Thursday, December 4, 2008

Home firewalls and routers vulnerable to hacking . . . still

Old bug, old news, and apparently STILL not being corrected by the Internet Service Providers that distribute these things to their customers. Unknown at this time is whether some of the combo Cable-Modem and Fiber routers have the same issue. (My bet is -- yes!)

The short story: the default login to most firewall/routers' browser-based configuration panel from the LAN side is unsecured. We're talking a known admin user name and either no password or a factory default that is widely known. The customer almost never logs in to change or set a new password, and the service tech who installs the router doesn't either.

This issue has also been around for a loooong time for retail Wi-Fi or wired firewall/routers: the admin passwords for all brands and models are well known (and it's a very short list), and if the customer never changes them the device is vulnerable to this hack.

See http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212201777 for the full article. Excerpts below:

~~~snip~~~
A deadly attack typically associated with Websites can also be used on LAN/WAN devices, such as DSL routers, according to a researcher who this week demonstrated cross-site request forgery (CSRF) vulnerabilities in devices used for AT&T's DSL service.

The vulnerability isn't isolated to Motorola/Netopia DSL modems. It affects most DSL modems because they don't require authentication to access their configuration menu, he says. "I can take over Motorola/Netopia DSL modems with one request, and I can do it from MySpace and other social networks," Hamiel says. The attack uses HTTP POST and GET commands on the modems, he says.

CSRF vulnerabilities are nothing new; they are pervasive on many Websites and in many devices. "CSRF, in general, is a very old issue," says Hamiel, who blogged about the hack this week. "Most of the vulns found today are old. That's the point: Nobody seems to learn lessons anymore."

A CSRF attack on a DSL router could be launched from a social networking site, Hamiel says, using an image tag on a MySpace page, for example. "Everyone who viewed my MySpace page with AT&T DSL and the Motorola/Netopia DSL modem would be owned," he says.

~~~snip~~~
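What the excerpt describes, put side by side with the fix, as an added example that is not code from the article, from Hamiel, or from any vendor's firmware. It models a router's "set DNS servers" endpoint twice: first in the form the article describes (any GET or POST changes the setting, no login needed, so an image tag on a web page is enough), then hardened with the four checks a router's admin UI should have had. The router address, credentials, session layout, and the resolver addresses are all constructed for the example; the two `forged_requests_succeed` and `legitimate_change_succeeds` helpers are hypothetical test drivers that replay a cross-site request and a same-origin one against each handler.

```python
"""Added example: a router configuration endpoint, first in the unauthenticated
form the excerpt describes, then hardened against CSRF. Not code from any
vendor's firmware; all names and values are constructed for illustration."""
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"              # assumed LAN address of the admin UI
ADMIN_USER = "admin"                     # constructed sample credentials
ADMIN_PASSWORD = "s3cret-sample-pw"


class Router:
    """Minimal stand-in for the device's configuration state."""
    def __init__(self):
        self.dns_servers = ["203.0.113.53"]   # RFC 5737 documentation address
        self.sessions = {}                    # session id -> CSRF token


def handle_vulnerable(router, method, path, headers, params, cookies):
    """Any request to /setdns, GET or POST, logged in or not, rewrites DNS.
    This is the pattern the excerpt describes: an <img> tag pointing at the
    router from any web page the user views is enough to change the setting."""
    if path == "/setdns":
        router.dns_servers = [params["dns"]]
        return 200, "dns updated"
    return 404, "not found"


def login(router, username, password):
    """Returns a session id on success, None otherwise. Each session carries a
    fresh CSRF token that the router's own UI embeds in its forms."""
    ok = (hmac.compare_digest(username, ADMIN_USER)
          and hmac.compare_digest(password, ADMIN_PASSWORD))
    if not ok:
        return None
    sid = secrets.token_urlsafe(16)
    router.sessions[sid] = secrets.token_urlsafe(16)
    return sid


def handle_hardened(router, method, path, headers, params, cookies):
    """Same endpoint with four checks; each one independently blocks a cross-site request."""
    if path != "/setdns":
        return 404, "not found"
    # 1. state changes only over POST; <img> tags and plain links can only issue GET
    if method != "POST":
        return 405, "method not allowed"
    # 2. caller must hold an authenticated session (a browser attaches this cookie
    #    automatically, so this check alone does not stop a forged POST)
    sid = cookies.get("session")
    if sid is None or sid not in router.sessions:
        return 401, "login required"
    # 3. Origin (or Referer) must name the router itself, not a third-party site
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or urlsplit(source).netloc != ROUTER_HOST:
        return 403, "cross-site request rejected"
    # 4. synchronizer token: the value from the router's own form must match the
    #    one bound to this session; another site cannot read it to forge it
    if not hmac.compare_digest(params.get("csrf_token", ""), router.sessions[sid]):
        return 403, "missing or wrong csrf token"
    router.dns_servers = [params["dns"]]
    return 200, "dns updated"


def forged_requests_succeed(handler):
    """Replays the two cross-site shapes a viewed web page can produce: an <img>
    GET with no session, and an auto-submitted POST that the browser sends with
    the victim's existing session cookie. Returns True if either changed DNS."""
    router = Router()
    sid = login(router, ADMIN_USER, ADMIN_PASSWORD)   # victim is logged in
    evil = {"Origin": "http://evil.example", "Referer": "http://evil.example/page"}
    rogue_dns = "198.51.100.7"                        # constructed rogue resolver
    handler(router, "GET", "/setdns", evil, {"dns": rogue_dns}, {})
    handler(router, "POST", "/setdns", evil, {"dns": rogue_dns}, {"session": sid})
    return router.dns_servers == [rogue_dns]


def legitimate_change_succeeds(handler):
    """The router's own UI: logged-in session, same origin, token taken from the form."""
    router = Router()
    sid = login(router, ADMIN_USER, ADMIN_PASSWORD)
    headers = {"Origin": f"http://{ROUTER_HOST}"}
    params = {"dns": "203.0.113.54", "csrf_token": router.sessions.get(sid, "")}
    status, _ = handler(router, "POST", "/setdns", headers, params, {"session": sid})
    return status == 200 and router.dns_servers == ["203.0.113.54"]


if __name__ == "__main__":
    print("vulnerable handler, forged request changed DNS:", forged_requests_succeed(handle_vulnerable))
    print("hardened handler, forged request changed DNS:  ", forged_requests_succeed(handle_hardened))
    print("hardened handler, legitimate change works:     ", legitimate_change_succeeds(handle_hardened))
```

Note that check 2 (a login session) is the one most people reach for first, and it is the one the forged POST sails through, because the browser attaches the session cookie to any request aimed at the router. The Origin check and the per-session token are what actually distinguish the router's own form from a page on MySpace, which is why a password on the admin UI is necessary but not sufficient against the attack in the excerpt.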

What can a hacker do to you once they have access to your router's configuration page?

1) They can create false DNS entries that will point you to their site instead of -- say -- your bank's.

2) They can log in to your home or small business network and snoop on your shared files.

3) If your computer has no password, or an easy password, they may log in directly to your computer behind your firewall, install backdoor Trojans, and use your broadband to send out more virii, spam and malware to others.

4) They can use your system as a proxy while they go do really bad things on the Internet. Later you get served papers (or the officers kick down your door at midnight) for crimes you did not know were being done on your connection.

Etc. Etc. Etc . . .

Lesson for the day (and most of my direct readers already do this, so pass the word to your family, friends and neighbors):

When you buy or take delivery of a DSL, Cable or auxiliary Wi-Fi or wired router, log onto it at least once and change the Administrator password.