Linksys WiFi Gateway Remote Attack Risk Discovered 311
Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."
Only 'moderately' critical ? (Score:5, Insightful)
Whereas I (owning one of these boxes) rate the flaw as a combination of 'wide open', 'come and hack me, here I am', and 'criminally stupid'. What the [insert expletive] is the point of the 'turn off remote administration' option, if it doesn't turn off remote administration ??!!
I always make sure I enter my own password into every system of mine that lets me. At least that way it's only ever *my* mistakes that will trip me up...
Simon
Re:Only 'moderately' critical ? (Score:5, Informative)
If you did the right thing and changed your admin password, then what you've really got is a Linux box on a WAN, with a hard-to-guess password.
Besides which, you're running the Sweadish [sveasoft.com] firmware anyway, aren't you?
Re:Only 'moderately' critical ? (Score:2, Informative)
I picked one of these up last night.
The admin page is set at 192.168.1.1, a route unreachable from my NATed router (which even resides on another subnet).
As long as people set up WPA or something, these devices are fine. You would have to have physical access to the network to run the noted compromise, as the page in question is only accessible from the air if you first compromise whatever wireless security the user has in place.
Re:Only 'moderately' critical ? (Score:3, Informative)
Re:Only 'moderately' critical ? (Score:3, Informative)
It would be more critical if the exploit permanently wrecked the router. As it is, most of them have their simple boot code in flashable ROM. Just grab the last good copy and work with it (if someone figures out a way to update the firmware to a bad version, well, then people are screwed).
Re:Only 'moderately' critical ? (Score:3, Informative)
This doesn't rate a critical or severe like the
Re:Only 'moderately' critical ? (Score:2)
Re:Only 'moderately' critical ? (Score:2)
Ummmmm....... (Score:5, Funny)
does anyone know (Score:4, Interesting)
Re:does anyone know (Score:2)
psst ... (Score:5, Funny)
Re:psst ... (Score:4, Interesting)
Re:psst ... OFFTOPIC (Score:2)
*Don't get any ideas; they both use WPA and MAC address limiting, so neither of them are open.
Re:psst ... OFFTOPIC (Score:2)
Well in Manhattan, the most densely populated county in the U.S. (67,000 people / square mile), I've generally had no fewer than 3 WiFi access points available in the various apartments I've lived in... I can reach 7 access points from different corners of my 400 square foot apartment now.
Not that WiFi is the reason to live here, but hey, free Internet is nice when you're paying through the nose for the apartment!
Re:psst ... OFFTOPIC (Score:4, Interesting)
With people giving away USB 802.11b cards for free [ecost.com], the temptation to steal all that free internet is just, well, it's inevitable that it gets used.
Oh, and we had this great idea! See, there's so many open wireless networks at our place, and so many people with open filesystem shares, that one of the things we do to make a little spare cash is that we use that unified network adapter Linux has where you can bind interfaces together. It's a little sloppy but we effectively have an aggregate 12.0 megabit connection out, and 1.2 megabit connection in, from the internet over 4 wireless LANs we connected to. Then we did some filesystem-on-a-filesystem type things with the open file shares and made a pseudo RAID using the neighbors' unknowingly shared directories. We can sell 1.2 megabit webhosting for 12.95 a month with zero infrastructure costs. I guess if I had to describe it in a word I'd say that it's "sweet."
Re:Too Late -- Expired (Score:3, Informative)
http://www.pcmall.com/pcmall/shop/detail.asp?dpno=345833&adcampaign=email,PWB02474 [pcmall.com]
There's a vendor that has it 'til June 30th. There are a ton of these; just Google for "free usb wifi" or something.
Re:psst ... (Score:2)
Try doing it from the internet side, and see if you can still get in. It seems some people here are calling bluff.....
Re:psst ... (Score:3, Informative)
It works from the outside as well.
This has actually been a problem for a long time. I first noticed it on one of their 802.11b series WAP/firewalls. I don't remember the model; it was an early one and died of over-heating a couple years ago, like most of their stuff does.
(Tip for anybody w/a LinkSys WAP - put a fan on/in it!)
