Researcher creates malicious, router-controlling website
Filed under: Networking
Previous
myTouch 3G hands-on (with video!)
Olympus E-P1 hands-on, test shots, and mini-review
Wii MotionPlus impressions
HTC Hero hands-on
MacBook Pro (mid 2009) in-depth impressions
Amazon Kindle DX review
Engadget Podcast 153 - 07.03.2009: Independence Day edition
Breaking news Feed
- Sony Ericsson Rachael UI video leaks out, Kiki comes for the ride
- T-Mobile's myTouch 3G launch event: pre-orders now available
- Google announces Chrome OS, coming to netbooks second half of 2010
- LG teases next-generation Chocolate for August unveiling
- Sony Vaio W netbook now official in US, coming August for $499
- Palm Pre official on O2 and Movistar in Europe, launch "in time for holidays"
- Creative Zii and Zii EGG touchscreen players with HD cameras served up by FCC
- Sony announces VAIO W... netbook!
- Sony Ericsson "Rachael" Android XPERIA handset unveiled?
- Sprint matches Verizon's pace, launching BlackBerry Tour on July 12
Featured stories Feed
- Ask Engadget: What's the best nettop out there now?
- HTC Hero vs. T-Mobile myTouch 3G... fight!
- Switched On: With Google, this is not your father's OS war
- myTouch 3G hands-on (with video!)
- T-Mobile's myTouch 3G launch event: pre-orders now available
- Verizon BlackBerry Tour 9630 review
- How would you change the Palm Pre?
- Ask Engadget: Best Bluetooth mouse out there?
- D-Link's Xtreme N DIR-685 storage router hands-on and impressions
- Olympus E-P1 hands-on, test shots, and mini-review
- webOS 1.1 rumored to be on the way to Pres shortly, sounds boring so far
- Sprint mandating WiFi on future smartphones, WLAN-lovin' BlackBerry Tour coming next year
- Google CEO Schmidt avoids the dog food, captures memories with BlackBerry
- Nokia 5800 XpressMusic gets America-flavored firmware update
- HTC's Hero appears in soft and sensuous pink
Resources
Sections
WIN Network
- Autos
- Technology
- Lifestyle
- Gaming
- Entertainment
- Finance
- Sports
- Also on AOL
Reader Comments (Page 1 of 1)
AJ in the East Bay @ Apr 8th 2008 1:39AM
"we suggest you change that default password"...
and not use D-Link and Linksys.
I LOVE THE CAPS LOCK KEY @ Apr 8th 2008 1:55AM
Not such the case. The hack mentioned above requires the hacker to know or guess the password of the admin. I use a D-Link DGL-4300 and have it set to deny WAN administration requests, I also use a complex password to prevent un-authorized access. I still feel fairly safe at this point.
hello @ Apr 8th 2008 2:17AM
guess what? ur not. THERE IS ALWAYS A WAY TO HACK YOU. its just a matter of time.....
also, u mention that u deny WAN admin, but have you thought about the possibility of the malicious website to use YOUR computer as a proxy, thus enabling access to LAN? (i'm supposing that your router can be admined thru ur LAN. It can, rite...?)
I LOVE THE CAPS LOCK KEY @ Apr 8th 2008 2:32AM
It's kind of tough when the router also denies ping requests. Though almost nothing in digital technology is rarely ever 100% secure.
Hax Or @ Apr 8th 2008 10:18AM
All your routers are belong to us.
alur @ Apr 8th 2008 10:41AM
@I LOVE THE CAPS LOCK KEY
The issue here is probably that the javascript connects to your router, not the website in questions, thereby connecting to the router through LAN. Every router I've ever seen denies WAN access anyway.
imatt @ Apr 8th 2008 11:41AM
Or use dd-wrt firmware and your own login/password combo and be safe from this attack.
Jeremy W @ Apr 8th 2008 1:43AM
If router manufacturers were smart, they simply wouldn't allow the routers to work until the password was changed. Just have the router direct all requests to a special internal page, so the user doesn't even have to type in a URL or put in a CD. It'll take 2 seconds of the user's time, and make the network much more secure.
AJ in the East Bay @ Apr 8th 2008 1:45AM
Not a bad idea, Jeremy.
