Feeds

Harvesting passwords from DSL routers

Hackers raid Cayman for 'disposable' dial-up accounts

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Hackers have developed a trick for pilfering DSL account names and passwords right from subscriber's routers, a technique that provides hackers with untraceable Internet access, and potentially exposes subscriber email to interception.

The method targets Cayman Systems' popular 3220-H DSL router, a combination modem, router and hub that allows DSL subscribers to share their Internet connections among multiple computers. The 3220-H is sold retail, and is distributed by Cayman's channel partners-- notably SBC Communications, which provides the devices to thousands of "Enhanced DSL" subscribers through subsidiaries Pacific Bell, Southwestern Bell and Ameritech.

Like other DSL routers, the Cayman 3220-H allows users to easily configure their settings through a Web browser interface. But the router makes that interface accessible, not just from the user's local area network, but also from the 'WAN port' that connects to the Internet.

The device is protected from unauthorized reprogramming by an administrative password set by the owner. But unless the subscriber also sets a separate 'user password', the router's configuration settings can be viewed, though not changed, through the browser interface. There, the 'PPPoE' password used to log onto the DSL service is masked as a series of asterisks, but it is plainly visible in the HTML source code of the page.

Hackers can use the purloined password to download the subscriber's email from SBC servers, or view and edit portions of their account information.

But sources say the vulnerability has found its greatest utility in the computer underground as a wellspring of free, anonymous Internet access. Because the same password works on SBC's dial-ups, without interfering with the subscriber's DSL use, the purloined passwords help hackers cover their tracks by borrowing other people's ISP accounts, according to 20-year-old Internet hacker Adrian Lamo.

"Most of the people that I know of use them as disposal dial-up accounts," says Lamo, who discovered the hole over a year ago. "Looking at something in page source is not a tremendous technological effort."

Privacy Problems
An SBC spokesperson acknowledged the password theft vulnerability, and said it drove the company to begin disabling all Internet access to the router's configuration settings as part of its standard installation routine.

"Cayman and other companies have a factory setting where the WAN port is disabled," says spokesperson Fletcher Cook. "Our technicians are trained to disable this themselves."

But subscribers who received their routers over a year ago, before SBC enacted the more secure policy, may remain vulnerable, Cook admits. Newer subscribers are at risk only if they explicitly enable administrative access to the router's WAN port. He adds that the company educates users about security issues through its Web sites.

Lamo says his scanning has turned up thousands of vulnerable routers in homes and small offices throughout Chicago, Los Angeles, San Francisco, Houston, Saint Louis, San Diego, and other cities.

The problem has privacy implications for DSL subscribers. The same password that provides Internet access, is also used to control access to subscriber email.

The passwords can also be used to access some account information over SBC's public customer service Web sites; a cyber snoop could learn a given subscriber's name and phone number, or change their billing address. In some circumstances, the sites also reveal one digit of the subscriber's confidential three-digit telephone account "customer code," Lamo notes.

A spokesman for California-based Netopia, Inc., which acquired Cayman Systems last week, said the company is considering releasing a patch for the password revelation hole. In the meantime, customers should disable access from the WAN port, or set a separate 'user password,' on top of the administrative password, to block access to the configuration screens.

"[Cayman has] been concerned about network security for some time," says Evan Solley, Netopia's vice president of product marketing. "But there has been back pressure from the channels about solutions, because it makes things more difficult for deployment."

The issue is not the first for the Cayman router. In March of last year, security experts revealed that the 3220-H's administrative password was left blank by default, potentially allowing attackers to reconfigure or reprogram the devices remotely. In response, SBC technicians began setting that password manually upon installation.

© 2001 SecurityFocus.com, all rights reserved.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.