
Internet Security Advisory - Unauthorized Router DNS Edits


RichCor


I have never seen a router that couldn't be changed back to default with some kind of manual switch or button on the box. That includes the most expensive Cisco I ever used.

I really don't know about these TOT units but someone might look to see if there isn't a reset on it someplace. Worth a look unless you know it isn't there.

Cheers.


I have never seen a router that couldn't be changed back to default with some kind of manual switch or button on the box. That includes the most expensive Cisco I ever used.

I really don't know about these TOT units but someone might look to see if there isn't a reset on it someplace. Worth a look unless you know it isn't there.

Cheers.

I did a factory reset on the router a few times but still am not able to log in as admin with the default factory credentials.

One 'method' would be to contact your ISP and tell them you've been locked out of your router administration and ask them for help.

I will call the ISP (TOT) today. I don't expect them to co-operate much or have a proper answer to my question. Like before when I had an issue, the most common answer was "Cable problem in Malaysia".

I have never seen a router that couldn't be changed back to default with some kind of manual switch or button on the box. That includes the most expensive Cisco I ever used.

I really don't know about these TOT units but someone might look to see if there isn't a reset on it someplace. Worth a look unless you know it isn't there.

Cheers.

I usually don't recommend this as the first go-to 'method' unless the person has all the relevant setup information and experience configuring routers. Doing a Full Reset may leave them in limbo.

If the unit has auto-configuration (requests config data from ISP provisioning server) it will just put the unknown passwords set by the ISP back in place.


If the unit has auto-configuration (requests config data from ISP provisioning server) it will just put the unknown passwords set by the ISP back in place.

I believe that's the issue with administrative router access now.

RichCor, you seem to be very professional with networks and possibilities. What is your opinion about these auto-config routers and practices? How about privacy and security?

I don't feel very good now as I don't know how my router is configured.

Can the ISP easily access my home network through their "specially configured" router?

Is this something to do with fresh new cyber act?


ISPs have multiple methods of configuring routers.

Firmware defaults, specifically written to ISP specifications (have the ISP LOGO and parameter data)
Telnet administration for writing quick setup data to non-volatile router memory
TR-069 autoconfig, connects and can send telemetry data to ISP Auto Configuration Server
Web Admin / Web Config access from LAN or WAN (remote)

Most people are interested in the features their router can provide them, not with the insecurity issues (features they provide to would-be hackers).

The systems in place to configure and secure routers are themselves insecure. Yet there are exploits on almost all consumer brand equipment.

"Can the ISP easily access my home network through their "specially configured" router? Is this something to do with fresh new cyber act?"

Sometimes I look at ISPs as people who want to liberate money from your pocket on an ongoing basis, looking for the minimum they have to invest and do in order to keep doing that and not have you stop them. If they have to actually provide a 'service' then they'll do it only if that's what it takes to get the money.

I don't believe it's the ISP you have to worry about.

ISPs are definitely not in the business of making money through fines, bribes, blackmail and shakedowns.

Though other people might be.

Hackers taking advantage of certain Router OS and PC OS exploits can 'own' your home gateway/routers, gaining access to ALL of the WAN/LAN traffic running over your network, potentially directly controlling your PC at will.

But why go through all that trouble when it's far easier to redirect all your outgoing requests via a rogue DNS that influences whose ads get delivered to your browser. Or, when possible, make your PC also a remote controlled bot doing the bidding of remote command and control servers. No actual work involved.

Yea, not having Admin access to your own router sucks.


A lot of the posts on this thread are above my technical ability.

I just have a couple of simple questions.

If I am in a hotel, guest house, restaurant or cafe, and they have one of these exposed routers, can any harm be done to my computer, given I have decent antivirus software?

Also, is there any information that the firmware upgrades or patches for these exposed routers have plugged the hole?

I was thinking of buying a new router, but if they have been on the shelf for a while, they will have this problem. How can you tell you are buying a new model router that is not exposed to this vulnerability?


I just have a couple of simple questions.

If I am in a hotel, guest house, restaurant or cafe, and they have one of these exposed routers, can any harm be done to my computer, given I have decent antivirus software?

Also, is there any information that the firmware upgrades or patches for these exposed routers have plugged the hole?

There are MANY issues to worry about when using a SHARED hotel, guest house, restaurant or cafe Internet connection.

When you connect to ANY Internet connection that isn't under your control, and you are worried about privacy and security (as you well should be), then you should always deploy a VPN connection to safeguard both your traversing data and the data connections.

The best practice when on a Public Internet Connection is to use a VPN that encrypts all of your outgoing and incoming sessions.

And use security software that prevents anyone from connecting to your machine while sharing the same LAN (so no shared folders, shared printers, etc.).

Some Security Suite Software will automatically lock down your system when using Public Internet Connections, while others may need you to enable the mode manually.

For home use, there are online tests you can run to try and detect the 'known' exploits that can affect home routers. But there are ALWAYS unknown exploits, some truly unknown (yet to be discovered) as well as those unknown to many people but kept private by a manufacturer or government agency or spy for hire.

The best defense is to buy a professional security router and run all your home/business connections through it.

A dedicated security router is less likely to have issues that plague low-cost home routers.

And run security suite software on any equipment that connects to the Internet.


I just have a couple of simple questions.

If I am in a hotel, guest house, restaurant or cafe, and they have one of these exposed routers, can any harm be done to my computer, given I have decent antivirus software?

Also, is there any information that the firmware upgrades or patches for these exposed routers have plugged the hole?

There are MANY issues to worry about when using a SHARED hotel, guest house, restaurant or cafe Internet connection.

When you connect to ANY Internet connection that isn't under your control, and you are worried about privacy and security (as you well should be), then you should always deploy a VPN connection to safeguard both your traversing data and the data connections.

The best practice when on a Public Internet Connection is to use a VPN that encrypts all of your outgoing and incoming sessions.

And use security software that prevents anyone from connecting to your machine while sharing the same LAN (so no shared folders, shared printers, etc.).

Some Security Suite Software will automatically lock down your system when using Public Internet Connections, while others may need you to enable the mode manually.

For home use, there are online tests you can run to try and detect the 'known' exploits that can affect home routers. But there are ALWAYS unknown exploits, some truly unknown (yet to be discovered) as well as those unknown to many people but kept private by a manufacturer or government agency or spy for hire.

The best defense is to buy a professional security router and run all your home/business connections through it.

A dedicated security router is less likely to have issues that plague low-cost home routers.

And run security suite software on any equipment that connects to the Internet.

This is a rather interesting and informative thread. What differentiates a "professional security router" from a basic "off-the-shelf" router that I could buy at Fortune Town (BKK)?

And, a big thank-you to Richcor for sharing his deep knowledge on these subjects!


I quite literally had fibre installed a couple of days ago and was asking the engineer about the router, so I could configure the Wifi.

He gave me the GUI username and password, so I went to change it and he told me I couldn't.

When I asked him why he said "Because ***** (the ISP) might need to come into your network to fix something"

So of course I changed it and told him that if they want to come into my network, they'd better have a bloody good reason because they'll be asking me for the password!


My ISP was able to take over my router admin and set a new admin password. Looks like they have done the same for all their clients. I asked them for the new admin access password but they didn't want to reveal it anymore.

Thanks to a member here, I got control of Web admin and telnet root.

So of course I changed it and told him that if they want to come into my network, they'd better have a bloody good reason because they'll be asking me for the password!


I've heard they still have a chance to gain control of your router, configure it and set a new admin password. Anyway, if you change the Web admin and telnet root passwords they probably make an exclusion for you and leave your router as it is.

I don't see how they can when I have the root password. But what is your router?

Also turn off SSH and Telnet.

If TOT is your ISP they still have a backdoor that you can't close. Changing the passwords for both telnet and web admin will help but not completely stop them from getting access if they want it. Turning off SSH and Telnet will not stop them. It could however cause problems for you as you have taken away at least one of your options to regain control.


I don't see how they can when I have the root password. But what is your router?

Also turn off SSH and Telnet.

If TOT is your ISP they still have a backdoor that you can't close. Changing the passwords for both telnet and web admin will help but not completely stop them from getting access if they want it. Turning off SSH and Telnet will not stop them. It could however cause problems for you as you have taken away at least one of your options to regain control.

What proof do you have in making this mis-statement? Or at least explain what you mean?

While an ISP can deny service to anyone not abiding by their terms of service agreement, I'm not sure where you get the idea that closing down all router services (when possible) will "not completely stop them from getting access if they want it."

ISPs can only remotely gain access and make changes to customer routers if they have the active login credentials, take advantage of a known firmware bypass feature (or a firmware exploit), or invoke features provided via TR-069 implementation.

Yes, killing services on some routers/gateways can lock you out from using that as a secondary entry point to regain normal access if your primary access was compromised and shut down. But hopefully a factory reset could set everything back (depending on the firmware feature).

You make statements about back doors, but if a replacement router was purchased outside of the ISP's distribution channel, are you saying the ISP would have access to that device as well? If so, I know a roomful of security people who would like to hear you speak.

If you're saying that most any Consumer-Grade router/gateway can be 'owned' because of hard-coded daemons left permanently 'on', and the easter-egg like zero-day exploits available on these low-cost pieces of junk then that's SO TRUE but also a different story entirely. The ISP isn't the one that normally instantly 'owns' these.


I have a 3BB optical fiber router (provided by 3BB).

I'm not very happy with it and after reading the stories here I'm planning to change the router to another fiber router with more options etc.

The only problem I have is that I'm not able to find third party optical routers which I can use instead of the 3BB supplied router.

Does anybody have any suggestions which ones are available in Thailand?


I don't see how they can when I have the root password. But what is your router?

Also turn off SSH and Telnet.

If TOT is your ISP they still have a backdoor that you can't close. Changing the passwords for both telnet and web admin will help but not completely stop them from getting access if they want it. Turning off SSH and Telnet will not stop them. It could however cause problems for you as you have taken away at least one of your options to regain control.

What proof do you have in making this mis-statement? Or at least explain what you mean?

While an ISP can deny service to anyone not abiding by their terms of service agreement, I'm not sure where you get the idea that closing down all router services (when possible) will "not completely stop them from getting access if they want it."

ISPs can only remotely gain access and make changes to customer routers if they have the active login credentials, take advantage of a known firmware bypass feature (or a firmware exploit), or invoke features provided via TR-069 implementation.

Yes, killing services on some routers/gateways can lock you out from using that as a secondary entry point to regain normal access if your primary access was compromised and shut down. But hopefully a factory reset could set everything back (depending on the firmware feature).

You make statements about back doors, but if a replacement router was purchased outside of the ISP's distribution channel, are you saying the ISP would have access to that device as well? If so, I know a roomful of security people who would like to hear you speak.

If you're saying that most any Consumer-Grade router/gateway can be 'owned' because of hard-coded daemons left permanently 'on', and the easter-egg like zero-day exploits available on these low-cost pieces of junk then that's SO TRUE but also a different story entirely. The ISP isn't the one that normally instantly 'owns' these.

Sorry RichCor, I didn't make myself clear on that post. I was only referring to the ISP supplied router. Especially the one's provided by the ISPs here. I know you are aware of the issues with these routers, how they provision and what this means for ISP access. With this being said, changing the telnet and web admin passwords will stop batch commands from affecting you but if they force the changes through another route, there is little you can do. The ISP is probably not going to try this hard to get in. I am just saying that it is still possible. Change to a different router and all of this goes out the window.


I have a 3BB optical fiber router (provided by 3BB).

I'm not very happy with it and after reading the stories here I'm planning to change the router to another fiber router with more options etc.

The only problem I have is that I'm not able to find third party optical routers which I can use instead of the 3BB supplied router.

Does anybody have any suggestions which ones are available in Thailand?

If you were asking about ADSL2+ Modem/Router it would be easy to buy a retail replacement. ISPs providing ADSL connections don't generally lock the provisioned connection to a specific brand of hardware or hardware ID as each client is on a dedicated circuit terminated at a dedicated ADSL port. So in most cases you can Bring Your Own Device to the service.

But Fiber Optic Routers (like Cable DOCSIS Modem/Routers) are a different kettle of fish. Even though ISPs providing ftth connections are deploying several makes and models of GPON ONT devices here, the service profile used in the OLT is usually limited to working with GPON ONTs from the same vendor, or a small list of compatible vendors and Fiber Optic to Ethernet Media Converters as ONTs.

Because fttx GPON is usually provisioned as a 'shared circuit' serving up to 32 passive drop line clients, each client has to be identified and authenticated then issued a timebase for when they are allowed to send/upload data on the shared Fiber Optic line. This means the OLT needs to be compatible with the client's GPON ONT, identify a PON Serial No. and successfully authenticate the subscriber, and be compatible with the other client GPON ONTs on the shared Fiber Optic line.

So your usual options are limited to only the GPON ONT equipment the ISP provides, usually meaning a Fiber Optic Router or in some cases a Fiber Optic to Ethernet Media Converter (not a Router) where you provide your own compatible Ethernet Router (supporting VLAN and PPPoE protocols).

...

Try calling 3BB and ask them what 3rd-party GPON ONT Routers will work with their service.

Most likely they'll say that only x-brand GPON ONT provided by them will work.

Try asking if they can furnish just a Fiber Optic Media Converter that you can then use with your own service compatible Ethernet Router (supporting VLAN and PPPoE).

Yet another option is to ask your ISP to place your current GPON ONT Router into BRIDGE MODE, thus disabling the built-in router services and sending all received data on to your own compatible Ethernet device or router.


I have a 3BB optical fiber router (provided by 3BB).

I'm not very happy with it and after reading the stories here I'm planning to change the router to another fiber router with more options etc.

The only problem I have is that I'm not able to find third party optical routers which I can use instead of the 3BB supplied router.

Does anybody have any suggestions which ones are available in Thailand?

If you were asking about ADSL2+ Modem/Router it would be easy to buy a retail replacement. ISPs providing ADSL connections don't generally lock the provisioned connection to a specific brand of hardware or hardware ID as each client is on a dedicated circuit terminated at a dedicated ADSL port. So in most cases you can Bring Your Own Device to the service.

But Fiber Optic Routers (like Cable DOCSIS Modem/Routers) are a different kettle of fish. Even though ISPs providing ftth connections are deploying several makes and models of GPON ONT devices here, the service profile used in the OLT is usually limited to working with GPON ONTs from the same vendor, or a small list of compatible vendors and Fiber Optic to Ethernet Media Converters as ONTs.

Because fttx GPON is usually provisioned as a 'shared circuit' serving up to 32 passive drop line clients, each client has to be identified and authenticated then issued a timebase for when they are allowed to send/upload data on the shared Fiber Optic line. This means the OLT needs to be compatible with the client's GPON ONT, identify a PON Serial No. and successfully authenticate the subscriber, and be compatible with the other client GPON ONTs on the shared Fiber Optic line.

So your usual options are limited to only the GPON ONT equipment the ISP provides, usually meaning a Fiber Optic Router or in some cases a Fiber Optic to Ethernet Media Converter (not a Router) where you provide your own compatible Ethernet Router (supporting VLAN and PPPoE protocols).

...

Try calling 3BB and ask them what 3rd-party GPON ONT Routers will work with their service.

Most likely they'll say that only x-brand GPON ONT provided by them will work.

Try asking if they can furnish just a Fiber Optic Media Converter that you can then use with your own service compatible Ethernet Router (supporting VLAN and PPPoE).

Yet another option is to ask your ISP to place your current GPON ONT Router into BRIDGE MODE, thus disabling the built-in router services and sending all received data on to your own compatible Ethernet device or router.

RichCor,

Thanks for the comprehensive explanation.


RichCor,

Are you aware of any cases where a subscriber has been able to get their ISP provided router switched to Bridge Mode? This would be a good solution for those who want to set up their own router. So far, I have not had any luck and have not heard of anyone who has. Any insight into this would be greatly appreciated.


RichCor,

Are you aware of any cases where a subscriber has been able to get their ISP provided router switched to Bridge Mode? This would be a good solution for those who want to set up their own router. So far, I have not had any luck and have not heard of anyone who has. Any insight into this would be greatly appreciated.

Many members have mentioned either manually configuring an ISP supplied router into Bridge Mode (or Bit mode), or reported that they were successful in having their ISP set it. It will really depend on the capability of the router or the knowledge of the ISP service technician.
Started by sub101uk, 2014-04-19 09:42 -- Dork and Robblok at post #18
Started by AJBangkok, 2014-09-13 19:05 -- Robblok again mentioning manually setting Bridge Mode at post #35,

I just have a couple of simple questions.

If I am in a hotel, guest house, restaurant or cafe, and they have one of these exposed routers, can any harm be done to my computer, given I have decent antivirus software?

Also, is there any information that the firmware upgrades or patches for these exposed routers have plugged the hole?

There are MANY issues to worry about when using a SHARED hotel, guest house, restaurant or cafe Internet connection.

When you connect to ANY Internet connection that isn't under your control, and you are worried about privacy and security (as you well should be), then you should always deploy a VPN connection to safeguard both your traversing data and the data connections.

The best practice when on a Public Internet Connection is to use a VPN that encrypts all of your outgoing and incoming sessions.

And use security software that prevents anyone from connecting to your machine while sharing the same LAN (so no shared folders, shared printers, etc.).

Some Security Suite Software will automatically lock down your system when using Public Internet Connections, while others may need you to enable the mode manually.

For home use, there are online tests you can run to try and detect the 'known' exploits that can affect home routers. But there are ALWAYS unknown exploits, some truly unknown (yet to be discovered) as well as those unknown to many people but kept private by a manufacturer or government agency or spy for hire.

The best defense is to buy a professional security router and run all your home/business connections through it.

A dedicated security router is less likely to have issues that plague low-cost home routers.

And run security suite software on any equipment that connects to the Internet.

Thanks for your reply.

I'm aware of the benefits of using a VPN, and I do use a VPN often.

When using a public network, like a cafe, I connect to their wifi by asking for their password, and once I am on the internet, then connect to my VPN. It takes a few minutes, all up. In the time between connecting to the public network internet, and then connecting to my VPN, without opening any web pages, is my computer exposed?

Also, what is a professional security router? Can you post any links for some examples?

I'm due to update my router and might look at something commercial grade.


<...>

When using a public network, like a cafe, I connect to their wifi by asking for their password, and once I am on the internet, then connect to my VPN. It takes a few minutes, all up. In the time between connecting to the public network internet, and then connecting to my VPN, without opening any web pages, is my computer exposed?

Also, what is a professional security router? Can you post any links for some examples?

I'm due to update my router and might look at something commercial grade.

"Is my computer exposed?"

Yes.

Especially if your PC Software Security Suite / Firewall Software does not accommodate the different security states necessary when running on a "Public", "Office" and "Home" network, changing what network services are kept exposed.

WiFi Hotspots are usually a 'shared' LAN service. You're essentially giving any other 'shared' user direct physical access to your network connection, allowing them the opportunity to monitor and analyze all the traffic it sends/receives and access any network services willing to talk -- also giving them full-bandwidth speed in which to initiate attacks and/or search for and take advantage of exploits.

Use of a VPN does not change this exposure. The VPN only encapsulates data that travels over an existing network connection. The original connection is still in play.

As for a professional router, take a look at this ThaiVisa Topic:

Started by JohnnyJazz, 2015-08-15 10:14

Just wanted to say thanks for this blog. I've been looking through a few of these types of articles, and usually when they are from a software company, they end up doing little more than promoting their own software.

Great subject! It's an amazing post. Thank you. It sounds like you are gathering lots of different ideas in your blog. Good work. Instead of thinking about what you haven't written, look at how much you HAVE written.
