Is it the ISP's Fault if Your Home Broadband Router Gets Hacked?

Tuesday, March 11th, 2014 (2:49 pm)

As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit?

Last week ISPreview.co.uk carried word that more than 300,000 home broadband routers, albeit mostly in Vietnam, had been infected by a new Domain Name System (DNS) redirection exploit. This effectively hijacks the router's DNS settings, so that your website requests are redirected to phishing servers that could be used to steal the owner's personal information.

Shortly thereafter it emerged that some of AAISP’s customers in the United Kingdom had also been hit by a related exploit, which had changed the DNS settings on their routers to untrustworthy servers (199.223.215.157 and 199.223.212.99). The ISP wisely spotted the activity by logging when customers tried to access the aforementioned IP addresses and then contacted the affected users.
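The detection step credited to AAISP above, written out as an added example (it is not code from the article, AAISP or PlusNet): the ISP watches its traffic logs for customers reaching the two rogue resolver addresses quoted in the article and builds a contact list. The flow-log format, the timestamps and every customer address (203.0.113.0/24 is a documentation range) are constructed for the example.

```python
"""Added example, not code from the ISPreview article or from AAISP/PlusNet.

Models the ISP-side detection the article describes: log customer traffic
towards the rogue resolvers named in the article (199.223.215.157 and
199.223.212.99) and build a list of customers to contact. The flow-log
format and every customer address (203.0.113.0/24, a documentation range)
are constructed for this example.
"""
from datetime import datetime

# Rogue DNS server addresses quoted in the article.
ROGUE_DNS = {"199.223.215.157", "199.223.212.99"}

# Constructed sample flow log: timestamp, customer (source) IP,
# destination IP, destination port, protocol.
SAMPLE_FLOWS = """\
2014-03-10T09:12:01Z 203.0.113.17 199.223.215.157 53 udp
2014-03-10T09:12:02Z 203.0.113.17 199.223.215.157 53 udp
2014-03-10T09:13:40Z 203.0.113.42 8.8.8.8 53 udp
2014-03-10T09:14:05Z 203.0.113.88 199.223.212.99 53 udp
2014-03-10T09:15:11Z 203.0.113.17 93.184.216.34 443 tcp
2014-03-10T09:16:00Z 203.0.113.88 199.223.212.99 53 tcp
2014-03-10T09:17:30Z 203.0.113.42 199.223.212.99 80 tcp
"""


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "port": int(port),
        "proto": proto,
    }


def find_hijacked_customers(flow_text, rogue=ROGUE_DNS):
    """Return {customer_ip: {"count", "first_seen", "rogue", "ports"}} for
    every customer whose traffic reached one of the rogue addresses.

    Any contact with the rogue hosts is recorded, as the article says AAISP
    did; the destination ports are kept so that DNS lookups (port 53, the
    signature of a router with rewritten settings) can be told apart from
    other traffic to the same hosts when the customer is contacted.
    """
    hits = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] not in rogue:
            continue
        rec = hits.setdefault(
            flow["src"],
            {"count": 0, "first_seen": flow["ts"], "rogue": set(), "ports": set()},
        )
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], flow["ts"])
        rec["rogue"].add(flow["dst"])
        rec["ports"].add(flow["port"])
    return hits


def notification_list(hits):
    """Customers to contact, earliest sighting first, as (ip, first_seen, count)."""
    rows = [(ip, rec["first_seen"], rec["count"]) for ip, rec in hits.items()]
    return sorted(rows, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    for ip, first_seen, count in notification_list(find_hijacked_customers(SAMPLE_FLOWS)):
        print(f"{ip}: {count} flows to rogue resolvers, first seen {first_seen:%Y-%m-%d %H:%M}")
```

Run against real data the same logic applies to any export with source, destination and port columns; the point is that the ISP never needs to inspect the customer's router, only its own flow records, to know who to contact.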

Meanwhile an article on The Register has just confirmed that customers of BT’s sibling ISP, PlusNet, have also been suffering from the same problem. No doubt they won’t be the only ones.

A Spokesperson for PlusNet said:

“Since last week, we’ve seen an increase in the amount of malicious DNS traffic being directed through to Plusnet IP ranges.

It appears that some of our customers (and no doubt a number of other people out on the internet) running TP-Link, Linksys and Edimax routers have been compromised due to a vulnerability which appears to allow the allocated DNS server in the router to be changed.

This means requests to domains like Facebook or Google are being redirected on ALL devices behind the router to a website which contains a malicious payload disguised as a Flash update.”

PlusNet also clarified that the routers it supplies aren’t vulnerable to the hijack, which means that the issue is hitting subscribers who own third-party kit (i.e. not ISP supplied). The earlier reports also indicated that most of the vulnerable kit tended to be end-of-life routers that were no longer receiving firmware updates and thus weren’t being patched against modern flaws.

Admittedly, if it was the ISP’s own hardware at fault then it would inevitably need to accept some responsibility for resolving the problem. But in this instance some customers have been quick to blame their Internet provider, often without realising that the fault rests with their own hardware and not the provider.

In the land of Internet provision the lines of responsibility are often blurred by a fog of technical jargon and/or a simple lack of knowledge, which can lead some consumers to apportion blame to the wrong recipient. At the same time ISPs do still have a responsibility to ensure that they don’t allow their customers and network to become hubs for bad traffic, thus the question is often: where do you draw the line?

Ultimate responsibility for problems like this should reside with the end-user, which could involve replacing or patching the device to ensure that the issue does not recur. In other cases it may also be possible to add a firewall rule that blocks an attack vector used by the exploit, but these tend to vary and may not be a lasting solution.
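Before and after replacing or patching the device, the end-user's part is to confirm which name servers the router is actually handing out. The following is an added example (not code from the article or any vendor) that audits a resolv.conf-style list: the rogue addresses are the two quoted in the article, the public resolvers are the Google and OpenDNS addresses named in the comments, and the ISP resolver addresses are placeholders in a documentation range standing in for the ISP's published name servers. The resolv.conf text is constructed.

```python
"""Added example, not code from the ISPreview article or any vendor tool.

Audits the name servers a device or router has been given. Rogue addresses
are the two quoted in the article; the public resolvers are the Google and
OpenDNS addresses listed in the comments; ISP_RESOLVERS are placeholders
(192.0.2.0/24 is a documentation range) for the ISP's published name
servers. The resolv.conf sample is constructed.
"""
import ipaddress

ROGUE_DNS = {"199.223.215.157", "199.223.212.99"}
ISP_RESOLVERS = {"192.0.2.53", "192.0.2.54"}  # placeholder: substitute your ISP's servers
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

SAMPLE_RESOLV_CONF = """\
# Constructed sample, as written by a DHCP client that accepted the router's offer
search home.example
nameserver 199.223.215.157
nameserver 192.0.2.53
nameserver not-an-address
"""


def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf-style text, ignoring
    comments, other directives and values that are not IP addresses."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def classify(server, trusted, rogue):
    """Label one configured server."""
    if server in rogue:
        return "known-rogue"
    if server in trusted:
        return "trusted"
    return "unknown"


def audit_resolvers(text, trusted=None, rogue=ROGUE_DNS):
    """Return (findings, verdict).

    findings maps each configured server to its class. verdict is
    "compromised" if any known-rogue server is present, "review" if any
    server is neither trusted nor known-rogue (or if no server is configured
    at all), and "clean" otherwise.
    """
    if trusted is None:
        trusted = ISP_RESOLVERS | PUBLIC_RESOLVERS
    findings = {s: classify(s, trusted, rogue) for s in parse_nameservers(text)}
    classes = set(findings.values())
    if "known-rogue" in classes:
        verdict = "compromised"
    elif "unknown" in classes or not findings:
        verdict = "review"
    else:
        verdict = "clean"
    return findings, verdict


if __name__ == "__main__":
    findings, verdict = audit_resolvers(SAMPLE_RESOLV_CONF)
    for server, label in findings.items():
        print(f"{server}: {label}")
    print(f"verdict: {verdict}")
```

An "unknown" result is not proof of compromise, only a prompt to compare the address against the ISP's published resolvers; a "known-rogue" result on a list the router supplied means the router, not the PC, is what needs fixing.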

However, ISPs can also do their bit by keeping an eye out for bad traffic and notifying the affected customers when it is spotted, ideally alongside some constructive advice rather than an “Oh noes.. you’ve been hacked! Goodbye” style response. But we shouldn’t be expecting ISPs to do everything for us.

21 Responses
  1. BT Investor

    All consumers should be savvy enough to configure OpenDNS on their ethernet connected client machines. Do not trust the wireless router – ever. I only blame ISPs for shipping wireless routers when they are not safe. Ethernet only please.

    • Raindrops

      Setting your LAN connection on your PC to manual DNS settings, be they OpenDNS, Google or any other, will not help.

      The exploit targets an IP range; when traffic over that range is sent through the corresponding default gateway is when the exploit takes place at the router level, altering the DNS servers and thus redirecting your traffic.

      It has nothing to do with whether you have wireless enabled or not, and setting DNS at LAN connection level or even per PC won’t help because your IP address and default gateway go hand in hand with each other.

      Short version: whether you are using your Rupees Burdoch or BT Investor ID, you have no idea about anything.

      One thing ISPs could do, though it would be a nightmare for large providers, is alter/switch around the corresponding gateway to IP range. Though if those behind it are that determined it would not take them long to realise and reconfigure their exploit. The only way to totally avoid it is to have router hardware which is not affected; with old hardware that is affected you can still use it to some degree: disable authentication and disable DHCP and turn your old router into a dumb switch.

    • FibreFred

      Raindrops, I take it you didn’t bother to read up on how the exploit works and just thought you would go on the attack?

      BT Investor is right: if you had your DNS settings manually configured on your PC you would be fine. I suppose the hack could try to change your PC settings also, but it would require elevated permission.

      Anyway, I suggest you read up on how the hack works 🙂

    • Raindrops

      NO, it is you, no matter what name you use, that does not understand. It’s done via a packet injection man-in-the-middle attack; setting the DNS at the PC won’t make any difference. Packets will and can still be intercepted because your IP is bound to your gateway address. Once captured, the exploit runs against it and then attempts to access a router which has the flaw to alter its DNS. The router is the first link in the chain of communication, not your PC. DOH!

    • FibreFred

      “NO, it is you, no matter what name you use, that does not understand. It’s done via a packet injection man-in-the-middle attack,”

      No it’s not, it’s a simple but very effective hack that gets your PC to change the router’s DNS settings to their own DNS servers.

      “setting the DNS at the PC won’t make any difference”

      Yes it does.

      It seems as long as chickens lay eggs you’ll find space on your face to smother those eggs all over.

      “Mitigation Strategies”

      “For end users, or those who use a SOHO device as their local DNS server, we suggest reviewing the DNS settings of local devices, and checking that the IP addresses listed belong to your ISP’s name servers. While not affected by this attack, a review of host computer DNS settings is also recommended. When in question, DNS settings can always be set to use Google’s name servers (8.8.8.8 and 8.8.4.4) or those of OpenDNS (208.67.222.222 and 208.67.220.220)”

      From the whitepaper: https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf

      I suggest you read the whitepaper and then we’ll see you back here with apologies for all 🙂

    • FibreFred

      You can also get the most up to date info on this hack here (https://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html), which includes the two new DNS IP addresses mentioned in this article.

      Just in case you cry “oh, it’s not the same hack”:

      Oh yes it is.

    • James Ling

      I am a customer of BT Plusnet with a Linksys router that has been affected. I contacted Plusnet, who said I should use their router, which I cannot as it has not worked (PSU is faulty); they are sending out a new router.

      They also told me to alter the DNS addresses on my PC… I WARN PEOPLE THIS DOES NOT WORK. Traffic to specific sites is still redirected. This is the very definition of a man-in-the-middle attack: it attacks traffic between the router and the internet, not between the PC and the router. All the time your router has the compromised DNS settings they can redirect your traffic.

      I have solved it for now by using a VPN with SSL and upgrading my Linksys firmware to OpenWRT. This has solved the issue; altering DNS on the PC does not solve the issue.

      Be very careful, people, it is a very bad attack.

    • No clue

      Good idea, James, about upgrading your router to OpenWRT or similar firmware if you are a person affected by this exploit and your router is compatible with one of the WRT variants.

      As to Freddie, good to see him agreeing with himself as usual; nobody else does.

    • Raindrops

      Poor chap can not help himself 😉

    • Rupees Burdoch

      Thanks for providing evidence to back up my claims FibreFred.

    • Raindrops

      The only thing you have backed up, by changing from the BT Investor ID you originally posted in the story with to the Rupees Burdoch one, is that you are a troll with multiple IDs.

    • FibreFred

      Inventing an ID to back up his man-in-the-middle attack, expected as much. Only goes to show how sad such an individual is.

      How very, very embarrassing for you.

    • Raindrops

      I think you will find James has posted on here before. The only one backing himself up with ID changes is you. It is clear to anyone reading that Rupees Burdoch and BT Investor are the same person; even Mark realises he is a troll.
      http://www.ispreview.co.uk/index.php/2014/03/skys-broadband-based-uk-now-tv-service-hampered-rights-restrictions.html
      Not the first time you have forgotten which ID you used. Perhaps you should get back to work fixing the congested FTTC AAISP reported to you, which you denied also.

    • FibreFred

      And that once again is where your arguments fall apart, because I am not these other two IDs you speak of; you are talking about AAISP congestion and I have no idea what you are ranting on about.

      Anyway, you are still wrong about the man in the middle; simply read the whitepaper and website.

    • James Ling

      Yes, Raindrops, I posted here a long time ago.
      http://www.ispreview.co.uk/index.php/2013/11/virgin-media-uk-adds-free-calls-philippines-november.html
      I am from the Philippines and come to the UK a few times each year. I like the UK a lot, but this man-in-the-middle attack is very bad; all good people in the UK should be aware.

    • George

      No need to defend yourself, James, and unlike some here there are plenty that believe your actual experience rather than the hearsay of a troll.

  2. hmm

    WiFi is not that safe: WEP encryption can be hacked in 5-10 mins easy,

    and WPA/WPA2 PSK, WPA2 AES with WPS enabled, 5-9 hours.

    So in short, if you want to be a bit safer, use a cable,

    but at the end of the day it’s the internet.

  3. Mel

    I’m aware of a password bypass vulnerability in the router I’m currently using (now a very old model 🙂 ). It can be exploited remotely by a reflective attack by way of a specially crafted image link when opened by the victim’s browser; it also affected several other models in the same range, including some supplied by ISPs. I wrote some demo exploits (some installed a shell script on the router) and reported it to the manufacturer years ago, but I don’t think they ever released a fix, other than for one model supplied by one ISP (and I suspect that was by chance).

