2Wire Security Issue

Started by Allitnil, Apr 08, 2008, 16:17:08

Allitnil

Some while ago there was a thread here about a security vulnerability in 2Wire routers (including the 2700). At the time I posted that you would be OK if you had a password set. Apparently I was wrong as the password can be altered without your knowing about it :eek4:

Please see this thread for details. Unfortunately there is no way to be completely secure, but that thread details several steps which, if followed, would make it considerably less likely that your router could be compromised.

Apparently the threat is now in the "wild" so you are at risk if you are still using the default router IP address and/or allow use of the 'home' and 'gateway.2wire.net' domains.


Rik

Thanks for that - it seems we need more vigilance than ever before. :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Danni

Thank you for that. I'll ensure Colin's router gets secured.
IDNet Customer (ex-partner's name): 6th January 2006 - 23rd March 2007
IDNet broadband Customer (my name): 11th June 2008 - 21st April 2010

Now with Be for internets, IDNet for phone.

Sebby

Thanks for this - useful to know. I'm still not overly concerned, but it's always a good idea to put something in place to make these things less likely.

Ann

Well I don't have a clue what's being talked about.  What are the dangers.. what is likely to happen if I don't do anything?

Sebby

IMHO, Ann, I'd say nothing. The vulnerability is there, but you'd have to visit a site that takes advantage of it. Firstly, I'd say such sites are likely to be pretty sparse, and secondly, employing some common sense (like we all do to avoid things like spyware) the risk is very low.

Sebby

One very simple thing you could do, Ann (which is what I've done) is to set Windows to use certain DNS servers (IDNet's, or OpenDNS if you prefer), rather than letting Windows use the router for DNS requests. You can still let your PC get a local IP manually.

It won't mean that your router isn't susceptible to the vulnerability, but it will mean that even if it was exploited, it would have no effect as you won't be using the router for DNS lookups.

somanyholes

This discloses how simple it is to exploit the 2Wire, and it's easier than simple... glad I don't have one  >:D

http://www.securityfocus.com/bid/27246/exploit

Sebby

Those with BT firmware should be okay - I suspect the exploit will get plugged. It's those of us with SBC firmware that are less likely to get (or, perhaps, find) an update, but then that's one of the risks we take when we buy a router with no official support channel.

That said, putting a couple of small precautions in place make it even more unlikely to happen.

somanyholes

Out of interest, Sebby, what sort of precautions would you put in place?


Gary

Quote from: Sebby on Apr 09, 2008, 09:16:44
Those with BT firmware should be okay - I suspect the exploit will get plugged. It's those of us with SBC firmware that are less likely to get (or, perhaps, find) an update, but then that's one of the risks we take when we buy a router with no official support channel.

That said, putting a couple of small precautions in place make it even more unlikely to happen.
Not sure about that, Sebby. They said they plugged a hole in their awful Home Hub, and they had not; hopefully 2Wire themselves would put out a patch for all 2Wire routers that have this exploit. Since it's been there since last August I honestly can't see a fix coming fast from BT. :(
Damned, if you do damned if you don't

Sebby

Quote from: somanyholes on Apr 09, 2008, 09:51:50
Out of interest, Sebby, what sort of precautions would you put in place?



Personally, I think that setting the DNSs in Windows, rather than using the router for DNS requests, is ample (and set a password on the router, of course). As I understand it, the exploit allows an attacker to change the DNSs on the router, so you'll go to a site that will appear to be, say, Google, but it's not. If you are not using the router for DNS requests, even if your router was compromised, it would have no effect.

Sebby

Quote from: Killhippie on Apr 09, 2008, 09:55:50
Not sure about that, Sebby. They said they plugged a hole in their awful Home Hub, and they had not; hopefully 2Wire themselves would put out a patch for all 2Wire routers that have this exploit. Since it's been there since last August I honestly can't see a fix coming fast from BT. :(

Perhaps not straight away, Gary, but they should eventually, especially given that it's their Business Hub.

somanyholes

Bit more info on here, Seb; sounds like you need password access before the rest follows, fun fun.

http://www.dslreports.com/forum/r19987755-2Wire-Cross-Site-Request-Forgery-Vulnerability

Rik

Nothing is simple or safe anymore. :sigh:

madasahatter

Quote from: Rik on Apr 09, 2008, 15:40:35
Nothing is simple or safe anymore. :sigh:

especially when Jerry's around causing trouble >:D

Rik

Simple would still apply, wouldn't it? ;D :out:

somanyholes

:out: :out: :out: :out: There are many following you out of the door, Rik  >:D

Rik

 ;D

There were quite a few ahead of me, Jerry.  :whistle:

Ann

Quote from: Sebby on Apr 08, 2008, 23:14:51
One very simple thing you could do, Ann (which is what I've done) is to set Windows to use certain DNS servers (IDNets, or OpenDNS if you prefer), rather than letting Windows use the router for DNS requests. You can still let your PC get a local IP manually.

How?

Rik

Double-click on the LAN icon in the system tray, select Properties. On the General tab, scroll down to Internet Protocol (TCP/IP), highlight it and select properties. In the resultant dialogue, select Use the following DNS server addresses, and enter either the IDNet servers or OpenDNS.

Ann

ok thanks, I've done that.  :)

Rik

By doing it in Windows, Ann, you can change it at any time without dropping the PPP session. This is especially useful when there is an issue at IDNet like the switch failure that occurred a couple of weeks ago. As that took out one of the DNS servers and an authentication server, changing the router settings would have lost the connection, but switching in Windows allowed me to change to OpenDNS and bypass the IDNet DNS servers.

Ann

Yes but I found out from somewhere what to put in for the IDNet servers but what do you put in for openDNS?  ???

And now I can't get to the routers details.. oh I'm going to put it back the way it was and leave well alone...

Rik

The OpenDNS servers are 208.67.222.222, 208.67.220.220, Ann.

Inactive

Quote from: Ann on Apr 12, 2008, 10:22:07

And now I can't get to the routers details.. oh I'm going to put it back the way it was and leave well alone...

Very wise Ann, if it ain't broke etc. ;D
Anything and everything that I post on here is purely my opinion, it ain't going to change the world, you are under no obligation to agree with me, it is purely my expressed opinion.

Sebby

Except it is, In. :P

Well, not broke as such, but exposed. :o ;)

Inactive

You are all paranoid,  I tell ya..  ;D

Ann

I'd have thought that the worst that can happen is that I get a virus that I can't get rid of in which case I'll format and reinstall the OS.  Other than that what can happen?

Sebby

Unfortunately, it's worse than that, Ann. What this exploit would do is change the DNS addresses on the router, so you'll type in, say, www.hsbc.co.uk, and it will look like you're on the HSBC website, except you're not.

That's why setting the DNSs on your PC, rather than using the router for requests, would prevent this being a possibility. I can't think why you weren't able to access the router after putting in the settings manually. If you'd like, I'm sure one of us can try and help you get to the bottom of that.

Gary

Quote from: Sebby on Apr 09, 2008, 13:21:15
Perhaps not straight away, Gary, but they should eventually, especially given that it's their Business Hub.
True, you would think they would have patched already as its a business hub, but they always leave it late sadly to patch holes for most software/hardware these days  :(

Sebby

I think BT have to wait on 2Wire to patch the underlying firmware. Have a look here, though; it looks like the wait might not be too much longer. :)

Sebby

It looks like the BT Business Hub isn't the only hardware offering from BT that has a security flaw.

http://www.theregister.co.uk/2008/04/14/bt_home_hub_encryption_weakness/

somanyholes

They do seem to be going round it all the wrong way; it was mentioned recently that Sky had a similar issue. When will they learn that preconfigured security doesn't work? Make people set their own usernames and passwords, their own WEP keys, tell them to write them down, and if they get stuck, get help. But no, they don't want to do that because that would increase their call/mail volumes, gits....

Rik

Quote: Liversage (the BT press officer) said BT didn't believe any customers have been affected by the default settings, although he didn't explain how the company could even know.

He hasn't yet recovered from trying to explain the Phorm trials, apparently. ::)

somanyholes

Quote: He hasn't yet recovered from trying to explain the Phorm trials, apparently

;D

Sebby

I know this is pretty old now, and it's probably not really a major risk, but I was just messing around with OpenDNS and found something that may be of interest.

You may or may not be aware that with OpenDNS, you can customise a whole array of settings for your network whilst using their servers, such as blocking specific/categories of websites, and so on and so forth.

I came across one setting that would probably prevent the 2Wire security flaw from being an issue. It reads:

Quote: Block internal IP addresses

When enabled, DNS responses containing IP addresses listed in RFC1918 will be filtered out. This helps to prevent DNS Rebinding attacks. For example, if badstuff.attacker.com points to 192.168.1.1, this option would filter out that response.

The three blocks of IP addresses filtered in responses are:
10.0.0.0     - 10.255.255.255  (10/8)
172.16.0.0   - 172.31.255.255  (172.16/12)
192.168.0.0  - 192.168.255.255 (192.168/16)

There are several other very handy settings there, so it might be worth checking out. :thumb:
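For anyone who wants to see what that OpenDNS option actually does on the wire, here is an added example (my own code, not from this thread and not OpenDNS's implementation). It builds a small DNS response in wire format from constructed sample data, parses the answer section, and drops any A record whose address falls in the three RFC 1918 blocks quoted above. The domain badstuff.attacker.com and the addresses used are the constructed values from the quote plus documentation ranges; the function and variable names are my own.

```python
"""Filter RFC 1918 addresses out of DNS A-record answers (DNS rebinding defence).

Added example, not code from the thread or from OpenDNS. It constructs a sample DNS
response in wire format, parses the answer section and drops any A record that points
into 10/8, 172.16/12 or 192.168/16, mirroring the "Block internal IP addresses" option.
"""
import ipaddress
import struct

# The three blocks listed in the quoted OpenDNS text (RFC 1918).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_response(qname: str, answers: list[str], txid: int = 0x1234) -> bytes:
    """Constructed sample: standard response, one question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    body = b""
    for a in answers:
        # Answer name is a compression pointer to the question name at offset 12.
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4)
        body += ipaddress.IPv4Address(a).packed
    return header + question + body


def a_records(msg: bytes) -> list[str]:
    """Parse the answer section and return the A-record addresses (other types skipped)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return found


def filter_internal(msg: bytes) -> tuple[list[str], list[str]]:
    """Split a response's A records into (kept, blocked), as the quoted option describes."""
    kept, blocked = [], []
    for addr in a_records(msg):
        (blocked if is_rfc1918(addr) else kept).append(addr)
    return kept, blocked


if __name__ == "__main__":
    # Constructed rebinding case from the quoted text: badstuff.attacker.com -> 192.168.1.1
    resp = build_response("badstuff.attacker.com", ["192.168.1.1", "198.51.100.7"])
    print(filter_internal(resp))  # (['198.51.100.7'], ['192.168.1.1'])
```

The point of the check is that a resolver sitting between the browser and the attacker's authoritative server can refuse to hand a public hostname a private address; a page served from badstuff.attacker.com then cannot be rebound to 192.168.1.1 (or whatever the router's LAN address is) to reach the router's admin pages from inside the browser's same-origin policy. It only helps if the PC is actually using that resolver, which is why it pairs with the "set the DNS servers in Windows" advice earlier in the thread.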
