Cybercriminals have developed a new tool that, once a user visits a compromised website, attempts to exploit unpatched security vulnerabilities in the user’s internet router. The tool assumes that the router’s firmware is not up to date. A router is a device, usually provided by your ISP (Internet Service Provider), that gives you access to the internet; routers usually provide both wired and wireless internet access. A router connects to the internet via your fiber broadband connection or via your traditional telephone line (allowing a slower broadband connection). It should be noted that currently only consumer routers are affected. More details of the affected router models are provided in this blog post from French malware researcher Kafeine.
This exploit tool first uses a cross-site request forgery (CSRF) technique to determine the manufacturer of the router being used. Based on that result, the attack then uses an exploit for known issues with that router (e.g. previously patched (fixed) flaws in D-Link, Belkin and TP-Link routers) in an attempt to access the router’s administration page. If that is not successful, common passwords are then tried in order to gain access. The goal of accessing the administrative interface of your router (a settings page usually accessed using a web browser) is to change the DNS server IP addresses of your router from the addresses assigned by your ISP (or the DNS servers of your choice) to servers of the attacker’s choosing.
Why Does An Attacker Want To Change My Router’s DNS Settings?
DNS (Domain Name System) works very much like looking a number up in a phone book. For example, when you type www.google.com into your web browser, your browser checks with your router to find out how to reach that website; it does this by “asking” the router what IP address is associated with www.google.com. Once the router replies with the IP address, your web browser connects to that IP address and displays Google’s homepage.
Your router finds out the IP address of Google by querying the DNS servers whose IP addresses it has stored in its settings. These servers obtain the IP address of Google on behalf of your router and return it. If an attacker can change your router’s DNS server settings, your router will instead check with the attacker’s DNS servers (rather than your ISP’s) for the IP address of Google and will accept whatever IP address those servers respond with.
The router will then pass the address it was given to your web browser, which displays the page for you. Since this IP address has been deliberately chosen by the attacker, the website could be a phishing site (or any other site of the attacker’s choice) which could (to continue the above example) try to steal your Google account credentials or perform other malicious actions. More details on approximately how many users have been impacted by this attack are available in this blog post. Protocols such as DNSSEC were designed to prevent such tampering, but unfortunately its use is not yet very widespread.
This type of attack, where your DNS settings are changed without your permission, is known as “pharming”.
How can I defend against this attack?
In order to protect against this issue I would recommend a similar approach to the NetUSB flaw that I previously discussed, namely monitoring the relevant websites of your router’s manufacturer for firmware updates that address a CSRF flaw. Please follow the steps provided by your router manufacturer to apply the relevant updates.
In addition, it is recommended to have the most recent firmware for your router already installed (especially if it contains fixes for already known security vulnerabilities). As mentioned above, the attack tries to exploit older known flaws and assumes you haven’t updated your router.
My home router is an Asus router from mid-2013. I already have the most recent firmware from January 2015 installed (which fixed 2 security issues, one of which was a CSRF flaw). However, it’s unclear if Asus still supports my router or will release a fix for this issue. Upon contacting Asus support, they said they couldn’t disclose the answers to either question. Based on this uncertainty it may be time for me to consider a newer model of router from Asus.
To prevent the CSRF technique from being able to access your router, you can specify that only a single IP address is allowed to access your router’s settings page (unfortunately not all routers have this capability). The router’s admin page would then only be accessible from that address. To access your router you would first need to change your computer’s/device’s IP address to the address you have chosen and then log in to your router; the CSRF attack would not be able to do this. When you have finished with your router’s admin page you would change your device’s IP address back to its default (commonly used) address, which would block any unauthorized access.
To check that the DNS servers of your router are legitimate and working as expected, Kafeine in her/his blog post mentioned 2 tools used to check your router’s DNS settings. I don’t own an Android device to install the Android app but used the web based F-Secure tool; it showed that my DNS servers are still set to my ISP’s servers. I had already verified this since I had manually checked the DNS settings of my router, found the 2 IP addresses being used for DNS lookups and entered the addresses into Domaintools Whois lookup. The company names that were displayed matched those of my ISP. However, F-Secure’s tool is very easy to use and much quicker than my manual method mentioned above.
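The manual check described above (read the DNS servers off the router's status page and confirm they belong to your ISP) can be scripted so it is quick to repeat after a firmware update or whenever you suspect tampering. This is an added example, not a tool from the post or from F-Secure; the router status text and the ISP resolver networks below are constructed placeholders (documentation prefixes), and the "DNS Server N:" line format is an assumption that you would adapt to your own router's page.

```python
"""Flag router DNS settings that fall outside the ISP's known resolver networks.

Added example: constructed input, not the post's own tool.
"""
import ipaddress
import re

# Constructed sample of a router status page dump (placeholder addresses).
# The second resolver is deliberately outside the ISP's ranges to show a hit.
ROUTER_STATUS = """\
WAN IP Address: 203.0.113.45
DNS Server 1: 203.0.113.2
DNS Server 2: 192.0.2.77
"""

# Constructed allowlist: the resolver networks your ISP publishes (or the
# prefixes a Whois lookup of its legitimate resolvers returns). Placeholders.
EXPECTED_DNS_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24"]

# Assumed line format for the router page; adjust the regex to your model.
DNS_LINE = re.compile(r"DNS Server\s*\d*\s*:\s*([0-9.]+)")


def parse_dns_servers(status_text):
    """Return the DNS server addresses listed in the status page text."""
    return [ipaddress.ip_address(m.group(1)) for m in DNS_LINE.finditer(status_text)]


def check_dns_servers(servers, expected_networks):
    """Map each configured resolver to 'expected' or 'unexpected'.

    'unexpected' means the address is outside every allowlisted network and
    warrants a manual Whois check and a look at the router's admin page.
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return {
        str(ip): ("expected" if any(ip in n for n in nets) else "unexpected")
        for ip in servers
    }


if __name__ == "__main__":
    verdicts = check_dns_servers(parse_dns_servers(ROUTER_STATUS), EXPECTED_DNS_NETWORKS)
    for address, verdict in verdicts.items():
        print(f"{address}: {verdict}")
```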