“Modem hack used to infect millions with banking fraud malware.” – Ars Technica, 2012
My old Netgear has at least one security hole. There’s no fix for it, possibly because it’s so old.
Like the attack reported in Ars Technica, the security hole involves CSRF. In simple terms, that means getting the local administrator to click on a web link, perhaps in an email.[*] Can you prevent an old router being hijacked by CSRF?
Option 1: Visit your router web interface and make sure you’re logged out. In future, only access it using a “private browsing” window, and close the window afterwards. This will prevent a CSRF attack from webpages in other browser windows.
Option 2: Use Firefox with NoScript. If you don’t already use NoScript, you can start off by setting “allow scripts globally”.
You can demonstrate these protections using the ROUTERPWN webapp. Click Netgear and scroll down to “DG834G enable telnet root shell”. NoScript will pop up and block it. Or if you follow the private browsing option, you can test ROUTERPWN in a different window. It should ask you for your password, which shows that ROUTERPWN has failed.
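Why Option 1 works, as an added example that is not part of the original post or any Netgear code: a local stand-in for the router's web interface and two modelled browser profiles, showing that a request triggered by another page only succeeds when the profile already holds the admin login. It assumes the router uses HTTP Basic authentication; the `/apply?setting=on` path and the credentials are constructed for the demo.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN = ("admin", "constructed-password")  # constructed sample credentials

class RouterAdmin(BaseHTTPRequestHandler):
    """Stand-in for a router web interface (hypothetical, not Netgear code)."""
    def do_GET(self):
        expected = "Basic " + base64.b64encode(":".join(ADMIN).encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)  # settings change accepted
        else:
            self.send_response(401)  # a browser would show the password prompt
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def browser_profile(router_url, logged_in):
    """A logged-in normal window caches credentials; a fresh private window has none."""
    manager = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    if logged_in:
        manager.add_password(None, router_url, *ADMIN)
    auth = urllib.request.HTTPBasicAuthHandler(manager)
    return urllib.request.build_opener(urllib.request.ProxyHandler({}), auth)  # no proxy

def cross_site_request(profile, router_url):
    """Status returned when another page makes this profile fetch a settings URL."""
    try:
        return profile.open(router_url + "/apply?setting=on", timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    """Return (status for logged-in window, status for fresh private window)."""
    server = HTTPServer(("127.0.0.1", 0), RouterAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d" % server.server_port
    try:
        return (cross_site_request(browser_profile(url, True), url),
                cross_site_request(browser_profile(url, False), url))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("logged-in window: %d, private window: %d" % run_demo())
```

The 401 in the second case corresponds to the password prompt described above: the request reached the router but carried no stored login.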
The security issue on my router also requires local network access to exploit. At first the combination sounds awkward to exploit automatically – send the admin a link and telnet from the LAN. However, once you’re on the LAN it’s easy to force the admin to visit a link using an HTTP man-in-the-middle. The combination makes this difficult to automate. It would be hard even if you were unlucky enough to be specifically targeted.
I expect there are more issues in my router that I don’t know about. They might involve CSRF on its own. Or they could be even easier to exploit. Newer Netgear routers had issues which simply bypassed the router password. That’s not CSRF, and my CSRF prevention measures won’t help. There’s only one way to fix a password bypass: upgrade the router firmware to a secure version.
Don’t have nightmares, do sleep well.