Outdated Firmware Led to 4.5M Hacked DSL Modems

On Monday Kaspersky researcher Fabio Assolini reported that hackers exploited a firmware vulnerability in DSL modems used in Brazil to launch a "sustained and silent mass attack" on the country's web surfers. This attack on Brazil originally began back in March 2011.

According to the report, the attack consisted of two malicious scripts, forty malicious DNS servers, and one outdated Broadcom chipset driver used in 4.5 million DSL modems offered by six manufacturers. The flaw allowed a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the DSL modem, capturing the password set on the device and allowing the attacker to make changes.

"The attack was quite simple," Assolini reports. "Criminals swept the internet in search of exposed modems on the network. Even if you have a strong password configured on the device, the flaw allows an attacker to access the control panel, capture the password, log into the device and make changes."

Assolini said the attackers used two bash scripts that were executed in a dedicated server purchased exclusively for this purpose. A range of IPs was set to be scanned and tested by the script, and whenever a modem was found, an attempt to exploit the flaw was performed.

Once the modem was accessed, the hackers launched another script called "roda.sh" that would access the modem's administration panel and change the configuration of its DNS settings. The password would be changed as well to prevent the owner from making changes to the modem later on.
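A defender-side check for the DNS tampering described above, added here as an example and not part of Kaspersky's report or the article: it sends the same A query over raw UDP to the gateway's resolver and to a resolver you trust, then flags answers that share no address. The gateway address, the trusted resolver address and the domain queried are assumptions the caller supplies.

```python
import random
import socket
import struct

def build_query(name, txid):
    """Minimal DNS A query (RD=1) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_a_records(resp):
    """Return the set of IPv4 addresses in the answer section of a DNS reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    def skip_name(off):  # plain labels or a 0xC0xx compression pointer
        while True:
            length = resp[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:
                return off + 2
            off += length + 1
    off = 12
    for _ in range(qdcount):
        off = skip_name(off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def resolve(name, server, timeout=2.0):
    """Ask `server` directly on UDP/53, bypassing the host's configured resolver."""
    query = build_query(name, random.getrandbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(reply)

def hijack_suspected(gateway_ips, trusted_ips):
    """True when the gateway resolver's answers share no address with the trusted one's.
    CDNs can legitimately differ, so treat a hit as a prompt to inspect the modem's DNS."""
    return gateway_ips.isdisjoint(trusted_ips)
```

Call `resolve(domain, gateway_ip)` and `resolve(domain, trusted_resolver_ip)` for a bank's domain and pass both sets to `hijack_suspected`; a modem whose DNS has been redirected will typically answer with addresses the trusted resolver never returns.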

"The [exploit] situation is further complicated by the fact that even without the vulnerability, many modems are shipped with default passwords that are publicly known and users often fail to change these defaults," he writes. "Other modems are set up when local ISPs enable remote access accounts, mostly used for tech support, and these credentials are known by criminals."

Even more, some manufacturers neglected to act even after they were told about the issues, he says. That means users were exposed to attacks, as companies were slow to release the necessary firmware upgrades to solve the problem. "The negligence of the manufacturers, the neglect of the ISPs and ignorance of official government agencies create a perfect storm, enabling cybercriminals to attack at will," he adds.

By March 2012, CERT Brazil announced that the attacks had compromised about 4.5 million modems in Brazil alone. This finally prompted banks, internet providers, hardware manufacturers and government agencies to meet to discuss a solution to the problem. Customers by then were flooding tech support call centers, demanding a solution. Eventually several manufacturers released firmware updates to correct the problem.

To read the full story, head here.

11 comments
  • knightmike
    What did they do after they changed the password?
    0
  • knightmike
    I don't see an edit button. Otherwise I would delete my previous post. The answer to my question was in the first paragraph of the full article. They changed the DNS servers to direct users to malicious sites.
    2
  • cats_Paw
    Would be nice to know the model of the Modem so we could try to solve the problem if we get it...
    5