» ISP News » 

Some UK TalkTalk D-Link DSL-3680 Routers Vulnerable to DNS Hijack

Friday, March 27th, 2015 (3:47 am) by Mark Jackson (Score 13,353)
talktalk uk router

Customers of TalkTalk’s home broadband service in the United Kingdom, specifically those who use one of the ISPs older D-Link DSL-3680 routers (check the model code on the back), should be aware that for some people the hardware might be vulnerable to an easily performed remote DNS hijack.

The DNS system works to convert IP addresses to a human readable form (e.g. to examplefake.com) and back again. Most of the time your ISP runs the DNS servers, but end-users can also access their own computers and routers to use custom DNS solutions like OpenDNS or Google’s Public DNS.

But if a hacker gains access then they could replace the Primary and Secondary DNS settings with malicious servers. The result of a successful attack means that the hacker can redirect your website requests to fake phishing sites or monitor your activity to steal personal / financial information and inject more exploits into your home network in order to gain even greater control etc.

talktalk d-link 3680 router dns hacked
(Demo conducted by the customer – DNS was set to “auto” before the exploit attempt)

Meanwhile the problem with TalkTalk’s kit was spotted on Tuesday by a couple of customers, with one noticing that the Domain Name Server (DNS) details of their router had been changed and redirected to an unknown location without their permission (most likely a DNS server run by the attackers).

A second subscriber then tested the exploit on their DSL-3680 and found that he too was able to remotely change the DNS details of his router by merely using a special custom URL (web address) alongside the IP address of his Internet connection (no password was required). It’s a little more complicated than that, but not much.

It’s not uncommon for routers to expose their admin web-interface to the Internet, usually for purposes of remote management, although clearly it shouldn’t be this easy to crack.

John Smith, A TalkTalk Customer, told ISPreview.co.uk:

Given that D-Link appear to have known about this for two months since the story broke, I would have imagined they would have fixed their current routers by now, including the DSL-3680.

I was shocked to see my DNS settings altered remotely by some unknown entity, as you can imagine, especially since I know I used a very strong password for remote management. But I was bothered that I could not restrict access to specific IPs [for remote management], and this issue would have been mitigated had I been able to do so.”

The exploit appears as if it could stem from a vulnerability that we first reported on in January 2015 (here), which affected a number of D-Link routers, although D-Link has been hit by similar exploits over the past few years and so that it’s hard to know which one is the actual culprit.

On top of that D-Link appears to be of the viewpoint that the 3680 is not vulnerable to such an attack, yet the code used to perform it is almost identical to the one we covered earlier this year and TalkTalk informs that they’ve asked D-Link to check again. For security reasons we have chosen not to demonstrate how this works, although it’s easily found online.

D-Link officially published a firmware update to fix the aforementioned exploit a couple of weeks ago, while the last firmware released for TalkTalk’s D-Link DSL-3680 was v1.12t on 10th November 2014 (here) and the affected customers are currently on that version. TalkTalk’s other D-Link routers include the 2680, 2640R, 2740R, 2780 and 3780.

At the time of writing TalkTalk have said that they’re still investigating the situation and we hope to have an update soon. But customers who do have the router shouldn’t worry just yet  because it’s only an issue if you’ve enabled Remote Management, which is normally disabled by default. Obviously we’d recommend switching this feature off until the issue is resolved (hackers can easily scan for exposed routers, so do check).

Take note that the remote management being referenced above is not the familiar CWMP/TR-069 interface, but rather a separate feature that allows users to log into the router’s web interface over WAN (useful for remotely monitoring your network). By comparison the TR-069 feature, which is often used by ISPs to deliver firmware updates, is not vulnerable.

Add to Diigo
Tags: ,
Leave a Comment
2 Responses
  1. tatanyave

    Using Putty I telnet into the router and I get some commands:
    D-Link> ?
    Valid commands are:
    sys exit ether wan
    etherdbg tcephydbg ip bridge
    dot1q pktqos show set
    D-Link> ip dns
    query stats hijack
    D-Link> ip dns hijack
    DNS Hijack switch is 1.
    D-Link> ip dns hijack show
    valid command: ip dns hijack [0|1].

    Would someone like to investigate this?
    What is being hijacked?
    Also if you try to ping the internet with an invalid url, your query gets
    routed through to which belong to http://www.barefruit.co.uk/
    I got the modem from TalkTalk.

  2. John

    I don’t think the hijack settings in the DSL-3680’s telnet interface are related to the vulnerability reported in the news story. Often these router “hijack” settings are used to hijack DNS to a router troubleshooting page in the event of ADSL being down (e.g. divert http://www.google.com to and display a troubleshooting page).

    The NXDOMAIN hijacking to Barefruit is a different sort of hijacking which TalkTalk use to make money out of typographical errors. You can opt-out here: http://www.talktalk.co.uk/optout/

IMPORTANT: Javascript must be enabled to post (most browsers do this automatically). On mobile devices you may need to load the page in 'Desktop' mode to comment.

Comments RSS Feed

* Your comment might NOT appear immediately (the site cache re-syncs periodically) *
* Comments that break our rules, spam, troll or post via fake IP/proxy servers may be blocked *
Cheapest Superfast ISPs
  • Origin Broadband £23.89 (*31.58)
    Up to 38Mbps, Unlimited
    Gift: None
  • Plusnet £24.99 (*33.98)
    Up to 38Mbps, Unlimited
    Gift: £50 Cashback
  • Vodafone £25.00
    Up to 38Mbps, Unlimited
    Gift: None
  • Virgin Media £26.00
    Up to 50Mbps, Unlimited
    Gift: None
  • Hyperoptic £26.00 (*35.00)
    Up to 100Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
*Javascript must be ON to vote*
The Top 20 Category Tags
  1. BT (1908)
  2. Broadband Delivery UK (1320)
  3. FTTP (1228)
  4. FTTC (1214)
  5. Politics (946)
  6. Openreach (931)
  7. Business (837)
  8. Statistics (763)
  9. Fibre Optic (751)
  10. Mobile Broadband (692)
  11. Wireless Internet (627)
  12. Ofcom Regulation (615)
  13. Virgin Media (575)
  14. 4G (574)
  15. FTTH (508)
  16. Sky Broadband (453)
  17. TalkTalk (430)
  18. EE (373)
  19. Security (311)
  20. 3G (269)
New Forum Topics
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules