Saturday Sep 04


Router Hacking, Warkitting Take Stage at Black Hat


Router hacking and modem security are in the news again, thanks to a presentation at Black Hat in Las Vegas this week and to the sensational press response that followed.

Whether at home or in the enterprise, modems and routers are routinely overlooked when network and Internet security is considered. You may run the most sophisticated, up-to-date antivirus and other security applications, but if an attacker gets hold of the gateway, i.e. your router, that attacker controls where you actually go on the Internet: every name you resolve can be redirected to wherever the attacker chooses.

The exploit described this week at Black Hat Las Vegas attacks the router through the victim's browser using the long-known technique of DNS rebinding. The presenter is Craig Heffner, senior security engineer with Seismic, a provider of defense and intelligence security solutions based in Maryland.

But just knowing about the problem doesn't solve anything. Anticipating this week's presentation, David Ulevitch, founder and CEO of OpenDNS, a provider of free security and infrastructure services, took the unprecedented step of openly appealing to Craig Heffner in his blog, stating:

Since the vulnerability was first publicized, we’ve made several attempts to contact Craig Heffner, the researcher, and get more detail. We’ve phoned. We’ve emailed. We’ve contacted reporters who’ve spoken to the researcher and had their help connecting to the researcher. I’ve even Facebook messaged his coworkers. I haven’t had a single reply.

Why the aggressive outreach from us? Because we want to be a fix, we work hard to make OpenDNS a solution to the many problems system administrators and security pros face. In fact, our entire service was designed to address the problems you want it to address. The only information we have is that this deals with DNS Rebinding.

Fortunately, Ulevitch wrote, “OpenDNS has secured users from DNS rebinding attacks for a long time.”

As an aside, this brings up the old and increasingly irritating issue of responsible disclosure.

There are several ways to prevent DNS rebinding attacks:

Reject HTTP requests with an unrecognized Host header. In a rebinding attack the browser still believes it is talking to the attacker's hostname, so the request that reaches the router carries that hostname in its Host header; a router web interface that answers only to its own name or address defeats the attack.

Pin the IP address to the value received in the first DNS response (DNS pinning in the browser), so that a later low-TTL answer pointing at an internal address is ignored for the life of the page.

Block any resolution of external names into internal IP addresses at the organization's local nameservers.

Use OpenDNS to prevent rebinding attacks. (We found this to be true in a few recent tests in the hostexploit labs with regular users of OpenDNS.)
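The first and third defenses in the list above, written out as runnable checks. This is an added example, not code from the article, from OpenDNS, or from Craig Heffner's talk; it assumes (the article says nothing about these details) that the router's admin interface answers to 192.168.1.1 and "router.local", and that the organization's own internal names end in ".local" or ".corp.example". The sample DNS responses at the bottom are constructed to show a rebinding timeline: the attacker's name first resolves to a public host with a short TTL, then is "rebound" to the router's private address.

```python
"""Two of the DNS-rebinding defences listed above as runnable checks.

Added example; not code from the article, OpenDNS, or the Black Hat talk.
Assumed (not from the article): the router answers to 192.168.1.1 and
"router.local"; internal names end in ".local" or ".corp.example".
"""
import ipaddress
from typing import Iterable, List, Optional

# Hostnames/addresses the router's embedded web server answers to (assumed).
ALLOWED_HOSTS = {"192.168.1.1", "router.local"}

# Address space that an external name must never resolve to: RFC 1918,
# loopback, link-local, "this host", and their IPv6 equivalents.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def strip_port(host: str) -> str:
    """'192.168.1.1:8080' -> '192.168.1.1', '[::1]:80' -> '::1'."""
    host = host.strip()
    if host.startswith("["):                     # bracketed IPv6 literal
        end = host.find("]")
        return host[1:end] if end != -1 else host[1:]
    if host.count(":") == 1:                     # name:port, not a bare IPv6
        host = host.rsplit(":", 1)[0]
    return host


def host_header_allowed(host_header: Optional[str],
                        allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Mitigation 1: answer only when Host names the router itself.

    During rebinding the browser still believes it is talking to
    attacker.example, so every request carries Host: attacker.example even
    though the TCP connection now lands on the router. A missing or foreign
    Host header is therefore rejected.
    """
    if not host_header:
        return False
    wanted = {h.lower() for h in allowed}
    return strip_port(host_header).lower() in wanted


def is_internal_address(ip: str) -> bool:
    """True for addresses inside PRIVATE_NETS. IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is unwrapped first so it cannot smuggle a private IPv4 address past the check."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in PRIVATE_NETS)


def filter_answers(qname: str, answers: Iterable[str],
                   internal_suffixes: Iterable[str] = (".local", ".corp.example")) -> List[str]:
    """Mitigation 3: at the organisation's resolver, drop A/AAAA records that
    map an external name onto internal address space. Names under the
    organisation's own suffixes keep their private answers."""
    name = qname.rstrip(".").lower()
    if any(name == s.lstrip(".") or name.endswith(s) for s in internal_suffixes):
        return list(answers)
    return [a for a in answers if not is_internal_address(a)]


def rebinding_sequence(qname: str, responses: List[List[str]]) -> List[List[str]]:
    """Run a sequence of DNS responses for one name through the resolver
    filter and return what the client would see at each step."""
    return [filter_answers(qname, r) for r in responses]


if __name__ == "__main__":
    # Constructed attack timeline: attacker.example first resolves to the
    # attacker's public host (low TTL), then is rebound to the router.
    seen = rebinding_sequence("attacker.example",
                              [["203.0.113.10"], ["192.168.1.1"]])
    print(seen)                                      # [['203.0.113.10'], []]
    print(host_header_allowed("attacker.example"))   # False
    print(host_header_allowed("router.local:8080"))  # True
```

The Host check belongs in the router's embedded web server and costs nothing to enforce; the answer filter belongs in the recursive resolver the clients actually use, which is the role OpenDNS plays in the fourth item. Neither helps once the firmware itself is replaced, which is the point the warkitting section below makes.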

Warkitting, a different router-based phishing attack from the one in the Black Hat presentation, works by replacing the firmware in the router. It has been around for some years and is still in regular use by attackers. It was first described academically in 2006 by Tsow, Jakobsson, Yang, and Wetzel.

For movie fans, the "war" in warkitting traces back to the film WarGames with Matthew Broderick and to what became popularly known as wardialing, the automated search for active modems. In more recent times this became wardriving, the search for wireless networks, and from there warkitting.

Warkitting is not theoretical; it is in actual and regular use, and it has nothing to do with DNS rebinding. The router's firmware is replaced wholesale by the attacker, so none of the remedies listed above is likely to stop a focused warkitting attack.

Modern use of warkitting as a blended attack, in conjunction with some of the latest crime kits, lets the attacker control all traffic for the victim's network. This could even permit them to strip SSL from connections, downgrading what should be encrypted sessions to plain HTTP on the victim's side.

Here we need to see the boundary of the network, i.e. the modem and router, as the vulnerable elements in such an attack. The technique has also been used in extortion attempts where the attacker adds his own encryption to all internal and external traffic, potentially throwing the whole organization into chaos.

To consider the theoretical, this kind of warkitting attack could even be deployed in modern-day heists, for instance the recent art theft at the Museum of Modern Art in Paris, which featured an Interpol-baffling wholesale disablement of PC- and Internet-based internal audio-visual security systems.