posted by takyon on Wednesday May 27 2015, @01:20PM   Printer-friendly
from the feeling-vulnerable dept.

For the first time, DNS redirection attacks against small office and home office (SOHO) routers are being delivered via exploit kits. French security researcher Kafeine said an offshoot of the Sweet Orange kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss to click-fraud, man-in-the-middle attacks and phishing.

Perhaps it's time to demand OpenWrt compatibility? It's without backdoors by design, with continuous bug fixes, IPv6 support and unrestrained configuration capability. Embedded boxes seem to have a poor track record on bugs, transparency and robustness.

  • (Score: 4, Informative) by jdccdevel on Wednesday May 27 2015, @06:13PM

    by jdccdevel (1329) on Wednesday May 27 2015, @06:13PM (#188712) Journal

    Router Hacking has really, really taken off in the last or two. Prior to that, it was almost unheard of.

    The days of buying a router and leaving it alone forever are long, long gone. Now it's keep your router up to date, or you WILL be hacked.

    Almost always all they are trying to do is change your DNS settings. Unfortunately, most home users have no idea how dangerous that is.

    It's also very, very hard to detect. There are ways to do it, but most antivirus/antispam/internet security products can't detect it at all, which makes your router a prime target.

    One of the problems we're having is a lot of older routers have vulnerable firmware, and the manufacturer doesn't provide any updates any more. For a lot of them, the latest versions of the firmware are a couple years old and are actively being hacked. We can't tell a customer to convert to dd-wrt, open-wrt or similar. Most wouldn't even know where to start (most could barely set their wi-fi password!), so all we can do is tell them "Your router is too old, upgrade." Which is sad when the hardware is still working fine.

    The only silver lining is that the firmware writers are really having to clean up their act. Most of these attacks are because router manufacturers did really brain-dead things security-wise. (Unchangeable default passwords, magic packets, backdoors, configuration webpages riddled with security holes, etc.)

    Now a lot of the manufacturers are being a lot more conscious of the security of their products. Let's hope that leads to more robust systems overall.

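The post above says a DNS-settings change is hard to detect and that endpoint security products mostly miss it. The check below is an added example for this discussion, not code from the poster: it shows the two things a defender can actually compare from an ordinary LAN client. First, the resolvers the client was handed (on a typical home LAN these come from the router via DHCP and land in `/etc/resolv.conf`) are matched against an allowlist of resolvers the owner configured on purpose. Second, answers for a few names that should be stable, obtained through the configured resolver, are compared with answers from an independent trusted resolver. All inputs here are constructed sample data (the resolv.conf text, the allowlist, the answer sets, and the 203.0.113.0/24 documentation address standing in for a rogue resolver) so the script runs offline.

```python
"""Two offline checks for a hijacked resolver setting on a home LAN.

Added example, not part of the original post.  Sample inputs are constructed.
"""
import ipaddress
import re

# Constructed sample: what a DHCP client's /etc/resolv.conf might contain
# after the router started handing out a second, unexpected resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 192.168.1.1
nameserver 203.0.113.66
search lan
"""

# Resolvers the owner intentionally uses (assumption for the example):
# the router itself and one public resolver.
ALLOWED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

# Constructed A-record answers for two names whose addresses should be
# stable.  The local resolver disagrees on one of them, which is the
# symptom a DNS hijack produces.
LOCAL_ANSWERS = {"bank.example": {"203.0.113.10"}, "mail.example": {"198.51.100.25"}}
TRUSTED_ANSWERS = {"bank.example": {"198.51.100.10"}, "mail.example": {"198.51.100.25"}}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses in order, skipping comments and other keywords."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            try:
                servers.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass                                   # malformed entry; resolvers ignore it too
    return servers


def check_resolvers(resolv_conf: str, allowed: set[str]) -> list[str]:
    """Return every resolver the client was handed that is not on the allowlist."""
    return [s for s in parse_nameservers(resolv_conf) if s not in allowed]


def compare_answers(local: dict[str, set[str]], trusted: dict[str, set[str]]) -> list[str]:
    """Return names whose answer set from the local resolver differs from the trusted one.

    Only feed this names with a stable address set (your bank, your mail host);
    CDN-fronted names rotate addresses legitimately and would cause false alarms.
    """
    return sorted(name for name in trusted if local.get(name, set()) != trusted[name])


if __name__ == "__main__":
    rogue = check_resolvers(SAMPLE_RESOLV_CONF, ALLOWED_RESOLVERS)
    print("unexpected resolvers handed out:", rogue)
    print("names answered differently:", compare_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

Either check firing is a reason to log into the router and look at its WAN DNS and DHCP settings directly; the resolver comparison is the cheaper one to run on a schedule, since it needs no network access at all.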
  • (Score: 2) by Phoenix666 on Thursday May 28 2015, @03:21AM

    by Phoenix666 (552) on Thursday May 28 2015, @03:21AM (#188927) Journal

    It's interesting you say this because I recently put OpenWRT on my older router because I suspected it had been compromised and it would no longer update its firmware from the manufacturer. I had never thought about it as a vulnerability before, having seen it as an appliance like a toaster. Now I'm becoming more interested in router firmware both for its security implications in this sort of context, but also for its possibilities in playing a role in ad hoc mesh networks and their potential for resilient networks in the face of natural disaster, government interference, etc.

    Do you know of any particularly helpful sites (beyond OpenWRT) that could help a person get their feet wet?

    --
    Washington DC delenda est.
    • (Score: 2) by jdccdevel on Friday May 29 2015, @08:12PM

      by jdccdevel (1329) on Friday May 29 2015, @08:12PM (#189824) Journal

      As I mentioned, most attacks on routers are implementing DNS Hijacking [wikipedia.org] attacks, because they're relatively easy (just change the DNS settings to point to a rogue DNS server, and they're good to go) and hard to detect, but the potential is there to do much, much more. Thankfully the embedded nature of the devices raises the bar, since any hacked binaries need to be compiled for a particular router model. (Think of how many possible firmware versions openwrt has compiled for all the different models it supports, and it's the same thing.)

      As far as vulnerabilities, once you've installed OpenWRT or similar, you've moved well beyond the router-as-appliance frame of mind, which can only be a good thing. At that point, your router is basically a mini linux server, so all the usual linux sysadmin tools and best-practices apply.

      Every home router is essentially a mini embedded server. If you were to try to configure a Linux box to do the same, the computer would end up running:
      - Iptables
      - ebtables
      - tc (for traffic control and QOS)
      - an HTTP server (for configuration) with PHP or some other scripting language enabled.
      - a DNS Recursive resolver (At the very least, some have a full fledged DNS Server running)
      - a DHCP Server
      - Wireless network configuration tools
      - OpenVPN or similar
      - a Mini-DLNA server like ReadyMedia aka MiniDLNA [archlinux.org]
      - Possibly some variant of Quagga [nongnu.org] for dynamic routing

      In order to properly administer all of those services, you need a lot of knowledge, which is why the quality of the configuration tools is so important. It's really easy to mess something up without them if you don't know what you're doing. Even if you do, the attack surface is much larger than most people realize.

      If you really want to learn about routers, I would suggest getting a cheap linux box (or VM), putting in a couple of Network cards, and building one for yourself. NAT inside your home network should work fine (although double NAT isn't recommended for accessing the internet, it should work for most things).

      A solid understanding of IP Networks, Static Routing, firewall rules, Network Address Translation (NAT), DNS and DHCP will get you most of the way there; there are lots of books and tutorials online for how those work, and nothing teaches like doing.

      The Linux routing and firewall howtos, and the Linux advanced routing and traffic control howto are both very good resources.

      Hope that helps!
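
The service list above is the attack surface the post is warning about, and the first question when you build your own Linux router is which of those daemons can be reached from the WAN side at all. The script below is an added example for this thread, not the poster's code: it parses the output of `ss -lntu` (a constructed sample is embedded, so it runs offline) and sorts every listening socket by what it is bound to: loopback only, the router's own LAN address only, or every address (`0.0.0.0`, `*`, `[::]`), which includes the WAN interface unless the firewall blocks it. The LAN address set and the sample listeners are assumptions for the example.

```python
"""Classify a Linux router's listening sockets by which side can reach them.

Added example, not part of the original post.  The ss output is constructed.
"""
import ipaddress

# Constructed sample in the column layout `ss -lntu` prints: a DNS resolver
# and config web UI bound to the LAN address only, a DHCP server, an SSH
# daemon and a DLNA server bound to every address, and CUPS on loopback.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q      Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0             192.168.1.1:53         0.0.0.0:*
udp   UNCONN 0      0                 0.0.0.0:67         0.0.0.0:*
tcp   LISTEN 0      128           192.168.1.1:80         0.0.0.0:*
tcp   LISTEN 0      128               0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128                     *:8200             *:*
tcp   LISTEN 0      128                  [::]:22            [::]:*
"""

# The router's own LAN-side addresses (assumed for the example).
LAN_ADDRESSES = {"192.168.1.1"}

WILDCARDS = {"*", "0.0.0.0", "[::]"}


def parse_listeners(ss_output: str):
    """Yield (proto, bound_address, port) for each socket line after the header."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # rpartition keeps [::] intact
        yield proto, addr, int(port)


def classify(addr: str, lan_addresses: set[str]) -> str:
    """Map a bound address to 'all', 'loopback', 'lan' or 'other'."""
    if addr in WILDCARDS:
        return "all"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if str(ip) in lan_addresses:
        return "lan"
    return "other"


def audit(ss_output: str, lan_addresses: set[str] = LAN_ADDRESSES) -> dict[str, list[tuple[str, int]]]:
    """Group listening (proto, port) pairs by reachability class, deduplicating v4/v6 twins."""
    groups: dict[str, set[tuple[str, int]]] = {"all": set(), "lan": set(), "loopback": set(), "other": set()}
    for proto, addr, port in parse_listeners(ss_output):
        groups[classify(addr, lan_addresses)].add((proto, port))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    result = audit(SAMPLE_SS_OUTPUT)
    print("reachable from WAN unless firewalled:", result["all"])
    print("LAN address only:", result["lan"])
    print("loopback only:", result["loopback"])
```

Some daemons legitimately bind to all addresses (a DHCP server usually does), so the "all" group is a review list rather than a bug list: each entry needs either a bind-address setting that pins it to the LAN interface or an explicit firewall rule dropping it on the WAN interface, and re-running the audit after a firmware or package update catches services that quietly came back.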

      • (Score: 2) by Phoenix666 on Monday June 01 2015, @04:54AM

        by Phoenix666 (552) on Monday June 01 2015, @04:54AM (#190558) Journal

        Thank you, that's very kind. Reading man pages and wikis can only take you so far, especially when the larger conceptual terrain is unknown, right? Once upon a time there were LUGs where people helped each other through areas like this, to synthesize the configuration settings into a larger security framework. Do LUGs still exist, or what have they morphed into? I've been down the rabbit hole of my own projects in things I know for so long that I've rather lost touch with that community.

        --
        Washington DC delenda est.