Millions of Home Routers Vulnerable to DNS Rebinding Attack ….

August 1, 2010

Reports of a presentation given by Craig Heffner at the Black Hat security conference show how millions of home routers are vulnerable to hacker attack. The attack would let Internet traffic be redirected and intercepted, as well as giving access to home networks. Some of the vulnerable routers are from Netgear, Belkin, and Linksys. Models affected include routers used for Verizon’s FIOS and DSL services; popular third-party firmwares like DD-WRT and OpenWRT were found to be vulnerable as well.

A list of the tested routers is available here. Ones that say YES in the last column were successfully hacked. Approximately half of the routers were able to withstand the attack.

Heffner works at security consultancy Seismic and will have a proof-of-concept along with the presentation. He wishes to get this issue out into the open so router manufacturers will take greater notice and release new firmware. The attack employs an old method that has been in use for 15 years, DNS rebinding, which lets the attack get around browser limits on scripts and HTML. DNS is the system that maps English website addresses into IP addresses. DNS allows one name to be mapped to multiple IP addresses; DNS rebinding takes advantage of this ability to include the malicious site in the list of sites to load for the site name.

How this comes in handy for hacking routers:

With DNS rebinding, the attacker can make the browser think that any computer he chooses has the same origin as his own malicious page—he just has to create a DNS entry pointing to that computer that matches the DNS name for his malicious site. So, by creating DNS entries for computers in the victim’s LAN, the attacker can trick the victim’s web browser into accessing machines on the victim’s own network. Most computers on a home LAN won’t be running a web server, so on the face of it, this might not seem especially useful. However, one kind of machine typically does run a web server: the router.

If access to the router’s administrative interface can be gained, the attacker can reconfigure it. An example would be routing all DNS lookups through a malicious server, which would allow traffic to be monitored and intercepted. Gaining access to the router can be simple, as many home routers still have their default password and their original firmware has not been updated. Another possibility is that security flaws could allow the hacker to bypass the password entirely.

Browsers add another layer of protection, as they attempt to block this type of attack. However, the variation created by Heffner bypasses the browser protections. The bypasses aren’t new either; they have been known for a long time. His attack isn’t really all-new but rather a combination of previous knowledge.

The best way to protect against this attack is to change the password on the home router and change the default IP address along with keeping firmware up to date.
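The DNS answers described above, where a public name is given an address on the victim's LAN, can be recognized and filtered on the resolver side. The following is an added example, not code from Heffner's presentation or from the original post; the hostnames, addresses and the list of local-only suffixes are constructed assumptions.

```python
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 LAN ranges
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")       # assumed local-only zones

def is_internal(addr):
    """True if addr is a LAN, loopback or link-local address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # unwrap forms like ::ffff:192.168.1.1
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)

def classify_answer(name, addresses):
    """Return (verdict, internal_addresses) for one DNS answer set.

    "ok":     nothing internal, or the name is in a local-only zone
    "mixed":  public and internal records returned together for one name
    "rebind": a public name answered only with internal addresses
    """
    internal = [a for a in addresses if is_internal(a)]
    if not internal or name.lower().rstrip(".").endswith(LOCAL_SUFFIXES):
        return "ok", []
    verdict = "mixed" if len(internal) < len(addresses) else "rebind"
    return verdict, internal

def filter_answer(name, addresses):
    """Resolver-side mitigation: drop internal records from public names."""
    _, internal = classify_answer(name, addresses)
    return [a for a in addresses if a not in internal]

# Constructed sample answers (documentation address space, not real hosts).
SAMPLES = [
    ("www.example.com", ["203.0.113.10"]),
    ("untrusted.example", ["203.0.113.66", "192.168.1.1"]),
    ("untrusted.example", ["192.168.0.1"]),
    ("router.lan", ["192.168.1.1"]),
    ("untrusted.example", ["::ffff:10.0.0.1"]),
]

if __name__ == "__main__":
    for name, addrs in SAMPLES:
        print(name, addrs, classify_answer(name, addrs), filter_answer(name, addrs))
```

Changing the router's default IP address does not defeat this check, because the whole private range is matched rather than one well-known address.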

