Researcher will enable hackers to take over millions of home routers
Cisco and company, you've got approximately seven days before a security researcher rains down exploits on your web-based home router parade. Seismic's Craig Heffner claims he's got a tool that can hack "millions" of gateways using a new spin on the age-old DNS rebinding vulnerability, and plans to release it into the wild at the Black Hat 2010 conference next week. He's already tested his hack on thirty different models, of which more than half were vulnerable, including two versions of the ubiquitous Linksys WRT54G (pictured above) and devices running certain DD-WRT and OpenWRT Linux-based firmware. To combat the hack, the usual precautions apply -- for the love of Mitnick, change your default password! -- but Heffner believes the only real fix will come by prodding manufacturers into action. See a list of easily compromised routers at the more coverage link.
@UnixSystemsEngineer
DNS rebinding uses a local machine to accomplish this exploit so turning off WAN management won't help. This is as much of a problem with browsers and their plugins as it is with the routers.
@UnixSystemsEngineer Yes, you can install dd-wrt without changing the password.
I subscribe to the "security via obscurity" philosophy. I use a very uncommon text-based Soviet-surplus diesel-powered router. No one wants to hack it.
Then again, I'm currently having trouble visiting any sites that have a 5 in the address.
"more than half" !? So the ones that were not vulnerable were the ones that changed the default password??
@bonedog73
On the linked spreadsheet 17 of the router models tested were successfully hacked and 13 failed. I assume they left them all on default settings.
I believe the best password is a leet password, like mine! XP Who agrees?!
Y'know, I would be a lot more appreciative of this guy's efforts if he could, y'know, TELL US HOW TO PREVENT THE ATTACK FIRST. Do I turn off dnsmasq and just send my ISP's nameservers? Does my lack of default passwords already have me secure? Am I screwed no matter what with DD-WRT and need to move to a new firmware? Tell us how we lock the door before you tell everyone how to kick it down, kthx!
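The rebinding the thread is discussing works because the victim's browser keeps talking to the attacker's hostname after that name has been re-pointed at the router's LAN address, so the router sees what look like ordinary LAN-side requests. Two defensive checks that close that path, as an added Python example that is not from the article or any commenter (ROUTER_ADDRESSES and the sample answers are constructed): the admin UI accepting only its own Host header, and a resolver refusing upstream answers that map public names onto private addresses, which is what the dnsmasq option asked about here (--stop-dns-rebind) does.

```python
import ipaddress
from urllib.parse import urlsplit

# Names and addresses the router's admin interface legitimately answers on
# (constructed sample values, not any real device's configuration).
ROUTER_ADDRESSES = {"192.168.1.1", "router.local"}


def host_header_allowed(host_header, allowed=ROUTER_ADDRESSES):
    """Admin-UI check. A rebound request still carries the attacker's hostname
    in the Host header, because the browser believes it is talking to that
    name; accept only the router's own names/addresses, ignoring any :port."""
    # A Host header never legitimately contains userinfo or a path; refusing
    # them also blocks "evil.example@192.168.1.1", which urlsplit would
    # otherwise parse as the router's address.
    if not host_header or "@" in host_header or "/" in host_header:
        return False
    try:
        hostname = urlsplit("//" + host_header).hostname  # handles [v6]:port
    except ValueError:
        return False
    if hostname is None:
        return False
    return hostname in {a.lower() for a in allowed}  # .hostname is lowercased


def is_rebind_answer(name, answer_ip, local_suffixes=(".local",)):
    """Resolver-side check in the spirit of dnsmasq's --stop-dns-rebind:
    an upstream answer that maps a public name onto a private, loopback or
    link-local address has the shape of a rebinding attack and is dropped.
    Names under a LAN suffix are exempt, as the local resolver owns them."""
    if name.lower().rstrip(".").endswith(local_suffixes):
        return False
    try:
        ip = ipaddress.ip_address(answer_ip)
    except ValueError:
        return True  # unparseable answers are refused rather than trusted
    return ip.is_private or ip.is_loopback or ip.is_link_local


def filter_answers(answers, local_suffixes=(".local",)):
    """Split an iterable of (name, ip) upstream answers into (kept, dropped)."""
    kept, dropped = [], []
    for name, ip in answers:
        bucket = dropped if is_rebind_answer(name, ip, local_suffixes) else kept
        bucket.append((name, ip))
    return kept, dropped
```

Changing the default password is still needed, since neither check helps a browser that has already been handed working credentials.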
Changing the default password on any device should be the *first* thing that you do when you receive it.
As for home users who are ignorant of the technology - it's really no excuse. When you buy a piece of equipment, you should educate yourself about all its features and everything that needs to be done so it will operate in a safe and secure manner. Of course, as anybody who's worked tech support well knows, with internet users this never happens.
Really the blame here falls on the router vendors - they know from experience how technically inept their customer base is. Rather than sink the money into the appropriate technologies to allow the equipment to update itself without confusing configuration, they simply leave the customer in the dark.
From a technical standpoint, the solution is ridiculously simple: have the router scrape an address belonging to the manufacturer to check for critical security patches/new firmware. Install these automatically, preferably during the wee hours of the morning to avoid service disruption (although firmware upgrades take only 2-3 minutes). Implement public-key cryptography to guard against malicious DNS spoofing by third parties trying to install their own firmware.
This distribution channel would be used for critical patches only, to prevent unnecessary disruption every time a new revision is released. Even if it updated with every revision, a few minutes of downtime every three to four months isn't a lot - Windows Update does far more than that each week and nobody questions it.
Too late to do it for this exploit, but the vendors really ought to include something like this in the next revision.
Time to study some Cisco.