Researcher creates malicious, router-controlling website
Like having control of your connection to the internet? Don't tell Dan Kaminsky that: the researcher has developed a DNS-based attack against typical D-Link or Linksys routers that can let an attacker take command of your gear. The winner-takes-all maneuver, called a "DNS rebinding attack," works by having a malicious web page's JavaScript fool your browser into sending configuration changes to your router, letting the operator administer the device remotely. The technique isn't water-tight, as it relies on easily-guessable (or default) router admin passwords, though Kaminsky says the enabling bug is a "core issue" in browsers rather than in the routers themselves. The attack will be showcased at tomorrow's RSA security conference, where it's hoped the demonstration will raise awareness of router security vulnerabilities. In the meantime, we suggest you change that default password.
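As an added illustration (not part of the original Engadget post, and not Kaminsky's RSA demo code), the following Node.js simulation walks through the sequence the article describes: a malicious page whose domain first resolves to the attacker's server and, on the next lookup, to the router's LAN address, so that a request the browser treats as same-origin lands on the router's admin interface carrying a guessed default password. It also models the two things that stop it, a router that refuses requests whose Host header is not its own address, and a resolver that pins a minimum TTL (the caveat RijilV raises in the comments below). Every address, the evil.example domain, the credentials and the config field are constructed assumptions for the example.

```javascript
// Simulation of a DNS rebinding attack against a router admin page, plus two defences.
// Added example for this page; not Kaminsky's demo code. Every address, domain,
// password and config field here is constructed for illustration.

const ATTACKER_IP = "203.0.113.10";   // attacker's web server (constructed, documentation range)
const ROUTER_IP   = "192.168.1.1";    // victim's router on the LAN (constructed)
const EVIL_HOST   = "evil.example";   // attacker-controlled domain (constructed)

// Attacker's authoritative DNS. The first answer points at the attacker's own
// server so the page loads; later answers point the *same name* at the router.
// TTL 0 asks resolvers not to cache, so the next lookup reaches the attacker again.
function makeAttackerDns() {
  let queries = 0;
  return function resolve(name) {
    if (name !== EVIL_HOST) throw new Error("NXDOMAIN " + name);
    queries += 1;
    return { ip: queries === 1 ? ATTACKER_IP : ROUTER_IP, ttl: 0 };
  };
}

// Caching resolver with a simulated clock. minTtl > 0 models "TTL pinning":
// a cache that refuses to honour 0-second TTLs and keeps the first answer.
function makeResolver(upstream, minTtl = 0) {
  const cache = new Map();
  let now = 0;
  return {
    tick(seconds) { now += seconds; },
    lookup(name) {
      const hit = cache.get(name);
      if (hit && hit.expires > now) return hit.ip;
      const ans = upstream(name);
      cache.set(name, { ip: ans.ip, expires: now + Math.max(ans.ttl, minTtl) });
      return ans.ip;
    },
  };
}

// Router admin interface. The vulnerable build accepts any request that reaches it
// with the right password. The hardened build also insists that the Host header
// names the router itself, which a rebound request cannot do (it carries evil.example).
function makeRouter(adminPassword, { checkHost = false } = {}) {
  const config = { dns: "192.0.2.53" };   // ISP resolver address, constructed
  return {
    config,
    handle(req) {
      if (checkHost && req.host !== ROUTER_IP) return { status: 403, reason: "Host mismatch" };
      if (req.auth !== "admin:" + adminPassword) return { status: 401, reason: "bad credentials" };
      Object.assign(config, req.body || {});
      return { status: 200 };
    },
  };
}

// Browser model. The same-origin policy keys on the *hostname*, so a second fetch to
// evil.example is "same origin" even though the name now resolves to the router.
// This models a browser that re-resolves per request (no working DNS pinning).
function runRebinding(resolver, router, passwordGuess) {
  const servers = { [ATTACKER_IP]: null, [ROUTER_IP]: router };
  const log = [];
  function fetchSameOrigin(body) {
    const ip = resolver.lookup(EVIL_HOST);
    log.push(ip);
    const target = servers[ip];
    if (!target) return { status: 200, from: "attacker" };
    // The script adds basic auth; Host is the page's origin, not the router's address.
    return target.handle({ host: EVIL_HOST, auth: "admin:" + passwordGuess, body });
  }
  fetchSameOrigin();                                 // page load: reaches the attacker
  resolver.tick(1);                                  // a moment later the script fires
  const res = fetchSameOrigin({ dns: ATTACKER_IP }); // "same origin" POST of new settings
  return { log, res, routerDns: router.config.dns };
}

// One run of the attack under a given router/resolver/password configuration.
function scenario({ password = "admin", guess = "admin", checkHost = false, minTtl = 0 } = {}) {
  const router = makeRouter(password, { checkHost });
  const resolver = makeResolver(makeAttackerDns(), minTtl);
  return runRebinding(resolver, router, guess);
}

console.log("default password, no Host check:", scenario());
console.log("router checks Host header:", scenario({ checkHost: true }));
console.log("resolver pins TTL to 300s:", scenario({ minTtl: 300 }));
console.log("non-default password:", scenario({ password: "correct horse battery", guess: "admin" }));
```

Run it with `node`. In the first scenario the log shows the name resolving to the attacker and then to 192.168.1.1, and the router's DNS setting ends up pointing at the attacker, which is the "hijack every URL you type" outcome several commenters describe. The Host check rejects the rebound request with 403 before any password is tried, the pinning resolver never lets the second lookup reach the router at all, and a non-default password turns the request into a 401. Note that a Host check and a changed password are things the router owner controls; whether a resolver pins TTLs is not.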
"we suggest you change that default password"...
and not use D-Link and Linksys.
That's not the case. The hack mentioned above requires the hacker to know or guess the admin password. I use a D-Link DGL-4300 and have it set to deny WAN administration requests; I also use a complex password to prevent unauthorized access. I still feel fairly safe at this point.
Guess what? You're not. THERE IS ALWAYS A WAY TO HACK YOU. It's just a matter of time.....
Also, you mention that you deny WAN admin, but have you thought about the possibility of the malicious website using YOUR computer as a proxy, thus enabling access to the LAN? (I'm supposing that your router can be admined through your LAN. It can, right...?)
It's kind of tough when the router also denies ping requests. Though almost nothing in digital technology is ever 100% secure.
All your routers are belong to us.
@I LOVE THE CAPS LOCK KEY
The issue here is probably that the JavaScript connects to your router, not the website in question, thereby connecting to the router through the LAN. Every router I've ever seen denies WAN access anyway.
Or use dd-wrt firmware and your own login/password combo and be safe from this attack.
If router manufacturers were smart, they simply wouldn't allow the routers to work until the password was changed. Just have the router direct all requests to a special internal page, so the user doesn't even have to type in a URL or put in a CD. It'll take 2 seconds of the user's time, and make the network much more secure.
Not a bad idea, Jeremy.
Not everyone is computer-capable like that, though... that's why they come with easy setup disks. Most, if not all, Engadget readers probably go through the typical 192.168.1.1 to change settings such as pw: admin. Some people still hate computers...
You don't need to be computer capable to type a password into two boxes that are put in front of you automatically. That's the whole point I was trying to make, it needs to be completely seamless. Plug in the router, fire up your web browser, and the first thing you see is a page asking you to change the password. Until you change it, you can't browse the Internet. Couldn't get any easier than that.
"Not everyone is computer-capable like that, though... that's why they come with easy setup disks. Most, if not all, Engadget readers probably go through the typical 192.168.1.1 to change settings such as pw: admin. Some people still hate computers..."
@ KangMin:
This is like me saying 'I hate paperwork, so I leave my tax returns, social security card, and credit card numbers in any public place I go'. I suppose you're saying people don't have the common sense to know they are risking themselves by not thinking of these things.
The Customer Support problems caused by mandatory password changing would probably be significant. I can imagine a huge percentage of customers forgetting passwords that were thought up on-the-fly to satisfy the mandatory-change dialog.
If I were a manufacturer I'd just (continue to) say "user beware" and leave it at that.
The users who would forget the password are likely the users who would never have a need to access the router's web interface in the first place.
Even if this happened, I bet I could guess the new passwords pretty quickly..
"Admin" instead of "admin"
"linksys" instead of "Linksys"
You get the idea... security is only as good as the user who is really using it. Simply forcing a password change isn't really going to cut it for most of the users out there (my parents, your parents, the person at work who doesn't understand the difference between reply and reply-all).
Having an easily guessable password is still much better than having a default password. When you have a default password, an attacker KNOWS what the password will be in many cases. If there is no default password, the complexity of the attack increases exponentially.
so the download running on my computer can be stopped remotely???
Is this firmware dependent or hardware dependent?
I think it's mostly jackass dependent.
The answer to your question is: Yes.
I think I'm feeling fairly secure - got my router set to the non-default password, plus I use Noscript when browsing on Firefox, so good luck getting this attack past me unless you're on a website I frequent a lot.
For Mr. 'I USE THE CAPS KEY', the summary states that the exploit uses java to access the router, so the access would be from a user's browser, aka the browser's PC, and not WAN administration.
Besides, one can always put Linux on their Linksys router and be safe until hackers write an exploit which copies the WebIF administration scripts...
Our eHome router firmware is horrible and pathetic, and the thing crashes every day.
...I'm going to search for a guide on flashing the firmware..
time to look up its specs!
No luck. *sigh*
"1...2...3...4...5? That's amazing, that's the same combination I have on my luggage!"
Heh... I see what you did there.
I wonder if the read link is safe...
Why are internet peoples so mean? Why do they want to hack my computer? All I have is black big booty bitches porn on it. And some awesome software I wrote alls by myself thats super secret and useful.
Ignorant, indifferent morons deserve this.
That's what I say a lot, but--
Oh hey, Internet Explorer doesn't have grammar checking, does it?
Neither does my Firefox.
2Wire DSL modems and routers have had a similar DNS vulnerability for more than eight months, and the 2Wire exploit does NOT require the hacker to guess any passwords. http://www.securityfocus.com/bid/27246
The 2Wire hack completely bypasses any password set on the router and is being actively exploited in the wild - see http://www.dslreports.com/forum/r20156920-DNS-Hijack-on-2wire-routers
AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there's a large installed base. So far, AT&T/2Wire have yet to do anything about this hack.
Wow, loving the 2006 throwback Engadget...
Admin01.
no longer safe password.
If you are reading engadget, which would most likely identify you as a geek or at least have geek-like-tendencies, then you are an idiot if you don't put a password on your router. You'll have a clever neighbor rig the setup to enable bandwidth priority on his IP address and disable logging so you can't catch him. Not that I would know anything about that.. I'm just saying...
I have a problem with that they mentioned this in the blog in the first place. Won't this cause more people to try to access the back door made available by those who neglect to change the default password? It's like telling kids 'don't play with gasoline and lighters' when those can be easily found and accessed.
Exactly how else should people be notified about security problems? Should we setup a secret cabal that closely watches over us to protect us from unknown threats? Maybe they can use the stars to predict what new security threats are out there.
Computer security is a lot like sex ed. If you don't tell people how to be safe, you're going to end up with a bunch of pregnant 15 year olds with HIV/herpes. Either that or you have to tell kids that sex is evil and to never do it.
Computer security is also a lot like lock security. The locksmiths around the country are very open about which locks fail and about how long it will take an attacker to get through such and such safe. This is so when you go out and buy a lock for your house, you have a reasonable expectation of the security it supplies, not the word of the manufacturer who would love it if you gave them your money.
Moreover, this "DNS rebinding attack" assumes your DNS cache is going to honor zero-second TTLs. Granted, hosts are expected to maintain this behavior, but many DNS caches won't honor this and will set a 300-second TTL, which effectively defeats this attack.
@RijilV
"Computer security is a lot like sex ed. If you don't tell people how to be safe, you're going to end up with a bunch of pregnant 15 year olds with HIV/herpes. Either that or you have to tell kids that sex is evil and to never do it."
best...comparison...ever...
As if you wouldn't change the default password as the first thing you do when you setup a router. I can't believe people would be stupid enough not to change the password.
You must live a life of eternal surprise.
...and not the pleasant kind either.
Admin
Administrator
Password
Pass
If you have any of these as your passwords, then you need to change it.
I am still astounded as to the number of people in my neighborhood alone that do not even bother putting a password up in the first place. Forget changing it... they're completely unsecured. gah.
Hasn't this been around for a while? Change the default password folks! And Firefox/NoScript FTW. And listen to the Security Now podcast.
If your router has a default password, you deserve to get owned anyway.
If you're not smart enough to change the default password on something like your router, you probably wouldn't have any idea why every URL you type in forwarded you to Truckdriverpowerfisting.com, and would just assume that's what the internet has become.
I'm not really impressed though, since most routers have the option to change your DNS server in their browser-accessible settings, and as long as you have set up your own DNS server with all entries forwarding to the same addresses, you get the same result.