reply to siljaline
Re: Time Warner Cable Exposes 65,000 Routers to Remote Attacks »chenosaurus.com/2009/10/20/time-···ty-hole/
quote: For most Time Warner customers, unless you provide your own router, they will supply you with a cable modem/wifi router combo. It's typically an SMC8014WG-SI, a pretty crappy piece of hardware in my opinion. Time Warner installs the device with their default configuration; it allows the customer to do nothing more than add URLs to be blocked. This is done via the web interface using a generic user/user account which is given to the customer. Wifi networking is locked into WEP mode, with a random string of hex as the network name and key. If you want to use any sort of port-forwarding or advanced network configuration, forget about it.
I was asked by a friend to help change their wifi network name and password to something easier to remember. In addition to changing the network name, I wanted to change the default WEP encryption to WPA2. We all know WEP-encrypted networks can be cracked within minutes. After poking around using the customer account, I found that access to the admin features of the router has been disabled via JavaScript. You heard me correctly: the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges. By simply disabling JavaScript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.
It just gets better from here. The extra features that I now had access to included a little item called Back Up Configuration File. When I clicked it, a text dump of the router's configuration was saved to my desktop. Upon examination of this file, I found the admin login & password in plaintext. Another issue which was alarming was the fact that, by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers open to attack. Of course I got in touch with Time Warner's security department and warned them about the security issue, but their response was simply "we are aware of it but we cannot do anything about it."
Now you can put two and two together and realize that this has opened a gaping hole on every single Time Warner customer's network that uses the SMC8014. By forcing the customers to use only WEP encryption on their wifi network, they are allowing anyone to penetrate the network with ease. Also, by using a fixed format for the SSID, it's extremely easy to tell which wifi network is using the device. Once inside, anyone can access the router's web interface and log in with the admin account. What makes this even scarier is the fact that the web interface is accessible from anywhere. From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and, even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks. Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers.
-- Scott Brown Consulting
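The core flaw in the quoted post is an authorization decision made in the browser: the router emits the full admin menu and relies on a script to hide it from the "user" account, while the server happily serves any page that is requested directly. The following is an added illustration of that pattern next to a server-side fix; it is not code from the post, from SMC or from Time Warner. The page names, the two-role model and the session object are assumptions made for the demo, not a reproduction of the SMC8014 firmware.

```python
"""Client-side menu hiding vs. server-side authorization, modelled without a
network so it runs offline. Everything here is a constructed example."""
from dataclasses import dataclass
from http import HTTPStatus

# Hypothetical page groups: what the ISP's "user" account is meant to touch,
# and what only the admin account should be able to reach.
USER_PAGES = {"status", "url_blocking"}
ADMIN_PAGES = {"wireless_setup", "port_forwarding", "backup_config"}


@dataclass
class Session:
    username: str
    role: str  # "user" or "admin" (assumed role model)


def render_menu_client_hidden(session: Session) -> str:
    """Vulnerable pattern: the full menu is always emitted, and a script hides
    the admin entries for non-admins. Disabling JavaScript, or just reading the
    HTML source, reveals every admin page name."""
    items = "".join(f'<li class="admin">{p}</li>' for p in sorted(ADMIN_PAGES))
    items += "".join(f"<li>{p}</li>" for p in sorted(USER_PAGES))
    hide = "" if session.role == "admin" else (
        "<script>document.querySelectorAll('.admin')"
        ".forEach(e => e.style.display = 'none');</script>")
    return f"<ul>{items}</ul>{hide}"


def serve_vulnerable(session: Session, page: str) -> tuple[int, str]:
    """Vulnerable: the server never re-checks the role, so a 'user' session that
    requests an admin page directly (e.g. backup_config) is served it."""
    if page in USER_PAGES | ADMIN_PAGES:
        return HTTPStatus.OK, f"<h1>{page}</h1>"
    return HTTPStatus.NOT_FOUND, "no such page"


def serve_hardened(session: Session, page: str) -> tuple[int, str]:
    """Hardened: authorization is enforced on every request, server-side.
    Whatever the menu shows is cosmetic; the role check is what protects the page."""
    if page in USER_PAGES:
        return HTTPStatus.OK, f"<h1>{page}</h1>"
    if page in ADMIN_PAGES:
        if session.role != "admin":
            return HTTPStatus.FORBIDDEN, "admin role required"
        return HTTPStatus.OK, f"<h1>{page}</h1>"
    return HTTPStatus.NOT_FOUND, "no such page"


def render_menu_server_filtered(session: Session) -> str:
    """Menu built server-side from the pages the session may actually reach, so
    the HTML never leaks the names of pages the caller cannot open."""
    allowed = USER_PAGES | (ADMIN_PAGES if session.role == "admin" else set())
    return "<ul>" + "".join(f"<li>{p}</li>" for p in sorted(allowed)) + "</ul>"


if __name__ == "__main__":
    user = Session("user", "user")
    print(render_menu_client_hidden(user))        # admin items present, only hidden by script
    print(serve_vulnerable(user, "backup_config"))  # served with status 200 despite the user role
    print(serve_hardened(user, "backup_config"))    # refused with status 403
    print(render_menu_server_filtered(user))        # admin items absent from the HTML entirely
```

The same principle applies to the other exposures in the post: a backup file that contains the admin password in plaintext and a management interface bound to the WAN side are both cases where the only real control is what the server decides to hand out, regardless of what the UI appears to offer.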