Researcher creates malicious, router-controlling website
Like having control of your connection to the internet? Don't tell Dan Kaminsky that -- the researcher has developed a DNS attack against typical D-Link or Linksys routers that can allow hackers to gain command of your gear. The winner-takes-all maneuver, called a "DNS rebinding attack," uses JavaScript to fool your browser into altering your router's configuration, letting the attacker administer the device remotely. The concept isn't watertight, as it depends on easily guessable router admin passwords, though Kaminsky says the enabling bug exists as a "core issue" for browsers. The attack will be showcased at tomorrow's RSA security conference, where it's hoped the demonstration will raise awareness of router security vulnerabilities. In the meantime, we suggest you change that default password.
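
A resolver-side check for the rebinding step described above, as an added example that is not part of the original article or of Kaminsky's demonstration. It flags answers in which an Internet hostname resolves to a LAN address, such as a router's admin interface; the class name, the local suffix list and the sample answers are constructed for illustration.

```python
import ipaddress

# Address ranges that should never appear in an answer for an Internet hostname.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 LAN ranges
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

def is_internal(addr):
    """True if addr falls inside one of the LAN/loopback ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

class RebindGuard:
    """Filter for DNS answers, as a LAN resolver or gateway might apply it."""

    def __init__(self, local_suffixes=(".lan", ".home.arpa")):
        self.local_suffixes = local_suffixes   # names allowed to be internal (assumed)
        self.seen_public = set()               # names already seen at a public address

    def check(self, name, addr):
        """Return 'allow', 'block-internal' or 'block-rebind' for one A/AAAA answer."""
        name = name.lower().rstrip(".")
        if name.endswith(self.local_suffixes):
            return "allow"
        if not is_internal(addr):
            self.seen_public.add(name)
            return "allow"
        # Internet name pointing into the LAN: the step a rebinding page relies on.
        return "block-rebind" if name in self.seen_public else "block-internal"

# Constructed answer sequence (documentation-range addresses and example domains).
SAMPLE_ANSWERS = [
    ("www.example.org", "203.0.113.10"),
    ("rebind.attacker.example", "203.0.113.66"),  # first lookup: the page is served
    ("rebind.attacker.example", "192.168.1.1"),   # later lookup: router's LAN address
    ("printer.lan", "192.168.1.20"),
    ("other.attacker.example", "10.0.0.1"),
]

def run_sample():
    guard = RebindGuard()
    return [guard.check(n, a) for n, a in SAMPLE_ANSWERS]

if __name__ == "__main__":
    for (n, a), verdict in zip(SAMPLE_ANSWERS, run_sample()):
        print(f"{n:28} {a:15} {verdict}")
```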

Reader Comments (Page 1 of 1)
AJ in the East Bay @ Apr 8th 2008 1:39AM
"we suggest you change that default password"...
and not use D-Link and Linksys.
I LOVE THE CAPS LOCK KEY @ Apr 8th 2008 1:55AM
Not such the case. The hack mentioned above requires the hacker to know or guess the password of the admin. I use a D-Link DGL-4300 and have it set to deny WAN administration requests, I also use a complex password to prevent un-authorized access. I still feel fairly safe at this point.
hello @ Apr 8th 2008 2:17AM
guess what? ur not. THERE IS ALWAYS A WAY TO HACK YOU. its just a matter of time.....
also, u mention that u deny WAN admin, but have you thought about the possibility of the malicious website to use YOUR computer as a proxy, thus enabling access to LAN? (i'm supposing that your router can be admined thru ur LAN. It can, rite...?)
I LOVE THE CAPS LOCK KEY @ Apr 8th 2008 2:32AM
It's kind of tough when the router also denies ping requests. Though almost nothing in digital technology is rarely ever 100% secure.
Hax Or @ Apr 8th 2008 10:18AM
All your routers are belong to us.
alur @ Apr 8th 2008 10:41AM
@I LOVE THE CAPS LOCK KEY
The issue here is probably that the javascript connects to your router, not the website in question, thereby connecting to the router through LAN. Every router I've ever seen denies WAN access anyway.
imatt @ Apr 8th 2008 11:41AM
Or use dd-wrt firmware and your own login/password combo and be safe from this attack.
Jeremy W @ Apr 8th 2008 1:43AM
If router manufacturers were smart, they simply wouldn't allow the routers to work until the password was changed. Just have the router direct all requests to a special internal page, so the user doesn't even have to type in a URL or put in a CD. It'll take 2 seconds of the user's time, and make the network much more secure.
AJ in the East Bay @ Apr 8th 2008 1:45AM
Not a bad idea, Jeremy.
KangMin @ Apr 8th 2008 2:18AM
not everyone is computer-capable like that though... that's why they come with easy setup disks. most, if not all, engadget readers prolly go through the typical 192.168.1.1 to change settings such as pw: admin. some people still hate computers...
Jeremy W @ Apr 8th 2008 2:30AM
You don't need to be computer capable to type a password into two boxes that are put in front of you automatically. That's the whole point I was trying to make, it needs to be completely seamless. Plug in the router, fire up your web browser, and the first thing you see is a page asking you to change the password. Until you change it, you can't browse the Internet. Couldn't get any easier than that.
Dustin @ Apr 8th 2008 3:45AM
"not everyone is computer-capable like that though... that's why they come with easy setup disks. most, if not all, engadget readers prolly go through the typical 192.168.1.1 to change settings such as pw: admin. some people still hate computers..."
@ KangMin:
This is like me saying 'I hate paperwork, so I leave my tax returns, social security card, and credit card numbers in any public place I go'. I suppose you're saying people don't have the common sense to know they are risking themselves by not thinking of these things.
Whatwas Thatagain @ Apr 8th 2008 6:17AM
The Customer Support problems caused by mandatory password changing would probably be significant. I can imagine a huge percentage of customers forgetting passwords that were thought up on-the-fly to satisfy the mandatory-change dialog.
If I were a manufacturer I'd just (continue to) say "user beware" and leave it at that.
Jeremy W @ Apr 8th 2008 12:12PM
The users who would forget the password are likely the users who would never have a need to access the router's web interface in the first place.
01 @ Apr 8th 2008 4:19PM
even if this happened, I bet I could guess the new passwords pretty quickly..
"Admin" instead of "admin"
"linksys" instead of "Linksys"
you get the idea...security is only as good as the user who is really using it, simply forcing a password change isn't really going to cut it for most of the users out there (my parents, your parents, the person at work that doesn't understand the difference between reply and reply-all)
Jeremy W @ Apr 8th 2008 8:58PM
Having an easily guessable password is still much better than having a default password. When you have a default password, an attacker KNOWS what the password will be in many cases. If there is no default password, the complexity of the attack increases exponentially.
GPS @ Apr 8th 2008 1:43AM
so the download running on my computer can be stopped remotely???
BigD145 @ Apr 8th 2008 1:58AM
Is this firmware dependent or hardware dependent?
A.C.E.R. @ Apr 8th 2008 2:17AM
I think it's mostly jackass dependent.
Jordan @ Apr 8th 2008 2:29AM
The answer to your question is: Yes.
Teqonix @ Apr 8th 2008 2:20AM
I think I'm feeling fairly secure - got my router set to the non-default password, plus I use Noscript when browsing on Firefox, so good luck getting this attack past me unless you're on a website I frequent a lot.
alex @ Apr 8th 2008 2:25AM
For mr 'I USE THE CAPS KEY', the summary states that the exploit uses java to access the router, so the access would be from a user's browser, aka, the browser's PC, and not a WAN administration.
Besides one can always put linux on their linksys router and one will be safe until hackers write an exploit which copies the WebIF administration scripts...
ethana2 @ Apr 8th 2008 5:15AM
Our eHome router firmware is horrible and pathetic, and the thing crashes every day.
...I'm going to search for a guide on flashing the firmware..
time to look up its specs!
ethana2 @ Apr 8th 2008 5:24AM
No luck. *sigh*
henry @ Apr 8th 2008 2:42AM
"1...2...3...4...5? That's amazing, that's the same combination I have on my luggage!"
bjrcboy @ Apr 8th 2008 4:06AM
Heh... I see what you did there.
monkfishbandana @ Apr 8th 2008 2:46AM
I wonder if the read link is safe...
Valgas @ Apr 8th 2008 2:48AM
Why are internet peoples so mean? Why do they want to hack my computer? All I have is black big booty bitches porn on it. And some awesome software I wrote alls by myself thats super secret and useful.
Kurian @ Apr 8th 2008 2:58AM
Ignorant indifferent morons deserver this.
ethana2 @ Apr 8th 2008 5:13AM
That's what I say alot, but--
Oh hey, internet explorer doesn't have grammar checking, does it?
Kurian @ Apr 8th 2008 5:30AM
Neither does my firefox.
Tinsel @ Apr 8th 2008 3:07AM
2Wire DSL modems and routers have had a similar DNS vulnerability for more than eight months, and the 2Wire exploit does NOT require the hacker to guess any passwords. http://www.securityfocus.com/bid/27246
The 2Wire hack completely bypasses any password set on the router and is being actively exploited in the wild - see http://www.dslreports.com/forum/r20156920-DNS-Hijack-on-2wire-routers
AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there's a large installed base. So far, AT&T/2Wire have yet to do anything about this hack.
Eldiablo @ Apr 8th 2008 3:30AM
Wow, loving the 2006 throwback Engadget...
karts41 @ Apr 8th 2008 3:37AM
Admin01.
no longer safe password.
loosely_coupled @ Apr 8th 2008 3:58AM
If you are reading engadget, which would most likely identify you as a geek or at least have geek-like-tendencies, then you are an idiot if you don't put a password on your router. You'll have a clever neighbor rig the setup to enable bandwidth priority on his IP address and disable logging so you can't catch him. Not that I would know anything about that.. I'm just saying...
Phoenix @ Apr 8th 2008 4:45AM
I have a problem with that they mentioned this in the blog in the first place. Won't this cause more people to try to access the back door made available by those who neglect to change the default password? It's like telling kids 'don't play with gasoline and lighters' when those can be easily found and accessed.
RijilV @ Apr 8th 2008 11:18AM
Exactly how else should people be notified about security problems? Should we set up a secret cabal that closely watches over us to protect us from unknown threats? Maybe they can use the stars to predict what new security threats are out there.
Computer security is a lot like sex ed. If you don't tell people how to be safe, you're going to end up with a bunch of pregnant 15 year olds with HIV/herpes. Either that or you have to tell kids that sex is evil and to never do it.
Computer security is also a lot like lock security. The locksmiths around the country are very open about which locks fail and about how long it will take an attacker to get through such and such safe. This is so when you go out and buy a lock for your house, you have a reasonable expectation of the security it supplies, not the word of the manufacturer who would love if you gave them your money.
Moreover, this "dns rebinding attack" assumes your DNS cache is going to honor zero second TTLs. Granted hosts are expected to maintain this behavior, but many DNS caches won't honor this and will set a 300 second TTL, which effectively defeats this attack.
Zhalfim Deyn @ Apr 8th 2008 11:43AM
@RijilV
"Computer security is a lot like sex ed. If you don't tell people how to be safe, you're going to end up with a bunch of pregnant 15 year olds with HIV/herpes. Either that or you have to tell kids that sex is evil and to never do it."
best...comparison...ever...
purana @ Apr 8th 2008 6:56AM
As if you wouldn't change the default password as the first thing you do when you set up a router. I can't believe people would be stupid enough not to change the password.
erislover @ Apr 8th 2008 9:48AM
You must live a life of eternal surprise.
John @ Apr 10th 2008 1:59AM
...and not the pleasant kind either.
Kizorblade @ Apr 8th 2008 7:25AM
Admin
Administrator
Password
Pass
If you have any of these as your passwords, then you need to change it.
analyzewithin @ Apr 8th 2008 11:15AM
I am still astounded as to the number of people in my neighborhood alone that do not even bother putting a password up in the first place. Forget changing it... they're completely unsecured. gah.
Big Sam @ Apr 8th 2008 11:32AM
Hasn't this been around for a while? Change the default password folks! And Firefox/NoScript FTW. And listen to the Security Now podcast.
Covert Tron @ Apr 8th 2008 12:00PM
If your router has a default password, you deserve to get owned anyway.
Grant @ Apr 8th 2008 1:00PM
If you're not smart enough to change your default password on something like your router, you probably wouldn't have any idea why every URL you type in forwarded you to Truckdriverpowerfisting.com, and just assume that's what the internet has become.
I'm not really impressed though, since most routers have the option to change your DNS server in its browser accessible settings, and as long as you have set up your own DNS server with all entries forwarding to the same addresses, you get the same result.