

        Change your ISP. No way would I stay one more second with an ISP that treated me like that.

      2. Allan George Dyer

        Add your own router...

        on your side of the ISP's router. Use NAT and add as many machines as you like on your home network. The ISP's router does the ADSL login, as, as far as it is concerned, it's connected to a single device on your side.

        Of course, you pay the electricity bill for both routers, about £10-20 a year. Not very green.

        Then the attacker has (assuming you've fallen for the exploit script - try installing NoScript) a choice of two routers to attack. You've got a strong password on yours, but the ISP's still has the old password. Better not trust it for anything other than providing bandwidth, configure your DNS servers on your router yourself.

        1. Anonymous Coward
          Paris Hilton

          Not very green?

          "Of course, you pay the electricity bill for both routers, about £10-20 a year. Not very green."

          What's not very green? What do you mean?

      3. Dale 3

        ISP won't tell you the password

        Some ISPs (O2, for example) force-changed their router passwords to be the serial number, so try using that one.

      4. heyrick Silver badge

        @ BristolBachelor

        Don't you need the password in order to log in and administer the router? Set options, etc?

        If your ISP is really that lame or controlling, tell your provider you want in or you're going to up sticks and move (stuck in a contract? tell them you will hold them responsible for the costs of recovering your computers if their router is compromised...).

        Having said that, go to the login screen and set the user name to "admin" and the password to "admin". You'd be surprised|disheartened at how often that works...

        PS: My Livebox seems to screw itself up and need a complete factory-reset about once every six months. Not hard to do, but... come on... who the hell are you with that won't tell you your account login details either?

    2. Anonymous Coward
      Flame

      WPA2...

      Is not possible if you own a Nintendo DS or one of its current variants :(

  2. Anonymous Coward
    Stop

    Wow!

    Security researcher discovers issue with routers configured to use default usernames/passwords and IP addresses.

    HOLD THE FRONT PAGE!

    1. Anonymous Coward
      Anonymous Coward

      try reading the fscking links next time

      No. Security researcher finds another way to access those piss-poorly secured routers. This isn't Slashdot; you're supposed to read the damn links.

      And just for a change the answer is not 'run NoScript', though it probably will be about 30min after he spills the beans.

  3. DI_Wyman
    Coat

    Change password...?

    Guess it's not a good idea to use 'admin' & 'password' as the log in credentials to my router then?

    1. Anonymous Coward
      Joke

      Sigh...

      ..only an idiot would use them, you need to make it alpha-numeric.

      Try Password1 or Password01 for extra security.

  4. Anonymous Coward
    Anonymous Coward

    What list?

    Er, can't see the full list. Pointer, anyone, please?

    1. NJS
      Welcome

      Full list is available here

      http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

    2. Dan Howarth

      Re: Can't find the link

      http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

  5. An ominous cow heard
    Paris Hilton

    Didn't I read this last week?

    And I could have sworn it was here. But search (here or at Google News) doesn't find it.

    Anybody want next weekend's lottery numbers? Drop me a note on Monday and I'll let you know.

    Where's the "confused" icon. Oh, I know...

  6. Anonymous Coward
    Anonymous Coward

    amusing

    interestingly enough, my little Piece-O-Shit™ $16 Trendnet isn't listed as vulnerable

    Anon so the router bogeyman can't find me. [dons tinfoil headwear, just to be sure]

  7. Anonymous Coward
    Anonymous Coward

    Just checked a WRT54GL

    Put the WAN IP address into the browser - it took me to the router admin page. This seems a bad idea, as the external IP address is known to websites you visit (hopefully the internal address is harder to get).

    My temp solution is to use port forwarding to send port 80 to an unused IP address on my network.

    1. jubtastic1
      Big Brother

      Don't Panic Mr Mannering

      A lot of routers will send the admin page if a device behind it requests the WAN IP, test from outside your network (from your 3G phone for example).

      But if you're still getting the admin page from outside then you need to log in and turn that shit off pronto. Also have to wonder what you're getting out of this site besides the fear.

      1. Anonymous Coward
        FAIL

        re: Don't Panic Mr Mannering

        No panic - but it is a bad idea for the router to respond to the WAN address from the LAN with the same response, as that means the attacker can easily work out where your router's admin configuration page is. You have, of course, moved your router off the default 192.168.0.1/192.168.1.1, haven't you?

    2. heyrick Silver badge

      @ AC

      That's normal. I have a DynDNS account on which I sometimes run a local server. It would be nice to log into my server from my own machine by sort-of bouncing the request off the internet - helps me check I've opened up the router firewall correctly.

      But every time I try, I get the router's login page. It only works if I use an external intermediate, such as http://freeproxyserver.net/

  8. Anonymous Coward
    Anonymous Coward

    To see the list look at the embedded spreadsheet here:

    http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

  9. mfraz

    Here is the list

    http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

    Or this link might take you straight to it

    https://spreadsheets.google.com/pub?key=0Aupu_01ythaUdGZINXQ5Vi16X3hXb3VPYkszNXM0YXc&hl=en

  10. Highlander

    Of course you could always block incoming from 192.168.*.*

    You could always implement a firewall rule to perform IP filtering on anything coming from the WAN side to block any addresses from the local LAN. After all, nothing from the WAN should be using the standard class C reserved addresses 192.168.0.0 - 192.168.255.255. Just block all of those addresses from inbound WAN traffic.

    1. prathlev
      Thumb Down

      @Highlander

      But the malicious traffic actually comes from your own PC, not from the Internet. The filtering you suggest, while theoretically a good idea, is of no use here.

      Anyway, the "special use" IP addresses (RFC 5735) are not likely to hit your front door, since sane ISPs are unlikely to accept these in the DFZ.

      1. Highlander

        Thank you, next time I will actually read before commenting...

        I had not read sufficiently to realize that the attack was browser and not router based.

    2. TJK
      FAIL

      /16 is not /24

      "After all, nothing from the WAN should be using the standard class C reserved addresses 192.168.0.0 - 192.168.255.255"

      That would be a Class B, not a Class C.

      /pedant

      1. Anonymous Coward
        Anonymous Coward

        /16 != Class B

        So there.

        /Bigger Pedant

        1. TJK

          How so?

          Standard CIDR notation: a /16 network has a subnet mask of 255.255.0.0, which is a Class B network.

          Or are you referring to the original designation of Class address spaces whereby everything above 192.0.0.0 is a Class C? (up until multicast)

          1. prathlev
            Happy

            @TJK

            No, a /16 network isn't always a Class B network. The Class B networks start with binary "10", and cover the range from 128.0.0.0 to 191.255.255.255. In classful addressing their natural netmask is 255.255.0.0, i.e. /16 in CIDR notation.

            The network 170.56.77.0/24 (CIDR-notation) is a /24 subnet of the Class B network 170.56.0.0. And 192.168.0.0/16 (CIDR-notation) is a supernet of the Class C networks 192.168.0.0 through 192.168.255.0.

            Everyone please forget everything about classful addressing.

      2. Highlander

        Yes, thank you, I know, but you can't edit after posting.

        letters

  11. Anonymous Coward
    Boffin

    My router's on that list

    but then I'm not stupid and won't be lured to some dodgy website (probably Chinese) hosting this malicious code. Plus I changed the default username/password to something a lot more secure as soon as I got my router.

    It's only stupid, gullible people (the type that readily click on adverts) who will fall for this, and frankly they deserve to be hacked.

    Anonymous for obvious reasons

    1. Chris Miller
      Boffin

      The trouble is

      That if one of your regular, trusted web sites contains its own security holes, the bad guys could inject the attack code there and then use that to subvert your router. The days have gone when all you needed to do was to stay away from porn, hacking and Russian-hosted web sites.

    2. noodle heimer

      you *are* joking, one hopes

      A small script can easily be tucked away on a legit website. Local government websites are good target environments for trying to inject malware. An ad with a malicious payload embedded was successfully put into the NYTimes queue not long ago.

      The attack runs a trusted script on your PC, so you needn't click on anything to be popped.

      As for the unlisted Trendnet.... Untested too, but I have a suspicion that AC here would be happy to buy it as a hardened router. You can include the spreadsheet as evidence.

    3. BristolBachelor Gold badge
      FAIL

      I'm safe; I don't use the internet

      So you missed all the news about most of the malicious content on the net NOT being on pron sites? It seems that you stand a better chance of catching users by putting your malware on "normal" sites like BBC, CBS, etc., a lot of which are vulnerable to having extra content added because of the way they work.

      So no, you are not likely to suffer if you do not use the internet...

  12. Mike Flex

    Re: Just checked a WRT54GL

    Well login then and turn off admin access from the WAN side.

    1. Anonymous Coward
      Anonymous Coward

      re: Well login then and turn off admin access from the WAN side.

      it is not the admin access from the WAN side - which is port 8080 and is off.

      It's accessing the web admin on port 80 using the router's WAN IP address instead of the router's LAN address. It is trivial to get the WAN IP address and use it in an attack script created server side; it is harder to get the local router's LAN address, therefore a more complex script that requires something like JAVA.

  13. Anonymous Coward
    Anonymous Coward

    "if one of your regular, trusted web sites ... gets compromised"

    It doesn't even have to be one of your regular trusted web sites that gets hacked itself; if one of them uses an external ad server (or something functionally equivalent), and that gets compromised, that's sufficient.

    Unlikely? Maybe, maybe not. It has already happened here once at The Register, though right now I can't find a link... might not have been an external adserver, might have been an internal load balancer, same basic principle applies.

    And then there was the perfectly respectable TV aerial repair outfit I needed to call one New Year following some windy weather. Their website had been got at over the holiday.

    Anybody thinking these kind of problems are restricted to dodgy websites and that they don't use them therefore they're safe needs to reconsider.

  14. Nexox Enigma

    Hehehe

    ...and people said I was crazy spending all that time (just a couple hours really) building myself a pair of openbsd routers...

    Let's see the browser-based openssh / vlan hopping attacks...

  15. Anonymous Coward
    FAIL

    Why bother if you're on Virgin!

    That shitty DLINK router Virgin are sending out...

    Default login admin, default password blank!

    DNS/DHCP on by default!

    Wireless encryption and MAC filter both off!

    So as soon as Joe Public plugs it in, instant free wireless hotspot!

    1. copsewood
      Alert

      Virgin DLINK routers

      When they sent me one after I complained about something else and they upgraded my line speed, I continued using my existing router. I configured the DLINK one as a separate wireless access point with WPA2 and very strong passwords. The user manual comes on a CD. Easy enough to read it and set it up as required, but not much use for ungeeks who don't read manuals. Those who just plug it in and expect a secure default configuration probably get what's coming to them, though the defaults could be improved by printing strong passwords on labels stuck to the machine (different for each router), configuring WPA2 by default and turning off UPnP.

      The reason they don't is probably that sending them out secure increases the support desk traffic, and it probably costs a few pence more to have different passwords on every one they send out.

    2. Anonymous Coward
      Thumb Up

      Has its uses

      And instant free plausible deniability when hit with a 'copyright infringement detected at your IP' notice. Awesome!

  16. Barracoder

    What's up MAC?

    So I suppose if I only permit specific MAC addresses on my router I should be ok, right?

    1. Ross 7

      No

      No, that would secure you against the attack, but it would have the same effect as unplugging your PC from the router, which again would secure you from the attack but have rather noticeable side effects.

      The attack on the router comes from *YOUR* PC (your browser, to be specific). If you block your MAC, bye-bye internet. There are a number of possible hardening solutions you can use, e.g. force your browser to use a non-existent proxy when accessing your router's IP, set a decent user/pass combo on the router, change the router's IP from its usual 192.168.0.1 / 192.168.1.1 to make it harder to find, etc.

      Personally I would go with more than one.

    2. Maverick
      Thumb Down


      erm, because MAC filtering is as robust as chocolate fireguard mate

      try Google to learn this :)
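The "non-existent proxy" idea from the reply above can be done with a proxy auto-config (PAC) file, since a PAC is just a JavaScript function the browser calls for every request. The script below is an added example written for this page, not code from the article, from Heffner's tool or from any commenter. It sends any request aimed at an RFC 1918 address, the loopback and link-local ranges, or your own public address (MY_WAN_IP, an assumed placeholder you would have to keep current on a dynamic-IP line) to a proxy on which nothing listens, so a script loaded in this browser profile cannot reach the router's admin page by either its LAN or its WAN address. Keep a second browser profile without the PAC for administering the router. isPlainHostName and dnsResolve are the standard PAC built-ins; the code only calls them when the PAC engine provides them, so the same file also runs under Node for the checks at the bottom.

```javascript
// Added example PAC file, not from the original page.
// Requests to "local" targets go to a proxy that does not exist, so they fail.
var BLACKHOLE = "PROXY 127.0.0.1:1";   // nothing listens on this port
var MY_WAN_IP = "203.0.113.7";         // ASSUMPTION: your current public address (TEST-NET-3 here)

var LOCAL_RANGES = [
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   // RFC 1918
  "127.0.0.0/8",                                      // loopback
  "169.254.0.0/16"                                    // link-local
];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number; null if not a literal.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the address (as a number) lies inside the CIDR block.
function inCidr(ipInt, cidr) {
  var parts = cidr.split("/");
  var base = ipv4ToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((base & mask) >>> 0);
}

// True for a literal address we never want the browser to talk to directly.
function isLocalTarget(ip) {
  var n = ipv4ToInt(ip);
  if (n === null) return false;
  if (ip === MY_WAN_IP) return true;
  for (var i = 0; i < LOCAL_RANGES.length; i++) {
    if (inCidr(n, LOCAL_RANGES[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // A literal IP in the URL: the case a script uses once it knows your WAN address.
  if (isLocalTarget(host)) return BLACKHOLE;
  // Bare names such as "router" or "homeportal" never leave the LAN.
  if (typeof isPlainHostName === "function" && isPlainHostName(host)) return BLACKHOLE;
  // A real hostname: let the PAC engine resolve it and judge the address.
  if (typeof dnsResolve === "function") {
    var resolved = dnsResolve(host);
    if (resolved && isLocalTarget(resolved)) return BLACKHOLE;
  }
  return "DIRECT";
}
```

Two caveats a practitioner should keep in mind. The literal-IP branch is the reliable part; the dnsResolve branch is best effort, because the PAC engine does its own lookup and a name with a very short TTL can resolve to the attacker's server when the PAC checks it and to your WAN address when the browser connects. And the PAC is evaluated for every request, so a proxy setting the user can switch off (or a malicious page that finds a second browser) is still not a substitute for the router refusing to serve its admin page on the WAN address from inside.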

  17. Stevie

    Bah!

    "This code uses a "Jedi-mind trick" to circumvent the same-origin policy, thereby allowing JavaScript-based malware to penetrate private home networks supported by vulnerable hardware."

    Ban XSS-facilitating, trojan-enabling, router-killing, machine-slowing JavaScript now!

  18. Matthew Collier
    Thumb Down

    NoScript not a defence??

    RE: "Potential fixes implemented in the free DNS replacement OpenDNS and the Firefox NoScript plug-in won't prevent his exploit, Heffner adds."

    I don't see how a vuln that relies on some JavaScript being run to execute the exploit will work when NoScript doesn't allow the script to be run in the first place? (Obviously, if it's injected into a "trusted" page, you're out of luck.)

    1. Charles 9

      That's exactly the problem.

      The malware adopts YOUR OWN IP ADDRESS as its own. This tricks the browser into believing it's actually running locally on your own machine. Trying to block a script coming from your own IP address is akin to trying to ban code coming from localhost (127.0.0.1); try it and things are going to break. That's probably also why NoScript and most techniques don't work; it's basically making it so you can't trust YOURSELF anymore.

  19. Charles 9

    NoScript quick to react.

    If what I said is true and the exploit works by adopting your remote IP as its own, then NoScript's latest update (and its landmark 2.0 release) now has safeguards against that exploit.
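The mechanism the last few comments are circling (a script that "adopts your own IP address", the "Jedi-mind trick" around the same-origin policy, and comment 7's observation that the router serves its admin page on its WAN address from inside the LAN) is DNS rebinding. The attacker's DNS first answers with the attacker's server, so the browser loads the script from there; the answer then changes to the victim's public address, and because the same-origin policy compares hostnames rather than addresses, the script's next request to the same name lands on the router. The simulation below is an added example written for this page, not Heffner's proof-of-concept and not code from any commenter. Every host, address and page body is constructed; the "network" is a lookup table and the "browsers" are a few lines each. It also shows why the WAN-side filter suggested in comment 10 does not help: the request to the router comes from the LAN.

```javascript
// Added example (not from the original page): a DNS rebinding simulation.
// All addresses are documentation ranges, the router page is a string.
const ROUTER_LAN_IP = "192.168.1.1";   // constructed
const ROUTER_WAN_IP = "203.0.113.7";   // constructed (victim's public address)
const ATTACKER_IP   = "198.51.100.9";  // constructed (attacker's web server)
const ATTACKER_HOST = "evil.example";  // constructed (attacker's domain)

// What each address returns to an HTTP request made from inside the LAN.
// The flaw: the router answers its admin page on the WAN address too.
const network = {
  [ATTACKER_IP]:   () => "<script>/* rebinding payload */</script>",
  [ROUTER_LAN_IP]: () => "router admin page",
  [ROUTER_WAN_IP]: () => "router admin page",
};

// Attacker-controlled authoritative DNS for evil.example: the first answer is
// the attacker's server, every later one (after a very short TTL) is the
// victim's public address, learned from the victim's first HTTP request.
function makeAttackerDns() {
  let lookups = 0;
  return (host) => {
    if (host !== ATTACKER_HOST) throw new Error("NXDOMAIN " + host);
    lookups += 1;
    return lookups === 1 ? ATTACKER_IP : ROUTER_WAN_IP;
  };
}

// The same-origin policy as a vulnerable browser applies it: a script may
// talk to any host whose NAME matches its origin, and each request resolves
// the name afresh.
function vulnerableBrowser(resolve) {
  const origin = ATTACKER_HOST;
  const page = network[resolve(origin)]();          // payload, served from ATTACKER_IP
  const xhr = (host) => {
    if (host !== origin) throw new Error("blocked by same-origin policy");
    return network[resolve(host)]();                 // second lookup: ROUTER_WAN_IP
  };
  return { page, xhr };
}

// Hardened browser: pin the origin to the address the page was loaded from
// (DNS pinning) and refuse a later answer that moves the name elsewhere.
function pinnedBrowser(resolve) {
  const origin = ATTACKER_HOST;
  const pinnedIp = resolve(origin);
  const page = network[pinnedIp]();
  const xhr = (host) => {
    if (host !== origin) throw new Error("blocked by same-origin policy");
    const ip = resolve(host);
    if (ip !== pinnedIp) {
      throw new Error(`DNS rebinding detected: ${host} moved ${pinnedIp} -> ${ip}`);
    }
    return network[ip]();
  };
  return { page, xhr };
}

// Run the payload's request against a browser and report what it got back.
function runAttack(makeBrowser) {
  const browser = makeBrowser(makeAttackerDns());
  try {
    return { ok: true, body: browser.xhr(ATTACKER_HOST) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log("vulnerable:", runAttack(vulnerableBrowser));
console.log("pinned:    ", runAttack(pinnedBrowser));
```

Note what is and is not involved: the script never names 192.168.1.1, so changing the router's LAN address does not help against this variant, and the only request that reaches the router is the one from the victim's own browser to the router's WAN address, which no inbound-WAN filter sees. The fixes that actually close it are a router that does not serve its admin page on the WAN address to LAN clients, a browser (or add-on, as the NoScript comment says) that pins the address a name first resolved to, and a router password that is not the default, since the rebound request still has to authenticate.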
