
Flaw exposes over 700,000 routers to remote hacking


More than 700,000 ADSL routers provided to subscribers by ISPs around the world are vulnerable to remote hacking due to a flaw called “directory traversal.”


More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Security researcher Kyle Lovett first detected the vulnerability a few months ago while analyzing some ADSL routers in his spare time. Upon delving a bit deeper, he discovered hundreds of thousands of susceptible devices from different manufacturers that had been distributed by ISPs to subscribers in nearly a dozen countries.


Most of the routers were found to have a “directory traversal” flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data. It should be noted that the flaw isn’t entirely new; in fact, it was initially reported by multiple researchers dating back to 2011 in various router models that have been distributed in countries such as Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. Some of these routers are also sold off the shelf in the United States.

The researcher unearthed a commonality among all of these routers: the vast majority were using firmware from China-based Shenzhen Gongjin Electronics, which also does business under the trademark T&W. This company manufactures networking equipment for router vendors such as D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear.

The directory traversal vulnerability can be used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings. The file also contains the password hashes for the administrator and other accounts on the device, the username and password for the user’s ISP connection (PPPoE), the client and server credentials for the TR-069 remote management protocol used by some ISPs, as well as the password for the configured wireless network, if the device has Wi-Fi capabilities.
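To show what a fix for this class of flaw looks like on the firmware side, here is an added example (not code from the affected firmware or from the PC World article) of a page-name check a CGI handler could run before opening any file. The function names, the 256-byte limit and the web root path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes once, in place. Returns -1 on a malformed escape or %00. */
static int pct_decode(char *s)
{
    char *o = s;
    for (; *s; s++) {
        if (*s != '%') { *o++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        long c = strtol(hex, NULL, 16);
        if (c == 0) return -1;
        *o++ = (char)c;
        s += 2;
    }
    *o = '\0';
    return 0;
}

/* Hypothetical helper: writes "<root>/<page>" to out only when page is a plain
 * relative path below root. Returns 0 on success, -1 when rejected. */
int resolve_page(const char *root, const char *page, char *out, size_t outlen)
{
    char buf[256];
    if (strlen(page) == 0 || strlen(page) >= sizeof buf) return -1;
    strcpy(buf, page);
    if (pct_decode(buf) != 0) return -1;
    /* Absolute paths, backslashes and a second layer of encoding are refused. */
    if (buf[0] == '/' || strchr(buf, '\\') || strchr(buf, '%')) return -1;
    for (const char *seg = buf; *seg; ) {
        size_t n = strcspn(seg, "/");
        /* Empty, "." and ".." segments never appear in a legitimate page name. */
        if (n == 0 || (n <= 2 && strspn(seg, ".") >= n)) return -1;
        seg += n;
        if (*seg == '/') seg++;
    }
    /* Lexical check only: a real handler would also realpath() the result
     * and compare it with root if the filesystem can contain symlinks. */
    int w = snprintf(out, outlen, "%s/%s", root, buf);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}
```

The check rejects instead of normalizing, so a request that tries to climb out of the web root fails before any file is opened, and the handler should return an error rather than fall back to a default file.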


According to Lovett, the hashing algorithm used by the routers is weak, so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router’s DNS settings. By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers, known as router pharming, have become common over the past two years.

Lovett admits that 700,000 is a conservative estimate. There are likely many more devices that possess the same flaws, yet are not configured for remote management. Instead, those can be attacked from within local networks through malware or cross-site request forgery (CSRF).

Want to learn more? You can read the entire article from PC World here. It is becoming increasingly clear that embedded system insecurity affects everyone and every company, so how can you ensure that your device is indeed protected?

Engadget and TechCrunch talk LittleBits Arduino



Yesterday, LittleBits debuted a programmable ATmega32u4-powered Arduino at Heart Module – allowing Makers to easily incorporate sketches into their littleBits circuits. The stand-alone Arduino module can be snapped up for $36, although LittleBits is currently offering an $89 starter bundle that includes a total of 8 prototyping modules.

The LittleBits Arduino module launch has been covered by a number of prominent publications, including TechCrunch, Engadget, Ars Technica, PC World, LifeHacker, TheNextWeb and Geeky Gadgets.

Jon Fingas, Engadget 



“Getting your feet wet with programmable hardware can be tricky; even if you’re comfortable with coding, you may not want to break out the soldering iron just to build a usable device. LittleBits is aware of just how intimidating these make-it-yourself gadgets can be, so it has just launched its first software-programmable module, the Arduino at Heart.

“As the name implies, it’s an Arduino core (the same as the Leonardo) designed to fit into LittleBits’ simple, building block approach to circuit boards. If you want to attach a light, motor or sensor to the Arduino board, you just snap it on — you can spend more of your time coding rather than dealing with wiring and other hardware hassles.”

Greg Kumparak, TechCrunch 



“There’s a reason why one of Google’s top suggestions for ‘littleBits’ is ‘littleBits Arduino.’ The littleBits idea is great — but once a particularly enthusiastic user hit the limits of what their kit could do, the next step (learning to use a standalone Arduino board, which meant also learning proper circuitry, soldering, etc.) was suddenly a pretty big one.

“[That is why] littleBits is introducing an Arduino module into the mix. It’ll snap right into place — no soldering required — just like the other littleBits modules, with one big difference: it’s programmable. You get the programmability of an Arduino, without having to learn the myriad other prerequisite skills. You jack into it via the onboard microUSB port, upload your programming via the standard Arduino IDE, and all of your littleBits modules fall in line.”


Agam Shah, PCWorld  

“Modules for sound and light can be plugged or swapped out in Arduino at Heart for interactive digital art. The board can also be used for input when playing Pong or to show numbers on a simple LED display. Beyond basic electronics, Arduino at Heart can also be used to prototype robots. The servo motor can help build a moving robot and LittleBits is making a robot with an animatronic hand that can play the rock, paper, scissors game.

“Another goal of the kit is to teach hardware basics, including the operation of ports, polarity of LEDs, input-output and other concepts, which are important when writing software to control electronics. The Arduino at Heart board is based on an ATMega328 microcontroller.”

Sean Gallagher, Ars Technica

“The new LittleBits Arduino At Heart module, available on its own or as part of an Arduino Starter Bundle, is a simplified version of the Arduino Leonardo… Using the same ATmega32u4 microcontroller processor as the Leonardo, it pares down the number of inputs and outputs in exchange for the snap-together connections.

“Once you’ve outgrown the snap-on inputs and outputs and want to connect non-LittleBits sensors or outputs, the Arduino At Heart board also has additional breakout ‘pins’ on the board itself. The board also includes a USB connector for programming and connection to a PC as a Human Interface Device (HID) keyboard or mouse.”

Roberto Baldwin, TheNextWeb

“The Arduino has become the darling of the electronics platforming world, with its easy to use software and hardware. The littleBits magnetically connected electronics modules have made a splash of their own in the world of electronic tinkerers. So it was just a matter of time before these two came together.


“[Yesterday], littleBits introduced the Arduino at Heart module. The new programmable module connects to the entire line of littleBits magnetic modules that include lights, speakers, motors, switches, sensors and more. Like the standalone Arduino, hardware and software developers can write tiny programs for the device with the Arduino programming language. The programs are then loaded onto the module via a USB connection.”

Interested in learning more? You can find additional information about the new LittleBits module here.