When Your Home Router is Working for the Bad Guys

Back in January, someone pulled off a large-scale attack (300,000+ routers) on the little boxes people have at home connecting them to the Interwebs.

Exploiting a security hole in the ZyXEL ZynOS firmware, the attackers changed the DNS servers those routers use to servers the attackers controlled.

In other words, the attackers could now redirect 300,000 people’s attempts to visit yourbank.com to ThisIsYourBankNoReallyHonest.ru. And the redirect is invisible: the address bar still says yourbank.com, so the only thing standing between you and the fake site is the SSL certificate check, which holds only as long as the attackers can’t get a suitable certificate or otherwise trick you into clicking past the warning.

(And if you were using iOS or a Mac at the time, getting past that certificate check was beyond easy, thanks to the SSL/TLS validation bug Apple had only just patched!)

Of course this also worked for any other website or server, too.

Lesson? I’m reminded of the 3 rules of computer security:
1. Don’t buy a computer.
2. If you have to buy a computer, don’t turn it on.
3. If you have to turn it on, don’t use it.


In January, the firm uncovered a “SOHO pharming” campaign that had overwritten DNS settings on 300,000 routers. That allows attackers to redirect traffic to sites and domains controlled by them, “effectively conducting a man-in-the-middle attack,” the company’s report said.

“If [your router’s] been hijacked and is pointing to someone else’s DNS server, you really have no trust over what you’re actually getting – you could be getting the bad guy’s version of Google, or your bank site,” Team Cymru spokesman Steve Santorelli told PC Pro. “It’s very clever.”[…]

“This is kind of a sea-change in the way people have been approaching security,” he said. “This isn’t the first time this kind of thing’s been spotted, but it’s certainly the biggest in recent memory.”

The attack affects devices from several manufacturers, the firm said, adding that “consumer unfamiliarity” with configuring routers and weak default settings makes the devices a “very attractive target”.

Indeed, security researchers at Tripwire spotted a series of flaws in routers last year, while D-Link rushed out a patch to fix a back door to admin settings.

Santorelli said the problem wasn’t a hardware flaw, but weaknesses in ZyXEL’s widely used router firmware, ZynOS.

“It’s about the people who write the original firmware… this is ubiquitous firmware,” he said. “It’s on all these very good value, cheap routers – it’s really a firmware vendors’ problem than a hardware manufacturers’ problem.” […]

To stay safe, Santorelli recommended checking your router’s DNS settings, ensuring that the IP addresses you end up at are legitimate, and updating your firmware.

The report added that if the attackers’ servers are shut down, it could cause trouble for victims. “As with the DNSChanger malware, unwitting victims are vulnerable to a loss of service if the malicious servers are taken down, as both primary and secondary DNS IP addresses are overwritten, complicating mitigation,” the report added.
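Santorelli’s advice above (check the router’s DNS settings, make sure the addresses you end up at are legitimate, update the firmware) can be turned into a quick script. What follows is an added example, not code from Team Cymru, PC Pro or the author of this post: it classifies each configured resolver as the local gateway, your ISP, a well-known public resolver or something unrecognised, flags the case the report warns about where both primary and secondary have been overwritten so there is no legitimate fallback, and compares the answers your configured resolver gives for a few domains with answers from a resolver you trust. The ISP resolver addresses, the sample resolv.conf text and the recorded answers are constructed test data (TEST-NET ranges), not real observations.

```python
"""Audit the DNS servers a home router hands out and cross-check their answers.

Added example, not code from Team Cymru, PC Pro or the original post.
ISP_RESOLVERS, SAMPLE_RESOLV_CONF and the ANSWERS_* dicts are constructed
test data; replace them with what your own network shows."""
import ipaddress
import re

# Well-known public resolvers.  Anything that is neither your gateway, your
# ISP nor one of these deserves a closer look.
KNOWN_PUBLIC = {
    "8.8.8.8", "8.8.4.4",                 # Google Public DNS
    "208.67.222.222", "208.67.220.220",   # OpenDNS
    "1.1.1.1", "1.0.0.1",                 # Cloudflare
    "9.9.9.9",                            # Quad9
}
# Assumption: the resolvers your ISP assigns (placeholders from TEST-NET-3).
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
# RFC 1918 plus loopback and link-local: a resolver here is the router itself
# or a local forwarder, not something on the public Internet.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def classify_resolver(ip_text):
    """Return 'lan', 'isp', 'public' or 'unknown' for one resolver address."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in LAN_NETS):
        return "lan"
    if ip_text in ISP_RESOLVERS:
        return "isp"
    if ip_text in KNOWN_PUBLIC:
        return "public"
    return "unknown"


def parse_resolv_conf(text):
    """Pull the nameserver entries out of resolv.conf-style text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)


def audit_resolvers(resolvers):
    """Judge a resolver list the way a hijacked router would present it.

    hijack_suspected: at least one server is an unrecognised public address.
    no_trusted_fallback: every server is unrecognised, i.e. primary and
    secondary were both overwritten, so clients lose DNS entirely if the
    rogue servers are taken down (the DNSChanger problem the report cites)."""
    verdicts = {r: classify_resolver(r) for r in resolvers}
    unknown = [r for r, v in verdicts.items() if v == "unknown"]
    return {
        "verdicts": verdicts,
        "hijack_suspected": bool(unknown),
        "no_trusted_fallback": bool(resolvers) and len(unknown) == len(resolvers),
    }


def compare_answers(configured, trusted):
    """Compare A-record answers from the configured resolver with a trusted one.

    Both arguments map domain -> set of IP strings.  Returns the domains whose
    answer sets share no address at all.  Caveat: CDN-fronted sites legitimately
    answer differently to different resolvers, so a mismatch is a reason to
    inspect the TLS certificate and the address owner, not proof of tampering."""
    return sorted(d for d in configured
                  if d in trusted and not (configured[d] & trusted[d]))


# Constructed sample: what a Linux client sees from a router whose DNS settings
# were re-pointed at two attacker-controlled servers (TEST-NET-2 placeholders).
SAMPLE_RESOLV_CONF = """# Generated by dhcpcd from eth0
nameserver 198.51.100.7
nameserver 198.51.100.8
"""
# Constructed answers: the rogue resolver substitutes its own host for the bank
# and answers honestly for everything else, which is exactly what makes the
# attack hard to notice.
ANSWERS_CONFIGURED = {"yourbank.example": {"198.51.100.200"},
                      "www.example.org": {"93.184.216.34"}}
ANSWERS_TRUSTED = {"yourbank.example": {"192.0.2.10", "192.0.2.11"},
                   "www.example.org": {"93.184.216.34"}}


def run_check(resolv_conf=SAMPLE_RESOLV_CONF, configured=ANSWERS_CONFIGURED,
              trusted=ANSWERS_TRUSTED):
    """Run both checks and return one report dict."""
    report = audit_resolvers(parse_resolv_conf(resolv_conf))
    report["mismatched_domains"] = compare_answers(configured, trusted)
    return report


if __name__ == "__main__":
    rep = run_check()
    for server, verdict in rep["verdicts"].items():
        print(f"{server:16} {verdict}")
    if rep["hijack_suspected"]:
        print("WARNING: unrecognised DNS server(s); check the router's DNS settings")
    if rep["no_trusted_fallback"]:
        print("WARNING: every resolver is unrecognised; no fallback if they vanish")
    for d in rep["mismatched_domains"]:
        print(f"MISMATCH: {d} resolves differently via configured vs trusted resolver")
```

To run it against a real network, feed it your own /etc/resolv.conf (or the DNS Servers lines from ipconfig /all on Windows) and fill the answer dicts from dig @<server> yourbank.example for the configured server and for one you trust. One blind spot the script cannot close: many routers hand clients only their own LAN address as the resolver and forward upstream, so a hijacked WAN-side DNS setting is invisible from the client. Log in to the router’s admin page and read the WAN/Internet DNS fields directly; if they have changed, set them back and update the firmware before trusting any answer the router gives you.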