KangMin @ Apr 8th 2008 2:18AM
not everyone is computer-capable like that though... that's why they come with easy setup disks. most, if not all, engadget readers prolly go through the typicall 192.168.1.1 to change settings such as pw: admin. some people still hate computers...
Jeremy W @ Apr 8th 2008 2:30AM
You don't need to be computer capable to type a password into two boxes that are put in front of you automatically. That's the whole point I was trying to make, it needs to be completely seamless. Plug in the router, fire up your web browser, and the first thing you see is a page asking you to change the password. Until you change it, you can't browse the Internet. Couldn't get any easier than that.
Dustin @ Apr 8th 2008 3:45AM
"not everyone is computer-capable like that though... that's why they come with easy setup disks. most, if not all, engadget readers prolly go through the typicall 192.168.1.1 to change settings such as pw: admin. some people still hate computers..."
@ KangMin:
This is like me saying 'I hate paperwork, so I leave my tax returns, social security card, and credit card numbers in any public place I go'. I suppose you're saying people don't have the common sense to know they are risking themselves by not thinking of these things.
Whatwas Thatagain @ Apr 8th 2008 6:17AM
The Customer Support problems caused by mandatory password changing would probably be significant. I can imagine a huge percentage of customers forgetting passwords that were thought up on-the-fly to satisfy the mandatory-change dialog.
If I were a manufacturer I'd just (continue to) say "user beware" and leave it at that.
Jeremy W @ Apr 8th 2008 12:12PM
The users who would forget the password are likely the users who would never have a need to access the router's web interface in the first place.
01 @ Apr 8th 2008 4:19PM
even if this happened, I bet I could guess the new passowrds pretty quickly..
"Admin" instead of "admin"
"linksys" instead of "Linksys"
you get the idea...security is only as good as the user who is really using it, simply forcing a password change isn't really going to cut it for most of the users out there (my parents, your parents, the person at work that doesn't understand the difference between reply and reply-all)
Jeremy W @ Apr 8th 2008 8:58PM
Having an easily guessable password is still much better than having a default password. When you have a default password, an attacker KNOWS what the password will be in many cases. If there is no default password, the complexity of the attack increases exponentially.
GPS @ Apr 8th 2008 1:43AM
so the download running on my computer can be stopped remotely???
BigD145 @ Apr 8th 2008 1:58AM
Is this firmware dependent or hardware dependent?
A.C.E.R. @ Apr 8th 2008 2:17AM
I think it's mostly jackass dependent.
Jordan @ Apr 8th 2008 2:29AM
The answer to your question is: Yes.
Teqonix @ Apr 8th 2008 2:20AM
I think I'm feeling fairly secure - got my router set to the non-default password, plus I use Noscript when browsing on Firefox, so good luck getting this attack past me unless you're on a website I frequent a lot.
alex @ Apr 8th 2008 2:25AM
For mr 'I USE THE CAPS KEY', the summary states that the exploit uses java to access the router, so the access would be from a user's browser, aka, the browser's PC, and not a WAN administration.
Besides one can always put linux on their linksys router and one will be safe until hackers write an exploit which copies the WebIF administration scripts...
ethana2 @ Apr 8th 2008 5:15AM
Our eHome router firmware is horrible and pathetic, and the thing crashes every day.
...I'm going to search for a guide on flashing the firmware..
time to look up its specs!
ethana2 @ Apr 8th 2008 5:24AM
No luck. *sigh*
henry @ Apr 8th 2008 2:42AM
"1...2...3...4...5? That's amazing, that's the same combination I have on my luggage!"
bjrcboy @ Apr 8th 2008 4:06AM
Heh... I see what you did there.
monkfishbandana @ Apr 8th 2008 2:46AM
I wonder if the read link is safe...
Valgas @ Apr 8th 2008 2:48AM
Why are internet peoples so mean? Why do they want to hack my computer? All I have is black big booty bitches porn on it. And some awesome software I wrote alls by myself thats super secret and useful.
Kurian @ Apr 8th 2008 2:58AM
Ignorant indifferent morons deserver this.
ethana2 @ Apr 8th 2008 5:13AM
That's what I say alot, but--
Oh hey, internet explorer doesn't have grammar checking, does it?
