Home routers under attack...

[AplusWebMaster]

FYI...

How to Protect Your Wi-Fi Network from the WPA Hack
- http://lifehacker.com/5079721/how-to...m-the-wpa-hack
Nov 7 2008 - "... a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to "send bogus data to an unsuspecting WiFi client," completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it's not terribly difficult to protect yourself against the new exploit.
The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption System (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future."

- http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5230
Last revised: 12/03/2008

- https://www.cisco.com/en/US/products...nalInformation
"... the use of WPA2 with AES is recommended whenever possible..."

[AplusWebMaster]

FYI...

DSL modem-router botnet...
- http://blog.trendmicro.com/botnet-ri...-chuck-norris/
Mar. 1, 2010 - "... Dubbed the “Chuck Norris botnet,” based on the Italian comment in its source code, in nome di Chuck Norris (translation: “in the name of Chuck Norris”), this botnet infects vulnerable DSL modems and routers to spread a worm Trend Micro detects as WORM_IRCBOT.ABJ. This worm tries to gain access to a target router by guessing the router’s configuration password using brute force. It may also spread via shared networks by exploiting a known Microsoft vulnerability, MS03-039 Buffer Overrun in RPCSS Service. The worm’s routines make users who are connected to the same network or router at risk of being infected. This worm also has backdoor capabilities that allows attackers to execute remote command on affected systems, which include downloading and executing other malware and launching denial-of-service (DOS) attacks against other systems. Ultimately, its main goal is still to gain profit from unknowing users by stealing personally identifiable information (PII) and credentials to access certain websites, particularly online banking sites. Its infection routine via router may be unusual for most bots of its kind, which usually infects computers. But it is not the first time that bots have used modems and routers as a propagation platform. Trend Micro has, in fact, reported such attacks in the past in relation to other threat families such as ZLOB, RBOT, and QHOST..."

[AplusWebMaster]

FYI...

Wi-Fi hacked in seconds ...
- http://blog.cpp.co.uk/index.php/arti...etworks-safely
14 Oct 2010 - "... Using only a laptop and widely available software, our ethical hacker demonstrated how vulnerable we are to Wi-jacking because of non-existent or inadequate online security. Having gained access to your personal details hackers can ‘cloak’ criminal activities such as purchasing illegal pornography or selling on stolen goods. It also allows them to view your private transactions over the network, accessing passwords and usernames which can then be used to impersonate you and commit identity fraud and other illegal activity in your name.
Key findings from the report:
• We found that nearly a quarter of private wireless networks have no password whatsoever attached, making them immediately accessible to criminals
• Hackers were able to ‘harvest’ usernames and passwords from unsuspecting people using public networks at a rate of more than 350 an hour, sitting in town-centre coffee shops and restaurants.
• More than 200 people unsuspectingly logged onto a fake Wi-Fi network over the course of an hour, putting themselves at risk from fraudsters who could harvest their personal and financial information.
Steps and ways to protect yourself..."
(More detail at the URL above.)

> http://www.cpp.co.uk/news/wireless-n...pen-to-attack/

- http://news.cnet.com/8301-27080_3-20021188-245.html
November 1, 2010 - "Chances are you don't leave your front door unlocked. And you shouldn't leave your Wi-Fi network unsecured either. Many of you may have heard this before, but many still seem to not be doing anything about it. You should. Here's why. With a $50 wireless antenna and the right software a criminal hacker located outside your building as far as a mile away can capture passwords, e-mail messages, and any other data being transmitted over your network, and even decrypt data that is supposedly protected..."

[AplusWebMaster]

FYI...

Tools bypass Wireless router security...
- https://krebsonsecurity.com/2011/12/...uter-security/
December 29, 2011 - "... At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses... Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption. Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router. But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can simply try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device... if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in."
> http://www.kb.cert.org/vuls/id/723755
Last Updated: 2011-12-27 - "... Workarounds: Disable WPS... best practices also recommend only using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network."
___

- https://isc.sans.edu/diary.html?storyid=12292
Last Updated: 2011-12-30 03:19:11 UTC - "... Disable WPS..."
___

• Linksys WPA2 setup: http://www6.nohold.net/Cisco2/GetArt...nverted=0#WPA2
• D-Link WPA2 setup: http://support.dlink.com/faq/view.asp?prod_id=1506
• Netgear WPA2 setup: http://kb.netgear.com/app/answers/detail/a_id/112
• Belkin WPA2 setup: http://en-us-support.belkin.com/app/...M01qSjhSTWs%3D

[AplusWebMaster]

FYI...

WPS vulnerable to Brute-Force Attack
- https://www.us-cert.gov/cas/techalerts/TA12-006A.html
January 06, 2012 - "... Solution: Update Firmware: Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information -may- be available in the Vendor Information section of VU#723755* and in a Google spreadsheet called WPS Vulnerability Testing**.
Disable WPS: Depending on the access point, it may be possible to disable WPS. Note that some access points may -not- actually disable WPS when the web management interface indicates that WPS is disabled..."

* http://www.kb.cert.org/vuls/id/723755#vendors

** https://docs.google.com/spreadsheet/...SSHZEN3c#gid=0
___

Cisco WPS vuln Response
- http://tools.cisco.com/security/cent...1-wps#Response
2012-January-18 - Rev 2.0 - Updated information for the WRP400.

[AplusWebMaster]

FYI...

- http://tools.cisco.com/security/cent...curityResponse

Cisco WPS vuln - status updated ...
- http://tools.cisco.com/security/cent...r-20120111-wps
2012-January-27 - Revision 3.0... Updated the Cisco UC320W WPS Disable status to Yes due to release of DisableWPS.pmf**. Added Cable and DSL access products currently under investigation. Added a link to Linksys product documentation*...

