Tag Archives: Exploits

ASUS has settled a lawsuit with the FTC over its home routers’ vulnerabilities and has agreed to implement a security program that will be independently audited for the next 20 years.

In February 2014, thousands of Asus router owners found a disturbing text file saved to their devices.

“This is an automated message being sent out to everyone effected [sic],” the message read. “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.” The anonymous sender then urged the readers to visit a site that explained more about the router vulnerability.

Ars’ Dan Goodin suggests it should be regarded as a wake-up call not only for other router manufacturers, but for the entire IoT industry as well.

Read more about it here.

A recent Naked Security post reports that D-Link’s DSL-2740R modem/router is vulnerable to DNS hijacking and traffic rerouting. According to the post, the vulnerability lies in the ZynOS firmware used by the device. ZynOS is a proprietary operating system made by ZyXEL.

The flaw apparently allows an attacker to access the device’s web interface without the need for authentication.

If an administration panel is exposed to the internet – and we strongly recommend that you don’t do this! – then outsiders may be able to access and reconfigure your device’s DNS setting from afar.

The author suggests that the popularity of ZynOS means that other D-Link devices might be vulnerable too, as well as devices manufactured by TP-Link, ZTE and of course, I might add, ZyXEL.

ComputerWorld, reporting on the same vulnerability, suggests that the flaw could be exploited by CSRF attacks, even if the device’s configuration panel is only accessible from the LAN.

DSL-2740R is a wireless ADSL2+ modem router that is not in production anymore; the latest firmware available on D-Link’s website is version 1.01b02, released almost two years ago, on 22-Feb-2013, for revision B devices.

You can find the Naked Security post here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

A Team Cymru report published on Monday finds more than 300,000 SOHO routers hacked, having their DNS settings modified to point to DNS servers controlled by the attackers. The affected devices come from various manufacturers, including, but not limited to, D-Link, Micronet, Tenda and TP-Link.

The vast majority of the compromised routers (more than 160,000) is found in Vietnam; other locations with large infections include India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador.

The exploit techniques used include Cross-Site Request Forgery (CSRF) for TP-Link devices and an authentication bypass vulnerability in devices running ZyXEL firmware (ZynOS). The exploited routers have their DNS settings pointed to the IP addresses 5.45.75.11 and 5.45.75.36.
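A defender-side check for the DNS-setting hijack described above, added here as an example and not part of the Team Cymru report or this post: it parses resolver lines from a resolv.conf file or a saved router status page and flags any resolver that is one of the two reported rogue addresses or that falls outside an expected range. The allowed ranges and the sample status text are constructed placeholders.

```python
import ipaddress
import re
# Resolver addresses the Team Cymru report names as attacker-controlled.
KNOWN_ROGUE = {"5.45.75.11", "5.45.75.36"}

# Resolvers this network should be using: the router as a forwarder plus
# the ISP's resolvers. Constructed placeholders (RFC 5737 range); use yours.
EXPECTED_NETS = [ipaddress.ip_network("192.168.1.1/32"),
                 ipaddress.ip_network("203.0.113.0/24")]

# Matches 'nameserver X' (resolv.conf) and 'DNS Server 1: X' (router status).
LINE_RE = re.compile(r"^\s*(?:nameserver|dns(?:\s*server)?\s*\d*\s*[:=])\s*(\S+)", re.I)


def parse_resolvers(text):
    """Return configured resolver IPs in order, without duplicates or junk."""
    seen = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:  # not an address, e.g. a hostname
            continue
        if ip not in seen:
            seen.append(ip)
    return seen


def classify(ip):
    """known-rogue: a listed IoC; expected: inside an allowed range;
    unexpected: anything else, the sign that the DNS setting was changed."""
    if ip in KNOWN_ROGUE:
        return "known-rogue"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in EXPECTED_NETS):
        return "expected"
    return "unexpected"


def audit(text):
    """Map each configured resolver to its verdict."""
    return {ip: classify(ip) for ip in parse_resolvers(text)}


# Constructed sample: a router status page saved as text after a hijack.
SAMPLE_STATUS = """\
WAN IP Address: 198.51.100.7
DNS Server 1: 5.45.75.11
DNS Server 2: 5.45.75.36
"""
```

Any "unexpected" verdict deserves a look even when the address is not one of the two listed here, since the report notes the campaign hit many vendors and the rogue resolvers can change.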

You can find the Team Cymru report here. There’s also a post by Ars Technica here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

A new post by Ars Technica published yesterday reports two critical vulnerabilities affecting a series of ASUS RT routers. According to the report almost 13,000 routers have been exploited in the 8 months since the vulnerabilities were publicly disclosed, and the users of those routers have had files leaked online. ASUS is said to have patched the routers late last week.

As if that wasn’t enough, the same article makes mention of an attack that infects Linksys routers with self-replicating malware. The worm doesn’t seem to be stealing any data though.

Dan Goodin, the post’s author, notes in his closing paragraph:

Taken together, the attacks are a sign that routers and other Internet-connected devices are being subject to the same in-the-wild attacks that have plagued PCs—and in some cases Macs—for years. Readers are advised to lock down their routers by installing any available firmware updates, changing any default passwords, and ensuring that remote administration, Cloud, and FTP options are set to off if they’re not needed.

You can find Ars’ post here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

Updated January 04, 2014 – added link to Naked Security.

An Ars Technica post reports a Linksys WAG200G vulnerability, discovered by Eloi Vanderbeken, which, if exploited, provides the attacker with admin access. To take advantage of the backdoor the attacker needs to be on the local network and talk to TCP port 32764.

The WAG200G is not the only modem affected by this vulnerability. According to Ars the backdoor has been found on other Linksys models and on Netgear DSL modems as well.

You can read more about it on Ars Technica.

Vulnerabilities like this one are the reason why you need to make sure your modem/router is always running the latest firmware, or else switch to an open-source alternative.

Update: Naked Security posted a nice write-up for this issue. You can find it here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.