DNS Vulnerability Strikes Popular DrayTek Broadband ISP Routers

Taiwan-based telecoms kit manufacturer DrayTek has announced that a large number of their popular wireless routers are vulnerable to a new security exploit, which enables an attacker to remotely change the device’s DNS and DHCP settings in order to hijack your internet traffic or steal personal data.

The Domain Name System (DNS) works to convert IP addresses to a human readable form (e.g. 123.56.32.1 to examplefakeblah.com) and back again. Most of the time your ISP runs the DNS servers, but end-users can also access their own computers and routers to use custom DNS solutions like OpenDNS or Google’s Public DNS. Sadly hackers can also setup their own to hijack your internet traffic.

Recently a number of people using DrayTek kit spotted that somebody had changed their router’s DNS server to 38.134.121.95, which appears to have been achieved by exploiting a new weakness in the device rather than a brute-force attempt to crack admin passwords. In response DrayTek has published a new firmware update (v3.8.8.2) that should resolve the problem, although not all UK routers appear to have received this yet.

DrayTek Statement

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.

In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.

Until you have the new firmware installed, you should check your router’s DNS settings on your router and correct them if changed (or restore from a config backup). We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated. The list of updated firmware versions is as follows.

The company has done a good job of publishing two useful security updates (here and here) and the second one describes in detail how to resolve the problem. DrayTek notes that their wireless access points (VigorAP series), switches (VigorSwitch series) and the Vigor 2950, 2955, 2960, 3900 and 3300 series routers are NOT affected and do not need updating (but you should still always run the latest firmware on those anyway).

List of Vulnerable Routers and New Firmware
Vigor120, version 3.8.8.2
Vigor122, version 3.8.8.2
Vigor130, version 3.8.8.2
VigorNIC 132, version 3.8.8.2
Vigor2120 Series, version 3.8.8.2
Vigor2132, version 3.8.8.2
Vigor2133, version 3.8.8.2
Vigor2760D, version 3.8.8.2
Vigor2762, version 3.8.8.2
Vigor2832, version 3.8.8.2
Vigor2860, version 3.8.8
Vigor2862, version 3.8.8.2
Vigor2862B, version 3.8.8.2
Vigor2912, version 3.8.8.2
Vigor2925, version 3.8.8.2
Vigor2926, version 3.8.8.2
Vigor2952, version 3.8.8.2
Vigor3220, version 3.8.8.2
VigorBX2000, version 3.8.8.2
VigorIPPBX2820, version 3.8.8.2
VigorIPPBX3510, version 3.8.8.2
Vigor2830nv2, version 3.8.8.2
Vigor2820, version 3.8.8.2
Vigor2710, version 3.8.8.2
Vigro2110, version 3.8.8.2
Vigro2830sb, version 3.8.8.2
Vigor2850, version 3.8.8.2
Vigor2920, version 3.8.8.2