WPS vulnerability status update for Linksys devices
* http://www6.nohold.net/Cisco2/ukp.as...rticleid=25154
"... Cisco will be releasing firmware that allows customers to disable Wi-Fi Protected Setup to eliminate exposure to this issue... table lists affected products and will be updated with dates and firmware version numbers that include the ability to disable WPS..."

** https://supportforums.cisco.com/docs/DOC-16301
Last Modified: Jan 26, 2012 - Rev. 10
___

- http://www.kb.cert.org/vuls/id/723755#vendors
Last Updated: 2012-01-28

[AplusWebMaster]

FYI...

D-Link routers - Security Update...
- http://krebsonsecurity.com/2013/12/i...-link-routers/
Dec 2, 2013 - "... Although the router models affected are fairly old, there are almost certainly plenty of these still in operation, as routers tend to be set-it-and-forget-it devices that rarely get replaced or updated unless they stop working... On Nov. 28, D-Link released a series of updates to fix the problem*..."
* http://www.dlink.com/uk/en/support/security
Update on Router Security issue
___

D-Link routers authenticate administrative access using specific User-Agent string
- http://securityadvisories.dlink.com/...?name=SAP10001
Last updated: Dec 3, 2013
Rev 9

- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-6026 - 10.0 (HIGH)
"... as exploited in the wild in October 2013."

[AplusWebMaster]

FYI...

D-Link routers back door vuln...
- http://www.theinquirer.net/inquirer/...s-wifi-routers
Oct 15 2013 - "... D-Link has hurriedly prepared a patch for WiFi routers that are affected by a recent security alert... In a statement on its website*, D-Link acknowledged the problem and said that it is "proactively working with the sources of these reports". In the meantime, the company has posted an interim firmware update to address the problem... a full fix will be with us by the end of October."
* http://www.dlink.com/uk/en/support/security
"... Disable remote access to your router if it is not required (this is disabled by default)... These firmware updates address the security vulnerabilities in affected D-Link routers. D-Link will update this continually and we strongly recommend all users to install the relevant updates..."

- https://isc.sans.edu/diary.html?storyid=16802
Last Updated: 2013-10-14 19:58:28 UTC - "... old d-link routers which allows the attacker to gain admin privileges in the router. The following models are affected:
DIR-100
DI-524
DI-524UP
DI-604S
DI-604UP
DI-604+
TM-G5240
DIR-615 ...
... check this page* to look for information on how to access the admin tool to change the password..."
* http://support.dlink.com/emulators/w...ools_admin.htm

[AplusWebMaster]

FYI...

Netis routers - backdoor open ...
- http://blog.trendmicro.com/trendlabs...open-backdoor/
Aug 25, 2014 - "Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device. What is this backdoor? Simply put, it is an open UDP port listening at port 53413. This port is accessible from the WAN side of the router. This means that if the router in question has an externally accessible IP address (i.e., almost all residential and SMB users), an attacker from anywhere on the Internet can access this backdoor... This backdoor is “protected” by a single, -hardcoded- password located in the router’s firmware. Netcore/Netis routers appear to all have the -same- password. This “protection” is essentially -ineffective- as attackers can easily log into these routers and users cannot modify or disable this backdoor... In order to determine if their router is vulnerable, users can use an online port scanner... probe at port 53413:
> https://www.grc.com/port_53413.htm
... Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to -replace- these devices."
___

Netis Router Backdoor “Patched” but not really
- http://blog.trendmicro.com/trendlabs...ut-not-really/
Oct 3, 2014 - "... the ShadowServer Foundation* has been kind enough to scan for IP addresses affected by this vulnerability... the same number of devices were at risk (we note that the number has risen at the time of this writing)... Netis has addressed the vulnerability with a firmware update for the router models vulnerable to the backdoor (downloadable from their official website’s download page**)... instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hides its controls. What this basically means is that the backdoor is still in the router – just that it’s closed by default, and only someone who already knows about the backdooritself and has the technical knowledge to open it can access it... The fact that the port is still there means it can still be opened and used for malicious purposes, especially if the attackers manage to get a hold of the password to the router’s web console and can obtain access to the LAN side of the router (via, say, malware on a client PC). It still leaves the router (and the network tied to it) open to attack. It’s like patching up a hole in the wall with a door and then just giving the owner of the house a key to that door – the keys can still be stolen, and the hole can still be used to break into the house. Should you still update? Yes. We highly recommend installing the update if you still wish to use your Netcore/Netis router, as it does at least give you access control over the port (if you know what you’re doing), and overall makes the router more secure. However, we want to stress that users should also make their router passwords stronger as well -immediately- after applying this update - or, if their routers do not require password access, then for them to activate that feature through the web console and THEN make the password as strong as they can possibly be. Strong passwords practices include making it as long as the password form allows, as well as using special symbols and numbers along with letters. We will continue to monitor this particular issue and update as necessary."
* https://netisscan.shadowserver.org/
"... 885,093 distinct IPs have responded to our probe..."

** http://www.netis-systems.com/en/Downloads/
___

- http://atlas.arbor.net/briefs/
High Severity
28 Aug 2014

[AplusWebMaster]

FYI...

ASUS routers - critical updates...
- http://h-online.com/-1918469
16 July 2013 - "... updates are available from the company's support page* for the two router models RT-AC66U and RT-N66U. The company says that it will offer fixes for the other affected models "soon". In the meantime, ASUS recommends turning -off- all AiCloud functions like Cloud Disk, Smart Access and Smart Sync."
* http://www.asus.com/support/