*sigh* Sometimes I hate computers...
July 16, 2010 10:53 AM   Subscribe

"Millions" Of Home Routers Vulnerable to a Web Hack At the upcoming Black Hat Conference, to be held on July 29th in Las Vegas this year, a security researcher and ethical hacker named Craig Heffner will reveal a software tool to exploit a large-scale vulnerability in most home routers that will give users outside of the network access to the device.

The attack is a type of DNS Rebinding, and would allow a hacker to monitor and control internet traffic that goes through a compromised router. This is an issue, as many home users rarely interact with a router to change its default password or update its firmware. Could this be an increasingly large issue at the consumer level as more external devices move online?
posted by codacorolla (40 comments total) 9 users marked this as a favorite

 
This is what I hate about Friday nights...
posted by randomkeystrike at 10:58 AM on July 16, 2010


The good news for a lot of geeky people like myself is that the second this info is dropped, someone will be adding code to DD-WRT, OpenWRT, Tomato, etc. to fix the exploit way, way faster than the corporations that manufactured the routers will get around to releasing patched firmware.
posted by caution live frogs at 11:10 AM on July 16, 2010 [3 favorites]


Woot - I use Netgear! It doesn't seem to be on the list.
posted by symbioid at 11:11 AM on July 16, 2010


Trendnet FTW. But I'll be forwarding to my Linksys-using family. Thanks!
posted by longdaysjourney at 11:17 AM on July 16, 2010


Looks like I'm going to be putting DDWRT on my WRT54GL sometime toni

+++
ATH0
NO CARRIER
posted by deezil at 11:22 AM on July 16, 2010 [3 favorites]


This is an issue, as many home users rarely interact with a router to change its default password or update its firmware.

Woohoo! Being a network guy finally pays off.
posted by splice at 11:24 AM on July 16, 2010


Seems like part of the issue is that router manufacturers are allowing their systems to be configured with a default password permanently. If they simply change this to only allow default passwords through the initial setup, and then force folks to change them before activating the damn thing, many of these attacks would go away. It isn't like these routers are dumb plug n play anyway, you always have to configure something on them.
posted by jenkinsEar at 11:25 AM on July 16, 2010 [1 favorite]


Is my understanding correct that this attack would also need your router be using the default gateway IP address (ie, x.x.x.1)?
posted by charred husk at 11:26 AM on July 16, 2010


Some routers (mine) come with random default passwords that are written on a sticker on the router itself. Somewhat safer than making every single password "linksys".
posted by GuyZero at 11:28 AM on July 16, 2010 [1 favorite]


I need to upgrade my router anyway [to something that a) works and b) will run openwrt et al]. Maybe now is the time.
posted by DU at 11:35 AM on July 16, 2010


Wait until the Google Streetview dudes gets a hold of this.
posted by Elmore at 11:38 AM on July 16, 2010 [4 favorites]


Is my understanding correct that this attack would also need your router be using the default gateway IP address.

I'm getting the same vibe from the article. It basically uses a site to spoof itself as your default IP, and trick the router into thinking that instructions are coming from you (when they're coming from the site, in reality). Although, if you don't bother (or don't know) to change the password, I don't see you digging any deeper into the hardware.

I think this is one of those things where people who know and care won't be affected, but it will be one more mysterious catastrophe for people who don't, and are suddenly infected with malware.
posted by codacorolla at 11:39 AM on July 16, 2010 [1 favorite]


So if every router ships with a password of "router" and your particular router's password is "router," then your router's not secure.

Hello.

My thinking is basically 3 passwords: 1: easy-to-remember for general web logins (forums, metafilter, etc.) 2: easy-to-remember, but too weird for typical brute-force attacks for secure, sensitive stuff, like banking sites and bill paying 3: super-hard bizzaro random combination of lowercase, uppercase and numbers for hardware.

That way, if someone ends up with any one of the first two via some sort of web security breach, they still won't get hardware access. That STARTS with the router.
posted by Devils Rancher at 11:47 AM on July 16, 2010


Why is it so difficult for the manufacturers to have a "You must specify a new password" in their setup process? It would save a world of hurt.
posted by CheeseDigestsAll at 11:58 AM on July 16, 2010


Cheese: I don't know. They should. I guess because if the user gets a virus they blame themselves, and if a user has to go through hoops they don't understand to use their internet they blame the manufacturer, so it becomes an equation of "piss the user off the least while still offering as much security as possible". Most users aren't setting up their own networking gear anyway... it's probably whoever installs their cable. The cable guy might be a tech savvy person who cares about his customer's well being, he might be required by the ISP to get a unique password, or neither may be the case and he might be trying to get back to his truck ASAP.
posted by codacorolla at 12:10 PM on July 16, 2010 [1 favorite]


Attn: Nerds of the world

People don't care about this stuff, and even if they did, they'd not remember yet another password.

Best,
IT Security Professional
posted by Threeway Handshake at 12:12 PM on July 16, 2010 [2 favorites]


I think this is the gist of it:

Lots of people leave their wireless router's configuration logon at it's factory default, and that's normally not a problem because that page is only presented to users on the home side the router, instead of the far (internet) side of the router.

