Comments on: Hack lets intruders sneak into home routers

Ability to change the settings of poorly configured home routers could put home networks at risk of serious attack.

[Mergatroid Mania]

This is caused by two problems.

First off, companies are marketing tech but skipping a step. It seems to go driect from engineering to market.

They should know that people are not engineers, and need a more friendly interface. Many more things should be automatic, rather than counting on manually configuring. Ever try to get NAT or VPN to work on a router? Almost have to be an engineer just to understand the settings. It's no wonder people have such a hard time.
Same goes for the password. The ability to leave it as default should not exist. During the installation process, the consumer should be prompted to enter a password. No ability to skip this step should be provided. Furthermore, if the consumer tried to use the product without entering a new password, the product should simply not work. Of course, this would lead to tech support phone calls, which cost money. Personally, I'd rather be known as the company who's instructions for using their product must be followed than as the company who's product is dangerious to use. (even worse, the company who's product helped thieves clean out someone's bank account).
The other problem is people who are just too damn lazy to read the instructions. I work in the electronic service field, and it's amazing how many people I deal with just because they couldn't be bothered to read the instructions. One customer who pulled up in a Limo, brought in an item he said was defective, and apon being informed there was nothing wrong with it and reading the owner's manual would have solved his problem promptly replied "I don't read owners manuals".
If people start getting ripped off by this method, the only ones I'll feel sorry for are the ones that couldn't figure out how to change the password.
Those that skipped the step, or simply couldn't be bothered will get what they deserve. Financial evolution in action.

[Stating]

Turn Java Off By Default

It is a bad idea in general to have Java enabled by default in your browser. I use the Noscript add-on for Firefox. Sites that I visit are only given script access if I expressly grant it. I can grant either on a temporary or permanent basis.

[lschweiss]

Thats nice.

At least you know that you need to take precautions. Unfortunately, most computer users are absolutely clueless about setting passwords.

I service home computers regularly, and have yet to encounter any passwords being used on any software or device I have encountered. The first thing I do is set up "user" accounts to be used instead of the default "Administrator" accounts and teach people how to set passwords. It's amazing how most people don't even have a clue as how to set their password in Windows.

Consumer products cannot assume the user will configure anything. Most people will buy a router and plug it in using the pretty pictures as a reference and expect everything to work. In the case of most routers, they WILL work out of the box. The exception being those that need PPPoE, but PPPoE seems to be on the decline with ISPs in this region. SBC now ships DSL modems that do PPPoE for the client and any DHCP device will work behind them.

What router manufactures really should be doing is intercepting the first HTTP access and forcing a setup wizard when they are first installed.

Mergatroid Mania is correct, the software engineers should not be designing the interface for consumer routers. What to see a software engineer twitch, let them see how their software is actually being used by Joe Consumer.

[drivel]

I dunno.

I wouldn't have too much faith in NoScript if I were you. I used to use it until one day I noticed a flash object started playing for a few seconds until NoScript disabled it. If it had been a malicious script it would be too late.

[Dalkorian]

note

Java is not and does not equal JavaScript.

Just thought I'd point that out, the two often get confused. The
issue here (as I've read it) is with JavaScript. Turning off Java will do
*NOTHING* to protect you from this!

[wanorris]

turning JavaSCRIPT off turns off web apps

Another poster has already kindly pointed out the difference between Java and JavaScript.

The downside of turning off JavaScript is that virtually any interactive web application depends on JavaScript for all of it's niftiness, and they will either not work, or will fall back to being sluggish and forcing you to post a page back to do anything at all.

Want to use GMail the way it's meant to be used? The spiffy new beta of Yahoo Mail? Google Docs & Spreadsheets? Google Maps? Kiss all that goodbye if you turn off JavaScript.

[alegr]

Very easy

In one reference design, which could be used by those companies, the router settings are changed by HTTP GET request. This means any website could change the settings, if the default password is used. Java Script is not even required.

[Renegade Knight]

Symantec has a lot of potential.

This shows the potential Symantec has. They are often at the forefront of security issues. Alas if only they used their power for good and created worthy software.

[kgrutz]

Not really

This was first mentioned at BlackHat 2006 by Jeremiah Grossman and RSnake:

http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf

There has been a lot of research lately into what can be done with Javascript. The results are astounding.

Also discussed here: http://ha.ckers.org/blog/20070215/router-reconfiguration-xss/

[tphm]

is it really possible? don't you have to type IP address of your router

It's not some website on the web. You have to type your own IP router to get to the webpage that served up by the router. It's in the hardware. How can you do cross-site scripting with that?

[mrjam32]

Let's see...

192.168.0.1 -or- 192.168.1.1. How hard was that?

[mrjam32]

Let's see...

192.168.0.1 -or- 192.168.1.1. How hard was that?

[Anon-Y-mous]

Use a Mac or Linux. Won't have this problem!

Microsoft's defaults and no security caused this to occur. When will people learn? How many hacks onto NON-Microsoft hardware will people allow before they finally realize it's their operating system causing all of it?

[umcrouc0]

Good Point

You're right. If you just use a Mac Airport Base Station or Mac Airport Express for your router you won't have this problem.

[yeungj]

Not so sure..

I don?t know about Macs but not so sure about Linux!! JavaScript is a scripting language just like HTML. It executes from the web browser so as long as the browser is able to run JavaScript the hacker code should run no matter you are running on Linux or Windows. Unless you are using FireFox which you can disable JavaScript to run.

[eBob1]

Sorry, but no.

