This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc., and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.
A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).
Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thomson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and pfSense.
All videos are listed at http://archive.org/details/blackhat20…
uh so my name is Craig Hafner um yay um and obviously I'm going to be talking about hacking routers today specifically what I'm going to be discussing is how an external attacker can gain access to the internal administrative web interface of your common residential gateway router before I start though oh this is the wrong slide set damn it oh well before I start though my my my work did asked me to make a couple statements first of all I'm not doing this on behalf of them I didn't do any research on behalf of them I'm not here as part of my works if you know who I work for stop calling them and emailing them but I decided to focus on router security because there's very little security in home routers I couldn't fit very many screenshots into this slide I had about 17 more and all of these all these vulnerabilities typically are only exploitable from the land because most of them you know end up being in the web interface which typically most people don't have remote administration enabled so the question for an attacker is not how do I attack these devices and hack them the question is how do I get access to the device if I'm not on the land so the answer to that is typically either cross-site request forgery or DNS rebinding and request forgery is really popular because it's very very easy to do but it has a lot of limitations especially when you're going after routers so first of all you can't rely on there being a trust relationship between the internal clients browser and the router because no one ever logs into their routers so you can't exploit that you can't Forge basic authentication logins anymore with cross-site request forgery used to be able to do you know user : password app and then the URL it doesn't work anymore ie doesn't even recognize that as a valid URL and Firefox will actually throw a warning to the user so you can't rely on that either there's also some anti cross-site request forgery mechanisms in some routers this action tech router is 
one actually that I'll be demoing later and ultimately cross-site request forgery is limited by the same-origin policy in the browser and it always has been so if you're not familiar with the same-origin policy basically what it says is okay if I browse out to attacker comm I load up some JavaScript from attacker comm that JavaScript can interact with any page on attacker comm but it can't interact with Google calm or 192.168.1.1 and that's good because you don't want some random person's JavaScript talking to your router so that's where DNS rebinding comes in thepremise behind DNS rebinding is basically okay well if the browser is going to implement security based on the domain name that's fine just tell it that attacker com has switched IP addresses to one ninety two dot one sixty eight dot one dot one so now when the attack is JavaScript connects back to attacker com the request actually goes to your router but DNS rebinding has been around for a long long time you know it's like 1996 cold and wants this exploit back it's been around forever and so people have put in Prevention's to stop it or try to stop it anyway and so browsers have put in patches and you know third-party plugins and put in patches and you also have services and tools like Open DNS no script DNS wall DNS mask also has some anti rebinding stuff in it and these these all attempt to stop people from using DNS rebinding to attack your internal network and the way they do that is they say well no external domain should resolve to an internal RFC 1918 non-routable IP address because if it does you're probably not gonna be able to connect to it anyway and if they're doing something malicious then we want to block it so that's basically how these tools work so I'm going to focus on using the multiple a record attack which is one variation of DNS rebinding and if you're not familiar with it really all it is is DNS load balancing that's it you return multiple IP addresses for a DNS lookup and so pretty 
much any major site does this you know you do a DNS lookup on Google you get five or six IPS back so what happens is the browser's this okay you have three IP addresses fine and it just rides and connect to each IP address in order and if one of those IP addresses goes down that's fine I've got more IP addresses it switches over to the next IP address in the list this attack is limited though and that you cannot target internal IP addresses with us you can target any public IP you want but you can't go after internal IPs so let's take a look at it using this attack to go after a public server so you've got your attacker out there with an IP address of one four one four and he wants to send some malicious content to the web server on two three five eight now he doesn't want his IP address showing up in the logs for whatever reason so he's going to proxy his requests through this client who's you know feeling very safe sitting behind his router so the attackers registered the domain name of attacker comm and he convinces this client to browse out to attacker comm so the first thing the browser does is a DNS lookup says what's the IP address for attacker comm see attackers DNS server then says oh I actually have two IP addresses 1 4 1 4 and 2 3 5 8 now 2 3 5 8 is obviously not the attackers IP address but the browser has no way of verifying that so this is oK you've got two IP addresses I trust you so it's going to try the first IP address first which is 1 4 1 4 does it's get request to the attacker server and the attacker sends back some JavaScript code now that JavaScript code then initiates a request back to attackercomm and the browser says well you came from attacker com you're going back to attacker comm fine that's allowed but when the browser makes this connection to initiate the request the attacker server sends back a TCP reset packet so now the browser says well crap that server is down I better switch over to the second IP address and so now the attackers 
JavaScript is interacting with the 2 3 5 8 server you can send get requests and get the response back parse the data and even send it back to the attacker if you wants so this is this works this has always worked there's never been anything to stop this from happening and there's certainly you know security issues that arise from this but the real threat has always been attacking the internal lamp so I don't want to go after some public web serverI want to go after are the clients router I want to get access to the routers internal interface so this is the same scenario but instead of attacking a public IP the attacker is going to try and rebind to one ninety two dot one sixty eight dot one dot one so again client does a DNS lookup and again the attacker server sends back to IP addresses now the browser says oh we've got two IP addresses oh but one of them is an internal non-routable IP addressand the browser will always try internalnon-routable IP addresses first regardless of the order in the DNS packet so he's just going to go and send the request to the router and load up the routers web interface in the clients browser this does the attacker no good because the client never got went out to the attackers web server to get his JavaScript so attacker has no presence in the browser he's accomplished nothing um so the problem here is that everyone's focused on protecting internal IP addresses okay routers are kind of unique they have both an internal and an external IP address and so we can actually attack the external IP address using this method and gain access to the internal interface and the reason that works is actually kind of interesting so if you take a look at a netstat on a router and this is actually from an open wrt router take a look at how its binding services these services are bound to every interface on the router so port 80 yeah that's found on your way an interface it's listening on the LAN now what prevents just anyone from on the internet from 
connecting into the router or your firewall rules now anyone who's looked at open wrt firewall rules notice this is extremely simplified but basically says okay each zero is my way in interface I don't want people connecting in from the web so anything that comes in on each zero drop it everything else will except becausethat's our internal interfaces that's fine and there's nothing really inherently wrong with this but like the same origin policy this attempts to enforce security based on a name computers don't work on names they work on IP addresses and where this comes back to bite is when you look at how the underlying operating system handles IP packets RFC 1122 defines two different models for implementing an IP stack once called thestrong end system model and once called the weak end system model now if you know nothing about these two models other than the names which one do you think is better right but interestingly enough the weak model is actually the more prevalent model of the two it's implemented by Linux BSD I believe Solaris and even previous Windows so let's take a look at how this works this is verbatim from the RFC you can read it if you want RCS are very boring but all this says is okay if if I have if I'm a router or any computer and I receive a packet I'm going to look at the destination IP of that packet and if the destination IP matches any of my IP addresses on any of my interfaces I look set that packet and process it now it could come in on technically the wrong interface so it could come in on a zero and it matches the IP address on the eve one doesn't matter I'll accept it and process it because obviously this is one of my IP addresses and this packets intended for me so let's take a look at how this works in the context of the router okay again we have an internal client a router and the Internet so the router has two interfaces each zero is its public way and interface and eath one is the internal interface now each zero has an IP 
address of two three five eight that's the routers public IP so what happens when an internal client tries to browse to two three five eight I'm just going to send it TCP syn packet and the routers going to look at this and say ah well the destination IP is two three five eightthat's one of my IP addresses awesome and it goes okay the destination port is port 80 well hey guess what I have a service bound to port 80 because remember those services bind to every interface so he says yeah I have a service listening on two three five eight port 80 and two three five eight is my IP address so I'll accept this complete the three-way handshake and so now the client can actually access the routers internal web interface via the public IP so oh wait a minute what happened to that firewall rule where we had a firewall rule that says block everything on each zero right well if you take a look at the traffic the top window is e0 and the bottom window is each one no traffic ever went over each zero the week and system model logic happens pre routing so everything gets accepted and processed on the internal interface so that firewall rule that we have that says block everything on a zero does nothing because there's no traffic on the zero so ultimately an internal client can punch in the public IP and get the web interface now again this by itself is really not a problem it's not a vulnerability per se but as an external attacker can rebind any internal client to any public IP I want including the routers public IP so now if I can do that I can completely bypass all of these protections that are trying to stop me from rebinding to internal IP addresses because I'm not rebinding to an internal IP so let's take another look at our rebinding attack again same scenario as before but this time it's every binding to 192 168 dot one dot one attack is going to rebind to two three five eight so internal client does the DNS lookup and again the attackers DNS sends back to IP addresses the 
browser looks that says hey you've got two IPS both public IP s that's fine I'll try them in order goes out to one four one four gets the attackers JavaScript JavaScript initiates connection back to attacker comm so the browser goes back to one four one four because that's what worked before but this time he gets a TCP reset packet back and so now he immediately switches over to two three five eight and now the attackers JavaScript has full interactive access to the routers internal web interface so this is a really really nice attack for DNS rebinding because unlike some other DNS rebinding attacks there's there's no delay or waiting period before you can rebind it's pretty much instant we also don't need to know the routers internal IP address that's always kind of a problem because you know routers can have different internal Eyed Peas and people can change the IPS and we don't care because we're rebinding to the public IP another nice thing is this works in all major browsers because this is just how browsers work it's how they handle DNS redundancy the downsides are we have some very specific requirements on the router okay we basically have three specific requirements okay the router has to bind its services to the win interface the firewall rules on the router have to block based on interface name and not destination IP or some similar configuration and the router also has to implement the week end system model so obviously not all routers are going to be vulnerable to this so the question is which routers are so I tested 30 different routers and out of those 17 rivana below includes routers from Asus Belkin Dell which I didn't even know they made routers but apparently they did Thompson these are actually pretty popular over in the UK pre popular DSL routers and one thing I wanted a test I didn't get a chance is the BT home hub which is really popular in the UK and it's basically a rebranded Thompson so those may be vulnerable as well lots of Linksys lots 
and lots of Linksys devices and I really like this line because the bottom two routers they're the 54 GL and the 160 are on Amazon's top five most popular selling routers list so awesome of course a lot of people put third-party firmware on there Linksys routers and it works against them too now hopefully you have some other security stuff put in place which we'll talk about later if you're running these but not everyone does my favorite though are the action tech router x' and a lot of people might not have heard of action tech because it's not really a big router name but these are the routers at Verizon FiOS and Verizon DSL customers get so these are everywhere let's see the action tech 701 704 and then two versions of the mi 424 WR all of those I tested and it worked against all of them now what's really interesting about these the one on the far right there that and and on the bottom they're both the same router just different hardware versions what's really interesting is the firmware running on these isn't manufactured by action Tech action tech actually uses a commercial third-party firmware called open RG which is made by a company called jungle and jungle claims that this same firmware is deployed in over 23 million households worldwide so awesome I like that so this attack definitely works but we need to make it practical okay you can't just say oh my JavaScript can see your router's internal interface people go yeah okay whatever I don't care um so we have to make it really a practical drive-by attack really to demonstrate what can be done with this okay so we have to get the targets public IP address automatically because we don't want to have to know that before beforehand we want to be able to get that automatically and it seems kind of simple at first but we have to know this before they ever do a DNS lookup on us so we basically have to know their IP before they come to us and that it actually is a simple fix for that the more difficult part is we 
have to coordinate all our services so the DNS server the web server and the firewall all have to be coordinated they all have to know what state each client is in they often know when to block a client when to allow a client what IP is returned to each client so that requires custom code and so that's a little bit more difficult and finally like I said we have to make it do something useful so that end I wrote the cleverly named tool rebind so it basically does everything for you except registered domain name it's pretty much slash run and you're done it implements a DNS server web server it interfaces with the IP tables firewall it's got an HTTP proxy for the attacker to use a series of JavaScript code which basically acts as a client-side proxy to proxy requests from the attacker to the router and back I tried to make the the JavaScript as quiet as possible so it supports across domain XML HTTP requests for exfiltrating data if that's supported in the browser um ie8 and firefox 3 5 and later support those and i've tested in all major browsers and it works it's quite nice so here's how rebind works I love the robot devil he's the best so you've got an attacker here and he's sitting behind the 1 4 1 4 server and he's running rebind on that server and he wants to target this clients router again appliance routers public IPS 2 3 5 8 and the attackers domain is attackercom so the attacker gets the client to browse to attack or calm slash in it I NIT so again before he does this he has to have the name server setup and rebind has to basically handle all of your DNS queries because rebonds handling the DNS portion of the attack so the attacker before he gets the client to browse he has to go into his registrar wherever he registered his domain name and register a name server just name it NS wanna tacker calm and put in the attackers IP address and then once that's registered as a name server guys to go into his domains configuration and say hey and that's one down 
attacker comm is the primary name server for my domain that's all the configuration you have to do so once once the client browse is out to attacker comm of course it has to do a DNS lookup rebind is only going to send back one IP address because again remember at this point we don't know the clients public IP we have no idea what it is so he's just gonna say yeah I'm at 1 4 1 4 so the browser grows out to 1 4 1 4 and request /a met now we have the clients public IP because he's made a direct TCP connection to the web server running on rebind so rebind says ah ok I've got your public IP of 2 3 5 8 he then sends back a randomly generated sub domain redirection so randomly generates whack me the attacker comm slash exec and he redirects the client to that now he logs this so the DNS server knows as well and so now the browser says ok this is a 302 HTTP redirect that's fine but this is a new domain so I have to do a new DNS lookup so it's okay whereas wacky attacker.com and so now the DNS server says aha the web server just redirected an IP address of two three five eight to whack my attacker com so if you're requesting whack mean attacker com you must be two three five eight so at this point it sends back the two IP addresses one four one four and two three five eight so again the browser is going to try 1 4 1 4 first request the slash exact page gets the JavaScript and now once rebind does this is going to tell I P tables hey reject any connection on port 80 from 2 3 5 8 with a TCP reset packet so when that JavaScript attempts to connect back to attacker comm he gets a TCP reset from IP tables so now he switches over to 2 3 5 8 and we've rebound attacker com2 the routers public IP successfully now once this happens the JavaScript start going is going to start sending it to request pull requests back to attacker comm on port 81 because remember he's blocked on port 80 so it gets sent to port 81 and basically this pull request is the JavaScript saying what do you want 
me to do well at this point rebind doesn't have anything for him to do so it sends back nothing but once these pull requests start coming in the attackers web interface has that clients IP address in there yes I know that's not the same IP address but that's ok so all the attacker has to do is click on that IP address and when he does he has his browser configured to use the rebind HTTP proxy so his request actually goes off to the rebind server and repine says ok you want me to do a get request on the index page of 2 3 5 8 no problem so he holds that connection open to the attackers browser and the next time this pull request comes in from the JavaScript he says yeah I got something for you to do do a get request on the index page so the JavaScript that's all right no problem since the get request to whack my attacker comm which is the subdomain that we rebound gets the response sends the response back to rebind and then rebind forwards that back to the attackers browser and so now the attacker is browsing around in side the routers web interface as if he's on the land and you can click on links and submit forums and do everyone's so this is much more fun when you do it as a demo than sitting down and explaining everything so see if I can get a demo going here I will smack you willShh all right so rebind running and yeah that's it you just run it there's there's no configuration beyond that it does support a bunch of command line options if you want them so my breath this is my browser as the attacker and I've already configured it to use rebind as my proxy so if I type in rebind I should get the web interface for repine and let me fullscreen this so it fits a little better there we go so now I got an attacker over here who's connected tothe internal land of this router so I'm going to have him browse to attacker comm slash in it and he should pop up here there we go so now as an attacker I just click and I'm in so this is the login page for Verizon FiOS routers 
default login is admin password one and no one ever changes it oh that's not good I knew my damn it would fail yeah apparently my client stopped calling back or something terrible happened I swear this works yeah so he caught stopped calling back and I have no idea what let's try it again wouldn't doubt try again right all right so he's back yay okay so we logged in so what I'm going to do now is I'm going to go ahead and just enable remote administration oh yes I do want to proceed thank you let's go down here to remote administration yes I want to proceed Kenton's user interface is so annoying okay so I'm going to enable remote telnet okay okay we're done we've been able to tell that on this guy now you will notice here that the images don't get displayed that's because rebind blocks image requests because I don't give a crap about images and they eat up a lot of bandwidth so now we should be able to if my terminal comes up here telnet to three five eight log in same as before admin password one and you get this weird wireless broadband router thing just type in shell and you get a root shell so yeah so a lot of people say well I get into your router I'll change your DNS settings yet that I hate that that's stupid I don't want to do that I want to own your router so yeah I've got a root shell now I can do you know ARP like oh there's an internal client now I know his IP the downside to these these thing is of course they're running Linux um but it's really stripped-down you don't have netcat you don't have double you get you don't have all these fun things but you do have TFTP so i've cross-compiled a scanning tool to run on the I XP 425 processor this inside this router so I should be able to TFTP it down here and to start attacking the internal land ok so there I got it let me trim on it real quick ok so again this is kind of a real quick thing I threw together a poor-man's netcat that runs on the ARM processor because I had trouble cross compiling netcat for 
some reason but let's just go ahead and scan that internal IP address we got from the ARP 192 168 1.3 yeah if I type in the right IP it would probably help wouldn't it and let's scan ports 21 22 23 80 and 443 oh that was quick for date is open so we can now do a quick get request to port 80 on this internal server and yeah we get the secret web server page fun so one time into your router I can now go ahead and put whatever tools I want on this thing and run them against your internal network I mean I'm on your internal network at this point which is the great thing about routers they're connected to the Internet and your land fun so really I can turn this into an attack platform to go after your entire internal network at this point and of course routers don't have any kind of and I virus or anything on there so I'm pretty much do whatever the hell I want but we're not we're not limited to attacking the main web interface of the router so again you notice okay I had to login and yeah most people are going to leave the default login so that's a big problem but I can also go after soap services what about you PNP UPnP lets me open up ports on your router to any internal client without any authentication at all I can interface with you PNP using JavaScript it's awesome there's also H snap which I'm not going to go into but HF is the home network administration protocol which some routers implement it does require authentication but I found some issues with certain implementations that allow me to get around that we can also rebind to any public IP we're not restricted to the routers public IP so the repined tool allows you to say hey I don't want to rebind to this guy's router I don't really care about his router I just want to use him as an on-demand botnet to attack this other server over here so here's a list of IP addresses I want you to rebind clients to and then the attacker just has a script that goes through and attacks that service through someone else's web 
browser so how do we stop this forcefields would be awesome unfortunately I don't have those working yet the luckily is it's fairly easy to stop and to identify so you know first of all if you can punch in the public IP of your router as an internal client and you get the web interface yeah this will work there we go the next line now once you identify that this works the best way to stop it is to break any one of those three requirements we have on the router okay so you can stop the way stuff binds to interfaces you can change firewall rules containes routing rules of course just disabling the HTTP interface is probably the best thing to do anyway we can also do that and then we can also reduce the impact of the attack which is basic security precautions so if you want to block the attack of the router you can potentially tell the router services to bind to specific interfaces not all routers let you do this and most people will not have the technical skill or the access to the router in order to do this so is probably not the best option but if you can do it that's really the best way to do ityou can also reconfigure the firewallrules and these are again iptables rules basically says okay my internal interface is 'if one if someone on eath one tries to go to my public IP drop it now the downside just new notice I put in actually slash 16 here the downside of putting in your specific public IP is that as soon as it changes this rule breaks and you have to update it so instead what you should do is do a whois lookup on your public IP for your ISP see what the range is but they're handing out for DHCP and just block that entire range because unless internal clients are trying to like hack your neighbors which hopefully they shouldn't be doing then this won't really affect any kind of internet connectivity that you have you're just blocking all everything in the DCP range that comes from your ISP and then you don't have to update the rule yet don't use HTTP use HTTP 
at least because if I try and rebind to http you're going to get at least a cert error and that's going to break the attack now if you're administrating a router it's best to use SSH even telnet is better than the web interface most people can't do that though so best suggestion is just disable HTTP and enable HTTPS also disable UPnP while you're at it yeah I noted I know you need for your Xbox you need it for your Skype and all that other crap it's bad don't use it however there are some problems don't just enable HTTPS and leave HTTP enabled because then I can still get to http some routers actually don't let you disable HTTP I've seen routers where there's a checkbox to enable HTTPS and you can't disable HTTP at all so that's a problem some routers have HTTP services listing on alternate ports this router for example listens on both port 80 and port 8080 so if you're if you're disabling this make sure that all of those ports get disabled again I'm bringing up a chap it's a home network administration protocol it uses HTTP not HTTP and in some routers you cannot change that and you cannot disable it so I can still go after that if you have a weak password blocking attacks on the host let's say you don't have access to your router to do this you just don't have sufficient access to make these changes or you don't want to make the changes for whatever reason you can go around to all of your internal hosts and basically put in the same rule say don't allow this host to browse out to the routers public IP because again I need an internal client in order to do this attack so if the internal client can access the router then it breaks the attack the downside of this is you have to do this on every single device that connects to your network and will ever connect to your network that includes your iPad's and your iTouches so that that can certainly be a management nightmare if you have you know more than two or three computers you can also configure dummy routes as well 
to say hey route everything is going to my public IP me to boot back and of course the connection will never succeed um basic security precautions for God's sakes change your routers default password no one does this hopefully everyone in this room does this but many people don't keep your firmware up-to-date there are a lot of vulnerabilities in this routers if you go online and you have routing like oh there's no vulnerabilities in it that means someone hasn't looked at it close enough yet I'm serious these things are full of security holes so make sure you keep your firmware up-to-date because there's probably a vulnerability out there and if something gets published you want to make sure you have a patch for it assuming your offender actually patches it and don't trust untrusted content and yes everything on the internet is untrusted you cannot trust stuff on the internet especially something called attacker comm yet I would suggest disabling JavaScript or using no script but to be honest that's completely impractical for the average user I can't even I get so annoyed browsing around the internet without JavaScript it's like god damn and I just enable it anyway because it's so annoying everything uses JavaScript and stuff will just break epically if you don't have JavaScript enabled so if you want to do that knock yourself out but again it's not really a good suggestion for the average user because they're not going to do it so vendor and industry solutions so fix the same origin policy in the browser's please this attack has been around for almost 15 years so I know you notice that I don't have fixed DNS up here I know a lot of people say oh we need to fix the NS you know fix ENS this is not a DNS problem I think it's completely unfair to put the burden on the DNS hey DNS was around long before the same-origin policy was DNS was never intended to be used for security but whoever decided in their infinite wisdom to create the same-origin policy set up riku's a 
DNS, which is a completely unauthenticated, unverifiable, insecure protocol, and based a security model on it. So the problem is with the same-origin policy in the browser, and that's what needs to be fixed. If you're a router vendor, implement the strong end system model in your router, and users will not know or care. It will not break anything for them and it will keep them secure from this particular attack. You can also build DNS rebinding mitigations into routers. The only router that I know of that does this is pfSense, because when they saw this posted up on the Black Hat site when the talk got accepted, they contacted me, and I said, yeah, just check your HTTP Host headers. Make sure the HTTP Host header has your host name in it, or IP address, and not someone else's. And so their beta release for the 2.0 release of pfSense has that check in it. So kudos to them, but no one else does this to my knowledge, and that's a very, very simple way to stop any DNS rebinding attack in its tracks.

So how am I doing on time, by the way? How many? 20? Wow. Hope you guys have a lot of questions; I went through that a lot faster than I expected.

So, DNS rebinding still poses a threat to the LAN, even with all the security protections out there and things that people have put in, because ultimately what they put in doesn't work. It's like going to the doctor and saying, hey, I have diarrhea, and he gives you a cork. It's not a real fix. We have tools available to exploit DNS rebinding. Okay, they work well; they work the second time, at least. And really, you are ultimately responsible for the security of your network. You need to be aware of this stuff. I know a lot of people, when I talk about DNS rebinding, are like, what the hell are you talking about? Seriously, I'm gonna smack you. So make sure that you know about this stuff and you take the proper precautions, because you really can't rely on vendors to patch their routers. I
mean, if you have a router, this... like, you know, they dropped support for it a month ago, they're like, oh well, you just have to buy a new router, darn. So make sure you're aware of this stuff. There is stuff that you can do to stop this; make sure you do it.

So with that said, the Rebind code is going to be posted up on rebind code comm. I don't have the code checked in yet, but it'll be up there sometime today. If you want to contact me, again, do not contact my work, contact me. And do we have questions? Yeah, yes.

My question was, the JavaScript that you said you had on the client, that you put on the client, that feeds the router's web interface to your attacker machine?

Yeah, it proxies requests from the attacker to the router and back. So it does that poll request back to Rebind, and Rebind tells it what to get; it gets it from the router and then sends it back.

Okay, one question. Yeah, no more. Oh, there we go.

So FiOS. The problem with FiOS is they use MoCA for their cable connection, so you have to have a MoCA-enabled router, and those are not very prevalent, so most people just use the ActionTec. Supposedly you can get them into bridging mode where they just pass through, but everyone I've talked to has tried that, and it's like, it's a big pain in the ass and it never worked. So pretty much everyone on FiOS is using these routers, with very few exceptions.

Okay, yeah, so if you have, let's say you have the ActionTec, okay, the ActionTec router is your border gateway and you put another router behind that, it doesn't matter. I'm still attacking the public IP of the ActionTec, so I can still access the ActionTec router. Yeah, it'll protect your... it'll help protect your internal IPs once I get on the router, but it won't stop me from getting to the router. Right, yeah.

One of the manufacturers you listed was Linksys; we know who the parent company of that is. I'm kind of surprised that they haven't contacted you.

My work told me that they contacted them about something, and then I never heard
anything back from it. So I don't know if they just gave up or what happened with that. Again, simply because my work was listed on the presentation, everyone contacted them instead of me. But yeah, I haven't heard anything from them specifically. And again, this isn't really a problem... I guess it's kind of a problem with the routers, but there's no real vulnerability in the routers; it really needs to be fixed in the browser ultimately.

If the attacker knows the internal IP address of your router, can they mount the same attack despite the strong end system model, or filters based on IP address?

They can't do it with this, because remember, when you try and do the private IP it'll fail with this particular attack. If they know the internal IP address, you can try and do anti-DNS pinning. The downside to that is you have to wait, like, an exorbitant amount of time, at least in Firefox; it's like two minutes or three minutes before you can do the rebind. So the realm of practicality starts decreasing there. But yeah, you can also do cross-site request forgery attacks too, but like I said, they're limited. Good.

I can't hear what you're saying. Can't you mount this attack without relying on the same-origin policy in the browser? Of course, you can still do cross-site POSTs, so you can still do one POST request to log in, another POST request to reconfigure the... yeah.

But not if they're using... okay, so first of all, that won't work on this, because it has anti-cross-site-request-forgery. There's a JavaScript token in there that you have to get, so you can't do that type of attack here. You also can't, like I mentioned, you can't do that against stuff that uses basic authentication; that won't work anymore. So yes, you can use cross-site request forgery, certainly, on a lot of routers to do that. The other nice thing about this is, because I can see the responses, this also opens up multiple other vulnerability types that are not exploitable via cross-site request
forgery, like information disclosure. So for example, DD-WRT by default, when you go to the DD-WRT router's page, you know, the splash page, it doesn't require you to log in, but it gives me a nice list of all your internal IP addresses and your MAC addresses and the exact build version of DD-WRT you're running. And so I can't exploit that with cross-site request forgery, but I can with this. So I don't even have to log in in order to get a decent amount of information about your network. And granted, that doesn't necessarily give me a definite exploit, but it's certainly not information you want to be sharing with everyone on the internet who owns a domain name. So yeah, I'm not trying to disparage cross-site request forgery; there's certainly a lot of really awesome things you can do with it, and it's definitely an easier attack, but this has several advantages over it, which is kind of the point of doing DNS rebinding.

No more questions? Go back to what? Yeah, what's that? Oh, you just wanted to see the show. Okay. And now we've got one question back there, getting a microphone. Do we have it? A quick one while he's doing that, all right.

Hi, I'm curious about, with the same-origin policy, you mentioned it's built on DNS, which is an untrusted platform. With the changes, the motion toward getting DNSSEC more widely adopted, would that same statement be true, or could you still do certain attacks?

Because I legitimately own attacker.com, I've registered it, I own it, so I can set up a legitimate DNSSEC-enabled DNS server for it. Yeah, DNSSEC does nothing to stop this.

I can't see any hands. Yeah, in back there.

So you said that you tried it on, hold on, hold on, two routers, and I think you said about 17 of them worked and the rest didn't. Did you have time to investigate the ones that didn't work and figure out why they didn't work, and what they're doing there that prevented it?

On most of them I suspect they're not using the weak end system model. Some of
them actually were fairly smart about how they bound services, so they weren't listening on the LAN port. I didn't get a chance to look at all of them, but from what I've tested, if you're running a Linux- or BSD-based system you're at a much higher risk for attack, because they implement the weak end system model in the OS. Now that doesn't necessarily mean it will work, because there are some Linux-based routers this didn't work against, again because of the way they bind interfaces and set up their firewall rules. But I mean, if you're running Linux you're already a third of the way there, and the other two configuration options are actually fairly prevalent. So if you're running some kind of custom OS on the underlying router, it's probably less likely, because interestingly, the weak end system model is more difficult to implement than strong, because you have to go through and look at all your IP addresses and see if they match, rather than just checking the one IP. So, yes.

The question, if you didn't hear it, is: is there anything an ISP can do to help stop this attack, say, notice I'm returning two IP addresses? I have seen one really weird ISP that actually would filter out the extra IP addresses, so if I did a DNS lookup on Google it would only give me one IP address back, and that will break this attack. But it also breaks redundancy for Google as well, so it's a pro and a con. I have no idea why they chose that, I really don't, and I suspect it's one of those things they chose before, you know, JavaScript was real big and you had cross... you know, you had XMLHttpRequests and that kind of thing. But yeah, I mean, ultimately you're trying to enforce security based on domain name, but the domain name can point anywhere, so it is really just a fundamentally flawed policy. But I have no idea why they chose to do that, other than it's probably pretty difficult to do it based on IP, especially if you want to allow DNS redundancy, because then you have
to allow switching IPs.

No, I haven't got anything from ActionTec. Interestingly, though, two days ago a buddy of mine forwarded me an email he got from Verizon saying we're very concerned about our customer security, and here's a link to a website that says you have to change your default password and all this other stuff. But yeah, I haven't been contacted. The only router company that's contacted me is pfSense, and they're not really a company, they're an open source project. Anything else? All right, awesome. Thanks very much.
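The Host-header check that the speaker credits pfSense 2.0 with, written out as an added example; this is not pfSense's code and not code from the talk. The idea is the one stated above: a rebound request reaches the router's own address, but the browser still sends the attacker's domain in the Host header (the origin it believes it is talking to), so an admin interface that only answers requests whose Host header names the router itself refuses every rebound request. The router hostnames, addresses and sample requests below are constructed for the example.

```python
"""Host-header check against DNS rebinding.

Added example, not pfSense's code: a router admin interface that only answers
requests whose Host header names the router itself. A rebound request reaches
the router's own address but still carries "Host: attacker.com", so it is
refused before any page is served. The router identity and the sample requests
below are constructed for the example.
"""
from ipaddress import ip_address

# Constructed router identity (assumption for the example): every name and
# address the router answers on, LAN and WAN side alike.
ROUTER_HOSTNAMES = {"router.local", "pfsense.localdomain"}
ROUTER_ADDRESSES = {"192.168.1.1", "203.0.113.7", "fe80::1"}


def split_host_port(host_header):
    """Return the host part of a Host header value, dropping any :port.

    Accepts "name", "name:8443", "[2001:db8::1]" and "[2001:db8::1]:443".
    Returns None for an empty or malformed value.
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end > 1 else None
    if value.count(":") == 1:      # host:port (a bare IPv6 literal has more colons)
        value = value.rsplit(":", 1)[0]
    return value or None


def normalise(host):
    """Canonical form for comparison: lowercase, no trailing dot, and IP
    literals in compressed form so "FE80:0::1" and "fe80::1" compare equal."""
    host = host.strip().lower().rstrip(".")
    try:
        return str(ip_address(host))
    except ValueError:
        return host


def host_header_allowed(host_header, hostnames=ROUTER_HOSTNAMES,
                        addresses=ROUTER_ADDRESSES):
    """True only if the Host header names this router, by name or by address."""
    if host_header is None:
        return False                # no Host header: cannot tell whom the client meant
    host = split_host_port(host_header)
    if host is None:
        return False
    allowed = {normalise(h) for h in hostnames} | {normalise(a) for a in addresses}
    return normalise(host) in allowed


def parse_request(raw):
    """Minimal HTTP/1.x request parser: (request line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handle(raw):
    """Status code an admin interface with the check would answer with."""
    _, headers = parse_request(raw)
    if not host_header_allowed(headers.get("host")):
        return 400                  # Host names someone else (rebinding) or is missing
    return 200


# Constructed sample requests: what the router sees from its own LAN client,
# and what it sees from a browser whose attacker.com lookup was rebound to it.
SAMPLE_REQUESTS = {
    "lan admin":         "GET /index.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
    "lan admin by name": "GET /index.php HTTP/1.1\r\nHost: Router.Local:8443\r\n\r\n",
    "rebound attack":    "GET /index.php HTTP/1.1\r\nHost: attacker.com\r\n\r\n",
    "no host header":    "GET /index.php HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label:20s} -> {handle(raw)}")
```

Two things a practitioner would want to get right: the allowlist has to hold every name and address the router actually answers on (a WAN address left out breaks legitimate remote administration, an IPv6 address left out breaks it over IPv6), and the comparison has to strip the port and canonicalise the value, or a legitimate `Host: 192.168.1.1:8080` is refused while a trailing-dot or differently cased variant of the router's name slips past. The check is an HTTP-layer defense and is independent of whether the underlying OS uses the weak or strong end system model.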