I haven't heard how these people are actually being exploited. When I read the CVE, it makes me think javascript in the browser is reaching out over their LAN and hitting their NAS boxes, but I can't be sure that's what's happening. I can't imagine all these users set up port forwarding or UPnP on their MyBook Live. I would imagine a person buys that type of device because they don't want to or know how to do that kind of management. I'm curious to hear the details about the nuts and bolts of the exploit.
That CVE only shows how to factory-reset a single MyBook to which you can connect and send HTTP requests. There's still something missing to explain how it could happen to seemingly all MyBooks at once, including those behind a NAT.
Yeah, I have one at home too, so I really want more detail on what the exploit is (I wonder if it is perhaps IPSEC specific, like an RNG flaw, since they talk about VPN and encryption appliances, or it could be something to do with Cavium HSMs and unrelated to the network processors).
Until consumers are willing to spend on subscription services to keep devices up-to-date, new hardware is the de facto method of paying for software development work.
Of course, in reality, this CVE seems almost un-exploitable in the wild, anyway. How will an exploiter get to the login page in the first place? They'd have to know your network password and be in your physical vicinity, or your ISP would have to send traffic to your router's login page from the Internet.
So they'd have to physically drive around looking for these three specific D-Link routers.
And then what would they get out of a successful exploit? Access to your network's traffic and unprotected file shares (most people don't even have any file shares), and even that level of access will be rather useless for getting important information like bank credentials (protected by HTTPS).
Am I wrong about any of this?
A lot of non-technical people use old Android phones, old printers, etc, and never experience any serious security breach. Some of them do experience a security breach, but it's far more likely to happen in a social exploit (phishing, whaling, etc) or institutional breach (your reused password being breached from a database hack of a popular website). In a lot of ways, ignorance is bliss.
I doubt that; they most likely were just a bunch of nerds who recognised the cheap routers and discovered the vulnerabilities from just playing around with a laptop and something like Kali Linux.
I'm not sure I follow: what can you do with the bits of information you named when this vulnerability is not present?
In any case, the scenario for this exploit is that you have access (possibly only restricted, no superuser) to an internet-facing machine and are looking to expand your reach into the internal network. That's why they are keen to exploit these Cisco boxes, they are a stepping stone to the wider network that might be otherwise firewalled off and a pretty permanent one at that.
I ordered a router from Amazon when someone said it was running Linux. I received it, and gave it to my uni friend on Friday. On Sunday, he told me he found an exploit in the web interface.
This is mind boggling. Who installs these systems? Who maintains them? Surely this is supposed to be done by someone with at least a certain amount of clue? Enough clue not to hook up your insecure gear to the internet? No?
I don't even get how this happens. Surely these things are not just plugged in to a modem? There has got to be some kind of LAN involved. If there is, then there should at least be an edge firewall. Or even a simple garden variety gateway with NAT, which would already prevent all of those open ports from being accessible. So what gives? Are people deliberately hooking this gear up to the internet, deliberately exposing ports without taking security into consideration? That is patently insane.
So does this lend credence to the theory that the attackers compromised the network to the point that they were able to install compromised firmware on users' machines?
Is a disk image of one of these available anywhere?
I find it much more likely that these are being used for what they say they are (basically a proxy so they can buy ads from a residential IP) than some crazy MITM device. The "Attacker" is basically renting an IP connection or paying a co-location fee for their little server.
Plugging a device into your network doesn't make it magically see all the traffic. It would have to be doing ARP spoofing, DHCP hijacking, or hacking the router config/firmware. Is it possible that it is doing some or all of those things -- sure. But why? That could all be done via a malicious client executable that would give you access to the network and much more and is much more discreet than a physical box, so why would someone go through the trouble of shipping out a box + paying the recipient? The simpler explanation is that the sender of the device is doing nefarious actions on the internet and needs a bunch of IPs for cheap, so when they get blocked they can just move on to the next IP.
Would I put one of these on my home network - hell no. But if one of my friends tells me they had one plugged into their network I wouldn't immediately assume that their entire digital life was compromised. I would tell them to unplug it though.
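The comment above names ARP spoofing as one of the things a rogue box would have to do to see other hosts' traffic, which is also what makes it detectable. As an added example (not from the thread, and not from any product mentioned in it), here is a small passive monitor that watches ARP replies and flags an IP whose claimed MAC changes, treating a change to the default gateway address as the high-severity case. The ARP records and the gateway address are constructed sample values for a typical home LAN.

```python
"""Flag ARP spoofing indicators from a stream of observed ARP replies.

Added example: a passive monitor that remembers the first MAC seen for each
IP and alerts when a later reply claims the same IP from a different MAC.
The records below are constructed sample data; GATEWAY_IP is an assumed
value for a typical home LAN, not anything from the thread.
"""
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    (1.5, "192.168.1.20", "aa:bb:cc:00:00:20"),  # laptop
    (2.0, "192.168.1.30", "aa:bb:cc:00:00:30"),  # unknown box on the LAN
    (9.0, "192.168.1.1", "aa:bb:cc:00:00:30"),   # box now answers for gateway IP
    (9.1, "192.168.1.20", "aa:bb:cc:00:00:20"),  # unchanged, benign
]

GATEWAY_IP = "192.168.1.1"  # assumed default gateway for this sample LAN


def detect_arp_conflicts(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alerts for IPs whose claimed MAC changes over time.

    Each alert is a dict with time, ip, old_mac, new_mac and severity.
    A change on the gateway IP is 'high' (a host inserting itself between
    clients and the router); any other change is 'medium', since DHCP
    churn or a replaced device can legitimately move an IP to a new MAC.
    """
    seen = {}      # ip -> most recent MAC observed answering for it
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in seen:
            seen[ip] = mac
            continue
        if seen[ip] != mac:
            alerts.append({
                "time": ts, "ip": ip, "old_mac": seen[ip], "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
            seen[ip] = mac  # track the latest claim so flip-flops stay visible
    return alerts


def macs_claiming_multiple_ips(replies):
    """Map MAC -> set of IPs it has answered for, keeping only MACs with
    more than one IP. One host answering for several addresses is a hint
    that it is impersonating them (or is a router, which you can allowlist).
    """
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return {m: ips for m, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for a in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"[{a['severity']}] t={a['time']} {a['ip']} moved "
              f"{a['old_mac']} -> {a['new_mac']}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"{mac} answers for {sorted(ips)}")
```

On a real network the tuple list would be fed from a capture of ARP replies (opcode 2) on the LAN interface; the logic stays the same. Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on a managed switch, are the corresponding preventive controls.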