Tag Archives: ISP

Flaw exposes over 700,000 routers to remote hacking

More than 700,000 ADSL routers provided to subscribers by ISPs around the world are vulnerable to remote hacking due to a flaw called “directory traversal.”

More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Security researcher Kyle Lovett first detected the vulnerability a few months ago while analyzing some ADSL routers in his spare time. Upon delving a bit deeper, he discovered hundreds of thousands of susceptible devices from different manufacturers that had been distributed by ISPs to subscribers in nearly a dozen countries.


Most of the routers were found to have a “directory traversal” flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data. It should be noted that the flaw isn’t entirely new; in fact, it was initially reported by multiple researchers dating back to 2011 in various router models that have been distributed in countries such as Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. Some of these routers are also sold off the shelf in the United States.

The researcher unearthed a commonality among all of these routers: the vast majority were using firmware from China-based Shenzhen Gongjin Electronics, which also does business under the trademark T&W. This company manufactures networking equipment for router vendors such as D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear.

The directory traversal vulnerability can be used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings. The file also contains the password hashes for the administrator and other accounts on the device, the username and password for the user’s ISP connection (PPPoE), the client and server credentials for the TR-069 remote management protocol used by some ISPs, as well as the password for the configured wireless network, if the device has Wi-Fi capabilities.
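The kind of path-containment check that stops this class of request, shown as an added example (it is not code from webproc.cgi, the affected firmware or the original article). The web root `/www/html` and the helper name `safe_join` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WEB_ROOT "/www/html"  /* assumed web root, not taken from the firmware */

/* Hypothetical helper: join an already URL-decoded request path onto WEB_ROOT,
 * resolving "." and ".." lexically. Returns 0 and fills out on success,
 * -1 if the path would climb above WEB_ROOT or does not fit in out. */
int safe_join(const char *requested, char *out, size_t outlen)
{
    size_t root_len = strlen(WEB_ROOT), len = root_len;
    if (outlen <= root_len) return -1;
    memcpy(out, WEB_ROOT, root_len + 1);

    for (const char *p = requested; *p; ) {
        while (*p == '/') p++;                 /* drop leading and doubled slashes */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == root_len) return -1;    /* ".." at the root: traversal attempt */
            while (out[len - 1] != '/') len--; /* pop the last segment */
            out[--len] = '\0';
            continue;
        }
        if (len + n + 2 > outlen) return -1;   /* '/' + segment + NUL must fit */
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
        out[len] = '\0';
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *reqs[] = { "index.html", "css/../img/logo.png", "../../config.xml" };
    char path[128];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (safe_join(reqs[i], path, sizeof path) == 0)
            printf("serve  %s\n", path);
        else
            printf("reject %s\n", reqs[i]);
    }
    return 0;
}
```

The check is lexical and does not follow symbolic links; where the served tree may contain them, also compare the `realpath()` result against the web root before opening the file.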


According to Lovett, the hashing algorithm used by the routers is weak, so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router’s DNS settings. By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers, known as router pharming, have become common over the past two years.

Lovett admits that 700,000 is a conservative estimate. There are likely many more devices that possess the same flaws, yet are not configured for remote management. Instead, those can be attacked from within local networks through malware or cross-site request forgery (CSRF).

Want to learn more? You can read the entire article from PC World here. It is becoming increasingly clear that embedded system insecurity affects everyone and every company, so how can you ensure that your device is indeed protected?

Building a Mini 7-Segment Clock (V2)

Kevin Rye recently re-designed his already impressive Mini 7-Segment Clock using an SMD version (instead of 28-pin DIP) of the ATmega328 microcontroller (MCU) and a custom PCB.

“I moved the switches a little off-center to the right and shuffled everything else around in order to fit the SMD ATmega,” Rye explained in a recent blog post.

“I rotated the ATmega 45 degrees. I think chips look cooler when they’re rotated, but in all seriousness, it is easier to run a trace from one side of the board to the far side of the chip when it’s rotated.”

Rye also moved most of the (PCB) text from the front to the back. However, with the exception of the ICP and FTDI headers, the board layout remained the same.

After receiving his new PCBs, Rye decided to kick off a limited test of his new design.

“I didn’t want to put the whole thing together and find out that it didn’t work, [so] I decided to only solder in the ATmega, the 16MHz crystal, and the supporting caps and resistors – just enough so I could test loading the bootloader onto the ATmega and upload a sketch,” said Rye.

“I configured my Arduino Uno (ATmega328) as an ISP and attached the Mini Clock’s 6-pin ICP header to the Arduino via a ribbon cable and some jumpers. I then jumped into the Arduino IDE and burned the bootloader for an Uno.”

After successfully running the bootloader, Rye connected the FTDI adapter and uploaded the blink sketch, jamming an LED into the PCB and watching the LED blink. Last, but certainly not least, Rye validated the ICP and FTDI functions and soldered in the rest of the components.

Interested in learning more about version two of Kevin’s Mini 7-Segment Clock? You can check out his detailed project blog post here and download the source files here.

ATmega256RFR2 powers low-cost Ethernet to wireless gateways: Part 1

Atmel’s low-cost gateway (LCGW) reference design – powered by the ATmega256RFR2 – is a turn-key production-ready solution that connects IEEE 802.15.4 wireless networks to wired Ethernet networks. This gateway allows IEEE 802.15.4 wireless devices to link with mobile devices such as smartphones and tablets running remote-control applications.


“The ATmega256RFR2 wireless system-on-a-chip (SoC) combines best-in-class radio performance with the efficient Atmel AVR 8-bit CPU,” an Atmel engineering rep told Bits & Pieces. “In short, the ATmega256RFR2 provides a responsive CPU and high-performance radio to address the demanding tasks of network coordinator and data concentrator.”

Meanwhile, the WIZnet W5200 embedded Ethernet controller features a 10BaseT/100BaseTX MAC and PHY, supporting numerous popular Ethernet protocols including TCP/IP, UDP and IPv4.

“Essentially, the wired Ethernet interface is a low-cost, reliable and secure connection that works with the end user’s existing routers, access-points, WLANs and ISPs,” the engineering rep continued. “Remember, wired Ethernet lowers cost and also avoids interference problems and regulatory issues inherent with co-located radio solutions.”


The engineering rep also noted that the reference design was formulated with low BOM cost as a primary objective. As such, the design is free of superfluous accessories and non-essential sub-systems, with a standard JTAG interface provided for programming and debug.

Atmel’s design includes optional EEPROM and Data-Flash memory sockets, while DC power is derived from a USB Micro-B Dedicated Charge Port (DCP) – allowing users to power the gateway with common phone chargers or from Wi-Fi Access Points via USB ports. As expected, both the USB and Ethernet connections have ESD/EMI suppression to improve reliability.

In terms of operation, connections to the LCGW are relatively simple. Connect the DCP to a USB power source using the Micro-B connector, and D3 will light to indicate that DC power is ready. Then, connect the RJ45 Ethernet port to a router with a CAT5 patch cable.

“Atmel’s ATmega256RFR2 can be programmed and debugged using the 10-pin JTAG header and Atmel JTAGICE programmers. SW2 is a hardware RESET for the CPU, while Ethernet MAC Reset is driven by software,” the engineering rep explained. “And J5 exposes the power rails for testing. There are several user defined features: UART0, Port F GPIO, SW1 and D1 are uncommitted and available to the application developer.”


On the CPU side, Atmel’s ATmega256RFR2 is a low-power CMOS 8-bit microcontroller based on the AVR enhanced RISC architecture, combined with a high data rate transceiver for the 2.4GHz ISM band. By executing powerful instructions in a single clock cycle, the device achieves throughputs approaching 1 MIPS per MHz, allowing system designers to optimize power consumption versus processing speed. Meanwhile, the radio transceiver provides high data rates from 250kb/s up to 2Mb/s, frame handling, outstanding receiver sensitivity and high transmit output power, enabling very robust wireless communication.

Interested in learning more about Atmel’s low-cost gateway reference design? Be sure to check back tomorrow for part two of our in-depth look at the ATmega256RFR2-powered LCGW.