Clicky

'); //]]>

How to Secure Your Router Against a Hack Compromising Many Popular Routers

By  |  18 Comments

2010-07-14_1709

Security expert Craig Heffner from Seismic, a company specializing in security consulting, will be sharing the details of a security flaw that opens up many common household routers to a hack. The revelation will be part of the Black Hat Conference in Las Vegas at the end of the month. Black Hat is a gathering of technologists who are interested in security issues, some from the corporate world and some from the darker side of the issue. Heffner’s talk is entitled How to Hack Millions of Routers.”

According to Forbes, Heffner will release code that can be used to get into popular routers from Linksys, Dell, and Verizon FIOS or DSL. If a user visits a web site with the code, malicious hosts can gain access to information or send a browser to another site.

The way the hack works is extremely technical. If you want all the details check out the Forbes blog post. Simply put, it exploits the way Domain Name Systems (DNS) work. The DNS address is kind of like a web page’s phone number. When you type in Notebooks.com a request is sent to a computer connected to the Internet called a DNS server. It looks up the address Notebooks.com. The DNS server then gives the browser the right Internet Protocol address (IP address) so that it can find the actual computer containing the site’s web pages. An IP address is a series of four numbers ranging from 1 to 255. For example, where I live in NC Google’s IP address is 74.125.47.105. It changes based on your locality.

Each web site can have more than one IP address. The trick is fool the router into giving up its address as if it were the secondary IP address for that site. Then the malicious code hidden in the site can gather access from the router like your login information as if your local network were part of that site. Forbes says this isn’t new, but has been patched repeatedly. However, Heffner has found a new way to exploit the system to gain access to most of the popular consumer routers. One of those that is vulnerable is the popular Linksys WRT54G routers.

You should go to the Forbes site and find out if your router has been tested. Towards the end of the post is a table listing some of the routers tested with for the vulnerability.

2010-07-14_1659

To secure your router do the following:

  1. Change your password to a strong one. You do this by logging into the configuration page of your router, usually something like 192.168.1.1. Get specific instructions from your manufacturer’s website. Here is a site that will generate very strong passwords for you. The length should be set to at least 8 characters and include letters (both upper and lower case), numbers, and maybe even punctuation marks. Do not include words or names.
  2. Go to your router’s support site and get the latest firmware and install it. This is different for each router. Some routers have a link in the router’s configuration page (see below).
  3. Be careful which web sites you visit. Porn and pirated software pages are notorious for including this kind of code.

2010-07-14_1703

“One comfort for users may be that Heffner’s method still requires the attacker to compromise the victim’s router after gaining access to his or her network. But that can be accomplished by using a vulnerability in the device’s software or by simply trying the default login password. Only a tiny fraction of users actually change their router’s login settings, says Heffner. ‘Routers are usually poorly configured and have vulnerabilities,” he says. “So the trick isn’t how to exploit the router. It’s how to get access to it.’” (Andy Greenberg, Forbes)

Some may ask why would Heffner reveal this information? He believes it is the best way to force companies to update their software. As you notice from my router above, D-Link has not updated the firmware in a long time. Fortunately, most D-Link routers are not on the list of vulnerable routers.

The source for this was Dwight Silverman of the Houston Chronicle.

Kevin loves notebooks, tablets, gadgets and photography. He grew up with computers starting out on a Vic 20 and Commodore 64. The first computer he owned himself was an 8086 Compaq Deskpro. His foray into tablet computing began when he bought a Samsung Q1 Ultra. The smartphone market opened up for him with his Palm Treo 600.

18 Comments

  1. Napalm

    July 16, 2010 at 2:41 pm

    People needed to be told this? Seriously? Disable administration to the router via Wi-Fi and if you don't already have a strong password on your router you are just begging for trouble.

  2. Knyte

    July 16, 2010 at 2:49 pm

    Napalm, you and I know that – but our aunties who live far away tend to buy stuff that works out of the box – which is nearly always insecure. The cautionary word still needs to get out to develop awareness.

  3. Lol

    July 16, 2010 at 2:59 pm

    Aaaand… Since this exploits flaws in the default firmware, I assume that it doesn't affect OpenWRT.

  4. Never assume

    July 16, 2010 at 3:15 pm

    If you go to the Forbes blog post, you'll see that OpenWRT _is_ vulnerable.

  5. JP

    July 16, 2010 at 3:22 pm

    I wonder. If I upgrade the software of my linksys WRT54 to tomato, is it still vulnerable?

  6. Drew

    July 16, 2010 at 3:33 pm

    Thanks for the article but I was confused by the scroll bars in the “routers tested” image. I figured blocked javascript was preventing it from scrolling properly & it took a while to realize it was just an image.

    Yes, I'm an idiot for not realizing it was an image earlier BUT it would be best to crop out any perceived UI functionality from images in the future! :-)

  7. Drew

    July 16, 2010 at 3:33 pm

    Thanks for the article but I was confused by the scroll bars in the “routers tested” image. I figured blocked javascript was preventing it from scrolling properly & it took a while to realize it was just an image.

    Yes, I'm an idiot for not realizing it was an image earlier BUT it would be best to crop out any perceived UI functionality from images in the future! :-)

  8. Anon

    July 16, 2010 at 4:13 pm

    most routers are on a standard gateway address – hidden i frames,password managers in the browser and dumb webadmin software on the router (ie just feed it a url string to make changes) can really help get around the stong password authentication.

