Hacking ASUS Routers via USB port
Hacking Functionality into ASUSWRT Routers by Darell Tan Dec. 10, 2012
Asus routers support something they call a USB application, software that runs from a USB flash drive (see screen shot). One example is 'Download Master', a program that controls downloads to USB storage devices. Just like Windows, when a USB flash drive is plugged into an Asus router, the router will run a shell script from it, provided the script has the right name and is stored in the right folder. USB applications can be updated independently of the router firmware. If you own an Asus router, disable this feature. The article focuses on the ASUS RT-N56U, but should apply to other models as well.
More about WPS
Routers using WPS are intrinsically unsafe by Fred Langa in Windows Secrets newsletter Dec. 13, 2012
Explains four WPS methods of gaining network access, explains the security problem, offers advice on router configuration and verifying that WPS is really disabled. Not a great article, has some mistakes and omits the fact that Android network scanners can display the WPS status.
Router hacked by email message
The Email that Hacks You by Bogdan Calin of Acunetix November 27, 2012
Opening a legitimate looking email on an iPhone, iPad or Mac while using an Asus router with a default or guessable password could compromise the security of your internal network. The author tested the Asus RT-N16 and Asus RT-N56U - and the attack was successful. The attack also works against TP-Link routers, tested on TL-WR841N, and the Arcor EasyBox A600. The author got the idea for these tests after noticing that Apple devices load remote images in emails by default. Any router that accepts configuration changes from GET parameters and doesn't protect against CSRF should be vulnerable to this simple attack.
DSL modem hacking impacts millions of Brazilians
How millions of DSL modems were hacked in Brazil, to pay for Rio prostitutes by Graham Cluley of Sophos October 1, 2012
Remote access was enabled on millions of routers. Huge mistake. But at least bad guys were prompted for a userid/password. That didn't matter. A bug allowed bad guys to break into the routers remotely, without needing to know the password. The bug was a Cross Site Request Forgery (CSRF) in the administration panel of the ADSL modem. Bad guys then changed the DNS servers on the routers. This has been ongoing since 2011. Six hardware manufacturers are affected.
ARRIS TG852G gateways are hackable
The ARRIStocrats: Cable Modem Lulz by Chris Naegelin and Charlie Vedaa July 14, 2012
The ARRIS TG852G is a DOCSIS 3.0 cable modem/router issued by Time Warner Cable. They do not give you a userid/password to configure the box. This presentation from the HOPE Number Nine conference walks you through two different methods to gain access to the device by exploiting weakly implemented authentication mechanisms. The devices have an insecure Wi-Fi password that consists of the device model number and the lower half of the MAC address. Admin access to the box is possible, even though Time Warner does not want customers doing this. Aggregating publicly available datasets would allow an attacker to use the vulnerability to build an army of thousands of routers. The response from Arris, ignoring this, tells you everything you need to know when buying a modem.
WPS - The Flaw that got me started on this
Most Wi-Fi routers susceptible to hacking through security feature by Chester Wisniewski of Sophos December 30, 2011
WPS: A Troubled Protocol Transcript of Security Now podcast with Steve Gibson and Leo Laporte January 25, 2012
Brute forcing Wi-Fi Protected Setup When poor design meets poor implementation by Stefan Viehböck Dec. 26, 2011
Hands-on: hacking WiFi Protected Setup with Reaver by Sean Gallagher of ArsTechnica Jan 4, 2012. Testing the WPS attack program Reaver from Craig Heffner of Tactical Network Solutions
Researchers publish open-source tool for hacking WiFi Protected Setup by Sean Gallagher of ArsTechnica Dec 30, 2011
Vulnerability Note VU#723755 WiFi Protected Setup (WPS) PIN brute force vulnerability from CERT. Released Dec 27, 2011. Last revised: May 10, 2012
Attacking router passwords
Routers with poor passwords at risk from Chuck Norris by Graham Cluley of Sophos February 23, 2010
Malware installs itself on routers by cracking admin passwords.
D-Link HNAP flaw
D-Link Issues Fixes for Router Vulnerabilities by Jeremy Kirk of IDG News Service January 15, 2010
Some D-Link routers have an insecure implementation of the Home Network Administration Protocol (HNAP), which could allow an unauthorized person to change a router's settings. The bug can be exploited both locally and externally. The flaw was discovered by SourceSec which says that D-Link routers include both a regular administrative interface and a HNAP connection that can't be disabled. SourceSec disagrees with D-Link about which routers are vulnerable. D-Link said the DIR-855, DIR-655 and DIR-635 are vulnerable along with three discontinued models - DIR-615, DIR-635 and DI-634M. D-Link plans on issuing fixes.
Windows malware configures routers
New ZLOB Rigs Routers by Trend Micro June 16, 2008
Windows malware logs on to a router and re-configures it with new DNS servers. Recently, half a million Web sites have been compromised to download ZLOB variants which in turn drop codes to change router DNS settings and browser settings. In another high-impact attack, DNS changers in Mexico also install botnet clients in victims' PCs.
UPnP abused by the Adobe Flash player
Most home routers 'vulnerable to remote take-over' by Dan Goodin of The Register January 15, 2008
A design flaw in routers allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website. The exploit works even if a user has changed the default router password; however, it does require Adobe Flash. Bad guys can change DNS servers and open ports. The problem is a design flaw in UPnP, which has no authentication. Some routers can disable UPnP, some cannot.