Feeds

Harvesting passwords from DSL routers

Hackers raid Cayman for 'disposable' dial-up accounts

  • alert
  • submit to reddit

Reducing security risks from open source software

Hackers have developed a trick for pilfering DSL account names and passwords right from subscriber's routers, a technique that provides hackers with untraceable Internet access, and potentially exposes subscriber email to interception.

The method targets Cayman Systems' popular 3220-H DSL router, a combination modem, router and hub that allows DSL subscribers to share their Internet connections among multiple computers. The 3220-H is sold retail, and is distributed by Cayman's channel partners-- notably SBC Communications, which provides the devices to thousands of "Enhanced DSL" subscribers through subsidiaries Pacific Bell, Southwestern Bell and Ameritech.

Like other DSL routers, the Cayman 3220-H allows users to easily configure their settings through a Web browser interface. But the router makes that interface accessible, not just from the user's local area network, but also from the 'WAN port' that connects to the Internet.

The device is protected from unauthorized reprogramming by an administrative password set by the owner. But unless the subscriber also sets a separate 'user password', the router's configuration settings can be viewed, though not changed, through the browser interface. There, the 'PPPoE' password used to log onto the DSL service is masked as a series of asterisks, but it is plainly visible in the HTML source code of the page.

Hackers can use the purloined password to download the subscriber's email from SBC servers, or view and edit portions of their account information.

But sources say the vulnerability has found its greatest utility in the computer underground as a wellspring of free, anonymous Internet access. Because the same password works on SBC's dial-ups, without interfering with the subscriber's DSL use, the purloined passwords help hackers cover their tracks by borrowing other people's ISP accounts, according to 20-year-old Internet hacker Adrian Lamo.

"Most of the people that I know of use them as disposal dial-up accounts," says Lamo, who discovered the hole over a year ago. "Looking at something in page source is not a tremendous technological effort."

Privacy Problems
An SBC spokesperson acknowledged the password theft vulnerability, and said it drove the company to begin disabling all Internet access to the router's configuration settings as part of its standard installation routine.

"Cayman and other companies have a factory setting where the WAN port is disabled," says spokesperson Fletcher Cook. "Our technicians are trained to disable this themselves."

But subscribers who received their routers over a year ago, before SBC enacted the more secure policy, may remain vulnerable, Cook admits. Newer subscribers are at risk only if they explicitly enable administrative access to the router's WAN port. He adds that the company educates users about security issues through its Web sites.

Lamo says his scanning has turned up thousands of vulnerable routers in homes and small offices throughout Chicago, Los Angeles, San Francisco, Houston, Saint Louis, San Diego, and other cities.

The problem has privacy implications for DSL subscribers. The same password that provides Internet access, is also used to control access to subscriber email.

The passwords can also be used to access some account information over SBC's public customer service Web sites; a cyber snoop could learn a given subscriber's name and phone number, or change their billing address. In some circumstances, the sites also reveal one digit of the subscriber's confidential three-digit telephone account "customer code," Lamo notes.

A spokesman for California-based Netopia, Inc., which acquired Cayman Systems last week, said the company is considering releasing a patch for the password revelation hole. In the meantime, customers should disable access from the WAN port, or set a separate 'user password,' on top of the administrative password, to block access to the configuration screens.

"[Cayman has] been concerned about network security for some time," says Evan Solley, Netopia's vice president of product marketing. "But there has been back pressure from the channels about solutions, because it makes things more difficult for deployment."

The issue is not the first for the Cayman router. In March of last year, security experts revealed that the 3220-H's administrative password was left blank by default, potentially allowing attackers to reconfigure or reprogram the devices remotely. In response, SBC technicians began setting that password manually upon installation.

© 2001 SecurityFocus.com, all rights reserved.

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.