
SoylentNews is people

posted by takyon on Wednesday May 27 2015, @01:20PM
from the feeling-vulnerable dept.

For the first time, DNS redirection attacks against small office and home office (SOHO) routers are being delivered via exploit kits. French security researcher Kafeine said an offshoot of the Sweet Orange kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss to click-fraud, man-in-the-middle attacks and phishing.

Perhaps it's time to demand OpenWrt compatibility? It's without backdoors by design, with continuous bug fixes, IPv6 support and unrestrained configuration capability. Embedded boxes seem to have a poor track record on bugs, transparency and robustness.


[Editor's Comment: Original Submission]

 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday May 27 2015, @02:48PM (#188628)

    Cross-Site Request Forgery? So the router's running a web-server?

    A *router* is running a *web server*.

    What web-server functionality does a router require for routing? None.
    Therefore, how much of a webserver should be on your router? Exactly - none.

    I have never subscribed to the "clicky-clicky makes it easier to configure" way of thinking. If router configuration can be performed by an entity remote from the router, then the router should bloody well make sure there's been an authorisation step from a sentient human. (Remember logging in, using a password, at the serial console? Ahh, crazy days...)

    Of course, this exploit requires the victim to be running javascript from an untrusted site. Which was wrong when it was invented, and is still just as wrong now.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by Nerdfest (80) on Wednesday May 27 2015, @03:31PM (#188652)

    Typically there is authentication required, but many people will leave their session authenticated and few change their router's IP address which goes a long way towards mitigating the problem as well. Not allowing CSRF exploits would be the proper solution, but even just requiring re-authentication before setup changes would also help.
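
The two mitigations named in the comment above (refusing cross-site requests, and requiring re-authentication before setup changes) look like this on the router's side. This is an added example, not part of the thread or of any router's firmware; the admin origin, the time window and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

ROUTER_ORIGINS = {"http://192.168.1.1"}  # assumed admin UI origin (constructed)
REAUTH_WINDOW = 120                      # assumed: seconds a password entry stays fresh
SECRET = secrets.token_bytes(32)         # per-boot key for CSRF tokens

def csrf_token(session_id: str) -> str:
    """Token bound to the session; the settings form carries it as a hidden field."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer) is the admin UI itself."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False                     # a state change must declare where it came from
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" in ROUTER_ORIGINS

def authorize_change(method, headers, form, session, now=None):
    """Return (allowed, reason) for a request that would change router settings."""
    now = time.time() if now is None else now
    if method != "POST":
        return False, "settings may only change via POST"
    if session is None:
        return False, "not logged in"
    if not same_origin(headers):
        return False, "cross-site request"
    sent = form.get("csrf", "").encode()
    if not hmac.compare_digest(sent, csrf_token(session["id"]).encode()):
        return False, "bad CSRF token"
    if now - session["last_password_entry"] > REAUTH_WINDOW:
        return False, "re-authentication required"
    return True, "ok"
```

A browser that is still logged in to the router satisfies only the session check; a page on another site cannot set a matching Origin or read the token, and an idle session fails the freshness check even when the request comes from the admin UI.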

    • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @04:16PM (#188672)

      If you read about the exploit, they actually use Chrome as the primary vector because it allows it to discover info on the lan, including IP address and the gateway's address.

    • (Score: 2) by frojack (1554) on Wednesday May 27 2015, @06:06PM (#188711)

      Well at least routers aren't shipped with standard passwords any more. The default password is encoded to the serial number on any modern router.

      The configuration capability is usually restricted to a lan port. The exception is those routers you get from any ISP. They almost always have some sort of remote management capability.

      Personally, I move all routing and dns services into a linux box. I use WIFI routers as Access Points only. In the few cases that I ever have a carrier provided router/modem I set it for pass through operation and feed a linux or openbsd box configured as a router gateway.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @04:18PM (#188675)

    Of course, this exploit requires the victim to be running javascript from an untrusted site.

    Or from a normally trusted site that has been hacked.

  • (Score: 3, Interesting) by http (1920) on Wednesday May 27 2015, @07:39PM (#188746)

    If you're expecting Joe Sixpack to learn to use a serial console, exhale slowly and sit down, because I've got some bad news for you.

    Damn rights a router is running a web server. Web pages allow for both simple and complex presentations of the router's interface, and they allow an intervening authorisation step from a barely sentient human. Don't mistake the horse for the messenger you're about to kill.

    --
    I browse at -1 when I have mod points. It's unsettling.
    • (Score: 2) by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday May 28 2015, @07:53AM (#188999)

      Using a serial console, as such, is no more difficult than using a keyboard. OK, that's a skill that's disappearing since the obsession of making everything pointy-clicky or even worse, swipey. Hence sales of tablets booming at the expense of their keyboarded rivals. This isn't progress, it's people just wanting to use the user-interface that they saw in 80s sci-fi, no matter how dumb it is. (And with cameras and gestures becoming more popular, people will be demanding a /Minority Report/-like interface soon, even though that's even dumber.)
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves