Feeds

Harvesting passwords from DSL routers

Hackers raid Cayman for 'disposable' dial-up accounts

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Hackers have developed a trick for pilfering DSL account names and passwords right from subscriber's routers, a technique that provides hackers with untraceable Internet access, and potentially exposes subscriber email to interception.

The method targets Cayman Systems' popular 3220-H DSL router, a combination modem, router and hub that allows DSL subscribers to share their Internet connections among multiple computers. The 3220-H is sold retail, and is distributed by Cayman's channel partners-- notably SBC Communications, which provides the devices to thousands of "Enhanced DSL" subscribers through subsidiaries Pacific Bell, Southwestern Bell and Ameritech.

Like other DSL routers, the Cayman 3220-H allows users to easily configure their settings through a Web browser interface. But the router makes that interface accessible, not just from the user's local area network, but also from the 'WAN port' that connects to the Internet.

The device is protected from unauthorized reprogramming by an administrative password set by the owner. But unless the subscriber also sets a separate 'user password', the router's configuration settings can be viewed, though not changed, through the browser interface. There, the 'PPPoE' password used to log onto the DSL service is masked as a series of asterisks, but it is plainly visible in the HTML source code of the page.

Hackers can use the purloined password to download the subscriber's email from SBC servers, or view and edit portions of their account information.

But sources say the vulnerability has found its greatest utility in the computer underground as a wellspring of free, anonymous Internet access. Because the same password works on SBC's dial-ups, without interfering with the subscriber's DSL use, the purloined passwords help hackers cover their tracks by borrowing other people's ISP accounts, according to 20-year-old Internet hacker Adrian Lamo.

"Most of the people that I know of use them as disposal dial-up accounts," says Lamo, who discovered the hole over a year ago. "Looking at something in page source is not a tremendous technological effort."

Privacy Problems
An SBC spokesperson acknowledged the password theft vulnerability, and said it drove the company to begin disabling all Internet access to the router's configuration settings as part of its standard installation routine.

"Cayman and other companies have a factory setting where the WAN port is disabled," says spokesperson Fletcher Cook. "Our technicians are trained to disable this themselves."

But subscribers who received their routers over a year ago, before SBC enacted the more secure policy, may remain vulnerable, Cook admits. Newer subscribers are at risk only if they explicitly enable administrative access to the router's WAN port. He adds that the company educates users about security issues through its Web sites.

Lamo says his scanning has turned up thousands of vulnerable routers in homes and small offices throughout Chicago, Los Angeles, San Francisco, Houston, Saint Louis, San Diego, and other cities.

The problem has privacy implications for DSL subscribers. The same password that provides Internet access, is also used to control access to subscriber email.

The passwords can also be used to access some account information over SBC's public customer service Web sites; a cyber snoop could learn a given subscriber's name and phone number, or change their billing address. In some circumstances, the sites also reveal one digit of the subscriber's confidential three-digit telephone account "customer code," Lamo notes.

A spokesman for California-based Netopia, Inc., which acquired Cayman Systems last week, said the company is considering releasing a patch for the password revelation hole. In the meantime, customers should disable access from the WAN port, or set a separate 'user password,' on top of the administrative password, to block access to the configuration screens.

"[Cayman has] been concerned about network security for some time," says Evan Solley, Netopia's vice president of product marketing. "But there has been back pressure from the channels about solutions, because it makes things more difficult for deployment."

The issue is not the first for the Cayman router. In March of last year, security experts revealed that the 3220-H's administrative password was left blank by default, potentially allowing attackers to reconfigure or reprogram the devices remotely. In response, SBC technicians began setting that password manually upon installation.

© 2001 SecurityFocus.com, all rights reserved.

Beginner's guide to SSL certificates

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
To Russia With Love: Snowden's pole-dancer girlfriend is living with him in Moscow
While the NSA is tapping your PC, he's tapping ... nevermind
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Put down that shotgun: Wi-Fi's the way to beat Zombies
CreepyDOL sensors can pick walkers from humans with MAC snack attack
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.