After attending several DEFCON events, I am thrilled to announce that I will be speaking at DEFCON 18. My presentation titled "How to Hack Millions of Routers" aims to shed light on prevalent security vulnerabilities. I will also take this opportunity to answer frequently asked questions and provide a glimpse into the content of my upcoming talk.

Many people mistakenly believe that disabling remote administration on their routers shields them from unauthorized external access. Unfortunately, this is not the case for many router models. Anyone who owns a registered domain can potentially gain full access to a router's internal web interface. With that access, they can exploit vulnerabilities in the interface or brute-force its login to alter settings and take control of the router. The exposure is not limited to the primary web interface: it extends to SOAP-based services such as Universal Plug and Play (UPnP), which require no authentication at all. In tests conducted on thirty routers, more than half, including popular models like the Linksys WRT54G and various ActionTec routers used by Verizon FiOS and DSL customers, were susceptible to these attacks.

The core of this security issue involves DNS rebinding, a technique that has been known for almost 15 years yet remains widely misunderstood. The inquiries I receive about this topic generally focus on two questions:

  1. What is DNS rebinding?
  2. What makes the DNS rebinding technique discussed in this talk special?

To address these, it's essential to understand the 'same domain policy' (more commonly called the same-origin policy) enforced by web browsers. This policy allows a website like www.evilhacker.com to have your browser load content from other sites (images, scripts and so on) but prevents it from reading the responses that come back from those other sites. DNS rebinding subverts this policy by tricking the browser into believing that the attacker's own domain has moved to a different IP address: the browser still treats the domain as the same origin, so script from that domain can now read responses from whatever host the new address points to.

Historically, DNS rebinding attacks have employed methods like setting low TTL values or using multiple A records, but these techniques have become impractical or obsolete due to advancements in browser security like DNS pinning and anti-rebinding measures in plugins like Flash and Java.

Despite these protections, the attack I will discuss remains viable due to specific features in many routers and their operating systems. It has been tested in real-world scenarios with the necessary permissions. While services like dnsmasq, OpenDNS, and NoScript offer some anti-rebinding measures, they are insufficient against the demonstrated attack.

The highlight of my talk will be the demonstration and release of a tool that automates this attack, proxying the router's internal web interface out to an external site. Provided a user inside the target network visits the attacker's website, the attacker can then browse the router's settings remotely. This presentation not only illustrates the ease of modern hacking techniques but also emphasizes the urgent need for both vendors and users to implement long-overdue security fixes.

Further details will be provided during the presentation.
