Forums » Browser Hack Allows Router Control » So What

lesopp

join:2001-06-27
Land O Lakes, FL

edit:
April 8th, @10:45AM

So What

Disable outside management, or turn off the http server on the router, or limit outside management access to SSH, or lock it down to a combination of the previously mentioned items and only permit access from specific IP addresses.


booticon

join:2007-07-31
East Lyme, CT
Or just change your router password to something other than the default.


Krispy
Premium,VIP
join:2001-12-11
the stix

reply to lesopp
The 'so what' is the fact that many people don't lock down or change defaults, as we've all been ranting and raving about for years, so a remote web-based exploit has the potential to impact lots of people and networks.
--
you can lead a horse to the water but you cannot make him drink...you can put a man through school but you cannot make him think --ben harper


evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream


edit:
April 8th, @10:48AM

reply to lesopp
This attack uses CSRF to own the router... It's not about the outside getting in, it's about CSRF being used to repoint DNS to hostile servers so MITM attacks or DNS redirection (for phishing; likely) can be easily created.

In theory one could also load Linux-powered firmware that would attack nearby APs using brute-force password guessing techniques after association to them as a client; of course this becomes less trivial if the AP is running WPA/WPA2. That would be more "wormlike".

Essentially, own a device with CSRF and use it to own nearby APs.
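
The server-side check that stops the cross-site request described in the post above, as an added example that is not part of the original thread or any router vendor's firmware. The admin origin, endpoint paths, `csrf_token` field name and sample requests are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

ADMIN_ORIGIN = "http://192.168.1.1"               # assumed router admin origin
SETTINGS_PATHS = {"/apply/dns", "/apply/password"}  # hypothetical endpoints


def same_origin(url):
    """True when the URL's scheme://host[:port] is the admin UI itself."""
    parts = urlsplit(url or "")
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def check_admin_request(method, path, headers, form, session_token):
    """Decide whether one admin-interface request may change settings."""
    if path not in SETTINGS_PATHS:
        return True, "read-only page"
    if method != "POST":
        return False, "settings changes must be POST"
    # The browser sets Origin/Referer itself; a page on another site
    # cannot make them match the router's own origin. Absent: fail closed.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not same_origin(source):
        return False, "request did not come from the admin UI"
    # Per-session token embedded in the router's own forms; a third-party
    # page cannot read it, so it cannot include it in a forged request.
    supplied = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


# Constructed sample requests (documentation addresses, made-up token).
TOKEN = "constructed-session-token"
SAMPLES = [
    ("GET", "/apply/dns", {"Referer": "http://example.test/"}, {"dns1": "203.0.113.53"}),
    ("POST", "/apply/dns", {"Origin": "http://example.test"}, {"dns1": "203.0.113.53"}),
    ("POST", "/apply/dns", {"Origin": ADMIN_ORIGIN}, {"dns1": "192.0.2.53"}),
    ("POST", "/apply/dns", {"Origin": ADMIN_ORIGIN},
     {"dns1": "192.0.2.53", "csrf_token": TOKEN}),
]

if __name__ == "__main__":
    for method, path, headers, form in SAMPLES:
        print(method, headers, check_admin_request(method, path, headers, form, TOKEN))
```
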


Skeedatl
Ah, push it - push it real good
Premium
join:2007-12-26
The Cloud
reply to lesopp
You're talking about the same people who refuse to run antivirusware, patch their systems and open every email attachment that says some hot Russian teen wants anal from them.


Karl Bode
News Guy
join:2000-03-02

Host:
Road Runner
PC gaming GAMES
PC gaming Tech
Not always.

My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password...

This hack, I assume, will educate those users.


Skeedatl
Ah, push it - push it real good
Premium
join:2007-12-26
The Cloud
Then wouldn't up-to-date AV defs detect this hostile JavaScript?

joker5656

join:2006-06-23
Greenville, SC
·Charter Pipeline

It would for a short time, but your antivirus is only as good as the programmer. Hackers will find ways around one thing, then another after the other has been fixed. It's a love/hate relationship your AV company plays with hackers, and vice versa.

Corydon
Cultivant son jardin
Premium
join:2008-02-18
Denver, CO
clubs:
·Comcast

reply to Karl Bode
said by Karl Bode:

My mother for instance will patch systems, update anti-virus and anti-spyware, avoid opening attachments etc....but probably would never think to change her default WRTG54S password...
In my family, I generally end up being the one who does things like setting up new routers. A lot of people who are comfortable with the "basics" of computer security mentioned above are really a bit uncomfortable with setting up something like a router. After all, there are a number of layers of security in a router, especially a wireless router, that must be configured. Setting up WPA-PSK (with a strong passphrase), MAC address filtering, etc. on both the router and the computers in the home is generally something that's still a bit beyond the average user.

And I'm just going off the top of my head so I could be wrong, but doesn't most firmware from the major companies prompt you to change the admin user ID and password as part of the setup process now?

On the other hand, I still see unsecured wireless routers in my neighborhood that are broadcasting "NETGEAR" as their SSID, so I'd imagine that their password is still blank too.