Like somebody else commented, I just forwarded the ports to a bogus IP. I also sent a note to their tech support who told me to upda
All your gateways are belong to us (Score:4, Funny)
Has nobody noticed these ports being wide open? (Score:4, Interesting)
Re:Has nobody noticed these ports being wide open? (Score:3, Interesting)
Re:Has nobody noticed these ports being wide open? (Score:2)
They do this for all of their routers - wired or wireless. The default password is in the (downloadable) manual, along with instructions to change it. To be fair, they aren't the only ones to do this.
How is this different from normal? (Score:5, Insightful)
Re:How is this different from normal? (Score:4, Insightful)
Re:How is this different from normal? (Score:2)
Re:How is this different from normal? (Score:2, Insightful)
That's debatable. The admin pages are exposed to the internet at large by default, with a known username and password. Whereas with no WEP and so on you at least have to be physically close.
Re:How is this different from normal? (Score:2, Interesting)
Re:How is this different from normal? (Score:2, Insightful)
Re:How is this different from normal? (Score:5, Informative)
Mine does - I've got a "Wireless SSID Broadcast: Enable/Disable" option on the Wireless page. I'm running firmware 2.02.2
Cheers,
Ian
Which doesn't matter if you use Windows XP (Score:4, Insightful)
See Microsoft Link [microsoft.com]
Microsoft even tells you that this is a "good thing" at the link:
Disabling SSID broadcasts on an access point is not considered a valid method for securing a wireless network.
It's not a priority issue... (Score:3, Informative)
That, I hadn't tried... (Score:3, Interesting)
I hadn't thought about using the linksys app... (which I had uninstalled because I didn't want all the icons cluttering up my start bar and, geez, Windows XP already provides those services anyway...)
Re:"Wireless SSID broadcast: Enable/Disable" optio (Score:2)
Doesn't mean it's broken either. In this case it's easy to see: bring in a WiFi device and see if the SSID is picked up. And it wasn't, by two separate devices.
Cheers,
Ian
Re:How is this different from normal? (Score:2)
Incorrect. Right there on the default setup page are the following fields:
SSID: (key in your SSID)
SSID Broadcast: (*) Enable ( ) Disable
There are enough bad things you can say about Linksys, you don't have to make up new ones that aren't true.
Re:How is this different from normal? (Score:4, Informative)
Please make sure you either clarify such statements or don't make them when they are false (as in the current situation).
Re:How is this different from normal? (Score:2, Informative)
Linksys routers have no way to stop broadcasting the SSID
Which Linksys WAP? The WRT54G certainly does allow you to turn off SSID broadcast, it's a setting under the "Wireless" tab on the administration page. When I first set up my wireless network, I initially left the SSID on to make it easier for me to verify that all my machines were within range and had good signal. Once satisfied, I turned off the SSID broadcast and took other steps to secure the network.
Changing the default SSID doesn't help
Re:How is this different from normal? (Score:4, Informative)
Re:How is this different from normal? (Score:4, Informative)
Re:How is this different from normal? (Score:2)
That is wholly inaccurate. The WRT54G supports turning off SSID broadcast (I've tested it and it actually does stop broadcasting). It also supports WPA in addition to WEP.
Yes, but could they.... (Score:2)
Yes, but could they reconfigure the WAP to turn on that "unrestricted access to internet" feature that maps every inbound port on the router to one internal machine? Let's see - they know your internal IP block from the router config, and even the addresses of your DHCP workstations. If you haven't kept your patches up to date.....
pWN3D!
Maybe it's just the way the summary was written, but for some reason the original article poster makes this sound like more of a nuisance than the serious problem it re
things like this... (Score:5, Insightful)
I mean honestly, if a Surgeon said that they sewed up a hole in your stomach but really didn't they would be considered criminally negligent wouldn't they? How is a company allowed to release something as obviously dangerous as this to the public without having some sort of liability?
Re:things like this... (Score:4, Insightful)
We sue architects for designing buildings which collapse before they're even completed. We sue car manufacturers who build cars which have an annoying tendency to explode. Our relatives sue doctors who say "that little lump is nothing to worry about". In each case, a person in a profession which requires a degree of understanding greater than expected of the general public has screwed up.