This attack, by a machine on the internet side of the router, hijacks a machine on the home side (to some degree). Then the home-side machine reaches out to the router make nefarious changes to the router, on the orders of the machine that is out on the internet side.

This is consistent with Hefner's assertion that "the trick isn't how to exploit the router. It's how to get access to it."

So all it really does is let a machine out on the internet try to use the router configuration page as if the machine was really sitting on the "home" side of the router.

If that's the case, then it's trivial to thwart: use anything but the default password. That's it.
posted by NortonDC at 12:43 PM on July 16, 2010


NortonDC: True. The problem is that a lot of people don't, and in doing so, are giving free rein to the resources of their computers. Read that as: opening up new frontiers for botnets. This is where computer insecurity in the individual starts to affect computer security in the larger ecosystem.

Further complicating this is that router security isn't something that even people who think of themselves as "computer savvy" (which is to say, people my age who have grown up with computers and don't feel intimidated by them) might think of. That's a whole lot of new systems that are suddenly vulnerable.

That's my take on it at anyway.

As one of the "nerds of the world" I'm not surprised that the average person don't "care about this stuff" (it takes a certain love for computers to actually do that), but it's at a certain point it begins to become my problem.
posted by codacorolla at 12:50 PM on July 16, 2010


Why is it so difficult for the manufacturers to have a "You must specify a new password" in their setup process? It would save a world of hurt.

No, it would exchange one world of hurt for another, as users forgot their password and called tech support.
posted by me & my monkey at 1:33 PM on July 16, 2010


The solution to the horror of having users change their passwords from default upon setup and losing the Starbucks receipt on which they have written this valuable information is to have, when powered on, one of those 16x2 character displays show the administrative password on the underside of the router. Maybe with some buttons so you could scroll through various passwords.

Seriously, if you can reset everything to default with physical access via jamming a straightened paperclip into some hole, why not show the password with physical access? You'd probably have to have something where, once you punch the button to have it displayed, some internal register makes that this has been looked at, similar to chassis intrusion detection, but I think that would be good enough in most cases.
posted by adipocere at 1:48 PM on July 16, 2010 [4 favorites]


My question is that the router is the end of a chain of vulnerability. How can I protect my browser and other software from DNS Rebinding?
posted by KirkJobSluder at 1:59 PM on July 16, 2010


Set you PCs to use explicit public DNS server s that are not your router or set the DNS settings in your router's DHCP config to point at something that's not the router, like Google Public DNS.
posted by GuyZero at 2:40 PM on July 16, 2010 [1 favorite]


Soooo, say I'm running DD-WRT. What do I have to do to fix this on my router once it is identified?
posted by Justinian at 2:42 PM on July 16, 2010


GuyZero: My concern is that the vulnerability is claimed to bypass the protections used by Open DNS, which makes me suspect that Google might also be vulnerable. But I'm not certain we can know until we actually see the vulnerability in question.
posted by KirkJobSluder at 3:06 PM on July 16, 2010


Aha I knew that smashing my Netgear WGR614 into tiny little pieces was the right thing to do. I buried the pieces in the garden and check on them frequently because you can never be too sure.

And now this? I have no regrets.
posted by Sutekh at 3:40 PM on July 16, 2010 [1 favorite]


From the vulnerability testing table:

DD-WRT N/A N/A

So I'm feeling smug, unless that means they didn't test DD-WRT. In which case--what about DD-WRT?
posted by snuffleupagus at 4:53 PM on July 16, 2010


Erp. The table scrollbars were broken on my phone. In a real browser, it indicates DD-WRT was sucessfully exploited. Yikes! Hopefully this gets patched fast.

Can we look for evidence of this through the router's shell?
posted by snuffleupagus at 4:55 PM on July 16, 2010


I thought routers were forcing a password reset now. It seems like the last 2 I've used did that, and I just assumed it was standard. I think you can revert back to the factory standard password by hitting the physical reset button, but generally, I'm surprised this is still a problem. Maybe it's just that there are a lot of older routers out there, or maybe it's just that I was remembering wrong.
posted by willnot at 5:05 PM on July 16, 2010


I'm not sure what you're asking, willnot, but this exploit doesn't care about your password.
posted by snuffleupagus at 5:58 PM on July 16, 2010


That is, if I read the article correctly, it can still cause harm even if it can't access the router configuration, because it can do other things on your LAN through browser side scripting.

But maybe I'm imagining it to be worse than it actually is.

In my thinking, a good precaution for now would be to secure any currently unpassworded network shares available on your LAN.
posted by snuffleupagus at 6:01 PM on July 16, 2010


Hrrm. I've reread this a couple times now, and it's leaving me uncertain. Does the DNS rebind exploit require obtaining access to the router, or does performing the DNS rebind permit access to the router as if on the LAN? Because if it's the latter, it would seem the attacker could then do other things as if on the LAN.

Note also that the article says that (either way) access to the router config is obtained by using either the default password or "other" methods.
posted by snuffleupagus at 6:07 PM on July 16, 2010


I've reread this a couple times now, and it's leaving me uncertain. Does the DNS rebind exploit require obtaining access to the router, or does performing the DNS rebind permit access to the router as if on the LAN? Because if it's the latter, it would seem the attacker could then do other things as if on the LAN.

