Linksys WiFi Gateway Remote Attack Risk Discovered

Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."
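
A defender's check for the behaviour described in the summary above, as an added example that is not part of the original story or its comments: run from a host outside your LAN against your own router's WAN address, it reports whether ports 80 and 443 still answer after remote administration has been turned off. The function names and result fields are assumptions made for this example.

```python
import http.client
import socket
import ssl

# Ports named in the summary: HTTP on 80, HTTPS on 443.
ADMIN_PORTS = ((80, False), (443, True))

def probe_admin_port(host, port, use_tls=False, timeout=5.0):
    """Send one HTTP(S) request and classify how the port answered."""
    result = {"port": port, "state": "open", "http_status": None, "auth": None}
    if use_tls:
        # Consumer routers ship self-signed certificates; this is only a
        # reachability test, so certificate validation is skipped on purpose.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        result["http_status"] = resp.status
        # A 401 plus WWW-Authenticate is how a password-protected page answers.
        result["auth"] = resp.getheader("WWW-Authenticate")
    except ConnectionRefusedError:
        result["state"] = "closed"       # host replied with a TCP reset
    except (socket.timeout, TimeoutError):
        result["state"] = "filtered"     # no answer in time, typically dropped packets
    except (http.client.HTTPException, ssl.SSLError, ConnectionResetError):
        pass                             # TCP connected but no clean HTTP: still open
    except OSError:
        result["state"] = "unreachable"  # routing or DNS failure, nothing learned
    finally:
        conn.close()
    return result

def exposed_admin_ports(host, ports=ADMIN_PORTS, timeout=5.0):
    """Return the probe results for every port that accepted a connection."""
    probes = [probe_admin_port(host, p, tls, timeout) for p, tls in ports]
    return [r for r in probes if r["state"] == "open"]

if __name__ == "__main__":
    import sys
    # Usage: python check_wan.py <your-router-WAN-address>
    for target in sys.argv[1:]:
        for hit in exposed_admin_ports(target):
            print(f"{target}:{hit['port']} reachable, HTTP {hit['http_status']}, auth={hit['auth']}")
```

An empty result from outside the LAN is the expected outcome once remote administration is off; any entry means the web interface is still reachable from the WAN side.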

  • by Space cowboy ( 13680 ) * on Thursday June 03, 2004 @08:32AM (#9324261) Journal
    Security consultants Secunia rates the flaw as "moderately critical" and urged users to configure a strong password for the administrative Web interface or restrict access to the interface altogether.


    Whereas I (owning one of these boxes) rate the flaw as a combination of 'wide open', 'come and hack me, here I am', and 'criminally stupid'. What the [insert expletive] is the point of the 'turn off remote administration' option, if it doesn't turn off remote administration ??!!

    I always make sure I enter my own password into every system of mine that lets me. At least that way it's only ever *my* mistakes that will trip me up...

    Simon

  • by Gothmolly ( 148874 ) on Thursday June 03, 2004 @08:36AM (#9324282)
    Since 70%+ of the wireless users on my block do not activate WEP, or change the default channel, or use a non-default SSID, I'm willing to bet that nobody went through the effort to manually deactivate the admin interface, or change the password. You could argue that that is merely a de facto flaw, while the listed vulnerability is de jure, but from a practical perspective, this is no less secure than everything was anyway.
  • by fabs64 ( 657132 ) <beaufabry+slashdot,org&gmail,com> on Thursday June 03, 2004 @08:38AM (#9324290)
    Honestly, these sorts of completely blatant and downright dangerous security holes in software, I think, should pave the way for making developers culpable for damages incurred by defects in their software.

    I mean honestly, if a Surgeon said that they sewed up a hole in your stomach but really didn't they would be considered criminally negligent wouldn't they? How is a company allowed to release something as obviously dangerous as this to the public without having some sort of liability?

  • by ideatrack ( 702667 ) on Thursday June 03, 2004 @08:39AM (#9324304)
    You could argue that, but seeing as there are decent sysadmins out there (no really) who will have turned this feature off, it's pretty severe. Admittedly if I had turned it off, then I'd check to see if that was actually the case, but it's very easy to just believe the interface. After all, they'll have checked it before shipping it, won't they? Won't they?
  • by blowdart ( 31458 ) on Thursday June 03, 2004 @08:40AM (#9324311) Homepage
    this is no less secure than everything was anyway

    That's debatable. The admin pages are exposed to the internet at large by default, with a known username and password. Whereas with no WEP and so on you at least have to be physically close.

  • by Ath ( 643782 ) on Thursday June 03, 2004 @08:40AM (#9324314)
    1) This problem is specific to one version of firmware. I can guarantee it has not been there in many of the versions I have used. 2) It only affects units that have not had their default password changed. I agree it is a security risk but it should be kept in perspective. If a user does not change the password, that is not a design problem of the firmware. The only real problem is that the function to turn off remote administration on the WAN port stopped working in the specific release of firmware. The article does not mention which version of firmware this guy was using, so we cannot confirm it. I personally use a modified version of the Linksys firmware, of which there are now quite a few.
  • Does it matter? (Score:3, Insightful)

    by thedillybar ( 677116 ) on Thursday June 03, 2004 @08:43AM (#9324337)
    even if you turn the remote administration feature off on a Linksys WRT54G

    Isn't it safe to say that if someone finds the "remote administration feature" and turns it off, they're also going to change the default password while they're in there? Or do people think oh, since you can't remotely administer this thing from outside, it doesn't matter? Sounds sketchy to me, I don't think it's going to be a big deal.

  • Okay.... (Score:4, Insightful)

    by s.a.m ( 92412 ) on Thursday June 03, 2004 @08:44AM (#9324344) Journal
    So what's the big deal here? If you change the password etc. then the problem is solved, right? Ohhh, that's right, you're talking about people not READING the damn manual telling them what they need to do!

    Well tell you what, tough. You didn't read, you didn't listen, then pay the consequences. It TELLS you that you need to change the password etc and what you should do. If you choose not to do it, then face the consequences.

    See a Red Light means stop, if you choose not to obey that and get in an accident and get hurt, well sorry but you pay the consequences of your actions.

    I hate being so negative sometimes but damn, there comes a time when even the Big red letters not the widespread panic across the news won't help.

    Yes, I agree, the companies should make these things where you have to create a new password and username etc, but there's only so much they can do. B/c we all know that most people would leave the password field blank. I know this all too well as the CEO of my company has a blank password on his personal email addy.
  • by jimicus ( 737525 ) on Thursday June 03, 2004 @08:48AM (#9324382)
    Mod parent up as insightful... it's an excellent point.

    We sue architects for designing buildings which collapse before they're even completed. We sue car manufacturers who build cars which have an annoying tendency to explode. Our relatives sue doctors who say "that little lump is nothing to worry about". In each case, a person in a profession which requires a degree of understanding greater than expected of the general public has screwed up.

    I can only imagine that the IT industry has convinced the general public that computers are Just So Complicated that nobody on earth can possibly understand them properly, and therefore such mistakes are to be expected. One day someone will be killed because of such complacency. Perhaps then the industry will start to take some responsibility for its mistakes.
  • by Sir dies alot ( 782598 ) on Thursday June 03, 2004 @09:00AM (#9324470)
    I'm from the US and I've configured a few different routers, and from what I've seen, the majority of those come with an automagical cd that does not enable WEP, it just configures the network with the default SSID and the default username/password/port settings. One router specifically was by network everywhere, which you plugged in and attached to a modem and it was broadcast wirelessly, no setup, no cd, no nothing. You could just plug it in and let your wireless card detect the network. It was configurable, but Joe user wouldn't have the first clue as to how. Hope this helps.
  • Re:Okay.... (Score:3, Insightful)

    by David Byers ( 50631 ) on Thursday June 03, 2004 @09:08AM (#9324526)
    We've known for years or even decades that people for whatever reason often won't change the default password of the default account.

    Saying "change the password" in the manual in no way absolves the manufacturer of the responsibility to provide a reasonable default, especially when they know that many of their customers won't change that default.

    If you make a product for the mass market, design your product accordingly and make it easy for your customers to do the right thing and hard to do the wrong thing. Most people will take the path of least resistance. Make sure that path leads to a good place.

    Linksys could have done better. They could have required a password change before allowing the access point to accept outside connections. To combat bad passwords they could warn users about them. They could even *generate* good passwords and encourage home users to tape a note of the password under the access point.

    And the fact that your CEO has a blank e-mail password does not imply that most people leave passwords blank. What we do know is that many people will choose weak passwords, but even weak passwords are better than blank defaults.
  • Re:Okay.... (Score:2, Insightful)

    by evel aka matt ( 123728 ) on Thursday June 03, 2004 @09:09AM (#9324534)
    Fine, and it's Master's fault when I leave my front door unlocked and then get robbed. But, but, I had a sign on the gate that said "FRIENDS ONLY"!!!!! That's a lame damn excuse.

    I'll let you know when I find an intelligent user that says "fuck it, admin is fine, not like anyone else has access to it."
  • by gclef ( 96311 ) on Thursday June 03, 2004 @09:09AM (#9324542)
    There's a concept called "fitness for purpose" that I think applies here. If you used bicycle tires on a car, for whatever reason (price being an obvious one), if you then got hurt in your car, you'd have no one to blame but yourself. Bike tires aren't fit for use on a car.

    By the same logic, if you used a cheap, home-user piece of crap for a life-critical operation, you deserve to be sued into oblivion, since it wasn't designed for something critical. Personal firewalls like this Linksys thing are not suited for life-critical use, and everyone who knows what the hell they're doing should realize that.

    If you use a piece of software that is sold as "fit for this purpose" (like, using windows-embedded health monitoring devices) and it fails due to a poor design, then you're right on...the vendor of that device should be sued.
  • by dfn5 ( 524972 ) on Thursday June 03, 2004 @09:12AM (#9324561) Journal
    We sue architects for designing buildings which collapse before they're even completed.

    When was the last time you saw someone firmware upgrade a building? This analogy is hardly accurate. Software is correctable. I would hardly consider something like this "Dangerous" as the previous poster put it.

    And as far as Wi-Fi security is concerned I think that people have blown it way out of proportion. If people just treat Wi-Fi networks as insecure as the Internet and keep it separated from their internal network there shouldn't be any problem with keeping it open. Secure hosts, not networks.

  • by kfg ( 145172 ) on Thursday June 03, 2004 @09:23AM (#9324657)
    When was the last time you saw someone firmware upgrade a building?

    My brother makes his living doing this.

    KFG
  • by Pascal Sartoretti ( 454385 ) on Thursday June 03, 2004 @09:26AM (#9324689)
    A basic problem with factory settings is the well-known usernames and passwords. Why not simply set them to the device's serial number?
  • by jimicus ( 737525 ) on Thursday June 03, 2004 @09:49AM (#9324906)
    Ah, great solution, "sue". Guess you must be American.

    I'm not. I'm English.

    Here in Merrie Olde England, a few years ago, the London Ambulance Service decided that a computer could work out the most efficient route from A to B through a busy city far better than a human controller. Reference Here [ucl.ac.uk]

    Thus the computer could decide which ambulance was best placed to answer a specific call based on its geographic location far more efficiently than a person.

    It couldn't. People died. Nobody was ultimately held liable. Had the problem been that a bunch of vehicles with faulty steering was sold as ambulances, the manufacturer would have been feeling the pain for years.

    It is my 'umble, very 'umble opinion, that there are some things which we still do not understand sufficiently to turn into reliable computer systems. Oh, we understand them ourselves OK - regular drivers know where's a bad place to drive in their home town at rush hour - but we simply don't have a thorough enough understanding to be able to turn it into a reliable computer system. Yet we still try it.
  • by the_skywise ( 189793 ) on Thursday June 03, 2004 @09:50AM (#9324914)
    Because Windows XP FORCES you to leave SSID on or suffer the wrath of not being able to connect if you have multiple wireless routers in the area.

    See Microsoft Link [microsoft.com]

    Microsoft even tells you that this is a "good thing" at the link:

    Disabling SSID broadcasts on an access point is not considered a valid method for securing a wireless network.

  • by tstiehm ( 73447 ) on Thursday June 03, 2004 @11:13AM (#9325817)
    This isn't true. While XP won't detect a WAP with the SSID broadcast turned off, you can manually configure a connection to the router. The whole point of turning your SSID broadcast off is to not allow automatic detection of WAPs. I would say MS is working within the standard in this case.

    I have this specific situation, I am not broadcasting my SSID but I have 3-6 WAPs broadcasting SSIDs around me. I have no problem.
  • by darkain ( 749283 ) on Thursday June 03, 2004 @11:34AM (#9326146) Homepage
    Please keep in mind tho, that Cisco and Linksys ARE the same company now. How much further spread is this to their other products?
  • by LincolnQ ( 648660 ) on Thursday June 03, 2004 @12:07PM (#9326603)
    Probably because they print 50 billion ROM chips all identical, and it would be a significant cost to reprogram each one differently with the serial number.