This hack uses Javascript, which, as far as I know, is cross-platform. Just because one uses Linux or Mac, one should not assume that this could not happen. I would advise that the default password on any wireless router be changed as soon as it is powered on the first time.

[Hoser McMoose]

This hack has NOTHING to do with the OS

Congrats, you win the prize for dumbest post of the thread so far! Now, please go back and read again. Hopefully you'll understand that this hack works EXACTLY the same if you're using Windows, Mac, Linux or any other OS. As long as you have one of the router's in question and standard JavaScript installed, you're vulnerable.

Actually even JavaScript is not 100% necessary, it just makes things easier. Plain old HTML could probably be used to accomplish the exact same thing.

[jcollett69]

I don't think you read the article.

How on Earth is this Microsoft's fault? Are they even mentioned in the article? The problem lies in the interface to the routers themselves. To my knowledge, Javascript is platform independent meaning it does not care if you are using Windows, Mac, or Linux. The code is the same, only the Java clients are different. Though, when this story is boiled down to its essence, this is an id10t error of users not taking the time to RTFM.

[scottSEA]

Wrong, Wrong, Wrong.

If:

1. You have a computer (Linux, Mac or PC - doesn't matter)...

2. ...with JavaScript enabled on your browser (Opera, FireFox or IE - doesn't matter).

3. Your computer talks through a router with the default password and username (Linksys, DLink or NetGear - doesn't matter).

4. You browse to a webpage with the evil Javascript in it, and the JavaScript reconfigures your router to load different web pages without you knowing.

5. You're hosed.

[gggg sssss]

clueless

*** are you babbling about? not even a clue. not even a clue.

[allis0]

You haven't a clue!

That is total rubbish! Mac and Linux both use java in the same way and the password is a property of the router not the operating system!
Stop posting the same crap to every story you bigot!

[v_noronha]

Read the story, Mac ignoramus

The article specifically addresses routers, and their manufacturers. But you seem to have a typically ignorant reaction, hence your comment, which shows that you have not read the article. It refers to router security, and Macs attached to them as well as Windows machines!!!

[v_noronha]

Read the story, Mac ignoramus

The article specifically addresses routers, and their manufacturers. But you seem to have a typically ignorant reaction, hence your comment, which shows that you have not read the article. It refers to router security, and Macs attached to them as well as Windows machines!!!

[MD525]

Telecomuting and Wireless

The factor that is probably the worst is people telecommuting from businesses and have unprotected home networks. The potential losses from these types of situations have the greatest impact on businesses.

Telecommuting is responsible for a growing part of the business world. I was reading an article from ezine http://ezinearticles.com/?Telecommuting-Safely-for-Better-Business&id=377038
Just going over how accidental loss effects companies. If people begin to do the "Drive by Pharming" then it can be terrible for business professionals who may not even be aware of their poor behavior online.

[yeungj]

Agree

I like the article that you have posted. This is so true but a lot of people not realize. But I think this is more or less affects small to medium businesses. Larger businesses usually setup VPN for their employees. BUT only if the employees uses it. For me, I sort of don?t use it at home mainly because my company blocks MSN, Youtube, audio streaming, etc.

[Hoser McMoose]

Surprised this hasn't happened sooner!

Honestly I'm rather shocked that this hasn't happened sooner. Actually, scratch that, it HAS happened before, I'm fairly certain of it, it probably just hasn't been all that widely publicized. Other similar attacks could enable unencrypted wireless, enable port-forwarding to access potentially vulnerable ports or, in an extreme situation, even upload a new and compromised version of the router firmware.

This is really a trivial hack. Actually I wouldn't even really call it a "hack" since that implies that there was some real thought and trickery involved here. Really it's just simply automating a procedure and making use of the fact that most users don't change default passwords.

It is somewhat ingenious in it's simplicity though. This should work on any OS that the routers are connected too and there would be no obvious sign. I take a much more paranoid approach to security then the average home user, but honestly I think it's been months since I last checked the DNS settings on my router (though I most certainly did change the default password!). And even if someone DID check their DNS address, would they recognize the IP address for the hacker's site vs. their own ISP's DNS server IP address?

Honestly if this were to happen to me, probably the only thing I would notice is that the malicious hacker's DNS server would probably be faster and more reliable than that of my ISP's! :)

[lynxss]

Me too, we used to do this years ago

Before the days of Gotomypc and other variants to connect to home PCs from the office, we used to do this exact same thing. 8 years or so ago we used to connect in the morning through dialup, open the javascript page which then reconfigures another webpage with the home pc address (which changed each day of course). Then later from the office you have the address of the home machine and can ssh to home and sync files etc. Not as complex as figuring out the brand of router and apropriately logging in and changing settings but same principle, and nearly a decade old.

[lynxss]

Me too, we used to do this years ago

Before the days of Gotomypc and other variants to connect to home PCs from the office, we used to do this exact same thing. 8 years or so ago we used to connect in the morning through dialup, open the javascript page which then reconfigures another webpage with the home pc address (which changed each day of course). Then later from the office you have the address of the home machine and can ssh to home and sync files etc. Not as complex as figuring out the brand of router and apropriately logging in and changing settings but same principle, and nearly a decade old.

[v_noronha]

Read the article, Mac-ignoramus!!!

The article specifically addresses routers, and their manufacturers. But you seem to have a typically ignorant reaction, hence your comment, which shows that you have not read the article. It refers to router security, and Macs attached to them as well as Windows machines!!!