
SoylentNews is people

posted by takyon on Wednesday May 27 2015, @01:20PM
from the feeling-vulnerable dept.

For the first time, DNS redirection attacks against small office and home office (SOHO) routers are being delivered via exploit kits. French security researcher Kafeine said an offshoot of the Sweet Orange kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss to click-fraud, man-in-the-middle attacks and phishing.

Perhaps it's time to demand OpenWrt compatibility? It's without backdoors by design, with continuous bug fixes, IPv6 support and unrestrained configuration capability. Embedded boxes seem to have a poor track record on bugs, transparency and robustness.



  • (Score: 1, Informative) by Anonymous Coward on Wednesday May 27 2015, @01:36PM

    by Anonymous Coward on Wednesday May 27 2015, @01:36PM (#188591)

    OpenWRT is good. But it comes with maintenance. You need to still keep it up to date.

    People want appliances that look nice on their desk. That is what the market provides. The appliance makers then differentiate themselves by adding features that get exploited. OpenWRT competes very well with replacing that. But do not mistake it for a fire and forget thing.

  • (Score: 4, Insightful) by Gravis on Wednesday May 27 2015, @01:49PM

    by Gravis (4596) on Wednesday May 27 2015, @01:49PM (#188597)

    the way i demand openwrt compatibility is by only buying compatible routers. seriously, do this and darwinism will do the rest.

    • (Score: 3, Insightful) by WizardFusion on Wednesday May 27 2015, @01:53PM

      by WizardFusion (498) on Wednesday May 27 2015, @01:53PM (#188599) Journal

      The problem with this is that most home users are using the router that was delivered to them when they first signed up to "The Internet".
      It's never updated, it's never replaced. Ask any joe-sixpack home user what "firmware" is and they will look at you with a blank stare.

      • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @02:08PM

        by Anonymous Coward on Wednesday May 27 2015, @02:08PM (#188608)

        "...darwinism will do the rest."

        QED

        • (Score: 2) by kaszz on Wednesday May 27 2015, @02:17PM

          by kaszz (4211) on Wednesday May 27 2015, @02:17PM (#188616) Journal

          When in the land of ignorant minds, Darwin may be your best friend ;-)

      • (Score: 2) by Kromagv0 on Wednesday May 27 2015, @02:40PM

        by Kromagv0 (1825) on Wednesday May 27 2015, @02:40PM (#188624) Homepage

        This is why family members ask me for wireless routers for Christmas. Usually it is because they are having problems with the crap one they got from their ISP. I get a reasonable one un-box it, test it, install OpenWRT, and configure it so all they have to do is take it home and put it in place of their old one.

        --
        T-Shirts and bumper stickers [zazzle.com] to offend someone
      • (Score: 2) by Gravis on Wednesday May 27 2015, @10:23PM

        by Gravis (4596) on Wednesday May 27 2015, @10:23PM (#188811)

        The problem with this is that most home users are using the router that was delivered to them when they first signed up to "The Internet".
        It's never updated, it's never replaced. Ask any joe-sixpack home user what "firmware" is and they will look at you with a blank stare.

        you can't save every moron from swallowing their own tongue, darwinism has to come into play sometime.

    • (Score: 0, Insightful) by Anonymous Coward on Wednesday May 27 2015, @02:33PM

      by Anonymous Coward on Wednesday May 27 2015, @02:33PM (#188621)

      the way i demand openwrt compatibility is by only buying compatible routers. seriously, do this and darwinism will do the rest.

      Such bullshit rationalizing passivity.
      The informed few don't change anything by silently voting for change in the face of an apathetic majority.

      The squeaky wheel gets the grease.

      • (Score: 2) by Gravis on Thursday May 28 2015, @12:43AM

        by Gravis (4596) on Thursday May 28 2015, @12:43AM (#188887)

        the way i demand openwrt compatibility is by only buying compatible routers. seriously, do this and darwinism will do the rest.

        Such bullshit rationalizing passivity.
        The informed few don't change anything by silently voting for change in the face of an apathetic majority.

        the apathetic majority won't load openwrt even if it is compatible. they have to care before it makes a difference.

  • (Score: 2) by FatPhil on Wednesday May 27 2015, @02:48PM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday May 27 2015, @02:48PM (#188628) Homepage
    Cross-Site Request Forgery? So the router's running a web-server?

    A *router* is running a *web server*.

    What web-server functionality does a router require for routing? None.
    Therefore, how much of a webserver should be on your router? Exactly - none.

    I have never subscribed to the "clicky-clicky makes it easier to configure" way of thinking. If router configuration can be performed by an entity remote from the router, then the router should bloody well make sure there's been an authorisation step from a sentient human. (Remember logging in, using a password, at the serial console? Ahh, crazy days...)

    Of course, this exploit requires the victim to be running javascript from an untrusted site. Which was wrong when it was invented, and is still just as wrong now.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by Nerdfest on Wednesday May 27 2015, @03:31PM

      by Nerdfest (80) on Wednesday May 27 2015, @03:31PM (#188652)

      Typically there is authentication required, but many people will leave their session authenticated and few change their router's IP address, which goes a long way towards mitigating the problem as well. Not allowing CSRF exploits would be the proper solution, but even just requiring re-authentication before setup changes would also help.
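      The two mitigations in the comment above, side by side with the weak handler they replace, as an added example (not code from any router vendor or from the thread): a minimal admin-UI request handler for a hypothetical "set DNS" form. The cookie-only check is what a cross-site page can satisfy, because the browser attaches the session cookie automatically; the hardened version additionally requires a per-session synchronizer token, a same-origin `Origin` header, and the admin password again before the change is applied. All names, credentials and addresses are constructed for the example.

```python
import hmac

# Constructed in-memory state for a hypothetical router admin UI (example only).
SESSIONS = {"sess-abc": {"user": "admin", "csrf": "tok-123"}}
ADMIN_PASSWORD = "correct horse"          # constructed sample credential
ROUTER_ORIGIN = "http://192.168.1.1"     # the UI's own origin


def vulnerable_set_dns(req, config):
    """Accept any POST that carries a valid session cookie. A form on an
    untrusted site can submit exactly this request: the browser adds the
    cookie on its own, so an authenticated session is all the attacker needs."""
    if req["cookie"] not in SESSIONS:
        return 401
    config["dns"] = req["form"]["dns"]
    return 200


def hardened_set_dns(req, config):
    """Three checks a cross-site page cannot satisfy: a per-session CSRF
    token, a same-origin Origin header, and re-authentication for changes."""
    sess = SESSIONS.get(req["cookie"])
    if sess is None:
        return 401
    # Synchronizer token: only a page served from the router's origin can
    # read it, so a cross-site form cannot include the right value.
    if not hmac.compare_digest(req["form"].get("csrf", ""), sess["csrf"]):
        return 403
    # Browsers set Origin on cross-site POSTs; a missing or foreign Origin
    # is treated as cross-site and rejected.
    if req["headers"].get("Origin") != ROUTER_ORIGIN:
        return 403
    # Re-authentication before a setup change, as suggested in the thread.
    if not hmac.compare_digest(req["form"].get("password", ""), ADMIN_PASSWORD):
        return 401
    config["dns"] = req["form"]["dns"]
    return 200


# Constructed request a malicious page would make the browser send: the
# session cookie rides along automatically, the token and password do not.
CROSS_SITE_POST = {
    "cookie": "sess-abc",
    "headers": {"Origin": "http://evil.example"},
    "form": {"dns": ["203.0.113.53"]},
}

# Constructed request from the router's own settings page, token and all.
LEGIT_POST = {
    "cookie": "sess-abc",
    "headers": {"Origin": ROUTER_ORIGIN},
    "form": {"dns": ["192.0.2.53"], "csrf": "tok-123", "password": ADMIN_PASSWORD},
}
```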

      • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @04:16PM

        by Anonymous Coward on Wednesday May 27 2015, @04:16PM (#188672)

        If you read about the exploit, they actually use Chrome as the primary vector because it allows it to discover info on the lan, including IP address and the gateway's address.

      • (Score: 2) by frojack on Wednesday May 27 2015, @06:06PM

        by frojack (1554) on Wednesday May 27 2015, @06:06PM (#188711) Journal

        Well at least routers aren't shipped with standard passwords any more. The default password is encoded to the serial number on any modern router.

        The configuration capability is usually restricted to a lan port. The exception is those routers you get from any ISP. They almost always have some sort of remote management capability.

        Personally, I move all routing and dns services into a linux box. I use WIFI routers as Access Points only. In the few cases that I ever have a carrier provided router/modem I set it for pass through operation and feed a linux or openbsd box configured as a router gateway.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @04:18PM

      by Anonymous Coward on Wednesday May 27 2015, @04:18PM (#188675)

      Of course, this exploit requires the victim to be running javascript from an untrusted site.

      Or from a normally trusted site that has been hacked.

    • (Score: 3, Interesting) by http on Wednesday May 27 2015, @07:39PM

      by http (1920) on Wednesday May 27 2015, @07:39PM (#188746)

      If you're expecting Joe Sixpack to learn to use a serial console, exhale slowly and sit down, because I've got some bad news for you.

      Damn rights a router is running a web server. Web pages allow for both simple and complex presentations of the router's interface, and they allow an intervening authorisation step from a barely sentient human. Don't mistake the horse for the messenger you're about to kill.

      --
      I browse at -1 when I have mod points. It's unsettling.
      • (Score: 2) by FatPhil on Thursday May 28 2015, @07:53AM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday May 28 2015, @07:53AM (#188999) Homepage
        Using a serial console, as such, is no more difficult than using a keyboard. OK, that's a skill that's disappearing since the obsession of making everything pointy-clicky or even worse, swipey. Hence sales of tablets booming at the expense of their keyboarded rivals. This isn't progress, it's people just wanting to use the user-interface that they saw in 80s sci-fi, no matter how dumb it is. (And with cameras and gestures becoming more popular, people will be demanding a /Minority Report/-like interface soon, even though that's even dumber.)
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 4, Informative) by jdccdevel on Wednesday May 27 2015, @06:13PM

    by jdccdevel (1329) on Wednesday May 27 2015, @06:13PM (#188712) Journal

    Router Hacking has really, really taken off in the last or two. Prior to that, it was almost unheard of.

    The days of buying a router and leaving it alone forever are long, long gone. Now it's keep your router up to date, or you WILL be hacked.

    Almost always all they are trying to do is change your DNS settings. Unfortunately, most home users have no idea how dangerous that is.

    It's also very, very hard to detect. There are ways to do it, but most antivirus/antispam/internet security products can't detect it at all, which makes your router a prime target.

    One of the problems we're having is a lot of older routers have vulnerable firmware, and the manufacturer doesn't provide any updates any more. For a lot of them, the Latest versions of the firmware are a couple years old and are actively being hacked. We can't tell a customer to convert to dd-wrt, open-wrt or similar. Most wouldn't even know where to start (Most could barely set their wi-fi password!), so all we can do is tell them "Your router is too old, upgrade." Which is sad when the hardware is still working fine.

    The only silver lining is that the firmware writers are really having to clean up their act. Most of these attacks are because router manufacturers did really brain-dead things security wise. (Unchangeable default passwords, magic packets, backdoors, configuration webpages riddled with security holes, etc.)

    Now a lot of the manufacturers are being a lot more conscious of the security of their products. Let's hope that leads to more robust systems overall.
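    One way to make the "very hard to detect" DNS change visible from a client on the LAN, as an added example (not from the thread or any product): compare the resolvers the DHCP lease handed out against an allow-list, and compare A records for a few sensitive names as seen through the LAN resolver against the same names looked up via a trusted out-of-band resolver. The allow-list, names and addresses below are constructed; in practice the allow-list holds the router's LAN address and the ISP's resolvers, and the answers come from real lookups.

```python
# Constructed sample data (not from the article): resolvers the LAN's DHCP
# lease advertised, and A records for sensitive names as seen through the
# LAN-assigned resolver versus a trusted resolver reached out-of-band.
EXPECTED_RESOLVERS = {"192.168.1.1"}          # the router itself, typical for SOHO

SAMPLE_DHCP_DNS = ["203.0.113.53", "192.168.1.1"]
SAMPLE_LAN_ANSWERS = {
    "bank.example": ["203.0.113.10"],                  # redirected to attacker host
    "news.example": ["198.51.100.7", "198.51.100.8"],  # CDN rotation, still genuine
}
SAMPLE_TRUSTED_ANSWERS = {
    "bank.example": ["198.51.100.20"],
    "news.example": ["198.51.100.8"],
}


def unexpected_resolvers(dhcp_dns, expected=EXPECTED_RESOLVERS):
    """Return DHCP-supplied resolvers outside the allow-list. A hijacked
    router typically pushes the address of a rogue DNS server alongside,
    or instead of, the addresses it used to advertise."""
    return [ip for ip in dhcp_dns if ip not in expected]


def answer_mismatches(lan_answers, trusted_answers):
    """Return names whose A records from the LAN resolver share nothing with
    the trusted resolver's. Requiring an empty overlap rather than an exact
    match avoids false positives from CDNs that rotate several addresses."""
    return sorted(
        name for name, ips in lan_answers.items()
        if not set(ips) & set(trusted_answers.get(name, []))
    )


def check_lan(dhcp_dns, lan_answers, trusted_answers, expected=EXPECTED_RESOLVERS):
    """Combine both checks into one report; either list being non-empty is a
    strong indicator that the router's DNS settings have been changed."""
    report = {
        "rogue_resolvers": unexpected_resolvers(dhcp_dns, expected),
        "redirected_names": answer_mismatches(lan_answers, trusted_answers),
    }
    report["hijack_suspected"] = bool(report["rogue_resolvers"] or report["redirected_names"])
    return report


if __name__ == "__main__":
    print(check_lan(SAMPLE_DHCP_DNS, SAMPLE_LAN_ANSWERS, SAMPLE_TRUSTED_ANSWERS))
```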

    • (Score: 2) by Phoenix666 on Thursday May 28 2015, @03:21AM

      by Phoenix666 (552) on Thursday May 28 2015, @03:21AM (#188927) Journal

      It's interesting you say this because I recently put OpenWRT on my older router because I suspected it had been compromised and it would no longer update its firmware from the manufacturer. I had never thought about it as a vulnerability before, having seen it as an appliance like a toaster. Now I'm becoming more interested in router firmware both for its security implications in this sort of context, but also for its possibilities in playing a role in ad hoc mesh networks and their potential for resilient networks in the face of natural disaster, government interference, etc.

      Do you know of any particularly helpful sites (beyond OpenWRT) that could help a person get their feet wet?

      --
      Washington DC delenda est.
      • (Score: 2) by jdccdevel on Friday May 29 2015, @08:12PM

        by jdccdevel (1329) on Friday May 29 2015, @08:12PM (#189824) Journal

        As I mentioned, most attacks on routers are implementing DNS Hijacking [wikipedia.org] attacks, because they're relatively easy (just change the DNS settings to point to a rogue DNS server, and they're good to go) and hard to detect, but the potential is there to do much, much more. Thankfully the embedded nature of the devices raises the bar, since any hacked binaries need to be compiled for a particular router model. (Think of how many possible firmware versions openwrt has compiled for all the different models it supports, and it's the same thing.)

        As far as vulnerabilities, once you've installed OpenWRT or similar, you've moved well beyond the router-as-appliance frame of mind, which can only be a good thing. At that point, your router is basically a mini linux server, so all the usual linux sysadmin tools and best-practices apply.

        Every home router is essentially a mini embedded server. If you were to try to configure a Linux box to do the same, the computer would end up running:
        - Iptables
        - ebtables
        - tc (for traffic control and QOS)
        - a HTTP server (for configuration) with PHP or some other scripting language enabled.
        - a DNS Recursive resolver (At the very least, some have a full fledged DNS Server running)
        - a DHCP Server
        - Wireless network configuration tools
        - OpenVPN or similar
        - a Mini-DLNA server like ReadyMedia aka MiniDLNA [archlinux.org]
        - Possibly some variant of Quagga [nongnu.org] for dynamic routing

        In order to properly administer all of those services, you need a lot of knowledge, which is why the quality of the configuration tools is so important. It's really easy to mess something up without them if you don't know what you're doing. Even if you do, the attack surface is much larger than most people realize.

        If you really want to learn about routers, I would suggest getting a cheap linux box (or VM), putting in a couple of Network cards, and building one for yourself. NAT inside your home network should work fine (although double NAT isn't recommended for accessing the internet, it should work for most things).

        A solid understanding of IP Networks, Static Routing, firewall rules, Network Address Translation (NAT), DNS and DHCP will get you most of the way there. There are lots of books and tutorials online for how those work, and nothing teaches like doing.

        The Linux routing and firewall howtos, and the Linux advanced routing and traffic control howto are both very good resources.

        Hope that helps!

        • (Score: 2) by Phoenix666 on Monday June 01 2015, @04:54AM

          by Phoenix666 (552) on Monday June 01 2015, @04:54AM (#190558) Journal

          Thank you, that's very kind. Reading man pages and wikis can only take you so far, especially when the larger conceptual terrain is unknown, right? Once upon a time there were LUGs where people helped each other through areas like this, to synthesize the configuration settings into a larger security framework. Do LUGs still exist, or what have they morphed into? I've been down the rabbit hole of my own projects in things I know for so long that I've rather lost touch with that community.

          --
          Washington DC delenda est.