Half of Home Routers Vulnerable to DNS Exploit

The Black Hat Security conference is going on now in Vegas. Scanning through the list of presentations, this one really stood out: “How to Hack Millions of Routers”. According to the description, “This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router’s internal-facing administrative interface.”

The DNS rebinding attack has been known for a while, but it looks like Craig has found a new spin on it. According to a Forbes article, an attacker places a malicious script on a web page. When the page is visited, the script switches the IP address of the web page being visited with the IP address of your router. This gives the script access to view the router’s contents and to log in to it.

Which routers are susceptible to this attack? Oh, a few, and you probably recognize their names, “Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.”

Also at the conference, Craig is going to release the tool that automates the attack, “A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim’s router in real-time, just as if the attacker were sitting on the victim’s LAN.”

That’s awful nice of him, isn’t it?

All right, so what do we do? An article on Notebook.com recommends changing your router password to a very complex one, upgrading your router’s firmware to the latest version, and avoiding questionable sites. I would also add that you should check for firmware updates frequently. As router companies scramble to patch this, yours may not be updated against the threat yet.
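The address switch behind this attack is visible in DNS answers: a public hostname starts resolving to a LAN address. The Python sketch below is an added example, not code from the talk or from the articles quoted here; it flags that pattern in resolver logs. The record format, the sample records and the local suffixes are constructed assumptions.

```python
import ipaddress

# Ranges that should never appear in answers for public hostnames.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def find_rebinding(records, local_suffixes=(".lan", ".home.arpa")):
    """records: iterable of (seconds, qname, answer_ip) in time order.
    Returns a list of (seconds, qname, answer_ip, reason) findings."""
    seen_external = {}  # qname -> last external address it resolved to
    findings = []
    for ts, qname, answer in records:
        name = qname.lower().rstrip(".")
        if name.endswith(local_suffixes):
            continue  # local names may legitimately map to LAN addresses
        if not is_internal(answer):
            seen_external[name] = answer
            continue
        if name in seen_external:
            reason = "rebind: was %s" % seen_external[name]
        else:
            reason = "public name answered with internal address"
        findings.append((ts, name, answer, reason))
    return findings

# Constructed sample log (assumed format, documentation-range addresses).
SAMPLE = [
    (0, "www.example.org.", "203.0.113.10"),
    (1, "printer.lan.", "192.168.1.20"),
    (2, "rebind.example.net.", "198.51.100.7"),
    (5, "rebind.example.net.", "192.168.1.1"),
    (9, "cdn.example.com.", "10.0.0.1"),
]

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE):
        print(finding)
```

A resolver or firewall that drops such answers for non-local names stops the switch before the browser ever sees the router's address.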


5 thoughts on “Half of Home Routers Vulnerable to DNS Exploit”

  1. Home users need to make sure that their desktop firewall is turned on and that they change the router’s default password. Users also need to know how to reset their router to factory defaults just in case their router gets hijacked.

    1. Good advice Mister Reiner. You know, I am pretty concerned about this one. How many small office/ home users will hear the warning about this exploit, and how many will actually update their router? Routers aren’t set up like Windows Updates or Windows security patches. They do not automatically download updates for you.

      On most, you need to manually log in and tell it to check for an update. To log in, you usually have to put your router’s IP address in your internet explorer’s browser bar and browse to it. Then log in and you should have a “Check for Update” button or something like that, check your manual for exact directions. On some others you need to go to the manufacturer’s website and download the update, then log in to the router and upload the patch to it from your system. Your system manual should tell you how to download the update. If you have lost your manual, you can usually view it online at your manufacturer’s website.

      Again, your manual will tell you how to reset your router. Some have a reset button, but it is different for each. If you do reset your router, remember that it puts it back to default settings, removing all security, so you will need to set up security again and change the administrator password.

  2. Actually, from what I understand of this particular issue, all that home/SMB users really need to do is set the fracking password!

    Keeping your firmware up to date will help, but it seems that the call for manufacturers to fix this via firmware is mainly for them to implement strong password policies and to make the router force users to change the default password to something unique upon first login.

    1. Not sure, Esecurity Planet had an after presentation article about it:

      “Heffner suggested one preventative measure users can take is to change their firewall rules to prevent an external IP from rebinding with internal ones. Additionally he suggested that it’s likely a best practice for home users to just disable the http admin interface of their routers, if that’s an option. Another key thing that Heffner suggested users should do is change the default password for their home routers and to make sure that the router’s firmware is up-to-date.”

      Did anyone get a chance to see his presentation? If it is just the password, what is the magic in that? 🙂

      More will come out in time I am sure.