I can only imagine that the IT industry has convinced the general public that computers are Just So Complicated that nobody on earth can possibly understand them properly, and therefore such mistakes are to be expected. One day someone will be killed because of such complacency. Perhaps then the industry will start to take some responsibility for its mistakes.
Re:things like this... (Score:5, Insightful)
By the same logic, if you used a cheap, home-user piece of crap for a life-critical operation, you deserve to be sued into oblivion, since it wasn't designed for something critical. Personal firewalls like this Linksys thing are not suited for life-critical use, and everyone who knows what the hell they're doing should realize that.
If you use a piece of software that is sold as "fit for this purpose" (like, using windows-embedded health monitoring devices) and it fails due to a poor design, then you're right on...the vendor of that device should be sued.
Re:things like this... (Score:2, Insightful)
When was the last time you saw someone firmware-upgrade a building? This analogy is hardly accurate. Software is correctable. I would hardly consider something like this "dangerous" as the previous poster put it.
And as far as Wi-Fi security is concerned I think that people have blown it way out of proportion. If people just treat Wi-Fi networks as insecure as the Internet and keep it separated from their internal
Re:things like this... (Score:2, Insightful)
My brother makes his living doing this.
KFG
Re:things like this... (Score:2, Interesting)
Ah, great solution, "sue". Guess you must be American.
As soon as folk start suing, FOSS goes out the window - remember the kernel this Linksys box runs is GPL'd and it's for that reason folk have been doing so many great things with it.
Now you want every programmer, every kid who wants to release an application to take out public indemnity insurance. Why, because a user couldn't be bothered to RTFM and set a password. The user is at fault by not following the supplied instructions, but f
Re:things like this... (Score:3, Insightful)
I'm not. I'm English.
Here in Merrie Olde England, a few years ago, the London Ambulance Service decided that a computer could work out the most efficient route from A to B through a busy city far better than a human controller. Reference Here [ucl.ac.uk]
Thus the computer could decide which ambulance was best placed to answer a specific call based on its geographic location far more efficiently than a person.
It couldn't. People died. Nobody was ultimately held
Re: (Score:2, Informative)
Re:things like this... (Score:3, Interesting)
The only chance of having a bug free system is one organization having control of the entire system from hardware design, to the firmware, to the OS, the support libraries, and the application software. In the current IT world, where your hardware consists of generic components from half a dozen manufacturers, your OS from someone else, and application software and support libraries from other companies, none of which have influence over each other a
Re:things like this... (Score:2)
If the cruise control in your car were to go berserk and drive you into a brick wall, you'd bet your ass you'd be suing the car manufacturer (read: company that wrote the firmware). Having your firewall vulnerable on the Internet
2 points (Score:5, Informative)
2) 99% of people aren't going to update the firmware when it comes out so this bug will be floating around for some time.
The average joe 6 pack needs to be forced to use the security with it. If you give it as an option then it many times will be ignored. Security needs to be made part of the setup and updates need to be easy to install.
port forwarding (Score:4, Interesting)
Re:port forwarding (Score:5, Informative)
From the article:
"As a workaround until a firmware upgrade is issued, Rateliff recommends the use of port forwarding to send ports 80 and 443 to non-existent hosts. "Note that forwarding the ports to any hosts -- including listening ones if you are actually running servers -- will override the default behavior," he explained."
So you're ok. As am I, or at least as I will be after I've just finished forwarding 443...
Cheers,
Ian
Re:port forwarding (Score:2)
I think Rateliff had some cables crossed and, because I am using the exact same firmware, I don't forward 80 or 443, and I can't get the admin page from the WAN.
Re:port forwarding (Score:2)
in short (Score:3, Informative)
How does changing the default password help if you don't turn on WEP? Can't someone get on the network using the default SSID(linksys) and sniff for passwords?
Re:in short (Score:2)
Once you have configured the router to perform the tasks you need, most people never have a need to log into the router again. As a result the new password does not appear on the wireless net any more for the vast majority of the users who do set the password.
