Routers with passwords still vulnerable to hack attacks
This is a follow-up to two articles I published earlier this year. They both dealt with an attack against 2Wire brand modems used in Mexico; the first was titled "Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts" and the second "2Wire Modem DNS Poisoning Attack Returns to Mexico." In both of those articles I urged owners of the affected models of these and other brands of modem/router combinations to change the default administrator password, which is blank by default. With a personal password in place, the scripted attacks described in those articles fail, because they rely on a blank or known default password to gain access to the configuration pages.
Yesterday I learned about a new means being tested by security cracking professionals and hackers, whereby a 2Wire modem can still be hacked after a personal administrator password has been applied to it! The exploit may already be in the wild, on MySpace, Facebook, or other popular social networking websites, or soon will be. The technique they are using is neither brute force nor a dictionary attack; in fact, it is what I'd call a chance opportunity attack vector (the class of attack now generally known as cross-site request forgery). It works by launching a script, from a web page you are viewing, at your router's GUI configuration page in your browser, in the hope that you have recently logged into the router in the same browser session. If you have logged into your router and not closed that browser in the interim, and you happen upon a web page that contains the JavaScript exploit code, your router can be taken over! This happens because, having logged in once and not logged out, you are still authenticated by the router, and any change is only a mouse click, or a code string, away. Most consumer modem/routers and wireless routers present no further challenge. After gaining access to the configuration utility, a hacker's code can change your router's administrator password, poison the DNS tables (to redirect you to phishing websites), enable remote administration, download hostile firmware, and do anything else the hacker can think of. You wouldn't be any the wiser until you closed that browser and tried to log in again, only to find that your password was incorrect.
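To make the weakness concrete from the router's side, here is a small simulated admin back end, added as an example for this article; it is not 2Wire firmware or any real router's web interface, and the class and method names are invented. The legacy method accepts any request that carries a live session cookie, which is exactly the state the attack relies on. The hardened method adds the check the article asks manufacturers for (the current password) together with a per-session anti-forgery token that a page from another site cannot read.

```python
"""Simulated router admin back end, added to show the flaw the article
describes and the fix it asks manufacturers for.  Illustrative code only:
not 2Wire firmware or any real router's web interface; names are invented."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class RouterAdmin:
    def __init__(self, admin_password: str = "") -> None:
        # 2Wire units ship with a blank password, so "" is the realistic default.
        self._pw_hash = self._hash(admin_password)
        self._sessions: Dict[str, str] = {}  # session cookie -> anti-CSRF token

    @staticmethod
    def _hash(password: str) -> bytes:
        return hashlib.sha256(password.encode("utf-8")).digest()

    def login(self, password: str) -> Optional[str]:
        """Return a session cookie on a correct password, None otherwise."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        cookie = secrets.token_hex(16)
        # The token is embedded only in pages the router itself serves; a page
        # from another origin cannot read it, so a forged request lacks it.
        self._sessions[cookie] = secrets.token_hex(16)
        return cookie

    def csrf_token(self, cookie: str) -> str:
        return self._sessions[cookie]

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)

    def change_password_legacy(self, cookie: str, new_password: str) -> bool:
        """The behaviour the article describes: a live session cookie is the
        only check.  The browser attaches that cookie to any request aimed at
        the router, including one triggered by a script on an unrelated page,
        so the change goes through with no further challenge."""
        if cookie not in self._sessions:
            return False
        self._pw_hash = self._hash(new_password)
        return True

    def change_password_hardened(self, cookie: str, csrf_token: str,
                                 old_password: str, new_password: str) -> bool:
        """Three checks: a live session, the per-session anti-CSRF token, and
        the current password (the fix the article asks manufacturers for).
        A forged request has the cookie but neither of the other two."""
        expected = self._sessions.get(cookie)
        if expected is None or not hmac.compare_digest(expected, csrf_token):
            return False
        if not hmac.compare_digest(self._hash(old_password), self._pw_hash):
            return False
        self._pw_hash = self._hash(new_password)
        self._sessions.clear()  # every session re-authenticates after a credential change
        return True


def demo() -> Dict[str, bool]:
    """Run both paths; the dictionary records whether each change succeeded."""
    legacy = RouterAdmin("")
    cookie = legacy.login("")
    forged_ok = legacy.change_password_legacy(cookie, "attacker-chosen")

    hardened = RouterAdmin("my-own-password")
    cookie = hardened.login("my-own-password")
    token = hardened.csrf_token(cookie)
    forged_rejected = not hardened.change_password_hardened(
        cookie, "no-token", "unknown", "attacker-chosen")
    owner_ok = hardened.change_password_hardened(
        cookie, token, "my-own-password", "new-password")
    return {"legacy_forged_succeeds": forged_ok,
            "hardened_forged_rejected": forged_rejected,
            "hardened_owner_succeeds": owner_ok}


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the contrast: the same forged request that changes the legacy password is refused by the hardened handler even though the victim's session is still live, which is why the old-password prompt matters more than closing the browser alone.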
Should this type of attack happen to you and you find yourself locked out of your router or modem/router configuration page, don't panic yet. The first thing you should do is reset the router to its default state. Most routers have a small hole on the back where you can insert the tip of a pen, pencil, or hair pin; hold it in for half a minute or so, then power off, hold it in again, then release the button and power the unit back on. After the device stabilizes you should be back to factory default settings. Close any open browsers to clear any possible hostile sessions, and empty your browser's cache, or Temporary Internet Files. Next, open a new browser window, enter the web interface for your router, change the administrator password, disable remote administration and UPnP, then, if at all possible, change the router's IP address. Do not open any other web pages yet; they could have hostile code embedded without the owner's knowledge.
The last item I mentioned is important because many router or modem attacks have hard-coded IP addresses in their scripts, which target specific brands of routers. Some will target the address 192.168.1.254, used by 2Wire and certain other routers. If your router will allow you to alter its IP address, do so and save the changes, then log in using the new IP. For instance, if the default IP is 192.168.1.254, change it to something like 192.168.2.253. Be creative here. As long as you change it to a valid LAN IP in the 192.168 range, it should accept it. When you restart the router after saving the change, you will probably have to release and renew the computer's IP address to get a new one from the changed router. To do this, open a command prompt: go to Start > Run, type in CMD, then press the Enter key. A black command window should open, with a blinking cursor after a text path ending in a > symbol.
At the blinking cursor type the following commands:
IPCONFIG /RELEASE
press Enter
IPCONFIG /RENEW
press Enter
The last command will show your computer's new IP address as well as the IP of the gateway, which is your router (or modem/router). The gateway IP should be the same as the one you just assigned to your router.
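The check the article describes, that the gateway shown after the renewal is the address you just gave the router, can be scripted. The following is an added example, not part of the original article: it parses `ipconfig` output, compares the gateway with the value you expect, confirms it is an RFC 1918 private address, flags the well-known 2Wire default, and checks that the PC's own address sits inside the gateway's subnet (an old lease still being held is a common reason the login fails). The sample output embedded in it is constructed, and the function names are mine.

```python
"""Verify the result of `ipconfig /renew` after changing the router's IP.
Added example, not part of the original article; SAMPLE_IPCONFIG is a
constructed sample and the function names are mine."""
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

KNOWN_DEFAULT_GATEWAY = "192.168.1.254"  # the 2Wire default the article names
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Windows XP-era layout.  Vista and later print "IPv4 Address" (handled) and may
# list an IPv6 gateway before the IPv4 one, which this simple pattern does not
# handle (assumption).
_ADDRESS_RE = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d+(?:\.\d+){3})")
_MASK_RE = re.compile(r"Subnet Mask[ .]*:\s*(\d+(?:\.\d+){3})")
_GATEWAY_RE = re.compile(r"Default Gateway[ .]*:\s*(\d+(?:\.\d+){3})")

# Constructed sample of what `ipconfig /renew` prints after the router was
# moved to 192.168.2.253 and the PC picked up a fresh lease from it.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : gateway.2wire.net
        IP Address. . . . . . . . . . . . : 192.168.2.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.253
"""


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def parse_ipconfig(text: str) -> Dict[str, Optional[str]]:
    """First IPv4 address, subnet mask and default gateway in ipconfig output."""
    fields = {"address": _ADDRESS_RE, "mask": _MASK_RE, "gateway": _GATEWAY_RE}
    return {name: (m.group(1) if (m := rx.search(text)) else None)
            for name, rx in fields.items()}


def check_gateway(text: str, expected_gateway: str) -> List[str]:
    """Return findings; an empty list means the renewal looks right."""
    info = parse_ipconfig(text)
    gw = info["gateway"]
    if gw is None:
        return ["no default gateway reported; the lease renewal may have failed"]
    findings: List[str] = []
    if gw != expected_gateway:
        findings.append(f"gateway is {gw}, expected {expected_gateway}")
    if not is_rfc1918(gw):
        findings.append(f"{gw} is not an RFC 1918 private address")
    if gw == KNOWN_DEFAULT_GATEWAY:
        findings.append(f"gateway is still the well-known default {gw}")
    addr, mask = info["address"], info["mask"]
    if addr and mask:
        subnet = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        if ipaddress.ip_address(addr) not in subnet:
            findings.append(f"PC address {addr} is outside the gateway subnet {subnet}; old lease still held?")
    return findings


def run_ipconfig() -> str:
    """Windows only: run the command the article gives and return its output."""
    return subprocess.run(["ipconfig", "/renew"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in check_gateway(run_ipconfig(), "192.168.2.253") or ["gateway looks right"]:
        print(line)
```

Run it on the real machine with the address you chose in place of 192.168.2.253; an empty findings list means you can go on to the browser login described next.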
Go back to your browser and try to log into the router again, using the new IP address you assigned to it. You should have to type in your user name and password to get authenticated. Once you are successful and have checked everything that needs checking, close that browser. From now on, until all of the major router manufacturers update their firmware to force you to type your old password before changing it, always close all browsers after visiting the router's web interface. Empty your browser's cache before surfing to any other websites, just in case they have been compromised with hostile code aimed at your router.
If you have visited your online bank or other financial institution, contact them as soon as possible to put a fraud watch on your account. Then, after securing your (modem) router, log in again to these websites and change your passwords. Hopefully, you will notice the problem with the router before the hackers receive your login details and empty your accounts.
Make it a point to visit your router's or modem-router's manufacturer's website to look for new firmware, and install it when it becomes available. If you do not know how to do this, call your broadband service provider, who supplied the router, and ask them what they are doing to safeguard their routers. They may offer a flash upgrade on demand and may even do it without notifying you first. If that does occur, your personal settings and administrator password may have been reset to default again, along with the IP address you changed. This is typical for firmware updates, but I can't say for sure that your exact model will get reset completely by an upgrade. Just write down everything you know about the router's login and IP address, or save the configuration file after you have everything where you want it, and import it after you flash the firmware. Always verify your settings and make sure you are able to connect to the net before closing out the router interface. Exit all browser windows afterward and clear the cache/Temporary Internet Files before starting to surf. I have detailed instructions in the extended comments below for automatically clearing your browser's cache upon closing all browser windows.
Clearing your browser's Temporary Internet Files, or "Cache"
Different brands and versions of web browsers provide different means of clearing the temporary files they save as you browse the Internet, or when you log in to your router to inspect or alter any settings. Most allow you to automatically empty your Temporary Internet Files, or the browser cache and authenticated sessions, when you close your browser. Below are the details for clearing these caches in Internet Explorer, Firefox and Opera.
Internet Explorer
You can do this in two ways. The simplest is to have the browser open and click on Tools > Internet Options. When the Internet Options window opens, click on the Advanced tab. Scroll down to the section labeled "Security." There, you will see a checkbox item labeled "Empty Temporary Internet Files folder when browser is closed." Place a checkmark in that option, then click on the Apply button at the bottom right. Look over other options and make any changes you want, then click OK to close the Internet Options window. When you close all of your browser windows, all of the temporary files saved as you browse will be deleted, except for cookies. They are dealt with in the Privacy section of Internet Options. Session cookies are temporary cookies that are only meant to live during an authenticated, logged-in session. You should allow these session cookies if you don't want to have to retype your user name and password for every page you visit on a website where you have to log in.
The second way you can do the same thing is to click on the Start button > Settings > Control Panel and locate your Internet Options icon. Different versions of Windows may display this icon alphabetically, in Classic View, or hide it inside another section, in Web View, of Control Panel. Once you find the Internet Options icon double-click on it to open the properties sheets.
Firefox
Firefox has an option to automatically clear your private data when you close the browser, which is accessed under the menu-bar item "Tools" > Options. When the Options sheet opens click on the "Privacy" tab, then in the section labeled "Private data" place a checkmark in "Always clear my private data when I close Firefox." Now, click on the Settings button to the right of that option and choose which items you want to delete, when you close Firefox. I would recommend Cache and Authenticated Sessions. Click OK, to save your preferences and close the Options. Your cache files and logged in sessions will be cleared each time you close out all Firefox browser windows.
Opera
If you use a current version of the Opera browser you can instruct it to automatically empty its cache in this manner. With the browser open, click on "Tools" > "Preferences." When Preferences opens, click on the "Advanced" tab. On the left sidebar, click on the word "History." This will open options for your browsing history, including a checkbox labeled "Empty on exit." Check that box, then make any other changes you want, then click OK to save your preferences and close the Preferences window.
In all of the above listed browsers your temporary internet files, or cache will only be cleared if you close all open browser windows, from each brand of browser. If you use Firefox and have the Downloads window open, then close the main browser, your Authenticated Sessions and cache will not be cleared, until you close the Downloads window. If a second instance of any browser is open, closing one, but not both will result in the cache not being cleared. You have to shut them all down to clear your Cache/Temporary Internet Files.
Use your HOSTS file to protect your 2Wire modem-router from being accessed by its host name.
Hackers can access a 2Wire modem-router by calling it by a host name, such as http://gateway.2wire.net or http://home, or by the IP address: http://192.168.1.254. If you have changed the modem-router's IP address, you have closed off only one of three attack vectors. Unless you also change the DNS mapping of HOME and gateway.2wire.net, you are still vulnerable to a non-directed attack against these host names. You can easily change the DNS mapping on a Windows computer by editing a file with the unique file name HOSTS. This file is usually located in your system32 directory, in the Drivers sub-directory, inside a folder named "Etc." If Windows is installed on your C drive, in a directory named Windows, the path to HOSTS is as follows:
C:\Windows\System32\Drivers\Etc\HOSTS
HOSTS can be opened in any plain ASCII text editor, such as Windows Notepad, or in HostsFileReader by Option^Explicit, or with HostsMan. After you edit your HOSTS file you must save the changes, but, if you are using Notepad, you have to follow these special instructions to save the file correctly.
After making changes to HOSTS in Windows Notepad, or any other text editor, you must not simply Save, but instead use "Save As." When the Save as window opens you must first go to the section labeled "Save as type" and change it to "All Files." Next, change the "Encoding" to ANSI, then make sure the file name is HOSTS without any extension. Then click Save.
Here are the additions to make to your HOSTS file to protect against a 2Wire modem attack that uses host names. Add them under 127.0.0.1 localhost, using the TAB key to space the host name after the IP address. Enter bare host names only, with no http:// in front and no trailing slash, or the entry will not match.
127.0.0.1	localhost
127.0.0.1	home
127.0.0.1	gateway.2wire.net
Save these changes to HOSTS and reboot the computer. From now on you will have to type in the IP address of the router interface to access it. If you have the default IP of http://192.168.1.254, then it would be best to change this to a different, random value that is an RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X to 172.31.X.X), to protect against an IP address based attack. Something like 192.168.2.253 is a good starting point, but it could be just a different IP in the same subnet, like 192.168.1.221. Don't forget to release and renew your computer's IP after changing the router's own IP, as described in the 5th paragraph of this article.
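The HOSTS edit is easy to get wrong by hand (a slash on the end of a name, a second mapping that Windows ignores because an earlier line wins, or an entry added twice). The script below is an added example, not from the article: it validates the names, adds only what is missing, refuses a name that already points somewhere else, and preserves the file's CRLF line endings. The file path is the one the article gives; the function names are mine, and the assumption that Notepad's "ANSI" is code page 1252 holds for Western-locale Windows only. Writing the real file requires an administrator prompt.

```python
"""Add the article's HOSTS entries safely and idempotently.  Added example,
not from the article; HOSTS_PATH is the path the article gives, function
names are mine, and cp1252 as Notepad's "ANSI" is an assumption."""
import re
from typing import Dict, Iterable

HOSTS_PATH = r"C:\Windows\System32\Drivers\Etc\HOSTS"
GATEWAY_NAMES = ("home", "gateway.2wire.net")  # the names the article lists
SINK = "127.0.0.1"
# A hosts entry is a bare host name: labels of letters, digits and hyphens
# separated by dots.  No scheme, no path, no trailing slash.
_VALID_NAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def is_valid_hostname(name: str) -> bool:
    return bool(_VALID_NAME.match(name))


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each active host name (lower-cased) to the first IP listed for it,
    which is the mapping Windows actually uses."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def add_hosts_entries(text: str, names: Iterable[str] = GATEWAY_NAMES,
                      sink: str = SINK) -> str:
    """Return the hosts text with `sink<TAB>name` appended for each name not
    yet mapped.  Raises on a malformed name (e.g. a trailing slash) and on a
    name already pointed elsewhere, instead of adding a line Windows ignores."""
    existing = parse_hosts(text)
    newline = "\r\n" if "\r\n" in text else "\n"
    additions = []
    for name in names:
        if not is_valid_hostname(name):
            raise ValueError(f"{name!r} is not a valid host name")
        current = existing.get(name.lower())
        if current is None:
            additions.append(f"{sink}\t{name}")
        elif current != sink:
            raise ValueError(f"{name} already maps to {current}; resolve by hand")
    if not additions:
        return text
    if text and not text.endswith(newline):
        text += newline
    return text + newline.join(additions) + newline


def update_hosts_file(path: str = HOSTS_PATH) -> int:
    """Rewrite the real file in place; returns the number of names added."""
    with open(path, encoding="cp1252", newline="") as fh:
        before = fh.read()
    after = add_hosts_entries(before)
    if after != before:
        with open(path, "w", encoding="cp1252", newline="") as fh:
            fh.write(after)
    return len(parse_hosts(after)) - len(parse_hosts(before))


if __name__ == "__main__":
    print(f"{update_hosts_file()} entries added to {HOSTS_PATH}")
```

Running it a second time adds nothing, so it is safe to re-run after a firmware flash or a reinstall has replaced the file.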
I will post another follow-up to this after I learn more about the new exploits being tested, along with any news about firmware updates from 2Wire and other manufacturers to protect against password changes without knowing the old password.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.