Avoiding CSRF attack on old routers

“Modem hack used to infect millions with banking fraud malware.” – Ars Technica, 2012

My old Netgear has at least one security hole. There’s no fix for it, possibly because it’s so old.

Like the attack reported in Ars Technica, the security hole involves CSRF. In simple terms, asking the local administrator to click on a web link, perhaps in an email.[*] Can you prevent an old router being hijacked by CSRF?

Option 1: Visit your router web interface and make sure you’re logged out. In future, only access it using a “private browsing” window, and close the window afterwards. This will prevent a CSRF attack from webpages in other browser windows.

Option 2: use Firefox with NoScript. If you don’t already use NoScript, you can start off by setting “allow scripts globally”.

You can demonstrate these protections using the ROUTERPWN webapp. Click Netgear and scroll down to “DG834G enable telnet root shell”. NoScript will pop up and block it. Or if you follow the private browsing option, you can test ROUTERPWN in a different window. It should ask you for your password, which shows that ROUTERPWN has failed.


Netgear DG834Gv5.
Security issue affecting DG384 series routers.
CSRF explained by Wikipedia.

[*] Disclaimer

The security issue on my router also requires local network access to exploit. At first the combination sounds awkward to exploit automatically – send the admin a link and telnet from the LAN. However once you’re on the LAN it’s easy to force the admin to visit a link using a HTTP man-in-the-middle. The combination makes this difficult to automate. It would be hard even if you were unlucky enough to be specifically targeted.

I expect there are more issues in my router that I don’t know about. They might involve CSRF on its own. Or they could be even easier to exploit. Newer Netgear routers had issues which simply bypassed the router password. That’s not CSRF, and my CSRF prevention measures won’t help. There’s only one way to fix a password bypass: upgrade the router firmware to a secure version.

Don’t have nightmares, do sleep well.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s