Some of us do things like checking statistics, setting up port forwarding, etc. tha
The reason the risk is "moderate" is... (Score:5, Insightful)
Re:The reason the risk is "moderate" is... (Score:2)
Re:The reason the risk is "moderate" is... (Score:2)
Re:The reason the risk is "moderate" is... (Score:5, Informative)
I should correct this because some people with the 2.02.07 version that this guy claimed to be using are reporting they cannot reproduce the problem.
This could be basic user error. By the way, the remote admin function is disabled by default in the WRT54G firmware.
What gets me is that if you want to bitch about the WRT54G firmware, there are plenty of better reasons than this apparently bogus one. Only the hacked firmwares really make this hardware shine (and have all functions plus new ones work properly).
Also doesn't work on WAG54G (Score:2)
Re:The reason the risk is "moderate" is... (Score:2)
The sad truth is that Linksys has gone down the drain since being acquired by Cisco. I own a BEFSX41 and for the past 3 or 4 firmware revisions things have been constantly broken. Either various Yahoo services just plain don't work, DynDNS support was broken at one point, VPN tunn
Firmware flash (Score:3, Interesting)
Bugtraq submission (Score:5, Informative)
Manufacturer: LinkSys (a division of Cisco)
Product: Wireless-G Broadband Router
Model: WRT54G
Product Page:
http://www.linksys.com/products/product.as
Firmware tested: v2.02.7
In a recent client installation I discovered that even if the remote
administration function is turned off, the WRT54G provides the
administration web page to ports 80 and 443 on the WAN. The implications
are obvious: out of the box the unit gives full access to its administration
from the WAN using the default or, if the user even bothered to change it,
an easily guessed password.
I reported this to LinkSys (along with a number of other non-security
related issues) on April 28. I received no response addressing this, and no
updated firmware has yet appeared on their firmware page
http://www.linksys.com/download/firmware.as
To work around this, you can use the port forwarding (irritatingly renamed
to Games and whatever) to send ports 80 and 443 to non-existent hosts. Note
that forwarding the ports to any hosts -- including listening ones if you are
actually running servers -- will override the default behavior.
On a personal note, there are a number of reasons for which I am thoroughly
disappointed with LinkSys since the acquisition by Cisco. For the sake of
what was once a rock-solid product and great brand name, I hope things
change soon.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2@rateliff.net
(Office) 850/350-0260 : (Mobile) 850/559-0100
[System Administration][IT Consulting][Computer Sales/Repair]
Re:Bugtraq submission (Score:2, Interesting)
> Testing this issue with a recently purchased WRT54G here showed that while
> I can access the web interface on the WAN IP from the LAN behind the
> linksys, I can not access it from another location on the WAN side.
Also, there were other replies saying that you could fix this by forwarding these ports to non-existent IPs if you were able to reproduce the issue.
Re:Bugtraq submission (Score:2)
Well... (Score:5, Funny)
...anyone dumb enough to leave the router with the default password deserves to be h4x0red. I assume that by now pretty much anyone that owns a computer knows the need to create their own password not only for their PC but other devices/peripherals.
Although, I tried changing mine to "penis" and it returned a message saying: "Password is too small."
Go figure...
Wifi-Box Firmware (Score:2)
Re:Wifi-Box Firmware (Score:2)
And I definitely do not have the problem with the Wifibox firmware that I have been using for almost 9 months.
testing (Score:2)
What if some script kiddie meshed them all? (Score:5, Interesting)
Understand, I'm not advocating any kids actually do this -- it's just a fun, if slightly whacked, idea.
Re:What if some script kiddie meshed them all? (Score:2)
Re:What if some script kiddie meshed them all? (Score:3, Funny)
Wow, you could cluster 100 of these together and get the computing power of a Pentium III. Imagine what you could do with that kind of hardware.
Re:What if some script kiddie meshed them all? (Score:2)
NOT (Score:4, Informative)
Something is wrong...... (Score:2)
not not .... well sorta (Score:5, Informative)
In hindsight this sort of makes sense.
