Feeds

Most home routers 'vulnerable to remote take-over'

Universal plug and prey

The Essential Guide to IT Transformation

Security mavens have uncovered a design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website.

The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce companies or health care organizations. The exploit works even if a user has changed the default password of the router. And it works regardless the operating system or browser the computer connected to the device is running, as long as it has a recent version of Adobe Flash installed.

"This is a huge problem," Adrian Pastor, of the prolific hacking organization GNUCitizen, said in an instant message.

The problem resides in Universal Plug and Play, a feature built in to most routers used for home networks so machines running games, instant messaging programs and other applications will work seamlessly with the devices. By exposing an end user to a malicious Flash file lurking on a website, attackers can use UPnP, as the technology is usually called, to make significant modifications to the router.

The most serious change that's possible is changing the the server PCs connected to the router use to access websites. That might cause a victim trying to access eBay or Bank of America to see spoofed pages that steal their login credentials.

The hack could also allow attackers to open ports on a victim's router. That would be useful in turning a router into what would amount to a zombie machine by forwarding ports to an external server.

The weakness, which works using the navigatetoURL function and URLRequest object specified in Flash, isn't a security flaw within Flash, the researches say. Rather they are design flaws in UPnP, which doesn't use authentication. PCs using virtually any platform and browser will change router settings, as long as they run version 8 or higher of Flash.

Routers made by Linksys, Dlink and SpeedTouch have been confirmed to be vulnerable, and other manufacturers' products are also likely susceptible to attack, the researchers said. Most routers have UPnP turned on by default. The only way to prevent the attack is to turn the feature off, something that is possible with some, but not all, devices.

The vulnerability, which was also discovered by Petko D. Petkov, is explained further here. A FAQ is here. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.