New Attack Targets "Millions" of Home Routers
Stop whatever it is you're doing and visit your router manufacturer's website. Once there, drill down to the firmware section and bookmark that page, and then get in the habit of checking it regularly. The reason? Millions of routers are about to become extinct (sort of).
At this year's Black Hat security conference in Las Vegas, one of the items on the agenda is "How to Hack Millions of Routers," an alarming keynote in which Craig Heffner, a researcher with security firm Seismic, plans to release a software tool he says is capable of cracking half of all routers in existence.
This isn't a new technique, but an altered version of "DNS rebinding," something that has been talked about for more than a decade.
"There have been plenty of patches over the years, but this still hasn't really been fixed," Heffner says.
In short, the hack exploits part of the Domain Name System (DNS) so that when an unsuspecting visitor surfs to a compromised site, their browser ends up hijacked, giving the attacker access to their router settings. Browser makers have already patched earlier versions of this attack, but according to Heffner, it's all for naught.
"The way that [those patches] are circumvented is actually fairly well known," Heffner explains. "It just hasn't been put together like this before."
More info here, including a small sample of routers Heffner has demonstrated this attack on.
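To show what the defensive side of this looks like, here is an added example (not code from the article, from Heffner's tool, or from any router vendor) of the two checks that break a rebinding chain: a resolver-side filter that refuses answers mapping a public name to a private address (the behaviour dnsmasq offers as `--stop-dns-rebind`), and a router admin UI that only honours requests whose Host header names the router itself. The router names, local suffixes and sample answers are constructed assumptions.

```python
import ipaddress

# Constructed example. In a rebinding attack the browser keeps talking to the
# attacker's hostname, but the name is re-resolved to the router's LAN address.
# Either of the checks below stops that: the resolver never hands the browser
# a private address for a public name, and the router refuses requests whose
# Host header is not one of its own names.

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]

def is_private(addr: str) -> bool:
    """True if addr falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)   # mixed versions just compare False

def filter_rebinding(name: str, answers: list[str],
                     local_suffixes=(".lan", ".local")) -> list[str]:
    """Resolver-side rebind protection: drop answers that point a public name
    into private address space. Names under the LAN's own suffixes are allowed
    to resolve to private addresses, since that is what they are for."""
    if name.lower().rstrip(".").endswith(local_suffixes):
        return answers
    return [a for a in answers if not is_private(a)]

def admin_ui_accepts(host_header: str,
                     router_names=("192.168.1.1", "router.lan")) -> bool:
    """Admin-UI-side check: a request that reached the router through a
    rebound attacker hostname still carries that hostname in Host, so only
    requests whose Host is one of the router's own names are served."""
    host = host_header.split(":", 1)[0].strip().lower()   # strip any :port
    return host in router_names

if __name__ == "__main__":
    # A public name answering with a LAN address is the rebinding signature.
    print(filter_rebinding("www.example.com", ["203.0.113.5", "192.168.1.1"]))
    print(admin_ui_accepts("www.example.com"), admin_ui_accepts("router.lan:80"))
```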
TheZomb
July 21, 2010 at 10:58am
So what if you change the password on your router's config page from admin, admin. I really don't see how this will affect anyone that isn't already in danger of someone driving up to their house and changing their router's firmware from a laptop.
jgrimoldy
July 21, 2010 at 9:43am
Sooo, what next?
What is the hacker going to do? Set up port forwarding? Change the router's DNS settings? Is there something that a hacker can do to the router that won't be obvious when you check the config? I'd imagine that most readers of MPC know how to check their config and they'd notice port forwarding that they didn't set up. They'd also notice a change in their DNS. They'd certainly notice if their admin credentials stopped working...
So, what is it? Can the hacker do something to the router that you wouldn't notice when checking the config?
Can cascading routers (router into router) on a home network thwart this?
aviaggio
July 21, 2010 at 10:04am
How long after seeing unusual behavior before you suspected the router? I'm thinking it would be pretty far down the list because most people, even MaxPC readers, are unaware they can be hacked. Your system could be compromised for weeks, perhaps even months, before you even realize there is a problem.
Biceps
July 21, 2010 at 9:27am
So, can anyone tell me which routers are immune to this type of attack? That would most likely be the most useful information here.... so that instead of constantly updating the firmware in my outdated router, I can just go buy one for which it isn't an issue. Anyone?
fusa
July 21, 2010 at 11:02am
As long as you change the router's login and password from the default to one that isn't easy to guess, all routers are immune. The attack first has to compromise your browser, then try to gain access to the router through the browser.
aviaggio
July 21, 2010 at 10:00am
The chart in the article shows not all routers are susceptible, including all of the D-Links he tested.
huhhuh
July 21, 2010 at 7:11am
I had my first major problem with my now 6-month-old DIR-825.
I tried to get to a few different .com websites from my Mac, including Facebook and Flickr, but none were available; all were redirected to the default DNS page set by my router, something like "dlink search".
It persisted for a few hours, until I rebooted it.
Featherhead
July 21, 2010 at 6:48am
Is this effective against routers running DD-WRT? Or Tomato or other for that matter? It didn't sound like he had tested it.
fusa
July 21, 2010 at 7:30am
DD-WRT is on the list of tested firmwares and the hijack was successful, same for OpenWRT. Tomato wasn't listed.
Although after reading DD-WRT's forums, their current version isn't vulnerable, unless you use the default login and password. That is required to be changed anyway.