
Some UK TalkTalk D-Link DSL-3680 Routers Vulnerable to DNS Hijack

Friday, March 27th, 2015 (3:47 am) - Score 17,352

Customers of TalkTalk’s home broadband service in the United Kingdom, specifically those who use one of the ISP’s older D-Link DSL-3680 routers (check the model code on the back), should be aware that for some people the hardware might be vulnerable to an easily performed remote DNS hijack.

The Domain Name System (DNS) works to convert IP addresses to a human readable form (e.g. 123.56.32.1 to examplefake.com) and back again. Most of the time your ISP runs the DNS servers, but end-users can also configure their own computers and routers to use custom DNS solutions like OpenDNS or Google’s Public DNS.

But if a hacker gains access then they could replace the Primary and Secondary DNS settings with malicious servers. A successful attack means that the hacker can redirect your website requests to fake phishing sites, monitor your activity to steal personal / financial information, or inject more exploits into your home network in order to gain even greater control.

[Image: TalkTalk D-Link 3680 router DNS hacked. Demo conducted by the customer – DNS was set to “auto” before the exploit attempt]
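One way to notice the kind of change described above from a device behind the router, as an added example that is not part of the original article: it reads resolv.conf-style resolver settings and flags any DNS server outside an expected set. The ISP range, the router address and both sample configurations are constructed placeholders; the two public resolver services are the ones the article names.

```python
import ipaddress

# Resolvers this network expects. The public services are the two the article
# names; the ISP range and router address are constructed placeholders
# (assumptions) to be replaced with your own values.
EXPECTED = {
    "Google Public DNS": ["8.8.8.8/32", "8.8.4.4/32"],
    "OpenDNS": ["208.67.222.222/32", "208.67.220.220/32"],
    "ISP resolvers (placeholder)": ["203.0.113.0/24"],
    "Router LAN address (assumed)": ["192.168.1.1/32"],
}

# Constructed samples: a device's resolver config before and after a change.
BEFORE = "nameserver 192.168.1.1\n"
AFTER = "# set by DHCP\nnameserver 198.51.100.23\nnameserver 8.8.8.8\n"


def parse_nameservers(resolv_text):
    """Return the values on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit(resolv_text, expected=EXPECTED):
    """Map each configured server to the label it matched, or None."""
    nets = [(label, ipaddress.ip_network(cidr))
            for label, cidrs in expected.items() for cidr in cidrs]
    report = {}
    for raw in parse_nameservers(resolv_text):
        try:
            addr = ipaddress.ip_address(raw)
            report[raw] = next((l for l, n in nets if addr in n), None)
        except ValueError:
            report[raw] = None  # malformed entry: report it as unexpected
    return report


def unexpected(resolv_text, expected=EXPECTED):
    """List configured servers that match nothing in the expected set."""
    return [s for s, label in audit(resolv_text, expected).items() if label is None]


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, "unexpected DNS servers:", unexpected(sample))
```

If the router hands out its own LAN address as the DNS server, a device only ever sees that address, so the Primary and Secondary DNS fields on the router's own status page still need checking directly.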

Meanwhile the problem with TalkTalk’s kit was spotted on Tuesday by a couple of customers, with one noticing that the Domain Name Server (DNS) details of their router had been changed and redirected to an unknown location without their permission (most likely a DNS server run by the attackers).

A second subscriber then tested the exploit on his DSL-3680 and found that he too was able to remotely change the DNS details of his router by merely using a special custom URL (web address) alongside the IP address of his Internet connection (no password was required). It’s a little more complicated than that, but not much.

It’s not uncommon for routers to expose their admin web-interface to the Internet, usually for purposes of remote management, although clearly it shouldn’t be this easy to crack.

John Smith, A TalkTalk Customer, told ISPreview.co.uk:

“Given that D-Link appear to have known about this for two months since the story broke, I would have imagined they would have fixed their current routers by now, including the DSL-3680.

I was shocked to see my DNS settings altered remotely by some unknown entity, as you can imagine, especially since I know I used a very strong password for remote management. But I was bothered that I could not restrict access to specific IPs [for remote management], and this issue would have been mitigated had I been able to do so.”

The exploit appears as if it could stem from a vulnerability that we first reported on in January 2015 (here), which affected a number of D-Link routers, although D-Link has been hit by similar exploits over the past few years and so it’s hard to know which one is the actual culprit.

On top of that, D-Link appears to be of the viewpoint that the 3680 is not vulnerable to such an attack, yet the code used to perform it is almost identical to the one we covered earlier this year, and TalkTalk informs us that they’ve asked D-Link to check again. For security reasons we have chosen not to demonstrate how this works, although it’s easily found online.

D-Link officially published a firmware update to fix the aforementioned exploit a couple of weeks ago, while the last firmware released for TalkTalk’s D-Link DSL-3680 was v1.12t on 10th November 2014 (here) and the affected customers are currently on that version. TalkTalk’s other D-Link routers include the 2680, 2640R, 2740R, 2780 and 3780.

At the time of writing TalkTalk have said that they’re still investigating the situation and we hope to have an update soon. But customers who do have the router shouldn’t worry just yet because it’s only an issue if you’ve enabled Remote Management, which is normally disabled by default. Obviously we’d recommend switching this feature off until the issue is resolved (hackers can easily scan for exposed routers, so do check).

Take note that the remote management being referenced above is not the familiar CWMP/TR-069 interface, but rather a separate feature that allows users to log into the router’s web interface over WAN (useful for remotely monitoring your network). By comparison the TR-069 feature, which is often used by ISPs to deliver firmware updates, is not vulnerable.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved