News from Heise: 26.05.2015
If you have a insecure Router, you are in trouble.
Attackers are using a (until now) unknown exploit kit to attack more than 50 router models/firmware versions.
They are trying to detect weak spots of the routers and exploit them like changing the DNS-entries, this way the attackers/hackers can redirect the traffic of the victim through the hacker’s server and fish for Onlinebanking, Facebook, Amazon, Ebay, E-Mail passwords etc. etc. etc.
They even could reconfigure a Fritzbox to call EXPENSIVE PHONE NUMBERS ARBOAD. (Fritzbox-Dialer-Exploit or the 4000€ Phonebill)
In the „least“-worse case, they can extract the WPA-WLAN-Key and DSL-Internet-Access passwords (which is already pretty evil)
This is how EASY it is to extract those settings from a Fritzbox 7270:
The STUPID programmers RETURN THE COMPLETE SETTING PAGE (hidden), WITHOUT LOGIN! *OMG* I NEVER WOULD HAVE EXPECTED THEM TO BE THIS STUPID.
Mai 2015: The kit is targeting routers of: Asus, Belkin, D-Link, Edimax, Linksys, Netgear, TP-Link, Trendnet and Zyxel.
A complete list of Routers can you find here:
America’s trade watchdog is suing D-Link, alleging the router and camera vendor failed to implement basic security protections in its gear.
The FTC said that its complaint was based on D-Link’s failure to take „reasonable steps“ to secure its products, putting the privacy of citizens everywhere at risk as a result.
„Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information,“ said FTC Consumer Protection Bureau director Jessica Rich. „When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.“
Among the transgressions the FTC cites in its legal complaint [PDF] are:
- The use of non-removable default passwords in its IP cameras.
- Command-injection flaws.
- Leaked security keys in its routers.
- The use of plain-text password storage on its mobile app.
This despite D-Link advertising its products as having „advanced security“ protections and using secure connection protocols. As a result, the FTC says, D-Link illegally misrepresented its products and put the privacy of its customers at risk.
The FTC also notes the danger D-Link’s security lapses presented to people who were not their customers, as the poorly-secured routers and cameras presented prime targets for hackers looking to build IoT botnets.
The suit alleges six violations of the FTC Act of 1914: one count of unfairness and five counts of misrepresentation for security event response policy, router promotional material, router GUI, IP camera promotional material, and IP camera GUI.
The complaint seeks costs and damages as well as an injunction to further penalize D-Link should it continue to violate the FTC Act.
In a statement, the hardware maker said: „D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers private data is always our top priority.“
And in an FAQ, D-Link said the charges against it were „baseless.“
What do we learn:
#0. Routers with Firmware-Auto-Update feature IS A MUST. (the vendor can not blame you for not doing the update)
The Fritzbox 7490 does that. (finally)
1. DEACTIVATE AS MUCH UNUSED SERVICES/SOFTWARE AS POSSIBL!
1.1. On the Router: DEACTIVATE WPS, UPNP! IT’S ALL FLAWED AND CRAP.)
2. USE OPENDNS AND VIRUS SCAN SOFTWARE ON EVERY PC ACCESSING THE INTERNET VIA BROWSER AND AN MAIL.
BETTER: HAVE A SEPARATE NETWORK, FOR BROWSING (PRIVATE) AND WORK (SENSITIVE DATA).
Better: Asign the OpenDNS Servers IPs directly to your DSL Router: 22.214.171.124 and 126.96.36.199
3. it is IMPORTANT for IT-professionals and Super-Users to keep an eye on security-news.
4. SEND YOUR IT PROFESSIONALS ON IT-SECURITY TRAININGS ON A REGULAR BASIS (ATLEAST YEARLY!)
like the CCC Congress
or get certified:
Sources / Links: