What's new

Ars: Internet routers running Tomato are under attack by notorious crime gang

D

Dan Goodin

Guest
ArsTechnica_logo-18.png
Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday.

The Muhstik botnet came to light about two years ago when it started unleashed a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including the Webdav, WebLogic, Webuzo, and WordPress.

Continue reading on ArsTechnica
 
Last edited by a moderator:

Makaveli

Very Senior Member
If one is smart enough to load a 3rd party firmware, you should also know to change the default passwords.
 

RMerlin

Asuswrt-Merlin dev
There's a fair amount of Tomato DNA/code in AsusWRT...
The httpd authentication code has been completely rewritten by Asus over the years. Plus, Asus forces you to choose a password at setup time, while Tomato expect you to be aware that you should manually change it after installing it.
 

sfx2000

Part of the Furniture
The httpd authentication code has been completely rewritten by Asus over the years. Plus, Asus forces you to choose a password at setup time, while Tomato expect you to be aware that you should manually change it after installing it.
True.... but I seem to recall where I blew apart an AsusWRT travel router based on an old Tomato link - and that hole is still open.
 

Razor512

Senior Member
If one is smart enough to load a 3rd party firmware, you should also know to change the default passwords.
But that is too difficult, it requires pushing keys on the keyboard (potentially multiple times).
It can be as high as 55 centinewtons of force for each key press, and given the length of a secure password, the user could end up having to press those keys multiple times.
Also keep in mind that many key switches require as much as 2mm of key travel before a press is registered

With such an arduous task, it is simply too large of an undertaking compared to installing the 3rd party firmware.
 
Last edited:

ajh

Occasional Visitor
True.... but I seem to recall where I blew apart an AsusWRT travel router based on an old Tomato link - and that hole is still open.
I was curious so I went back to check your posts. I believe that the thread where you discuss using an open guest network to blow up an Asus WL-330NUL travel router dongle is here. Beyond your posts, the entire thread, including @RMerlin's comments, is worth a quick read.
 

RMerlin

Asuswrt-Merlin dev
That Adm page was locked down YEARS ago by Asus... And it has nothing to do with Tomato either.
 

dosborne

Very Senior Member
searches for devices using default credentials
Anyone who uses the default passwords should be banned from the internet for life :)

Seriously, manufacturers should not be permitted to even have default passwords. This sort of thing should be a forced config at setup. Unfortunately it doesn't stop people from using "1234567". Oh crap, I just revealed MY password..... :)
 

royarcher

Very Senior Member
Anyone who uses the default passwords should be banned from the internet for life :)

Seriously, manufacturers should not be permitted to even have default passwords. This sort of thing should be a forced config at setup. Unfortunately it doesn't stop people from using "1234567". Oh crap, I just revealed MY password..... :)
Good stuff now I can hack your router amm a little help does anyone know how to hack a router?
 

RMerlin

Asuswrt-Merlin dev
Seriously, manufacturers should not be permitted to even have default passwords.
Thing is, Tomato isn't a manufacturer tho...

They lack a configuration wizard on first setup, so the only thing they could do is show a modal requester when logging in with a default password to strongly encourage you into changing it.

Unfortunately it doesn't stop people from using "1234567"
That can be done. Asuswrt for instance checks and will complain about what it calls "trivial passwords".
 

System Error Message

Part of the Furniture
ars is a terrible news site. Basically so much fear mongering and hype. Everyday EVERY DEVICE is being scanned for default credentials, not just 1 particular type. Using default credentials is something that happens to EVERY DEVICE, there is no DEVICE SPECIFIC VULNERABILITY/EXPLOIT mentioned in the article or being used that is tomato specific.

Its basically fear mongering because tomato firmware is considered better than ye default consumer router firmware so making people believe that better firmware is defeated making people feel worse.
 

sfx2000

Part of the Furniture
I was curious so I went back to check your posts. I believe that the thread where you discuss using an open guest network to blow up an Asus WL-330NUL travel router dongle is here. Beyond your posts, the entire thread, including @RMerlin's comments, is worth a quick read.
There's a hella amount of binary blob's in every router code base - some of it from chipset vendor SDK's, some from the OEM's, and then the GPL drops.

Folks fix things where they can.

And once in a while, things get missed.
 

randomName

Very Senior Member
Are cable modems vulnerable to this kind of attack if default credentials are used?
 

ColinTaylor

Part of the Furniture
I've personally not come across a cable modem that was accessible at all from the public internet.

If you mean a wireless router with a built-in cable modem then I guess it's no different than any other wireless router with regards to enabling WAN access with default passwords.
 

L&LD

Part of the Furniture
I've personally not come across a cable modem that wasn't accessible from the public internet (at least by the ISP). :)

That is why we need our own routers instead of just being a node on the ISP's network. :)
 

ColinTaylor

Part of the Furniture
I've personally not come across a cable modem that wasn't accessible from the public internet (at least by the ISP). :)
Really? In my experience ISP's don't connect to their customers cable modems from the public internet. There would be no point when they can connect to them over their internal network.
 

L&LD

Part of the Furniture
If it's external to my network, it is the public one, by default. :)

They operate the WWW/WAN, their 'internal' network is just semantics, I believe?
 

ColinTaylor

Part of the Furniture
No, the public internet is the public internet. That was why I made a point of saying "public".

A commercial company's internal network infrastructure is not "public", whether they're an ISP, a bank, or whatever. For example, I am connected to the internet but I cannot connect to a Comcast user's modem (which was the point of the question).
 

coxhaus

Part of the Furniture
I guess you guys forgot about the Cable Haunt Security vulnerability for cable modems reported on this site. I read here late as I was out of state. I added a ACL to block 192.168.100.1 to protect me.
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top