Kurian @ Apr 8th 2008 5:30AM
Neither does my firefox.
Tinsel @ Apr 8th 2008 3:07AM
2Wire DSL modems and routers have had a similar DNS vulnerability for more than eight months, and the 2Wire exploit does NOT require the hacker to guess any passwords. http://www.securityfocus.com/bid/27246
The 2Wire hack completely bypasses any password set on the router and is being actively exploited in the wild - see http://www.dslreports.com/forum/r20156920-DNS-Hijack-on-2wire-routers
AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there's a large installed base. So far, AT&T/2Wire have yet to do anything about this hack.
Eldiablo @ Apr 8th 2008 3:30AM
Wow, loving the 2006 throwback Engadget...
karts41 @ Apr 8th 2008 3:37AM
Admin01.
no longer safe password.
loosely_coupled @ Apr 8th 2008 3:58AM
If you are reading engadget, which would most likely identify you as a geek or at least have geek-like-tendencies, then you are an idiot if you don't put a password on your router. You'll have a clever neighbor rig the setup to enable bandwidth priority on his IP address and disable logging so you can't catch him. Not that I would know anything about that.. I'm just saying...
Phoenix @ Apr 8th 2008 4:45AM
I have a problem with that they mentioned this in the blog in the first place. Won't this cause more people to try to access the back door made available by those who neglect to change the default password? It's like telling kids 'don't play with gasoline and lighters' when those can be easily found and accessed.
RijilV @ Apr 8th 2008 11:18AM
Exactly how else should people be notified about security problems? Should we setup a secret cabal that closely watches over us to protect us from unknown threats? Maybe they can use the stars to predict what new security threats are out there.
Computer security is alot like sex ed. If you don't tell people how to be safe, you're going to end up with a bunch of pregnant 15 year olds with HIV/herpes. Either that or you have to tell kids that sex is evil and to never do it.
Computer security is also alot like lock security. The locksmiths around the country are very open about which locks fail and about how long it will take an attacker to get through such and such safe. This is so when you go out and buy a lock for your house, you have a reasonable expectation of the security it supplies, not the word of the manufacture who would love if you gave them your money.
More-over, this "dns rebinding attack" assumes your DNS cache is going to honor zero second TTLs. Granted hosts are expected to maintain this behavior, but many DNS caches won't honor this and will set a 300 second TTL, which effectively defeats this attack.
Zhalfim Deyn @ Apr 8th 2008 11:43AM
@RijilV
"Computer security is alot like sex ed. If you don't tell people how to be safe, you're going to end up with a bunch of pregnant 15 year olds with HIV/herpes. Either that or you have to tell kids that sex is evil and to never do it."
best...comparison...ever...
purana @ Apr 8th 2008 6:56AM
As if you wouldn't change the default password as the first thing you do when you setup a router. I can't believe people would be stupid enough not to change the password.
erislover @ Apr 8th 2008 9:48AM
You must live a life of eternal surprise.
John @ Apr 10th 2008 1:59AM
...and not the pleasant kind either.
Kizorblade @ Apr 8th 2008 7:25AM
Admin
Administrator
Password
Pass
If you have any of these as your passwords, then you need to change it.
analyzewithin @ Apr 8th 2008 11:15AM
I am still astounded as to the number of people in my neighborhood alone that do not even bother putting a password up in the first place. Forget changing it... they're completely unsecured. gah.
Big Sam @ Apr 8th 2008 11:32AM
Hasn't this been around for a while? Change the default password folks! And Firefox/NoScript FTW. And listen to the Security Now podcast.
Covert Tron @ Apr 8th 2008 12:00PM
If your router has a default password, you deserve to get owned anyway.
Grant @ Apr 8th 2008 1:00PM
If your not smart enough to change your default password on something like your router, you probably wouldn't have any idea why every URL you type in forwarded you to Truckdriverpowerfisting.com, and just assume thats what the internet has become.
I'm not really impressed though, since most routers have the option to change your DNS server in it's browser accessible settings, and as long as you have set up your own DNS server with all entries forwarding to the same addresses, you get the same result.