Feeds

Harvesting passwords from DSL routers

Hackers raid Cayman for 'disposable' dial-up accounts

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Hackers have developed a trick for pilfering DSL account names and passwords right from subscriber's routers, a technique that provides hackers with untraceable Internet access, and potentially exposes subscriber email to interception.

The method targets Cayman Systems' popular 3220-H DSL router, a combination modem, router and hub that allows DSL subscribers to share their Internet connections among multiple computers. The 3220-H is sold retail, and is distributed by Cayman's channel partners-- notably SBC Communications, which provides the devices to thousands of "Enhanced DSL" subscribers through subsidiaries Pacific Bell, Southwestern Bell and Ameritech.

Like other DSL routers, the Cayman 3220-H allows users to easily configure their settings through a Web browser interface. But the router makes that interface accessible, not just from the user's local area network, but also from the 'WAN port' that connects to the Internet.

The device is protected from unauthorized reprogramming by an administrative password set by the owner. But unless the subscriber also sets a separate 'user password', the router's configuration settings can be viewed, though not changed, through the browser interface. There, the 'PPPoE' password used to log onto the DSL service is masked as a series of asterisks, but it is plainly visible in the HTML source code of the page.

Hackers can use the purloined password to download the subscriber's email from SBC servers, or view and edit portions of their account information.

But sources say the vulnerability has found its greatest utility in the computer underground as a wellspring of free, anonymous Internet access. Because the same password works on SBC's dial-ups, without interfering with the subscriber's DSL use, the purloined passwords help hackers cover their tracks by borrowing other people's ISP accounts, according to 20-year-old Internet hacker Adrian Lamo.

"Most of the people that I know of use them as disposal dial-up accounts," says Lamo, who discovered the hole over a year ago. "Looking at something in page source is not a tremendous technological effort."

Privacy Problems
An SBC spokesperson acknowledged the password theft vulnerability, and said it drove the company to begin disabling all Internet access to the router's configuration settings as part of its standard installation routine.

"Cayman and other companies have a factory setting where the WAN port is disabled," says spokesperson Fletcher Cook. "Our technicians are trained to disable this themselves."

But subscribers who received their routers over a year ago, before SBC enacted the more secure policy, may remain vulnerable, Cook admits. Newer subscribers are at risk only if they explicitly enable administrative access to the router's WAN port. He adds that the company educates users about security issues through its Web sites.

Lamo says his scanning has turned up thousands of vulnerable routers in homes and small offices throughout Chicago, Los Angeles, San Francisco, Houston, Saint Louis, San Diego, and other cities.

The problem has privacy implications for DSL subscribers. The same password that provides Internet access, is also used to control access to subscriber email.

The passwords can also be used to access some account information over SBC's public customer service Web sites; a cyber snoop could learn a given subscriber's name and phone number, or change their billing address. In some circumstances, the sites also reveal one digit of the subscriber's confidential three-digit telephone account "customer code," Lamo notes.

A spokesman for California-based Netopia, Inc., which acquired Cayman Systems last week, said the company is considering releasing a patch for the password revelation hole. In the meantime, customers should disable access from the WAN port, or set a separate 'user password,' on top of the administrative password, to block access to the configuration screens.

"[Cayman has] been concerned about network security for some time," says Evan Solley, Netopia's vice president of product marketing. "But there has been back pressure from the channels about solutions, because it makes things more difficult for deployment."

The issue is not the first for the Cayman router. In March of last year, security experts revealed that the 3220-H's administrative password was left blank by default, potentially allowing attackers to reconfigure or reprogram the devices remotely. In response, SBC technicians began setting that password manually upon installation.

© 2001 SecurityFocus.com, all rights reserved.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.