
Featured Ars: Internet routers running Tomato are under attack by notorious crime gang

Discussion in 'General Network Security' started by Dan Goodin, Jan 21, 2020.

  1. Dan Goodin (Guest)

    Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday.

    The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including Webdav, WebLogic, Webuzo, and WordPress.

    Continue reading on ArsTechnica
     
    Last edited by a moderator: Jan 21, 2020
  2. Makaveli (Very Senior Member)

    If one is smart enough to load a 3rd party firmware, you should also know to change the default passwords.
     
  3. sfx2000 (Part of the Furniture)

    There's a fair amount of Tomato DNA/code in AsusWRT...
     
  4. RMerlin (Super Moderator)

    The httpd authentication code has been completely rewritten by Asus over the years. Plus, Asus forces you to choose a password at setup time, while Tomato expects you to be aware that you should manually change it after installing it.
     
  5. sfx2000 (Part of the Furniture)

    True.... but I seem to recall where I blew apart an AsusWRT travel router based on an old Tomato link - and that hole is still open.
     
  6. Razor512 (Senior Member)

    But that is too difficult, it requires pushing keys on the keyboard (potentially multiple times).
    It can be as high as 55 centinewtons of force for each key press, and given the length of a secure password, the user could end up having to press those keys multiple times.
    Also keep in mind that many key switches require as much as 2mm of key travel before a press is registered.

    With such an arduous task, it is simply too large of an undertaking compared to installing the 3rd party firmware.
     
    Last edited: Jan 22, 2020
  7. ajh (Occasional Visitor)

    I was curious so I went back to check your posts. I believe that the thread where you discuss using an open guest network to blow up an Asus WL-330NUL travel router dongle is here. Beyond your posts, the entire thread, including @RMerlin's comments, is worth a quick read.
     
  8. RMerlin (Super Moderator)

    That Adm page was locked down YEARS ago by Asus... And it has nothing to do with Tomato either.
     
  9. dosborne (Senior Member)

    Anyone who uses the default passwords should be banned from the internet for life :)

    Seriously, manufacturers should not be permitted to even have default passwords. This sort of thing should be a forced config at setup. Unfortunately it doesn't stop people from using "1234567". Oh crap, I just revealed MY password..... :)
     
  10. royarcher (Senior Member)

    Good stuff, now I can hack your router. Amm, a little help: does anyone know how to hack a router?
     
  11. RMerlin (Super Moderator)

    Thing is, Tomato isn't a manufacturer tho...

    They lack a configuration wizard on first setup, so the only thing they could do is show a modal requester when logging in with a default password to strongly encourage you into changing it.

    That can be done. Asuswrt for instance checks and will complain about what it calls "trivial passwords".
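
The first-login gate described in the post above, sketched as an added Python example. This is not Tomato's or Asuswrt's code, and the password rules and the list of refused passwords are constructed assumptions for illustration, not either project's actual "trivial password" policy. The idea is the one RMerlin outlines: a login with the shipped default credential still succeeds, but the web UI is told to show a "change your password" requester instead of the normal page, and the new password is refused if it is just as weak.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed list of passwords a first-login gate should refuse to keep.
# Illustrative only; not Tomato's or Asuswrt's actual list.
TRIVIAL_PASSWORDS = {
    "admin", "password", "root", "default",
    "1234", "12345", "123456", "1234567", "12345678",
}


def is_trivial(username: str, password: str) -> Optional[str]:
    """Return a reason string if the password should be refused, else None.

    The rules are an assumed example policy, ordered so that the most
    specific complaint is reported first.
    """
    if password.lower() in TRIVIAL_PASSWORDS:
        return "common default password"
    if password.lower() == username.lower():
        return "password equals username"
    if len(password) < 8:
        return "shorter than 8 characters"
    if len(set(password)) < 4:
        return "too few distinct characters"
    return None


class RouterAuth:
    """Minimal stand-in for a router httpd's admin account (hypothetical)."""

    def __init__(self, username: str, password: str, *, password_is_default: bool = False):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        # A factory-default credential, or a weak one set by the user,
        # is usable exactly once: to reach the change-password requester.
        self.must_change = password_is_default or is_trivial(username, password) is not None

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username: str, password: str) -> str:
        """Return "denied", "ok", or "must_change_password" (show the modal)."""
        if username != self.username:
            return "denied"
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return "denied"
        if self.must_change:
            return "must_change_password"
        return "ok"

    def change_password(self, old: str, new: str) -> Tuple[bool, str]:
        """Replace the password; refuse anything the policy calls trivial."""
        if not hmac.compare_digest(self._hash(old, self.salt), self.pw_hash):
            return False, "current password incorrect"
        reason = is_trivial(self.username, new)
        if reason is not None:
            return False, "new password refused: " + reason
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(new, self.salt)
        self.must_change = False
        return True, "password changed"


def main() -> None:
    # Constructed scenario: the firmware shipped with a default admin credential.
    auth = RouterAuth("admin", "admin", password_is_default=True)
    print(auth.login("admin", "admin"))                 # must_change_password
    print(auth.change_password("admin", "1234567"))     # refused, common default
    print(auth.change_password("admin", "correct-horse-battery-9"))
    print(auth.login("admin", "admin"))                 # denied
    print(auth.login("admin", "correct-horse-battery-9"))  # ok


if __name__ == "__main__":
    main()
```

The scan the article describes only succeeds where the default credential still opens the full UI; with a gate like this, the default credential gets the attacker (or the owner) nothing but a password-change form, which is the "forced config at setup" effect that Asuswrt's setup wizard provides and that a firmware without a wizard can still approximate.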
     
  12. System Error Message (Part of the Furniture)

    ars is a terrible news site. Basically so much fear mongering and hype. Everyday EVERY DEVICE is being scanned for default credentials, not just 1 particular type. Using default credentials is something that happens to EVERY DEVICE, there is no DEVICE SPECIFIC VULNERABILITY/EXPLOIT mentioned in the article or being used that is tomato specific.

    It's basically fear mongering because tomato firmware is considered better than ye default consumer router firmware, so making people believe that better firmware is defeated makes people feel worse.
     
  13. sfx2000 (Part of the Furniture)

    There's a hella amount of binary blobs in every router code base - some of it from chipset vendor SDKs, some from the OEMs, and then the GPL drops.

    Folks fix things where they can.

    And once in a while, things get missed.