Is it the ISPs Fault if Your Home Broadband Router Gets Hacked?

As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit?

Last week ISPreview.co.uk carried word that more than 300,000 home broadband routers, albeit mostly in Vietnam, had been infected by a new Domain Name System (DNS) redirection exploit. This effectively hijacks the routers / your website requests and redirects the traffic to phishing servers that could be used to steal the owners personal information (here).

Shortly thereafter it emerged that some of AAISP’s customers in the United Kingdom had also been hit by a related exploit, which had changed the DNS settings on their routers to untrustworthy servers (199.223.215.157 and 199.223.212.99). The ISP wisely spotted the activity by logging when customers tried to access the aforementioned IP addresses and then contacting related users.

Meanwhile an article on The Register has just confirmed that customers of BT’s sibling ISP, PlusNet, have also been suffering from the same problem. No doubt they won’t be the only ones.

A Spokesperson for PlusNet said:

“Since last week, we’ve seen an increase in the amount of malicious DNS traffic being directed through to Plusnet IP ranges.

It appears that some of our customers, (and no doubt a number of other people out on the internet) running TP-Link, Linksys and Edimax routers have been compromised due a vulnerability which appears to allow the allocated DNS server in the router to be changed.

This means requests to domains like Facebook or Google are being redirected on ALL devices behind the router to a website which contains a malicious payload disguised as a Flash update.”

PlusNet also clarified that the routers they provide aren’t vulnerable to the hijack, which means that the issue is hitting subscribers that own third party kit (i.e. not ISP supplied). The earlier reports also indicated that most of the vulnerable kit tended to be end-of-life routers that were no longer receiving firmware updates and thus weren’t being patched against modern flaws.

Admittedly if it was the ISPs own hardware at fault then they would inevitably need to accept some responsibility for resolving the problem. But in this instance some customers have been quick to blame their Internet provider and often without realising that the fault rests with their own hardware and not the provider.

In the land of Internet provision the lines of responsibility are often blurred by a fog of technical jargon and or a simple lack of knowledge, which can lead some consumers to incorrectly apportion blame to the wrong recipient. At the same time ISPs do still have a responsibility to ensure that they don’t allow their customers and network to become hubs for bad traffic, thus the question is often – where do you draw the line?

Ultimate responsibility for problems like this should reside with the end-user, which could involve replacing or patching the device to ensure that the issue does not re-occur. In other cases it may also be possible to add a firewall rule that could block an attack vector used by the exploit but these tend to vary and may not be a lasting solution.

However ISPs can also do their bit by keeping an eye out for bad traffic and notifying related customers when spotted, ideally alongside some constructive advice rather than a “Oh noes.. you’ve been hacked! Goodbye” style response. But we shouldn’t be expecting ISPs to do everything for us.