DNS flaw allows hackers to change DNS settings in 800,000 Draytek routers

News by Rene Millman

Network equipment vendor Draytek has said several of its wireless routers are vulnerable to exploits allowing hackers to remotely change the device's DNS and DHCP settings and potentially steal personal data to hijack web traffic.

According to a security advisory put out by the company, earlier this month it became aware of new attacks against web-enabled devices, which include DrayTek routers. It said the recent attacks have attempted to change the DNS settings of routers.

It warned that users should check their device's DNS settings: these should either be blank, set to the correct DNS server addresses supplied by their ISP, or set to the addresses of a DNS server which the user has deliberately chosen. It added that a known rogue DNS server is – “if you see that, your router has been changed,” said the firm.

“In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible,” said Draytek in a statement to the press.

“Until you have the new firmware installed, you should check your router's DNS settings on your router and correct them if changed (or restore from a config backup). We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated. The list of updated firmware versions is as follows.”

The company has released further details on the flaws and how to resolve the problem – the details can be found here and here. Draytek added that its wireless access points (VigorAP series), switches (VigorSwitch series) and the Vigor 2950, 2955, 2960, 3900 and 3300 series routers are not affected and do not need updating.

Sam Haria, global SOC manager of Invinsec, told SC Media UK that he recommends that any organisation or end user with a Draytek router should urgently change their password if it is still set to the default credentials. “Current advice on password security suggests using 20 characters, both uppercase and lowercase letters, numbers, and special characters…the more complex the better!” he added.

Gabriel Gonzalez, principal security consultant at IOActive, told SC Media UK that if the attacks on Draytek routers are delivered via phishing attacks, or if the devices are monitored, they may trigger some alarms.

“These can be caught while they are still being exploited, but if there is some misconfiguration and/or remotely exploitable issues being exploited it might be difficult to detect,” he said.

Sion Lloyd, researcher at Nominet, told SC Media UK that Shodan shows there are nearly 800,000 Draytek routers worldwide, so the vulnerability provides a big opportunity for malicious redirections which could result in people and businesses losing credentials, data and ultimately money.

“Connected hardware is constantly being picked apart by attackers, so monitoring security alerts and patching the holes they discover is crucial. In addition, monitoring outbound DNS traffic will help organisations understand whether requests are resolving at the intended host, or being redirected to compromised sites,” he said.
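The two checks recommended above (verify that a router's configured DNS servers are blank, ISP-supplied or deliberately chosen, and watch outbound DNS traffic for queries leaving for an unexpected resolver) can be turned into a small defender-side script. This is an added example, not code from Draytek or the article; the flow-log format, the resolver addresses and the function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of outbound flow records: "src dst dport proto" (not real logs).
# 192.168.1.1 plays the router; 203.0.113.77 plays a resolver nobody configured.
SAMPLE_FLOWS = """\
192.168.1.1 198.51.100.10 53 udp
192.168.1.1 198.51.100.11 53 udp
192.168.1.1 203.0.113.77 53 udp
192.168.1.1 203.0.113.77 53 udp
192.168.1.1 203.0.113.77 53 udp
192.168.1.20 192.0.2.44 443 tcp
192.168.1.1 198.51.100.10 53 udp
"""

# Resolvers the organisation expects: the ISP's servers plus any deliberately chosen one.
EXPECTED_RESOLVERS = {"198.51.100.10", "198.51.100.11", "192.0.2.53"}


def dns_setting_ok(addr, expected=EXPECTED_RESOLVERS):
    """Apply the advisory's rule to one configured DNS server field:
    blank is fine, an expected (ISP or deliberately set) address is fine,
    anything else, including garbage that is not an IP address, is suspect."""
    if not addr.strip():
        return True
    try:
        ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return addr.strip() in expected


def unexpected_resolvers(flow_text, expected=EXPECTED_RESOLVERS):
    """Count outbound port-53 flows whose destination is not an expected resolver.
    A gateway repeatedly sending queries to an unknown address is the network-side
    signature of changed router DNS settings."""
    hits = Counter()
    for line in flow_text.splitlines():
        src, dst, dport, _proto = line.split()
        if dport == "53" and dst not in expected:
            hits[(src, dst)] += 1
    return dict(hits)


if __name__ == "__main__":
    for field in ("", "198.51.100.10", "203.0.113.77"):
        print(repr(field), "ok" if dns_setting_ok(field) else "SUSPECT")
    print(unexpected_resolvers(SAMPLE_FLOWS))
```

Feed the second function your own firewall or NetFlow export in the same four-column shape; in practice, any hit from the gateway address is worth comparing against the router's configured DNS fields straight away.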
