Hacked DSL Modems Steal Bank Info

Locked down your computer so nobody can hack it? Great! Now you just have to lock down your DSL modem.

Turns out a Broadcom chipset used by a bunch of DSL modems has a vulnerability that allows remote takeovers. A crew of Internet criminals used this to target /millions/ of Brazilians, changing their DSL modems to use the crooks’ malicious DNS service. The DNS in turn sent people to fake versions of popular websites, which stole logins and installed malware.

As tech gets embedded in more unexpected places, no doubt we’re only going to see more examples of this. Probably to considerable psychological effect.

(The mind has an interesting relationship with everyday things it doesn’t understand — look at the popular resonance Dan Brown got with “symbology” and religion.

I suspect tech will someday find itself in the same shoes, with Dan Brown Jr. theorizing about Apple and its logo as meaning both knowledge and evil. [apple with a bite out of it / garden of eden, etc])


“This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems[…]

Without much fanfare, a vulnerability showing a flaw in a specific modem was revealed in March 2011. That failure allowed remote access to a DSL modem. No one knows exactly when criminals began exploiting it remotely. The flaw allows a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the DSL modem, capturing the password set on the device and allowing the attacker to make changes, usually in the DNS servers.

Even if you have a strong password configured on the device, the flaw allows an attacker to access the control panel, capture the password, log into the device and make changes.

Seems the problem is not related to a particular model or manufacturer, but the chipset driver that performs the main functions of the equipment and is bought by modem manufacturers who use it in consumer products. All the affected devices have in common a Broadcom chipset, used by several manufacturers, including modems approved by the National Telecommunications Agency of the Brazilian government and sold in Brazil. Interestingly not all devices using Broadcom chips have this problem, but there is no precise data about which versions and equipment are affected. This depends on information from manufacturers.

Two malicious scripts

The attack was quite simple. Criminals swept the internet in search of exposed modems on the network.

The attackers used two bash scripts that were executed in a dedicated server purchased exclusively for this purpose. A range of IPs was set to be scanned and tested by the script. Whenever a modem was found, an attempt to exploit the flaw was performed.

Once accessed, another script called “roda.sh” would run and access the modem. The vulnerability reveals the administration password of the modem. Capturing the password, the script accesses the modem admin panel, changes the configuration of the Domain Name System (DNS) and changes the password, preventing the device owner from changing it later.”
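Since the visible symptom of this attack is a changed DNS setting, one host-side check is to compare the resolvers a machine has been handed against the ones the network is supposed to use. The sketch below is an added example, not code from the quoted report; the `EXPECTED` allowlist, the `SAMPLE` text and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the resolvers this network is meant to use. Constructed
# documentation-range values; substitute your ISP's or chosen resolvers.
EXPECTED = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "2001:db8:53::/48")]
# Addresses that mean "the host is pointed at the modem/router or itself".
LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

SAMPLE = """\
# constructed sample of resolv.conf-style text, not from the article
nameserver 192.168.1.1
nameserver 203.0.113.66
nameserver 192.0.2.53
search lan
"""

def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Drop any IPv6 zone id (fe80::1%eth0) before parsing.
                servers.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))
            except ValueError:
                continue  # malformed address: ignore the line
    return servers

def _in_any(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)

def audit(text, expected=EXPECTED):
    """Label each configured resolver: expected, local-forwarder or UNEXPECTED."""
    findings = []
    for ip in parse_nameservers(text):
        if _in_any(ip, expected):
            verdict = "expected"
        elif _in_any(ip, LOCAL):
            # The modem answers DNS itself; its upstream setting, the value
            # changed in this attack, is only visible in its admin panel.
            verdict = "local-forwarder"
        else:
            verdict = "UNEXPECTED"
        findings.append((str(ip), verdict))
    return findings
```

Run `audit()` over the contents of `/etc/resolv.conf` (or the equivalent DHCP-supplied list on other systems). A `local-forwarder` result is not a clean bill of health: it means the modem's own upstream DNS entry still has to be checked on the device.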