In any case I wouldn't consider this to be a HUGE problem since 'firewall protection' is on by default and 'Joe 6-pack' is unlikely to turn it off since the general perception among non-geeks (at least in my experience) is that firewalls are magical good things that block bad stuff (for varying definitions of bad).
Does it matter? (Score:3, Insightful)
Isn't it safe to say that if someone finds the "remote administration feature" and turns it off, they're also going to change the default password while they're in there? Or do people think oh, since you can't remotely administer this thing from outside, it doesn't matter? Sounds sketchy to me, I don't think it's going to be a big deal.
Simple, simple solution (Score:2, Funny)
Okay.... (Score:4, Insightful)
Well tell you what, tough. You didn't read, you didn't listen, then pay the consequences. It TELLS you that you need to change the password etc and what you should do. If you choose not to do it, then face the consequences.
See a Red Light means stop, if you choose not to obey that and get in an accident and get hurt, well sorry but you pay the consequences of your actions.
I hate being so negative sometimes but damn, there comes a time when even the big red letters nor the widespread panic across the news won't help.
Yes, I agree, the companies should make these things where you have to create a new password and username etc, but there's only so much they can do. B/c we all know that most people would leave the password field blank. I know this all too well as the CEO of my company has a blank password on his personal email addy.
Re:Okay.... (Score:2)
You know how I
Re:Okay.... (Score:2, Insightful)
I'll let you know when I find an intelligent user that says "fuck it, admin is fine, not like anyone else has access to it."
Re:Okay.... (Score:2)
Re:Okay.... (Score:2)
Anyone know how to do it? I'd love to have a name for the "root" user.
Re:Okay.... (Score:3, Insightful)
Saying "change the password" in the manual in no way absolves the manufacturer of the responsibility to provide a reasonable default, especially when they know that many of their customers won't change that default.
If you make a product for the mass market, design your product accordingly and make it easy for your customers to do the right thing and hard to do the wrong thing.
Need a better notification mechanism (Score:2)
Use Custom Linux firmware (Score:2, Informative)
Additional info on WRT54G administration page (Score:5, Informative)
How long until a worm that exploits this comes out (Score:2)
After all, if you didn't change it in the first place, you'll probably never notice the "upgrade".
Linksys products are flaky (Score:2)
Netgear is consistently better.
What a lot of worm flash food! (Score:2, Interesting)
Anyone know of another WiFi gateway company that would be good to buy stock in? They might suddenly be getting a massive number of orders.
Set reasonable options (Score:2)
The author of this report is likely to be using an earlier firmware version that did not have a firewall setting.
I don't know if Firewall/enable is the factory default now, but it might be. Problem solved? Not exactly -- t
I don't think this is true (Score:3, Interesting)
Pretty much the first thing I did when I took mine out of the box was to try to access port 80 and 443. No go.
After seeing this, we tried again. None of us can access the box from the WAN port, only the LAN side.
I wonder if this guy got a refurb or one that had been returned to a store after a user screwed with it?
There are backdoored firmware available. (Score:5, Informative)
This doesn't make sense... (Score:2)
Serial number as username and password? (Score:5, Insightful)
Linksys = cheap, shonky. (Score:2)
While Linksys devices are an option if you're looking for something that's very cheap and easy to administer (the CLI and web-based interfaces on their more complex switches are really user-friendly), they are historically flaky (due to lack of support for key options, non-upgradability or straightforward incompatibility with other devices) as well as insecure.
I wouldn'
You think that's scary? (Score:3, Informative)
I've been following this on BugTraq. As others in this discussion have pointed out, it's not that big a deal, since most people turn the firewall on. There's also an interesting post about someone who bought a few of them and checked whether the firewall was enabled by default--it turns out that two of the three units he tested came with the firewall enabled. [securityfocus.com]
Much more terrifying, though, is the fact that Netgear WG602 Access Points have a default admin account [securityfocus.com] that can't be turned off, with the username "super" and the password "5777364". So expect anyone on the WLAN/LAN to be able to own your router if you have this product and enable the admin interface.