Note also that the article says that (either way) access to the router config is obtained by using either the default password or "other" methods.


As I understand it, the attack assigns RFC 1918 addresses as secondary PTR records for a malicious HTTP server and sets the TTL for the primary IP to be very short. The victim browses to the malicious server & picks up the malicious script. Then the primary IP times out & a secondary IP (which is actually the target host in the victim private network) takes over, with the result being that the script is executed by the victim's web browser against the local target. Presumably part of the payload is some means of exporting the results to an external logging server.

Craig's just picked the console on the router for his Proof of Concept because it's the one service & host that's guaranteed to be there & highly likely to be vulnerable, but the target could be any host on the private network & in theory could be directed at any service on that host. Strong passwording on your home router is a stop-gap measure that only protects against Craig's PoC; patching the router against the attack is the only way to fully close the hole.
posted by scalefree at 7:45 PM on July 16, 2010 [1 favorite]


That is, if I read the article correctly, it can still cause harm even if it can't access the router configuration, because it can do other things on your LAN through browser side scripting.

Ansolutely. Your browser is turned into a proxy for any traffic the attacker wants to introduce onto your local network. He can scan your network for live IPs & services then target those that respond for further attacks. Router passwords are just a convenient target for Craig's proof of concept code.
posted by scalefree at 7:51 PM on July 16, 2010


There's a class of attacks that involve a web server sending Javascript to the a user's browser. The script executes on the user's browser with the user's permissions and it tries to reach out across the LAN with the user's credentials, instead of the credentials of the server that sent the script.

This is nothing like that. I know that because of Heffner's insistence that NoScript won't stop the attack.

There are going to be a few elements to this attack. One element is the payload, the other is the trick to send the payload to the router, instead of through the router.

The payload is going to be a URL intended for the user's router, specially crafted with the router's default login info and other commands embedded in the URL. DNS Rebinding is the trick that makes the IP address of the user's router the target of the URL.

When the user clicks on the custom-crafted URL (or javascript forces the link to load), the link sends the embedded default login credentials to the user's router, from the user's computer, and the link will send other nefarious commands to the router.

BUT, it's all for naught so long as your router is using anything but the default password!
posted by NortonDC at 8:05 PM on July 16, 2010


NortonDC: If it's just a URL, then DNS rebinding isn't needed, is it? I can send you a page with a link (or even an http refresh or an iframe) to http://192.168.1.1/admin/dobadthings?user=admin&password=password without using DNS rebinding. But I think most routers are at least secure enough to not have exploits triggered by a single GET request.

DNS rebinding is only needed, as far as I can tell, to get around the security restrictions placed on javascript HTTP requests. They're only allowed back to the originating server, which is why DNS rebinding is needed to get them to contact another machine. With DNS rebinding, your payload HTTP request will be accessing a machine with the same name, so it is allowed, but now with a different IP.
posted by whatnotever at 8:54 PM on July 16, 2010


Talk on Chinese Cyber Army Pulled From Black Hat
posted by homunculus at 8:58 PM on July 16, 2010


If NoScript doesn't stop it, then it seems that it can't rely on javascript http requests.

I'm totally ready to find out that I've got it all wrong, but it's hard to see how it can depend on javascript and work even on clients using NoScript.
posted by NortonDC at 9:10 PM on July 16, 2010


From Forbes:

When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address...

Potential fixes implemented in ... the Firefox NoScript plug-in won't prevent his exploit, Heffner adds.

It sounds like a script (and I see no other way for DNS rebinding to be relevant), and it says that potential fixes in NoScript won't prevent it. That doesn't discount the possibility that NoScript setup in whitelist mode, blocking the malicious script altogether, would stop it. Note that DNS rebinding can use any web technology that allows a page to execute code, which includes Java, Flash, and Silverlight, in addition to Javascript. Users don't always use NoScript to block all non-whitelisted scripts/applets/"animations."

DNS rebinding has been known for a while, and various fixes have been put in place for it. It sounds like Craig has found a novel variant of the attack that gets around those fixes, but the basic idea of the attack (which requires some way to execute code in a user's browser) remains the same.
posted by whatnotever at 4:00 AM on July 17, 2010


I saw that quote about the script. What it doesn't say is where the script runs, server or client.
posted by NortonDC at 6:32 AM on July 17, 2010


We'll have to wait & see for the details but I'm confident the concept I described is the mechanism. Assign private IPs as secondary addresses for the malicious server's hostname so when a connection to the primary IP times out the payload gets sent to a target on the private network instead of out onto the Internet where it belongs. It's the router that's being exploited, it thinks that 192.168.1.1 (or some other IP on the private network) belongs to evil.example.com, so when the browser asks it to connect to evil.example.com, it connects to the private address instead of its real IP.
posted by scalefree at 11:23 AM on July 17, 2010


« Older There is very little intrinsic value in Coco Rocha...  |  In 2060, "The Guy Who Worked F... Newer »


This thread has been archived and is closed to new comments