Outdated Firmware Led to 4.5M Hacked DSL Modems

Source: Kaspersky Lab | 11 comments

Kaspersky Lab tells the grim story of outdated DSL modem firmware which opened the door to the big bad hackers throughout Brazil.

On Monday Kaspersky researcher Fabio Assolini reported that hackers exploited a firmware vulnerability in DSL modems used in Brazil to launch a "sustained and silent mass attack" on the country's web surfers. This attack on Brazil originally began back in March 2011.

According to the report, the attack consisted of two malicious scripts, forty malicious DNS servers, and one outdated Broadcom chipset driver used in 4.5 million DSL modems offered by six manufacturers. The flaw allowed a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the DSL modem, capturing the password set on the device and allowing the attacker to make changes.

"The attack was quite simple," Assolini reports. "Criminals swept the internet in search of exposed modems on the network. Even if you have a strong password configured on the device, the flaw allows an attacker to access the control panel, capture the password, log into the device and make changes."

Assolini said the attackers used two bash scripts that were executed in a dedicated server purchased exclusively for this purpose. A range of IPs was set to be scanned and tested by the script, and whenever a modem was found, an attempt to exploit the flaw was performed.

Once the modem was accessed, the hackers launched another script called "roda.sh" that would access the modem's administration panel and change the configuration of its DNS settings. The password would be changed as well to prevent the owner from making changes to the modem later on.
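A defender-side check for the outcome described above (a modem whose DNS settings have been silently rewritten), added here as an illustration and not code from Kaspersky's report. The status-page layout, the ISP's resolver ranges, the canary names and the answer tables are all constructed assumptions; it flags resolvers outside the expected ranges and cross-checks what the modem's resolver returns for high-value names against a trusted resolver.

```python
import ipaddress
import re

# Assumption (not from the article): the ISP's legitimate resolvers live in these ranges.
EXPECTED_RESOLVER_NETS = [ipaddress.ip_network("203.0.113.0/24"),   # ISP resolver pool (constructed)
                          ipaddress.ip_network("192.168.1.0/24")]   # modem acting as local forwarder
# Matches "Primary DNS ... 1.2.3.4" rows on a typical modem status page (assumed layout).
DNS_ROW_RE = re.compile(r"(?:Primary|Secondary)\s+DNS[^0-9]*(\d{1,3}(?:\.\d{1,3}){3})")

def extract_dns_servers(status_html):
    # Pull the configured resolver addresses out of the modem's status page.
    return DNS_ROW_RE.findall(status_html)

def unexpected_resolvers(servers, expected_nets=EXPECTED_RESOLVER_NETS):
    # Return the resolvers that fall outside the ranges the ISP is known to use.
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # an unparsable entry is suspicious by itself
            continue
        if not any(addr in net for net in expected_nets):
            flagged.append(server)
    return flagged

def canary_mismatches(canaries, resolve_via_modem, resolve_via_trusted):
    # Compare answers for high-value names between the modem's resolver and a trusted one.
    mismatches = {}
    for name in canaries:
        got, want = set(resolve_via_modem(name)), set(resolve_via_trusted(name))
        if got != want:
            mismatches[name] = (sorted(got), sorted(want))
    return mismatches

def assess_modem(status_html, canaries, resolve_via_modem, resolve_via_trusted):
    servers = extract_dns_servers(status_html)
    unexpected = unexpected_resolvers(servers)
    mismatches = canary_mismatches(canaries, resolve_via_modem, resolve_via_trusted)
    return {"servers": servers, "unexpected": unexpected,
            "mismatches": mismatches, "hijacked": bool(unexpected or mismatches)}
# Constructed sample: a modem whose primary DNS was rewritten to a rogue resolver.
SAMPLE_STATUS = """<tr><td>Primary DNS</td><td>198.51.100.7</td></tr>
<tr><td>Secondary DNS</td><td>203.0.113.53</td></tr>"""
# Constructed answer tables standing in for live lookups against each resolver.
ROGUE_ANSWERS = {"bank.example": ["198.51.100.80"], "news.example": ["192.0.2.10"]}
TRUSTED_ANSWERS = {"bank.example": ["192.0.2.5"], "news.example": ["192.0.2.10"]}
def sample_report():
    return assess_modem(SAMPLE_STATUS, ["bank.example", "news.example"],
                        lambda n: ROGUE_ANSWERS[n], lambda n: TRUSTED_ANSWERS[n])
```

In practice the two resolver callables would wrap real lookups against the modem's configured server and an independent resolver; a report with `hijacked` set is the cue to reset the device and reflash current firmware.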

"The [exploit] situation is further complicated by the fact that even without the vulnerability, many modems are shipped with default passwords that are publicly known and users often fail to change these defaults," he writes. "Other modems are set up when local ISPs enable remote access accounts, mostly used for tech support, and these credentials are known by criminals."

Even more, some manufacturers neglected to act even after they were told about the issues, he says. That means users were exposed to attacks, as companies were slow to release the necessary firmware upgrades to solve the problem. "The negligence of the manufacturers, the neglect of the ISPs and ignorance of official government agencies create a perfect storm, enabling cybercriminals to attack at will," he adds.

By March 2012, CERT Brazil announced that the attacks had compromised about 4.5 million modems in Brazil alone. This finally prompted banks, internet providers, hardware manufacturers and government agencies to meet to discuss a solution to the problem. Customers by then were flooding tech support call centers, demanding a solution. Eventually several manufacturers released firmware updates to correct the problem.

To read the full story, head here.

Discuss
  • 0
    knightmike , October 3, 2012 12:04 PM
    What did they do after they changed the password?
  • 2
    knightmike , October 3, 2012 12:10 PM
    I don't see an edit button. Otherwise I would delete my previous post. The answer to my question was in the first paragraph of the full article. They changed the DNS servers to direct users to malicious sites.
  • 5
    cats_Paw , October 3, 2012 12:15 PM
    Would be nice to know the model of the Modem so we could try to solve the problem if we get it...
  • 7
    Onihikage , October 3, 2012 12:24 PM
    This is why you never go with the modem your ISP gives you. (it's always a piece of junk anyway)
  • 3
    kawininjazx , October 3, 2012 1:00 PM
    All you had to do was hold the reset button with a pin and then possibly put your DSL login information back, then it's back online.
  • 3
    freggo , October 3, 2012 1:40 PM
    knightmike: I don't see an edit button. Otherwise I would delete my previous post. The answer to my question was in the first paragraph of the full article. They changed the DNS servers to direct users to malicious sites.


    Under the RED "add your comment" button is a link to "Read the comments on the forums"

    click it, find your message down at the end and there is an edit button there; apparently only until someone leaves a reply or vote on your original comment.
  • 2
    pacioli , October 3, 2012 3:07 PM
    I'm sorry, I got to the part where the researcher's name was Fabio As$olini and I couldn't keep reading the article because I fell out of my chair laughing...
  • 0
    A Bad Day , October 3, 2012 10:14 PM
    My cable modem's firmware dates back to like 2005...
  • -1
    Donsai , October 4, 2012 12:07 AM
    pacioli: I'm sorry, I got to the part where the researcher's name was Fabio As$olini and I couldn't keep reading the article because I fell out of my chair laughing...

    This.
  • 0
    merikafyeah , October 4, 2012 2:17 AM
    Onihikage: This is why you never go with the modem your ISP gives you. (it's always a piece of junk anyway)

    People who receive digital home phone service and internet through their ISP modem cannot change their modems like people who receive only internet through their modem, and even then the market for decent third-party modems is slim. In fact, the only modem that comes to mind is the Motorola Surfboard. Do you know of any others?

    Besides, the modem Comcast provided is more than enough for my connection tier (24mbit/s burst / 16mbit/s sustained). You only need a better modem when your connection tier exceeds 50mbit/s and that is not cheap in the US due to the cost of laying cable over our LARGE LAND AREA (hear that tiny, tiny countries of the world with cheap high-speed internet), and of course the ridiculous ISP monopolies that plague almost all residential areas may also have something to do with the jacked service fees, but that's another battle.

    I'm still one of the lucky ones to even have decent internet and even more so to be one of the few to not have any real bad experiences with Comcast (shocking I know). My only wish is that someday my upload speed will match my download speed. Seriously, sending large files takes forever, but at least the connection is extremely stable. Never had a dropout or excessive latencies before *knock on wood*.

    To all the Canadians and Australians of the internet, my deepest condolences.
  • 0
    Donsai , October 4, 2012 2:34 AM
    merikafyeah: To all the Canadians and Australians of the internet, my deepest condolences.

    Australia's not so bad for broadband. They have a national plan to get FTTP to 93% of the population by 2021.