Newly discovered router flaw being hammered by in-the-wild attacks

Enlarge

Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.

Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.

SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.

Read 8 remaining paragraphs | Comments

TP-Link forgets to register domain name, leaves config pages open to hijack

This (blurry) picture shows the bad domain name printed on the bottom of a TP-Link router. (credit: Amitay Dan)

In common with many other vendors, TP-Link, one of the world's biggest sellers of Wi-Fi access points and home routers, has a domain name that owners of the hardware can use to quickly get to their router's configuration page. Unlike most other vendors, however, it appears that TP-Link has failed to renew its registration for the domain, leaving it available for anyone to buy. Any owner of the domain could feasibly use it for fake administration pages to phish credentials or upload bogus firmware. This omission was spotted by Amitay Dan, CEO of Cybermoon, and posted to the Bugtraq mailing list last week.

Two domain names used by TP-Link appear to be affected. tplinklogin-dot-net was used, according to TP-Link, on devices sold until 2014. On initial setup, while the router's Internet connection is still offline, the domain name will be trapped automatically and correctly send users to the router's configuration page. But subsequent visits to the configuration page can use the real Internet DNS system to resolve the address, and hence those routers are susceptible to being hijacked. A second TP-Link domain name, tplinkextender-dot-net, was used by TP-Link wireless range extenders and is similarly vulnerable.

Together, these domain names appear to be quite busy; estimates based on Alexa's ranking suggest that tplinklogin-dot-net sees about 4.4 million visits per month, with another 800,000 for tplinkextender-dot-net. It's not known who the new owner of the domains is, but Dan tweeted that domain name brokers are offering the more popular of the two for $2.5 million. This high price tag is perhaps why TP-Link has declined to buy the name back.

Read 1 remaining paragraphs | Comments

Asus lawsuit puts entire industry on notice over shoddy router security

Enlarge (credit: Zuzu)

In February 2014, thousands of Asus router owners found a disturbing text file saved to their devices.

"This is an automated message being sent out to everyone effected [sic]," the message read. "Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection." The anonymous sender then urged the readers to visit a site that explained more about the router vulnerability.

On Tuesday, the US Federal Trade Commission settled charges that alleged the hardware manufacturer failed to protect consumers as required by federal law. The settlement resolves a complaint that said the 2014 mass compromise was the result of vulnerabilities that allowed attackers to remotely log in to routers and, depending on user configurations, change security settings or access files stored on connected devices. Under the agreement, Asus will maintain a comprehensive security program subject to independent audits for the next 20 years.

Read 6 remaining paragraphs | Comments

Asus lawsuit puts entire industry on notice over shoddy router security

Enlarge (credit: Zuzu)

In February 2014, thousands of Asus router owners found a disturbing text file saved to their devices.

"This is an automated message being sent out to everyone effected [sic]," the message read. "Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection." The anonymous sender then urged the readers to visit a site that explained more about the router vulnerability.

On Tuesday, the US Federal Trade Commission settled charges that alleged the hardware manufacturer failed to protect consumers as required by federal law. The settlement resolves a complaint that said the 2014 mass compromise was the result of vulnerabilities that allowed attackers to remotely log in to routers and, depending on user configurations, change security settings or access files stored on connected devices. Under the agreement, Asus will maintain a comprehensive security program subject to independent audits for the next 20 years.

Read 6 remaining paragraphs | Comments