janrinok writes "A recent survey carried out by Tripwire, reported by the BBC, claims that "80% of the 25 best-selling routers available on Amazon are vulnerable to compromise". Security researcher Craig Young from Tripwire said exploits had been publicly discussed and published for more than one-third of these devices.
In a separate report, the Internet Storm Center (ISC) warned about a continuing attempt to exploit a vulnerability in 23 separate models of Linksys routers. A worm, called 'The Moon' is compromising Linksys routers and then scans for other potentially vulnerable systems. So far, wrote ISC researcher Johannes Ullrich in his blogpost, it is not clear why the routers are being compromised and what might be done with them. There are hints in the exploit code that the routers will at some point be gathered together into a network of compromised machines. Currently, he added, all the worm was doing was spreading to other Linksys routers.
The reason for the current European concern is a recent large scale attack on home routers in order to gather usernames and passwords for online bank accounts, reported by the Polish Computer Emergency Response Team (CERT) and elsewhere."
(Score: 5, Interesting) by TheLink on Monday February 24 2014, @04:07AM
Secondly "browser drive by" attacks on the router's internal IP should only work if the user is logged in (which is hardly ever). And if you use session cookies, the window should be a lot smaller (yes I know many use basic auth, ugh).
(Score: 5, Informative) by nsa on Monday February 24 2014, @04:25AM
The internal interface also matters. Compromise a single system on the internal network via MITM at the ISP or upstream, or a malicious site visited, and now that barrier to compromise of the router is gone. Compromise the router, and you now have total domination of the rest of the hosts on that network (or at least all of their internet traffic, which usually makes further infiltration a piece of cake).
The NSA Never Says Anything. The NSA Never Lies [washingtonpost.com]
(Score: 1) by TheLink on Monday February 24 2014, @07:04AM
Which is why I wrote a second paragraph.
(Score: 1) by nsa on Monday February 24 2014, @09:25AM
Yes, I too quickly inferred from the word 'drive by' that you were referring to a wifi attack from a vehicle driving by. That said, even if the user is not logged in, the threat surface is still extremely large compared to an external interface filtering out admin access. Your 'should' in that paragraph is also one of those infamous 'should's to dwell on. Beside that, advanced persistent threats[1] in firmware can wait a long time for the user to log into the router.
[1] Jonathan Corbet - Practical Security for 2014
"Many of these problems can be explained by the fact that we're dealing with firmware authors, but there is more to it than that: a system's firmware has not traditionally been part of its security model. Suddenly the firmware has been put into an important position of trust, despite the fact that it was not written with that kind of security in mind."
Again, we at the NSA are sorry for being too hasty delivering a retaliatory salvo to your opinion instead of considering it more carefully. Sorry about that.
The NSA Never Says Anything.
The NSA Always Apologizes For Its Mistakes
The NSA Never Lies [washingtonpost.com]
(Score: 1) by chromas on Monday February 24 2014, @09:38AM
I recently discovered an older Belkin 'router' (F5D8236-4 v2) I commandeered loads up the login page with a bunch of JavaScript variables including some booleans and various IP and MAC addresses plus the login password. The JavaScript is there solely to redirect to the firmware updater which doesn't work. It also forgets how DNS works sometimes.