(broadband routers) PC World: Flash Attack Could Take Over Your Router
Props to Jeff Chan who I saw it from.

Yes, I still believe these ISP distributed machines called broadband routers are a network operators issue. But not all may agree on that.

------

http://news.yahoo.com/s/pcworld/20080116/tc_pcworld/141399

Flash Attack Could Take Over Your Router
Robert McMillan, IDG News Service
Tue Jan 15, 7:08 PM ET

Security researchers have released code showing how a pair of widely used technologies could be misused to take control of a victim's Web browsing experience.

The code, published over the weekend by researchers Adrian Pastor and Petko Petkov, exploits features in two technologies: The Universal Plug and Play (UPnP) protocol, which is used by many operating systems to make it easier for them to work with devices on a network; and Adobe Systems' Flash multimedia software.

By tricking a victim into viewing a malicious Flash file, an attacker could use UPnP to change the primary DNS (Domain Name System) server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker's Web server, even if he typed Citibank.com directly into the Web browser navigation bar.

"The most malicious of all malicious things is to change the primary DNS server," the researchers wrote. "That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it."

Because so many routers support UPnP, the researchers believe that "ninety nine percent of home routers are vulnerable to this attack." In fact, many other types of UPnP devices, such as printers, digital entertainment systems and cameras are also potentially at risk, they added in a Frequently Asked Questions Web page explaining their research.

[...]
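The article says the attack drives the router over UPnP but does not show what that traffic looks like. The following is an added example, not code from the page, the article, or the GNUCITIZEN researchers: it walks the standard UPnP Internet Gateway Device control path (SSDP reply, device description, control URL, SOAP POST) on constructed sample messages with hypothetical addresses and URLs, and sends nothing on the network. The page does not name the vendor-specific action that rewrites the DNS setting, so the example stops at the standard GetExternalIPAddress action; the security-relevant point is that the same unauthenticated POST shape carries whichever actions the router implements, and nothing in the chain asks the LAN client for a credential.

```python
"""UPnP IGD control path as seen from a LAN-side client.

All messages below are CONSTRUCTED samples (hypothetical router address
192.168.1.1 and URLs); no packets are sent.  The SOAP request built at the
end has no cookie, no Authorization header and no anti-CSRF token, which is
why a request originating from inside the browser is accepted like any other.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed SSDP M-SEARCH reply (what a router unicasts back after a search
# on 239.255.255.250:1900).  Sample, not a capture.
SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::"
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: Linux/2.4 UPnP/1.0 sample/1.0\r\n"
    "\r\n"
)

# Constructed device description (what fetching LOCATION would return),
# trimmed to the elements a control point actually uses.
IGD_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Sample Router</friendlyName>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
          <controlURL>/upnp/control/WANIPConn1</controlURL>
          <SCPDURL>/upnp/WANIPConn1.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>
"""

UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"


def parse_ssdp_reply(text):
    """Return the SSDP reply headers as a dict keyed by upper-case name."""
    lines = text.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 reply")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def find_services(description_xml, location):
    """Walk every nested <service> and map serviceType -> absolute controlURL."""
    root = ET.fromstring(description_xml)
    services = {}
    for svc in root.iter(UPNP_NS + "service"):
        stype = svc.findtext(UPNP_NS + "serviceType")
        ctrl = svc.findtext(UPNP_NS + "controlURL")
        if stype and ctrl:
            services[stype] = urljoin(location, ctrl)   # controlURL may be relative
    return services


def soap_request(service_type, action, args=None):
    """Build the headers and body of the HTTP POST a UPnP control point sends.

    Any process that can emit this POST to the control URL can invoke the
    action; there is no credential anywhere in the request.
    """
    args = args or {}
    arg_xml = "".join("<%s>%s</%s>" % (k, v, k) for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:%s xmlns:u="%s">%s</u:%s></s:Body></s:Envelope>'
        % (action, service_type, arg_xml, action)
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": '"%s#%s"' % (service_type, action),
        "Content-Length": str(len(body.encode())),
    }
    return headers, body


def wan_control_points(ssdp_text, description_xml):
    """What a LAN client learns from discovery: the WAN*Connection control URLs."""
    location = parse_ssdp_reply(ssdp_text)["LOCATION"]
    services = find_services(description_xml, location)
    return {k: v for k, v in services.items()
            if "WANIPConnection" in k or "WANPPPConnection" in k}


if __name__ == "__main__":
    for stype, url in wan_control_points(SSDP_REPLY, IGD_DESCRIPTION).items():
        hdrs, body = soap_request(stype, "GetExternalIPAddress")
        print("POST", url)
        for k, v in hdrs.items():
            print("%s: %s" % (k, v))
        print()
        print(body)
```

Run against a real router by replacing the two constructed samples with an actual SSDP reply and the XML fetched from its LOCATION; if a WANIPConnection or WANPPPConnection control URL turns up from the LAN, every host and every browser-resident plugin on that LAN can drive it, which is the exposure Sean refers to below when he mentions CPE that ships with UPnP off by default.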
On Wed, 16 Jan 2008, Gadi Evron wrote:
Props to Jeff Chan who I saw it from.
Yes, I still believe these ISP distributed machines called broadband routers are a network operators issue. But not all may agree on that.
I doubt many ISP security or customer care folks are fans of UPnP.

The distribution channel (consumer electronics retail store, discount mail order company, etc) is less important than working with the CPE vendors. I worked with a few CPE vendors for several years since 2003 to improve some things. You may be able to figure out which CPE vendors, because they have UPnP off by default (or don't have UPnP), and other nice things such as automatic security patch loading. CPE owners take even less care of the CPE than of PCs.

But even though a few other large ISPs copied some of my requirements for their RFPs, a lot of CPE is distributed through many channels. I'm a bit suspicious of some security researchers' statistics about UPnP gateway configurations in different markets.

If you just want to rant at network operators go ahead. But it will probably be more productive working with CPE vendors and ISPs on a few constructive things.

What specifications can consumer electronics stores and ISPs include in the RFPs to consumer CPE vendors? What can consumer CPE vendors include at the price-points for the market for consumer CPE? Is the Carterphone era over, and consumers just can't handle managing CPE anymore?
On Thu, 17 Jan 2008, Sean Donelan wrote:
On Wed, 16 Jan 2008, Gadi Evron wrote:
Yes, I still believe these ISP distributed machines called broadband routers are a network operators issue. But not all may agree on that.
What specifications can consumer electronics stores and ISPs include in the RFPs to consumer CPE vendors? What can consumer CPE vendors include at the price-points for the market for consumer CPE? Is the Carterphone era over, and consumers just can't handle managing CPE anymore?
Thanks for putting the discussion in focus, Sean. These are splendidly good questions! And consumers may be able to handle CPE, but not most of the ones on broadband providers. "Anymore"?

The questions you raise are very good, and I don't intend to attack their validity. My purpose here is to say that: yes, vendors should do better and it is good to form relationships with them, but currently there are millions of customers who consider these "modems" plug and play, regardless of technology. The recursive DNS servers, linux machine, default passwords and whatever else may be on that CPE device is outside their realm of care. I'd be happy if Windows Update is turned on for even some of them, which is in their realm of care.

These devices are on the client end, and are not under client care. I believe this needs to be re-emphasized. I do not believe spreading gospel on how to secure them to end users is what we need, but rather the other part you mentioned, which is working with vendors.

Working with vendors aside (which, as you mentioned, can be frustrating), network operators need to realize these are in fact their problem, as the vendors are not quite up to scratch yet, are they?

These devices are:
1. Botnets waiting to happen.
2. Sniffers waiting to infringe on user privacy.
3. Recursive DNS servers waiting to be abused.

I believe the main points of interest are #1 and #3. I've worked with a few ISPs on this in the past couple of years, but it is obvious the issue remains un-noticed for most.

Flash and UPnP I am honestly not that interested in.

Gadi.
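Gadi's point #3, a CPE device running a recursive DNS server that anyone can query, is something an operator can test for from the WAN side. The following is an added example, not code from the page or from either poster: it builds a minimal DNS query with the RD bit set, and classifies the reply by its QR, RA and RCODE header bits. The classification is exercised on constructed replies (no real device, hypothetical transaction ID and the 192.0.2.0/24 documentation range); the `probe()` function at the end does send a real UDP query to a host you name, and is the only part that touches the network.

```python
"""Open-recursive-resolver check for a CPE address.

Wire-format details used here are from RFC 1035: a 12-byte header of
ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT; in FLAGS, QR is bit 15,
RD is bit 8, RA is bit 7 and RCODE is the low 4 bits.  Sample replies are
CONSTRUCTED for the test, not captured from a device.
"""
import socket
import struct

# Hypothetical transaction ID used by both the query and the sample replies.
TXID = 0x1234


def build_query(qname, txid=TXID):
    """Standard A query for qname with RD=1 (flags 0x0100), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(reply):
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(reply, txid=TXID):
    """Label a reply to an RD=1 query for a name the device is not authoritative for.

    open-recursive      RA set, NOERROR, and an answer was returned: the device
                        resolved a third-party name for an unknown client.
    recursion-available RA set but no answer (e.g. NXDOMAIN): still advertises
                        recursion to the world.
    refused             RCODE 5 (REFUSED): the usual behaviour of a correctly
                        ACL'd resolver.
    closed              QR set, RA clear: answers but does not recurse.
    not-a-response      ID mismatch or QR clear.
    """
    h = parse_header(reply)
    if h["id"] != txid or not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 5:
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"
    if h["ra"]:
        return "recursion-available"
    return "closed"


# Constructed reply: QR=1 RD=1 RA=1 RCODE=0 (flags 0x8180), one question,
# one A answer of 192.0.2.1 via a name pointer to offset 12 (0xC00C).
QUESTION = build_query("example.com")[12:]
OPEN_REPLY = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

# Constructed reply from an ACL'd resolver: QR=1 RD=1 RA=0 RCODE=5 (flags 0x8105).
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + QUESTION


def probe(host, qname="example.com", port=53, timeout=2.0):
    """Send one RD=1 query to host and classify the reply (network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (host, port))
        reply, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no-reply"
    finally:
        sock.close()
    return classify(reply)


if __name__ == "__main__":
    print("sample open reply   :", classify(OPEN_REPLY))
    print("sample refused reply:", classify(REFUSED_REPLY))
```

Run `probe()` against a customer's WAN address from outside the ISP's network; an `open-recursive` result is the device Gadi describes, usable for reflection and cache-poisoning against its own users. The query name should be one the device is certainly not authoritative for, otherwise `closed` and an authoritative answer are indistinguishable by this header-only check.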
participants (2)
-
Gadi Evron
-
Sean Donelan