  9. frantaylor

    July 16, 2010 at 4:51 pm

    Install the RS-232 port hack on your WRT54G, disable ALL remote access to it, and administer it with a null modem cable and a terminal emulator. Pretty hard to hack! Hopefully the web admin stuff will work in lynx.

  10. Whitet

    July 16, 2010 at 5:53 pm

    # Be careful which web sites you visit. Porn and pirated software pages are notorious for including this kind of code.

    But oddly enough, porn sites are not statistically safer than regular web sites! “A study by free anti-virus firm Avast found 99 infected legitimate domains for every infected adult web site.” – http://www.theregister.co.uk/2010/06/30/unsafe_

  11. Foomius Barius

    July 16, 2010 at 10:04 pm

    Hey guys.

    Firstly, I don't see what Wi-fi access to your router has to do with this at all. This affects you if you have any kind of network access to your router, whether it be through copper ethernet or Wi-Fi! Wi-Fi is a local security risk only: someone connecting to your access point wirelessly and hacking your WPA2 key. We are talking here about a remote exploit.

    Secondly, I have a question. Do these hacks rely on the well-known internal address of the router such as 192.168.1.1? That can usually be changed to something else.

    Or do some routers actually accept HTTP connections from inside network to their external IP address (the one obtained from the ISP?) See, that would be a big problem, and something that is a legitimate router issue.

    Other than that, I don't see how router firmware can do anything to protect against this (or, at least, anything that isn't a humungous hack involving deep packet inspection). The problem is a browser vulnerability. The browser is tricked into allowing a script into accessing your router's management. Since accessing your router's management is something that is allowed from your machine, what can the router do about it? The router is password-protected. If you leave it at the default password, or a dumb password, that's that.

    The router would have to distinguish a legitimate-looking request from one that might have been generated by a rogue website. For instance, it might have to monitor DNS responses coming from the Internet port (deep packet inspection) and recognize that an attack is taking place, since a DNS response contains an internal IP.

    But this is not really fixing any security vulnerabiilty in the router; it's compensating for stupid application software inside the network which doesn't itself validate DNS responses for basic sanity. Now, admittedly, one of the jobs of a router IS to protect stupid applications inside the network. That's a basic definition of firewalling.

  12. Foomius Barius

    July 16, 2010 at 10:39 pm

    “Install the RS-232 port hack on your WRT54G”.

    Though this is not complicated, it's sufficiently difficult to be out of the motivational reach of the average user. I've researched this before. I can build hardware, but I'm too lazy to do even this.

    The TTL signals on the board are only 3V, so you have to build a little circuit to boost the voltage. Otherwise it would be just a matter of putting together a cable and running it through the plastic case.

    I did some more digging and found off-the-shelf hardware you can buy which goes directly between +3V and USB, so you can then see the device via a USB emulated serial port.

    The best way may be to order some off-the-shelff circuit which converts the 3 volt signals directly to USB.

  13. Colopure Cleanse Review

    July 22, 2010 at 8:51 am

    Does anybody if DD-WRT is vulnerable? I flashed my router with that awhile back…

  14. Hhhobbit

    August 7, 2010 at 9:59 pm

    Here is the actual list of what the exploit works on:

    http://preview.tinyurl.com/38v2ew8

    Both the DD-WRT and OpenWRT are vulnerable. Some Linux based routers have even worse problems with their defaul firmware – they allow configuration from the WAN side just like it is the LAN side.

    Your aunt Martha is not going to muck around with a hardware hack that makes it possible to only be able to configure the router via a USB connection. Just change the default password (which for a Linksys is NOTHING) to one of your own choosing! But that is just a first step:

    http://www.securemecca.com/public/HomeRouters/

    As for a router distinguishing legitimate requests from bogus ones, I don't see how it can be done – after all it is just a dumb device. All of these commodity routers / firewalls are USUALLY made to be hard and crunchy on the outside but soft and chewy on the inside. This exploit is working on the soft chewy inside, and default passwords and default settings. Most of the mixed DNS IP addresses I see have 192.168.1.3 which is the first DHCP by default with Linksys. Try anje.pt for now (2010-08-07). So change DHCP to start at 200+ and configure all of you machines that can use static IP addresses to use them but pick ones above 20 but below the DHCP range. IOW, just use some plain good old common sense which the router does not have, rummage around and tighten things done. If you have an ActionTec – get something stiffer behind it – its setting enhancers are to open up even more holes for games.

    But start by just changing the password and NOT storing it in the handy dandy password saving mechanism for the browser.

  15. private proxy

    September 18, 2011 at 6:32 pm

    Magnificent web site. Lots of helpful information here. I?m sending it to a few friends ans also sharing in delicious. And obviously, thank you for your sweat!

  16. Router Accessories

    November 1, 2011 at 1:52 am

    I simply couldn’t leave your website prior to suggesting that I extremely enjoyed the usual information an individual provide in your guests? Is going to be back often in order to investigate cross-check new posts

  17. CNC Router

    December 11, 2011 at 6:20 am

    Great paintings! That is the kind of information that are meant to be shared across the web. Disgrace on Google for now not positioning this submit upper! Come on over and seek advice from my site . Thanks =)

  18. linksys wrt54g2

    December 27, 2011 at 9:11 pm

    You really make it seem so easy along with your presentation but I to find this matter to be actually something that I believe I might by no means understand. It sort of feels too complex and very large for me. I am taking a look forward in your next post, I will attempt to get the hold of it!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>