Friday, July 16, 2010

“Millions” Of Home Routers Vulnerable To Web Hack « The Firewall - Forbes.com

July 13, 2010 - 1:37 pm
Andy Greenberg
Andy Greenberg is a technology writer for Forbes. 

The upcoming Black Hat security conference in Las Vegas offers an annual parade of security researchers revealing new ways to break various elements of the Internet. But few of the talks have titles quite as alarming as one on this year's schedule: "How to Hack Millions of Routers."

Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon Fios or DSL versions. Users who connect to the Internet through those devices and are tricked into visiting a page that an attacker has set up with Heffner's exploit could have their router hijacked and used to steal information or redirect the user's browsing.

Heffner's attack is a variation on a technique known as "DNS rebinding," a trick that's been discussed for close to 15 years. "There have been plenty of patches over the years, but this still hasn't really been fixed," he says.

The hack exploits an element of the Domain Name System, or DNS, the Internet's method of converting Web page names into IP address numbers. (When you visit Google.com, for instance, a domain name server might convert that name into the IP address 72.14.204.147.) Modern browsers have safeguards that prevent sites from accessing any information that's not at their registered IP address.

But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.

Heffner's trick is to create a site that lists a visitor's own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address--in reality the user's own IP address--and accesses the visitor's home network, potentially hijacking their browser and gaining access to their router settings.
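A resolver-side check for the record pattern described above, where an external name lists the visitor's own address among its answers. This is an added example, not code from the article or from Heffner's tool. It assumes the resolver knows the client's public (WAN) address and which zones may resolve internally; `CLIENT_WAN_IP`, `LOCAL_ZONES` and the sample names are constructed.

```python
import ipaddress

# Assumptions for this sketch: the resolver knows the client's public (WAN) address
# and which zones are allowed to resolve to internal hosts. All values are constructed.
CLIENT_WAN_IP = "203.0.113.7"            # documentation-range stand-in for the WAN IP
LOCAL_ZONES = ("lan", "home.arpa")       # names that may legitimately be internal
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_local_name(qname):
    """True when the queried name sits in a zone that may point at internal hosts."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in LOCAL_ZONES)


def rebinding_suspects(qname, answers, client_wan_ip=CLIENT_WAN_IP):
    """Return (answer, reason) for each address an external name should not map to."""
    if is_local_name(qname):
        return []
    wan = ipaddress.ip_address(client_wan_ip)
    suspects = []
    for raw in answers:
        addr = ipaddress.ip_address(raw)
        # Judge an IPv4-mapped IPv6 answer (::ffff:a.b.c.d) by the IPv4 address it wraps.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        if addr == wan:
            suspects.append((raw, "client-wan"))
        elif any(addr in net for net in INTERNAL_NETS):
            suspects.append((raw, "internal"))
    return suspects


if __name__ == "__main__":
    # Constructed answer sets; 72.14.204.147 is the address quoted in the article.
    samples = {
        "www.example.com": ["72.14.204.147"],
        "multi.example.net": ["72.14.204.147", "203.0.113.7"],
        "rebind.example.net": ["192.168.1.1", "::ffff:10.0.0.1"],
        "router.lan": ["192.168.1.1"],
    }
    for name, addrs in samples.items():
        print(name, rebinding_suspects(name, addrs))
```

The check only classifies DNS answers; it says nothing about whether a particular router model is exposed.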

That DNS trick isn't new, and browsers have installed patches for earlier versions of the exploit. But Heffner says he's tweaked it to bypass those safeguards; he won't say exactly how until his Black Hat talk. "The way that [those patches] are circumvented is actually fairly well known," says Heffner. "It just hasn't been put together like this before."

Heffner tested his attack against 30 router models and found that about half were vulnerable. Here's his chart of which are and aren't subject to attack. ("Successful" in the far right column means that the router was successfully hacked.)

Routers Tested

| Vendor | Model | H/W Version | F/W Version | Successful |
|---|---|---|---|---|
| ActionTec | MI424-WR | Rev. C | 4.0.16.1.56.0.10.11.6 | YES |
| ActionTec | MI424-WR | Rev. D | 4.0.16.1.56.0.10.11.6 | YES |
| ActionTec | GT704-WG | N/A | 3.20.3.3.5.0.9.2.9 | YES |
| ActionTec | GT701-WG | E | 3.60.2.0.6.3 | YES |
| Asus | WL-520gU | N/A | N/A | YES |
| Belkin | F5D7230-4 | 2000 | 4.05.03 | YES |
| Belkin | F5D7230-4 | 6000 | N/A | NO |
| Belkin | F5D7234-4 | N/A | 5.00.12 | NO |
| Belkin | F5D8233-4v3 | 3000 | 3.01.10 | NO |
| Belkin | F5D6231-4 | 1 | 2.00.002 | NO |
| D-Link | DI-524 | C1 | 3.23 | NO |
| D-Link | DI-624 | N/A | 2.50DDM | NO |
| D-Link | DIR-628 | A2 | 1.22NA | NO |
| D-Link | DIR-320 | A1 | 1 | NO |
| D-Link | DIR-655 | A1 | 1.30EA | NO |
| DD-WRT | N/A | N/A | v24 | YES |
| Dell | TrueMobile 2300 | N/A | 5.1.1.6 | YES |
| Linksys | BEFW11S4 | 1 | 1.37.2 | YES |
| Linksys | BEFSR41 | 4.3 | 2.00.02 | YES |
| Linksys | WRT54G3G-ST | N/A | N/A | YES |
| Linksys | WRT54G2 | N/A | N/A | NO |
| Linksys | WRT160N | 1.1 | 1.02.2 | YES |
| Linksys | WRT54G | 3 | 3.03.9 | YES |
| Linksys | WRT54G | 5 | 1.00.4 | NO |
| Linksys | WRT54GL | N/A | N/A | YES |
| Netgear | WGR614 | 9 | N/A | NO |
| Netgear | WNR834B | 2 | 2.1.13_2.1.13NA | NO |
| OpenWRT | N/A | N/A | Kamikaze r16206 | YES |
| PFSense | N/A | N/A | 1.2.3-RC3 | YES |
| Thomson | ST585 | 6sl | 6.2.2.29.2 | YES |

Potential fixes implemented in the free DNS replacement OpenDNS and the Firefox NoScript plug-in won't prevent his exploit, Heffner adds.

Read more...
http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

Don
