DSL routers vulnerable to malware attacks

Published 5 December 2008

New reports say DSL modems are susceptible to attacks more typically associated with Web sites: hackers can insert malware onto the victim’s computer or recruit the computer as a bot for a botnet

A new communications vulnerability should worry businesses and consumers alike: a deadly attack more often associated with Web sites can also be used against LAN/WAN devices, such as DSL routers, according to a researcher who this week demonstrated cross-site request forgery (CSRF) vulnerabilities in devices used for AT&T’s DSL service. Dark Reading’s Kelly Jackson Higgins reports that Nathan Hamiel, a consultant and founder of the security think-tank Hexagon Security Group, discovered a CSRF vulnerability in the Motorola/Netopia 2210 DSL modem which, among other things, could let an attacker insert malware onto the victim’s computer or recruit it as a bot for a botnet. “CSRF is one of the only vulnerabilities that can be either completely innocuous or completely devastating,” Hamiel says.

Hamiel notes that the vulnerability is not limited to Motorola/Netopia DSL modems. It affects most DSL modems, because they do not require authentication to access their configuration menu. “I can take over Motorola/Netopia DSL modems with one request, and I can do it from MySpace and other social networks,” Hamiel says. The attack uses HTTP POST and GET requests sent to the modems, he says.

CSRF vulnerabilities, of course, are not new, and they are pervasive on many Web sites and in many devices. “CSRF, in general, is a very old issue,” says Hamiel, who blogged about the hack this week. “Most of the vulns found today are old. That’s the point: Nobody seems to learn lessons anymore.”

Higgins quotes Hamiel as saying that home users are not the only ones at risk of a CSRF attack on a DSL router; enterprises, too, could be hacked this way. “Let’s say we have Wells Fargo corporate … They have thousands of Wells Fargo home mortgage branches with five or more people working at them. They typically go with an ISP for Internet service, maybe they use a VPN connection back to the corporate office, maybe they just have some routing enabled,” he says. “They may have a DSL because of their size. If one of their machines gets compromised, now an attacker has a box on the Wells Fargo network.”

What should users — consumers and businesses — do? “[The problem] could be mitigated if the user just enters a password for the device, which, nobody does,” Hamiel says.
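To make the two points above concrete, here is an added example (not code from the article or from any modem vendor) that models a modem configuration endpoint: first the unprotected behaviour Hamiel describes, where any GET or POST that reaches the page changes settings, and then a hardened version that requires the device password, rejects requests launched from other sites and demands an anti-CSRF token. The modem address, the sample DNS values and the `Request` structure are constructed assumptions.

```python
from dataclasses import dataclass, field
import hmac
import secrets

MODEM_ORIGIN = "http://192.168.1.254"  # assumed LAN address of the modem's admin pages

@dataclass
class Request:
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)
    password: str = ""  # credential the browser sends with the request, if any

class ModemAdmin:
    def __init__(self, admin_password=""):
        self.admin_password = admin_password
        self.config = {"dns": "192.0.2.53"}  # constructed sample value (TEST-NET-1 range)
        self.tokens = set()

    def unprotected(self, req):
        """Behaviour the article describes: no login, no origin check, GET or POST."""
        if req.path == "/config" and "dns" in req.params:
            self.config["dns"] = req.params["dns"]
            return 200
        return 404

    def issue_token(self):
        """Embedded in the device's own form page; a cross-site page cannot read it."""
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return token

    def hardened(self, req):
        if req.path != "/config" or "dns" not in req.params:
            return 404
        if req.method != "POST":            # no state change on GET (img/script tags send GET)
            return 405
        if not self.admin_password or not hmac.compare_digest(req.password, self.admin_password):
            return 401                      # the device password Hamiel says nobody sets
        source = req.headers.get("Origin") or req.headers.get("Referer", "")
        if source != MODEM_ORIGIN and not source.startswith(MODEM_ORIGIN + "/"):
            return 403                      # request was launched from another site
        if req.params.get("csrf_token") not in self.tokens:
            return 403                      # a forged request cannot carry a valid token
        self.config["dns"] = req.params["dns"]
        return 200
```

The third and fourth checks matter even once a password is set: a browser that has cached the device credential will attach it to a forged request, so the password alone is not the whole fix.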