Is Your Router Safe?

Lots of people think about their computers being vulnerable, and to alleviate the problems, they use a software firewall, an antivirus package, and various other packages designed to keep the computer safe from outside attacks.

Many people use a router that features Network Address Translation [NAT] and feel that is enough protection, forgoing the use of a software firewall on the computers on the near side of the router. Much of the time, that is enough, and people are protected from lots of nastiness in the wild of the internet.

Today, however, we are informed that new attackers are aware of the protected nature of the intranet (those computers connected to the near side of the router) and are instead choosing to attack the router, which has been considered a bastion of security by many. Unfortunately, an article from Forbes (not the first place I think of computer security articles originating!) tells us that many routers in place today are hackable, and that the more upsetting thing is that the method of these hacks is well known in the world of hacking, and has been known for about 15 years.

The upcoming Black Hat security conference in Las Vegas offers an annual parade of security researchers revealing new ways to break various elements of the Internet. But few of the talks have titles quite as alarming as one on this year’s schedule: “How to Hack Millions of Routers.”

Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon Fios or DSL versions. Users who connect to the Internet through those devices and are tricked into visiting a page that an attacker has set up with Heffner’s exploit could have their router hijacked and used to steal information or redirect the user’s browsing.

Heffner’s attack is a variation on a technique known as “DNS rebinding,” a trick that’s been discussed for close to 15 years. “There have been plenty of patches over the years, but this still hasn’t really been fixed,” he says.

The hack exploits an element of the Domain Name System, or DNS, the Internet’s method of converting Web page names into IP address numbers. (When you visit Google.com, for instance, a domain name server might convert that name into the IP address 72.14.204.147.) Modern browsers have safeguards that prevent sites from accessing any information that’s not at their registered IP address.

But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.

Heffner’s trick is to create a site that lists a visitor’s own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address–in reality the user’s own IP address–and accesses the visitor’s home network, potentially hijacking their browser and gaining access to their router settings.

That DNS trick isn’t new, and browsers have installed patches for earlier versions of the exploit. But Heffner says he’s tweaked it to bypass those safeguards; he won’t say exactly how until his Black Hat talk. “The way that [those patches] are circumvented is actually fairly well known,” says Heffner. “It just hasn’t been put together like this before.”

Heffner tested his attack against 30 router models and found that about half were vulnerable. Here’s his chart of which are and aren’t subject to attack. (“Successful” in the far right column means that the router was successfully hacked.)

Potential fixes implemented in the free DNS replacement OpenDNS and the Firefox NoScript plug-in won’t prevent his exploit, Heffner adds.

One comfort for users may be that Heffner’s method still requires the attacker to compromise the victim’s router after gaining access to his or her network. But that can be accomplished by using a vulnerability in the device’s software or by simply trying the default login password. Only a tiny fraction of users actually change their router’s login settings, says Heffner. “Routers are usually poorly configured and have vulnerabilities,” he says. “So the trick isn’t how to exploit the router. It’s how to get access to it.”

That means concerned users should make sure their router’s firmware is updated and patched, and that they’re not using default security settings.

Heffner, like most security researchers revealing dangerous bugs, argues that releasing an exploit may be the most effective way to draw attention to the severity of the problem and convince both browser and router makers to fix the fundamental vulnerability. “I’m not the first to give a Black Hat talk on DNS rebinding, and I won’t be last,” he says. “Everyone has had ample time to fix this.”
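A defensive check for the record pattern the quoted article describes (a site whose address list includes the visitor's own IP address), added here as an example; it is not from this post, the Forbes article or Heffner's tool. It goes slightly beyond the text by also flagging internal address ranges, and the sample answers, `OWN_PUBLIC_IP` and `LOCAL_SUFFIXES` are constructed assumptions.

```python
import ipaddress

# Assumed values for illustration; documentation-range addresses, not real hosts.
OWN_PUBLIC_IP = "203.0.113.25"            # the home network's own public (WAN) address
LOCAL_SUFFIXES = (".lan", ".home.arpa")   # names that may legitimately resolve internally

# Explicit internal ranges: loopback, RFC 1918, link-local, and IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed DNS answers (name -> address records), not captured traffic.
SAMPLE_ANSWERS = {
    "www.example.org":    ["198.51.100.10", "198.51.100.11"],  # ordinary load balancing
    "rebind.example.net": ["198.51.100.77", "203.0.113.25"],   # lists our own public IP
    "cam.example.com":    ["192.168.1.1"],                     # public name, internal IP
    "printer.lan":        ["192.168.1.40"],                    # legitimate local name
}

def rebinding_findings(answers, own_public_ips, local_suffixes=LOCAL_SUFFIXES):
    """Return {name: [(address, reason), ...]} for suspicious answers.

    A non-local name is flagged when any of its records points at one of
    the network's own public addresses or at an internal range.
    """
    own = {ipaddress.ip_address(a) for a in own_public_ips}
    findings = {}
    for name, addrs in answers.items():
        if name.lower().rstrip(".").endswith(local_suffixes):
            continue  # local names are expected to resolve to internal hosts
        hits = []
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip in own:
                hits.append((addr, "own public address"))
            elif any(ip in net for net in INTERNAL_NETS):
                hits.append((addr, "internal range"))
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for name, hits in rebinding_findings(SAMPLE_ANSWERS, [OWN_PUBLIC_IP]).items():
        print(name, hits)
```

Called with an empty `own_public_ips` list, the same function flags only the internal-range record, so a check that knows nothing about the network's own public address passes the `rebind.example.net` answer.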

The problem for many is that they have been fooled into a false sense of security, thinking that the router is secure in and of itself, and so no further thought is given. They will not be aware that a problem has been uncovered because they are not looking for news of problems with their router. Their first knowledge will come at that moment when they realize they have been had – and then it is way too late.

Following the link to the article and checking to see if your router has a problem is a good start, and then checking for a firmware update is the best place to begin. If no update exists for the router listed as vulnerable, then it is time to begin your search for a new router. (BTW, it looks as though every Verizon router I have ever used or seen being used in California is vulnerable…I am going to be searching for updated firmware; if you have a Verizon router, I’d be checking also – this article hitting means that the bad guys won’t hesitate to start trying to mess with those routers that are not safe.)

Isn’t playing catch up to the internet bad guys fun?

  • http://about.me/jackgavigan Jack Gavigan

    NAT does not stand for “Name Address Translation”. Just thought you should know.

  • Marc Rogers

    Name Address Translation? *facepalm*