Outdated Firmware Led to 4.5M Hacked DSL Modems

On Monday Kaspersky researcher Fabio Assolini reported that hackers exploited a firmware vulnerability in DSL modems used in Brazil to launch a "sustained and silent mass attack" on the country's web surfers. This attack on Brazil originally began back in March 2011.

According to the report, the attack consisted of two malicious scripts, forty malicious DNS servers, and one outdated Broadcom chipset driver used in 4.5 million DSL modems offered by six manufacturers. The flaw allowed a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the DSL modem, capturing the password set on the device and allowing the attacker to make changes.

"The attack was quite simple," Assolini reports. "Criminals swept the internet in search of exposed modems on the network. Even if you have a strong password configured on the device, the flaw allows an attacker to access the control panel, capture the password, log into the device and make changes."

Assolini said the attackers used two bash scripts that were executed in a dedicated server purchased exclusively for this purpose. A range of IPs was set to be scanned and tested by the script, and whenever a modem was found, an attempt to exploit the flaw was performed.

Once the modem was accessed, the hackers launched another script called "roda.sh" that would access the modem's administration panel and change the configuration of its DNS settings. The password would be changed as well to prevent the owner from making changes to the modem later on.
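Because the change described above lands in the modem's DNS settings, one place it becomes visible is the resolver list a client receives from the modem. The following is an added example, not code from the article or from Kaspersky's report: it audits resolv.conf-style text against resolver ranges the ISP is assumed to publish. The sample file, the `EXPECTED_NETWORKS` values (documentation address ranges) and the function name are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolver list a client might receive via DHCP from its modem.
# Addresses come from documentation ranges, not real servers.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP client
nameserver 198.51.100.53
nameserver 203.0.113.7   # outside the ISP ranges in this sample
nameserver 192.168.1.1
nameserver fe80::1%eth0
nameserver not-an-ip
search lan
"""

# Assumption: resolver ranges the ISP publishes for its customers.
EXPECTED_NETWORKS = ["198.51.100.0/24", "2001:db8:53::/48"]

# Addresses that mean "the modem (or this host) is forwarding DNS itself".
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def audit_resolvers(resolv_conf_text, expected_networks):
    """Label each nameserver: expected, local-forwarder, unexpected or malformed."""
    allowed = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        text = fields[1].split("%", 1)[0]          # strip IPv6 zone id (fe80::1%eth0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            findings.append((fields[1], "malformed"))
            continue
        same_version = lambda nets: [n for n in nets if n.version == addr.version]
        if any(addr in n for n in same_version(allowed)):
            status = "expected"
        elif any(addr in n for n in same_version(LOCAL_NETWORKS)):
            # The modem answers DNS itself; its upstream servers must be read on the device.
            status = "local-forwarder"
        else:
            status = "unexpected"
        findings.append((fields[1], status))
    return findings
```

A `local-forwarder` result is not a clean bill of health: the client only sees the modem's LAN address, so the upstream DNS servers still have to be checked in the modem's own administration panel.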

"The [exploit] situation is further complicated by the fact that even without the vulnerability, many modems are shipped with default passwords that are publicly known and users often fail to change these defaults," he writes. "Other modems are set up when local ISPs enable remote access accounts, mostly used for tech support, and these credentials are known by criminals."

What's more, some manufacturers neglected to act even after they were told about the issues, he says. Users remained exposed to attacks because companies were slow to release the firmware upgrades needed to solve the problem. "The negligence of the manufacturers, the neglect of the ISPs and ignorance of official government agencies create a perfect storm, enabling cybercriminals to attack at will," he adds.

By March 2012, CERT Brazil announced that the attacks had compromised about 4.5 million modems in Brazil alone. This finally prompted banks, internet providers, hardware manufacturers and government agencies to meet to discuss a solution to the problem. Customers by then were flooding tech support call centers, demanding a solution. Eventually several manufacturers released firmware updates to correct the problem.

To read the full story, head here.


  • knightmike
    What did they do after they changed the password?
  • knightmike
    I don't see an edit button. Otherwise I would delete my previous post. The answer to my question was in the first paragraph of the full article. They changed the DNS servers to direct users to malicious sites.
  • cats_Paw
    Would be nice to know the model of the Modem so we could try to solve the problem if we get it...
  • Onihikage
    This is why you never go with the modem your ISP gives you. (it's always a piece of junk anyway)
  • kawininjazx
    All you had to do was hold the reset button with a pin and then possibly put your DSL login information back, then it's back online.
  • freggo
    knightmike: "I don't see an edit button. Otherwise I would delete my previous post. The answer to my question was in the first paragraph of the full article. They changed the DNS servers to direct users to malicious sites."
    Under the RED "add your comment" button is a link to "Read the comments on the forums"

    click it, find your message down at the end and there is an edit button there; apparently only until someone leaves a reply or vote on your original comment.
  • pacioli
    I'm sorry, I got to the part where the researcher's name was Fabio As$olini and I couldn't keep reading the article because I fell out of my chair laughing...
  • A Bad Day
    My cable modem's firmware dates back to like 2005...
  • Donsai
    pacioli: "I'm sorry, I got to the part where the researcher's name was Fabio As$olini and I couldn't keep reading the article because I fell out of my chair laughing..."
    This.
  • merikafyeah
    Onihikage: "This is why you never go with the modem your ISP gives you. (it's always a piece of junk anyway)"
    People who receive digital home phone service and internet through their ISP modem cannot change their modems like people who receive only internet through their modem, and even then the market for decent third-party modems is slim. In fact, the only modem that comes to mind is the Motorola Surfboard. Do you know of any others?

    Besides, the modem Comcast provided is more than enough for my connection tier (24mbit/s burst / 16mbit/s sustained). You only need a better modem when your connection tier exceeds 50mbit/s and that is not cheap in the US due to the cost of laying cable over our LARGE LAND AREA (hear that tiny, tiny countries of the world with cheap high-speed internet), and of course the ridiculous ISP monopolies that plague almost all residential areas may also have something to do with the jacked service fees, but that's another battle.

    I'm still one of the lucky ones to even have decent internet and even more so to be one of the few to not have any real bad experiences with Comcast (shocking I know). My only wish is that someday my upload speed will match my download speed. Seriously, sending large files takes forever, but at least the connection is extremely stable. Never had a dropout or excessive latencies before *knock on wood*.

    To all the Canadians and Australians of the internet, my deepest condolences.