lesopp
join:2001-06-27
Land O Lakes, FL
1 edit | So What
Disable outside management, or turn off the http server on the router, or limit outside management access to SSH, or lock it down to a combination of the previously mentioned items and only permit access from specific IP addresses. |
|
booticon
join:2007-07-31
East Lyme, CT | Or just change your router password to something other than the default. |
|
Krispy
Premium,VIP
join:2001-12-11
the stix
| reply to lesopp
The 'so what' is the fact that many people don't lock down or change defaults as we've all been ranting and raving about for years so a remote web based exploit has potential to impact lots of people and networks.
--
you can lead a horse to the water but you cannot make him drink...you can put a man through school but you cannot make him think --ben harper
|
|
gaforces
United We Stand, Divided We Fall
join:2002-04-07
Santa Cruz, CA
| Change your router password!
I read about this a couple months ago in the security forum.
One of the members had a proof of concept linked there.
This only affects routers with the default password.
--
There is no greater sign of a general decay of virtue in a nation, than a want of zeal in its inhabitants for the good of their country. ~ Joseph Addison |
|
TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
 ·Sprint Mobile Broa..
 ·Comcast
|  Not at risk if you changed default password on router
There is some risk for all those people who neglected to change their password from the default when installing their router at home.
But for anyone who had the brains to change their passwords, this is a a non-event.
--
My BLOG .. .. Internet News .. .. My Web Page |
|
evilghost
Premium
join:2003-11-22
Springville, AL
 ·Windstream
1 edit | reply to lesopp
Re: So What
This attack uses CSRF to own the router... It's not about the outside getting in, it's about CSRF being used to repoint DNS to hostile servers so MITM attacks or DNS redirection (for phishing; likely) can be easily created.
In theory one could also load Linux powered firmware that would attack nearby APs using brute-force password guessing techniques after association to them as a client; of course this becomes less trivial if the AP is running WPA/WPA2. That would be more "wormlike".
Essentially, own a device with CSRF and use it to own nearby APs. |
|
Dogfather
Premium
join:2007-12-26
Laguna Hills, CA | reply to lesopp
You're talking about the same people who refuse to run antivirusware, patch their systems and open every email attachment that says some hot Russian teen wants anal from them. |
|
evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream
1 edit | reply to TKJunkMail
Re: Not at risk if you changed default password on router
said by TKJunkMail  :There is some risk for all those people who neglected to change their password from the default when installing their router at home. But for anyone who had the brains to change their passwords, this is a a non-event. Routers vulnerable to CSRF are still exploitable IF the user has a trusted session with the configuration page and accesses a hostile site.
How many routers are using session versus cookies for verifying successful authentication? |
|
Karl Bode
News Guy
join:2000-03-02
Host:
Road Runner
PC gaming GAMES
PC gaming Tech
| reply to Dogfather
Re: So What
Not always.
My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password...
This hack I assume will educate those users,. |
|
Dogfather
Premium
join:2007-12-26
Laguna Hills, CA | Then wouldn't up to date AV defs detect this hostile javascript? |
|
joker5656
join:2006-06-23
Dallas, GA
·Charter Pipeline
| it would for a short time. but your antivirus is only as good as the programmer. Hackers will find ways around one thing then another after the other has been fixed. its a love/hate relationship your AV Company plays with Hackers and vise versa. |
|
Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
 ·AT&T U-Verse
| reply to gaforces
Re: Change your router password!
Or how about those with no password at all? The 2-Wire
3800HGV-B, which comes with all AT&T U-Verse installations
as the RG (Residential Gateway) has no password securing
settings at all by default. It is up to the user to go
into the configuration and change that, but I'll bet many
people don't even bother.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ | A lot of assumptions
Wouldn't the attacker also need to know about your internal network addressing? Not only do they need to know the logon/password for your router but also the IP address. |
|
Corydon
Cultivant son jardin
Premium
join:2008-02-18
Denver, CO
clubs:
·Comcast
| reply to Karl Bode
Re: So What
said by Karl Bode :My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password... In my family, I generally end up being the one who does things like setting up new routers. A lot of people who are comfortable with the "basics" of computer security mentioned above are really a bit uncomfortable with setting up something like a router. After all, there are a number of layers of security in a router, especially a wireless router, that must be configured. Setting up WPA-PSK (with a strong passphrase), MAC address filtering, etc. on both the router and the computers in the home is generally something that's still a bit beyond the average user.
And I'm just going off the top of my head so I could be wrong, but doesn't most firmware from the major companies prompt you to change the admin user ID and password as part of the setup process now?
On the other hand, I still see unsecured wireless routers in my neighborhood that are broadcasting "NETGEAR" as their SSID, so I'd imagine that their password is still blank too. |
|
yolarry
join:2007-12-29
Creston, WV | reply to Doctor Four
Re: Change your router password!
Update them? |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs: | reply to Doctor Four
The most recent firmware upgrade that AT&T is pushing out forces the password on and will not let the user disable it. |
|
Heterman
Premium
join:2004-02-28
Fayetteville, AR | More to it?
It seems to me Mr. Kaminsky is referring to something larger, as in the DNS itself. Having an unsecure router seems to only scratch the surface of the way this exploit can be used. |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs: | reply to jjoshua
Re: A lot of assumptions
If you are using your router as a DHCP server, this becomes very easy. |
|
MySpareBrain
join:2000-06-12
Pearland, TX
·Comcast
·AT&T U-Verse
 ·Vonage
·AT&T Yahoo
| reply to evilghost
Re: Not at risk if you changed default password on router
said by evilghost
Routers vulnerable to CSRF are still exploitable IF the user has a trusted session with the configuration page and accesses a hostile site.
How many routers are using session versus cookies for verifying successful authentication?
[/BQUOTE :Don't most routers automatically time out the session after a period of time? If I'm in my router, and I stay on the same page for a couple minutes, when I change pages I have to login again. |
|
MySpareBrain
join:2000-06-12
Pearland, TX
·Comcast
·AT&T U-Verse
·Vonage
·AT&T Yahoo
| reply to TKJunkMail
said by TKJunkMail :There is some risk for all those people who neglected to change their password from the default when installing their router at home. But for anyone who had the brains to change their passwords, this is a a non-event. Yeah but then there are those who change the password then forget what they set it to. Or, they have their friend or kid do it for them and they don't remember what it was set to either. |
|
