For the first time, DNS redirection attacks against small office and home office (SOHO) routers are being delivered via exploit kits. French security researcher Kafeine said an offshoot of the Sweet Orange kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss to click-fraud, man-in-the-middle attacks and phishing.
Perhaps it's time to demand OpenWrt compatibility? It's without backdoors by design, with continuous bug fixes, IPv6 support and unrestrained configuration capability. Embedded boxes seems to have a poor track record on bugs, transparency and robustness.
(Score: 2) by FatPhil on Wednesday May 27 2015, @02:48PM
A *router* is running a *web server*.
What web-server functionality does a router require for routing? None.
Therefore, how much of a webserver should be on your router? Exactly - none.
I have never subscribed to the "clicky-clicky makes it easier to configure" way of thinking. If router configuration can be performed by an entity remote from the router, then the router should bloody well make sure there's been an authorisation step from a sentient human. (Remember logging in, using a password, at the serial console? Ahh, crazy days...)
Of course, this exploit requires the victim to be running javascript from an untrusted site. Which was wrong when it was invented, and is still just as wrong now.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Nerdfest on Wednesday May 27 2015, @03:31PM
Typically there is authentication required, but many people will leave their session authenticated, and few change their router's IP address, which goes a long way towards mitigating the problem as well. Not allowing CSRF exploits would be the proper solution, but even just requiring re-authentication before setup changes would also help.
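As an added illustration of the two mitigations named in the comment above (this is not code from the thread, from Kafeine's write-up, or from any router vendor), here is a small Python gate a router's admin backend could run before applying a settings change. It rejects requests whose Origin/Referer is not the router itself (so a cross-site POST is refused even if the attacker knows the gateway address), requires a per-session synchronizer token in the form, and demands a recent password check for anything that alters configuration. The names `Session`, `allow_config_change`, `ALLOWED_ORIGINS`, the `192.168.1.1` admin address and the 300-second re-authentication window are all assumptions made for the example.

```python
"""CSRF and re-authentication gate for a router admin endpoint.
Added example, not from the thread or any vendor firmware; all names and
values below (admin host, window length, session layout) are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlparse

# Hypothetical admin host; a real router would derive this from its LAN address.
ALLOWED_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}
# Assumed policy: a config change needs a password check no older than this (seconds).
REAUTH_WINDOW = 300


@dataclass
class Session:
    """Server-side session state; the token never leaves the session except via the form."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_auth: float = 0.0  # epoch seconds of the most recent password verification


def origin_ok(headers: dict) -> bool:
    """Accept only requests that originate from the router's own admin pages.
    Browsers always attach Origin to cross-site POSTs and scripts cannot forge it,
    so a page served from another site fails here regardless of what it knows."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: refuse the state change
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin in ALLOWED_ORIGINS


def token_ok(session: Session, form: dict) -> bool:
    """Synchronizer token: the submitted form must echo the per-session secret.
    Constant-time comparison avoids leaking the token through timing."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session.csrf_token)


def reauth_ok(session: Session, now: Optional[float] = None) -> bool:
    """Require that the user re-entered the password within REAUTH_WINDOW seconds."""
    now = time.time() if now is None else now
    return (now - session.last_auth) <= REAUTH_WINDOW


def allow_config_change(session: Session, headers: dict, form: dict,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a POST that alters DNS/WAN settings may proceed.
    Returns (allowed, reason); checks run cheapest-first and stop at the first failure."""
    if not origin_ok(headers):
        return False, "cross-site origin"
    if not token_ok(session, form):
        return False, "missing or wrong CSRF token"
    if not reauth_ok(session, now):
        return False, "re-authentication required"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a legitimate change followed by a forged cross-site one.
    sess = Session(last_auth=1000.0)
    legit_form = {"csrf_token": sess.csrf_token, "dns1": "198.51.100.53"}
    print(allow_config_change(sess, {"Origin": "http://192.168.1.1"}, legit_form, now=1100.0))
    print(allow_config_change(sess, {"Origin": "http://attacker.example"}, legit_form, now=1100.0))
```

The three checks are deliberately layered: the Origin check alone defeats the drive-by case described in the story, the token covers browsers or proxies that strip Origin and Referer, and the re-authentication window limits what a still-logged-in session is worth if the first two are ever bypassed.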
(Score: 0) by Anonymous Coward on Wednesday May 27 2015, @04:16PM
If you read about the exploit, they actually use Chrome as the primary vector because it allows it to discover info on the LAN, including IP address and the gateway's address.
(Score: 2) by frojack on Wednesday May 27 2015, @06:06PM
Well at least routers aren't shipped with standard passwords any more. The default password is encoded to the serial number on any modern router.
The configuration capability is usually restricted to a LAN port. The exception is those routers you get from any ISP. They almost always have some sort of remote management capability.
Personally, I move all routing and DNS services into a Linux box. I use Wi-Fi routers as access points only. In the few cases that I ever have a carrier-provided router/modem, I set it for pass-through operation and feed a Linux or OpenBSD box configured as a router gateway.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Wednesday May 27 2015, @04:18PM
Or from a normally trusted site that has been hacked.
(Score: 3, Interesting) by http on Wednesday May 27 2015, @07:39PM
If you're expecting Joe Sixpack to learn to use a serial console, exhale slowly and sit down, because I've got some bad news for you.
Damn rights a router is running a web server. Web pages allow for both simple and complex presentations of the router's interface, and they allow an intervening authorisation step from a barely sentient human. Don't mistake the horse for the messenger you're about to kill.
I browse at -1 when I have mod points. It's unsettling.
(Score: 2) by FatPhil on Thursday May 28 2015, @07:53AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves