Home
 » ISP News » 
Sponsored

UPDATE D-Link Broadband Routers Vulnerable to DNS Hijack Attack

Saturday, January 31st, 2015 (8:52 am) - Score 2,150
security of broadband isp routers

A Bulgarian security researcher called Todor Donev has demonstrated a new proof of concept attack against one of D-Link’s ADSL based wireless broadband routers (D-Link DSL-2740R), which allows a hacker to change the routers default Domain Name Server (DNS) details and thus hijack its web traffic. Other routers could also be vulnerable.

The vulnerability has a lot in common with one that was last year revealed to have impacted a huge number different routers (here) and similarly exploits a flaw, using Cross-Site Request Forgery (CSRF) techniques, in the ZynOS firmware used by D-Link and various other router vendors.

In order for the hack to work the attacker needs to be able to reach the web-based admin interface for the router, which is easy enough if the WiFi network is open or if you’re already logged into a related network. But even if the attacker is locked out then the exploit can still be performed by harnessing CSRF to reach the web-based interface (some routers expose their admin interface to the Internet for remote administration).

At this point the attacker can plant malicious code into the user’s web browser, which might occur if they visit a compromised website or bad link. The code then tells the browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with router (e.g. the admin interface is often accessed via 192.168.1.1 or 192.168.0.1 etc.). If successful then the hacker will gain enough access to change the routers DNS details.

The DNS system works to convert IP addresses to human readable domain names (e.g. 123.56.32.1 to examplefake.com) and back again. Most of the time your ISP will run the DNS servers, but end-users can also access their own computers and routers to use custom domain name systems like OpenDNS or Google’s Public DNS. But if a hacker gains access then he or she can replace the DNS settings with a malicious server to do the same task.

The result of a successful attack means that the hacker can redirect your website requests to fake phishing sites, monitor your activity to steal personal / financial information, inject more exploits into your network so as to gain even greater control and.. well, it’s basically all bad.

Admittedly the router model in question has been phased-out, but lots of consumers use old hardware and router manufacturers are notorious for failing to keep the devices they sell up-to-date and secure. The attack itself has so far only been demonstrated on this one device, but it’s likely that many other router models could be vulnerable, especially given the widespread use of ZynOS.

Several sites have carried this news (example) and all have asked D-Link for a comment, yet so far the manufacturer has not responded. This is arguably the biggest problem with the router industry, the slow pace to respond, identify and address serious exploits in the kit they sell. The past couple of years have been full of similar security flaws.

UPDATE 4th March 2015

Good news, D-Link has finally published a firmware patch for DNS hijacking related vulnerabilities in their DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-820L, DIR-826L, DIR-830L and DIR-836L model routers:

http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052

Delicious
Add to Diigo
Tags:
Mark Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he is also the founder of ISPreview since 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
0 Responses

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Promotion
Cheapest Superfast ISPs
  • Hyperoptic £18.00 (*22.00)
    Avg. Speed 30Mbps, Unlimited
    Gift: Code: CHRISTMAS18
  • Onestream £19.95 (*34.99)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • TalkTalk £22.50
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • Direct Save Telecom £22.95 (*29.95)
    Avg. Speed 35Mbps, Unlimited (FUP)
    Gift: None
  • Vodafone £23.00 (*25.00)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
Poll
*Javascript must be ON to vote*
The Top 20 Category Tags
  1. BT (2290)
  2. FTTP (1755)
  3. FTTC (1521)
  4. Broadband Delivery UK (1491)
  5. Openreach (1234)
  6. Politics (1228)
  7. Business (1093)
  8. Statistics (966)
  9. Mobile Broadband (886)
  10. Fibre Optic (881)
  11. FTTH (819)
  12. Ofcom Regulation (814)
  13. Wireless Internet (807)
  14. 4G (769)
  15. Virgin Media (743)
  16. Sky Broadband (546)
  17. TalkTalk (525)
  18. EE (510)
  19. Vodafone (399)
  20. Security (371)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules