Black Hat 2010: How to Hack Millions of Routers

  • So I recently saw an article about a speaker at Black Hat 2010 that's going to present a new DNS rebinding hack to exploit "millions" of routers, and will also release a tool. The presentation is described as the following…


    How to Hack Millions of Routers

    This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc, and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.

    A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).

    Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.

    I figured since PFSense was mentioned in this article it would be a good idea to create a thread discussing the issues and developments of the story if and/or when this is released and any potential impact it will have on the security of PFSense.

    Edited: According to the spreadsheet of tested devices/software this will affect PFSense 1.2.3-RC3 so far.

  • Rebel Alliance Developer Netgate

    There are already at least two threads about this :-)

    Here's the main one:,26368.0.html

  • I did a quick search but was not able to find anything.

    Thanks, and feel free to trash this thread :)

  • Rebel Alliance Developer Netgate

    It's OK, it might help someone else who lands here looking for keywords which aren't in the other thread.

  • The upcoming Black Hat security conference in Las Vegas offers an annual parade of security researchers revealing new ways to break various elements of the Internet. But few of the talks have titles quite as alarming as one on this year's schedule: "How to Hack Millions of Routers."

    Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon Fios or DSL versions. Users who connect to the Internet through those devices and are tricked into visiting a page that an attacker has set up with Heffner's exploit could have their router hijacked and used to steal information or redirect the user's browsing.

    Heffner's attack is a variation on a technique known as "DNS rebinding," a trick that's been discussed for close to 15 years. "There have been plenty of patches over the years, but this still hasn't really been fixed," he says.

    The hack exploits an element of the Domain Name System, or DNS, the Internet's method of converting Web page names into IP address numbers. (When you visit, for instance, a domain name server might convert that name into the IP address.) Modern browsers have safeguards that prevent sites from accessing any information that's not at their registered IP address.

    But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.

    Heffner's trick is to create a site that lists a visitor's own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address (in reality the user's own IP address) and accesses the visitor's home network, potentially hijacking their browser and gaining access to their router settings.

    That DNS trick isn't new, and browsers have installed patches for earlier versions of the exploit. But Heffner says he's tweaked it to bypass those safeguards; he won't say exactly how until his Black Hat talk. "The way that [those patches] are circumvented is actually fairly well known," says Heffner. "It just hasn't been put together like this before."

    Heffner tested his attack against 30 router models and found that about half were vulnerable. Here's his chart of which are and aren't subject to attack. ("Successful" in the far right column means that the router was successfully hacked.)

  • Merging this to one of the already existing topics.
