33 Linksys router models leak full historic record of every device ever connected

Hard-to-fix flaw causes >25,000 routers to leak >756,000 unique MAC addresses.

More than 20,000 Linksys wireless routers are regularly leaking full historic records of every device that has ever connected to them, including devices' unique identifiers, names, and the operating systems they use. The data can be used by snoops or hackers in either targeted or opportunistic attacks.

Independent researcher Troy Mursch said the leak is the result of a persistent flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the Binary Edge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday. A scan earlier in the week found 25,617. They were leaking a total of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines of code that harvest every MAC address, device name, and operating system that has ever connected to each of them.

The flaw lets snoops or hackers assemble disparate pieces of information that most people assume aren't public. By correlating the historical device records leaked by routers at different public IP addresses, marketers, abusive spouses, and investigators can track the movements of the people they are interested in. The disclosure can also be useful to hackers. The ShadowHammer group, for instance, recently infected as many as 1 million people after hacking the software update mechanism of computer maker ASUS. The attackers then used a list of about 600 MAC addresses belonging to specific targets; only infected machines matching one of those addresses received the advanced stages of the malware.
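The correlation step described above, as an added example that is not code from the article or from Troy Mursch's research. It does not fetch anything from a router; LEAK_RECORDS is a constructed stand-in for entries harvested from several routers' leaked device histories, each tagged with the public IP of the router it came from. It also shows the caveat a practitioner would raise: entries whose MAC has the locally-administered bit set (what OS-level MAC randomization produces) are not stable identifiers and are dropped before correlating.

```python
"""Correlating leaked device histories across routers.

Added example; it is not code from the article or from Troy Mursch's research,
and it does not fetch anything. LEAK_RECORDS is a constructed stand-in for entries
harvested from several routers' leaked connected-device histories, each tagged
with the public IP of the router it came from. Only the correlation step is shown.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: (router public IP, MAC, device name, OS, last-seen timestamp)
LEAK_RECORDS = [
    ("203.0.113.10", "3C:22:FB:AA:BB:01", "Alices-iPhone", "iOS", "2019-05-10T08:12:00"),
    ("203.0.113.10", "b8:27:eb:12:34:56", "raspberrypi", "Linux", "2019-05-09T22:40:00"),
    ("198.51.100.7", "3c:22:fb:aa:bb:01", "Alices-iPhone", "iOS", "2019-05-11T19:03:00"),
    ("198.51.100.7", "da:1b:2c:3d:4e:5f", "android-9f", "Android", "2019-05-11T19:05:00"),
    ("192.0.2.44", "3c-22-fb-aa-bb-01", "Alices-iPhone", "iOS", "2019-05-12T07:55:00"),
    ("192.0.2.44", "00:1a:2b:3c:4d:5e", "DESKTOP-X1", "Windows", "2019-05-12T07:58:00"),
]


def normalize_mac(mac):
    """Canonical lower-case colon form, so one device is not counted twice."""
    parts = mac.replace("-", ":").lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC: {mac}")
    int("".join(parts), 16)  # raises on non-hex input
    return ":".join(parts)


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set (locally administered address).

    Phones and laptops that randomize their Wi-Fi MAC set this bit, so such
    entries are not stable identifiers and are useless for cross-router tracking.
    """
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def unique_macs(records):
    return {normalize_mac(r[1]) for r in records}


def sightings_by_mac(records):
    """Map each globally unique MAC to its chronological sightings."""
    seen = defaultdict(list)
    for router_ip, mac, name, os_name, last_seen in records:
        mac = normalize_mac(mac)
        if is_locally_administered(mac):
            continue
        seen[mac].append((datetime.fromisoformat(last_seen), router_ip, name, os_name))
    return {mac: sorted(entries) for mac, entries in seen.items()}


def movement_trails(records, min_routers=2):
    """MACs observed behind at least `min_routers` distinct public IPs, with the ordered trail."""
    trails = {}
    for mac, entries in sightings_by_mac(records).items():
        trail = []
        for _, router_ip, _, _ in entries:
            if not trail or trail[-1] != router_ip:
                trail.append(router_ip)
        if len(set(trail)) >= min_routers:
            trails[mac] = trail
    return trails


if __name__ == "__main__":
    routers = {r[0] for r in LEAK_RECORDS}
    print(len(unique_macs(LEAK_RECORDS)), "unique MAC addresses across", len(routers), "routers")
    for mac, trail in movement_trails(LEAK_RECORDS).items():
        print(mac, "->", " -> ".join(trail))
```

With the constructed data, the iPhone's globally unique MAC shows up behind three different public IPs in date order, which is exactly the trail the article warns about; the Android entry with a randomized (locally administered) MAC is excluded because it cannot be matched across routers.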

Advanced CIA firmware has been infecting Wi-Fi routers for years

Home routers from 10 manufacturers, including Linksys, D-Link, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons to a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information, which the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view FlyTrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Home routers under attack in ongoing malvertisement blitz

As you read these words, malicious ads on legitimate websites are targeting visitors with malware. But that malware doesn't infect their computers, researchers said. Instead, it causes unsecured routers to connect to fraudulent domains.

Using a technique known as steganography, the ads hide malicious code in image data. The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers that run unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system server. This causes most computers on the network to visit fraudulent servers rather than the servers that actually correspond to the domains they requested.
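One place a defender can catch the outcome described above is the DHCP configuration the router hands to LAN hosts. The following is an added example, not code from the article, from Proofpoint, or from any router vendor; it assumes that a router whose DNS settings were rewritten passes the attacker's resolver to clients in DHCP option 6 (a router that instead forwards queries itself to the rogue resolver is invisible to this check and must be inspected through its own configuration). The DHCPOFFER is constructed, not captured, and 198.51.100.66 is a documentation address standing in for an attacker resolver.

```python
"""Spotting an unexpected DNS server in DHCP configuration.

Added example; it is not code from the article, Proofpoint, or any router vendor.
Assumption: a router whose DNS settings were rewritten by DNSChanger-style malware
passes the attacker's resolver to LAN hosts in DHCP option 6 (or resolves through it
itself, which this check cannot see). The DHCPOFFER below is constructed, not captured,
and 198.51.100.66 is a documentation address standing in for an attacker resolver.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255
DHCPOFFER, DHCPACK = 2, 5


def build_dhcp_offer(router_ip, dns_servers, client_ip="192.168.1.23"):
    """Construct a minimal BOOTP/DHCPOFFER payload (sample input only)."""
    def packed(addr):
        return ipaddress.ip_address(addr).packed

    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,           # xid, secs, flags (broadcast bit)
        b"\0" * 4, packed(client_ip), packed(router_ip), b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex("deadbeef0001") + b"\0" * 10, b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    dns_blob = b"".join(packed(d) for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_ROUTER, 4]) + packed(router_ip)
               + bytes([OPT_DNS, len(dns_blob)]) + dns_blob
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_dhcp_options(packet):
    """Return {code: value} for the option area; repeated codes are concatenated (RFC 3396)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def ipv4_list(blob):
    if len(blob) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(blob[k:k + 4])) for k in range(0, len(blob), 4)]


def unexpected_dns_servers(packet, trusted):
    """DNS servers offered to the client that are neither the router itself nor on the trusted list."""
    options = parse_dhcp_options(packet)
    if options.get(OPT_MSG_TYPE) not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return []  # only OFFER/ACK carry configuration the client will adopt
    routers = set(ipv4_list(options.get(OPT_ROUTER, b"")))
    trusted = {str(ipaddress.ip_address(t)) for t in trusted}
    return [d for d in ipv4_list(options.get(OPT_DNS, b""))
            if d not in routers and d not in trusted]


# Constructed samples: a normal offer and one that points clients at an outside resolver.
CLEAN_OFFER = build_dhcp_offer("192.168.1.1", ["192.168.1.1"])
HIJACKED_OFFER = build_dhcp_offer("192.168.1.1", ["192.168.1.1", "198.51.100.66"])
TRUSTED_RESOLVERS = ["1.1.1.1", "9.9.9.9"]  # whatever the site actually expects to see

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN_OFFER), ("hijacked", HIJACKED_OFFER)):
        print(label, unexpected_dns_servers(pkt, TRUSTED_RESOLVERS))
```

Run against a real capture, feed `unexpected_dns_servers` the UDP payload of each DHCPOFFER or DHCPACK seen on the LAN. Anything it returns that is not on the trusted list is worth an immediate look at the router's DNS and admin settings; pair it with a check of the router's own upstream resolver, since that is where DNSChanger typically makes its change.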

Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars:

Stop using Netgear routers with unpatched security bug, experts warn

A variety of Netgear router models are vulnerable to a simple hack that allows attackers to take almost complete control of the devices, security experts warned over the weekend.

The critical bug allows remote attackers to inject highly privileged commands whenever anyone connected to the local Netgear network clicks on a malicious Web link, a researcher who uses the online handle Acew0rm reported on Friday. The link, which can be disguised to appear innocuous, then injects a command that the router runs as root. The devices' failure to properly filter input included in Web requests allows attackers to run powerful shell commands. Netgear R7000, R6400, and R8000 models have been confirmed to be vulnerable, and other models, including the R7000P, R7500, R7800, R8500, and R9000, have been reported by end users as being affected.
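The class of flaw described above, shown as an added example rather than Netgear's own code: it does not reproduce the specific Netgear bug, only a CGI-style handler that copies a request parameter into a command the device runs as root, beside a hardened version and a small detector for injection attempts in the router's access log. Neither handler executes anything; each returns the command it would run, so the difference is visible without side effects. The parameter name `host`, the `diag.cgi` path and the log lines are constructed for the example.

```python
"""Request input reaching a shell: the vulnerable pattern beside a hardened one.

Added example; it is not Netgear firmware code and does not reproduce the specific
Netgear bug, only the class of flaw the article describes: a CGI-style handler that
copies a request parameter into a command the device runs as root. Neither handler
executes anything here; each returns the command it would run. The 'host' parameter,
the diag.cgi path and the access-log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a second command ride along inside a value passed to sh -c.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")
# One RFC 1123 label per group; also accepts dotted IPv4 literals such as 8.8.8.8.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def query_param(url, name):
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def vulnerable_ping_command(url):
    """Deliberately unsafe: the raw 'host' value is spliced into a string meant for sh -c.

    Anything after ';' (or '|', '&', backticks, $()) becomes a second command, run with
    whatever privileges the CGI process has, on these devices root.
    """
    return "ping -c 1 " + query_param(url, "host")


def hardened_ping_argv(url):
    """Allow-list the parameter, then give the shell nothing: an argv list for exec()."""
    host = query_param(url, "host")
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_lines):
    """Return (line number, decoded request path) for log entries whose URL carries shell
    metacharacters, which is what an injection attempt delivered via a malicious link
    looks like in the router's own access log."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(m.group(1))  # decode %3B etc. before looking for metacharacters
        if SHELL_META.search(path):
            hits.append((n, path))
    return hits


# Constructed access-log sample: the second entry is the injection attempt.
SAMPLE_LOG = [
    '192.168.1.50 - - [09/Dec/2016:10:15:22 +0000] "GET /cgi-bin/diag.cgi?host=8.8.8.8 HTTP/1.1" 200 312',
    '192.168.1.50 - - [09/Dec/2016:10:16:03 +0000] "GET /cgi-bin/diag.cgi?host=8.8.8.8%3Breboot HTTP/1.1" 200 312',
    '192.168.1.50 - - [09/Dec/2016:10:16:40 +0000] "GET /index.htm HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    evil = "http://192.168.1.1/cgi-bin/diag.cgi?host=8.8.8.8%3Breboot"
    print("vulnerable handler would run:", vulnerable_ping_command(evil))
    try:
        hardened_ping_argv(evil)
    except ValueError as e:
        print("hardened handler:", e)
    print("log hits:", flag_suspicious_requests(SAMPLE_LOG))
```

Two points the code makes explicit. First, escaping (shlex.quote and friends) is the weaker fix; validating against an allow-list and then passing an argv list to exec without any shell removes the injection surface entirely. Second, because the attack in the article is triggered by a LAN user clicking a link, input validation alone is not the whole fix: a state-changing endpoint on the router also needs CSRF protection (an Origin check or a per-session token), otherwise any page the user visits can still drive the interface with the user's own privileges.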

"Exploiting this vulnerability is trivial," officials with CERT, the federally funded vulnerability coordination service, warned in an advisory published Friday. "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."
