D-Link adds captcha to routers

posted May 12th 2009 4:54pm by Eliot Phillips
filed under: news, security hacks, wireless hacks

D-Link is adding captcha support to its line of home routers. While default password lists have been abundant for many years, it was only recently that we started seeing the them implemented in malware. Last year, zlob variants started logging into routers and changing their DNS settings. It’s an interesting situation since the people who need the captcha feature are the ones who will never see it, since they won’t log in to change the default password.

[photo: fbz]

Comments [30]

tagged: d-link, default password, dns, firmware, malware, password, zlob

Reader Comments

why is the photo of a linksys router if the article pertains to d-link?

Posted at 5:10 pm on May 12th, 2009 by shyft

I would assume that on new models that the captcha would be default, and you could turn it off when you change the password. Certainly it’s problematic for people who bought their wireless box up until now, and never changed anything; but what else can you do for them anyway?

Posted at 5:34 pm on May 12th, 2009 by Issac Kelly

article image aside, i don’t really see what this’ll do to add a ton of security. captcha hacks come out just as fast as captcha variants, and a stationary target that, by the merits of having a default password, invariably won’t get updated, patched, or have its logs checked, makes the perfect target for captcha hacks.

statistically, some captcha hacks are above 50% success rate, so… instead of one password attempts to figure out of it’s using a default password, you’ll need to use 2 or 3. looking at my router’s logs, botnets are nothing if not tenacious. this seems like a boondoggle to me, and one that will likely be lost on their target audience (people who don’t care about their network security).

Posted at 5:47 pm on May 12th, 2009 by scabby

You’re never gonna prevent someone who wants to get in (or steal from you or kill you or break your stuff, etc) from doing it – but it adds a bit of protection.

But not much, as scabby’s correct in implying that if somebodies already doing something with bots then they probably are equally capable of running a few captcha scripts while their at it..

This is a welcome feature – but not groundbreaking by any means – captcha is almost standard now – go host a website that has free account creation (any drupal, joomla, any forum site) and leave it completely blank and don’t use captcha. You will wind up with 100’s of spam accounts within days… and no real visitors….

Captcha stops the lazy general populous – but it won’t do anything to protect you from any legitimate attacks – or even your neighbors who leech your internet and want to screw with you. It’s like the “ADT” signs you can put in your yard but you don’t really have ADT and your doors unlocked…

Posted at 6:05 pm on May 12th, 2009 by xrazorwirex

Wow so every time I set up a dlink router I alone get the pleasure of being fooled by a captcha? In conjunction with the excellent points made above…. malware is going to sit there and try 24/7 with no flagging happening…. a 50% effective captcha hack being run 24/7 from a machine on a LAN will almost certainly succeed, and once it does, the change wont be caught since the end user thinks the captcha makes them think its more secure and makes them LESS likely to checl periodically…. nice.

Posted at 6:09 pm on May 12th, 2009 by Bill

d-link has been epic fail for networking for many years. switches, fine, i have a good d-link switch. i also have 3 d-link paperweights. captcha? please. if you dont set your password away frm default you deserve worse than having your dns messed with. avoiding bots logging should need no more than that. for a determined intruder, as one of the above replies mentioned, u aint gunna stop it anyway.

Posted at 7:23 pm on May 12th, 2009 by bizzaro

Saying ‘this security measure is useless because people will just hack it’ is just like saying ‘i don’t lock my doors because people will just pick it’.

New security features are rarely a bad thing. Anything that makes the bad guys work a little harder is good.

Posted at 8:28 pm on May 12th, 2009 by Dirk

What ever happened to simply printing a completely random alpha-numeric string on the bottom of the device and having that as your personal default password?

Posted at 8:30 pm on May 12th, 2009 by Darwin Survivor

captcha is absolutely useless for this type of protection. Instead, every router should have a unique default password, and a physical access procedure to reset the device to it.

By unique default, means that the default password could be an encrypted version of the routers mac address, or even something programmed into it at the factory, and stuck on a sticker where you would find the routers mac address, and also on a sticker in the manual.

Having one router with a unique default password is not going to get you into your neighbour’s router, since his default password will be different. This would also increase security even when the user just plugs and plays the router, since no one else can get into it, unless they get physical access to that router, or compromise its password some other way.

Posted at 8:48 pm on May 12th, 2009 by CaitSith2

no computer thing is random, and unless people wise up and set passwords with unguessable chars (like the odd ascii chars) or shut them off since the average casual user isnt running 24/7 net stuff then they are gonna get hacked

Posted at 9:58 pm on May 12th, 2009 by bertoelcon

This captcha “feature” is a classic example of a legitimate problem being met by a completely incorrect solution. I completely agree with [Darwin Survivor] and [CaitSith2]. The solution is very simple: have a machine at the factory generate two random alphanumeric strings, print them on a label on the bottom of the device, and program one as the WPA key and the other as the config page password. The user never needs to care about security; they just read the number off the bottom and type it into their wifi manager. Also, what [bertoelcon] said is incorrect. There are plenty of ways to securely generate random numbers on a computer. As long as the attacker doesn’t have access to the machine at the factory that generated the keys, there is no way for them to guess someone’s password, even if they looked at the keys off a hundred other similar routers.

Posted at 10:42 pm on May 12th, 2009 by punmaster

I think all routers (wireless ones especially) should force users to go through a setup process before allowing Internet access. And forget those lame cd’s that come packaged with them. Every few weeks/months it should ask the user to change the password again. The vendors can’t fix lazy and stupidity so I guess the point is moot.

Although no matter how much security is put into the routers interface won’t make much difference until someone comes out with one that completely separates the wifi side from the lan side. Otherwise access is only a sniffer away.

And I agree with many of the others. A user thats too lazy to RTFM and configure their router is not going to bother or care about a new feature such as captcha

Posted at 10:47 pm on May 12th, 2009 by jeicrash

What happened to having *no* default password and forcing you to set a password when you first use the device? I.e. all http requests get redirected to a “Please set the password” page.

Posted at 1:21 am on May 13th, 2009 by Tim

They are already doing the a non-default password for the wireless on most devices. Verizon and comcast both ship router/modem combos where the modem’s s/n is the wifi password.

Posted at 1:57 am on May 13th, 2009 by cde

@tim: I had default password lists to networking equipments all through the 90s. It’s nothing new.

The most heavily propagated malware is still using SMTP. people are stupid, it’ll take secure by default solutions like you see in linux, bsd, and mac.

You can use UpNp for bypassing a lot of filtering too.

Posted at 3:07 am on May 13th, 2009 by TJHooker

why not require the user to push a hardware button some seconds/minutes before the first login. if no button is pressed, nobody gets in.
If you have changed the password, there is no need to push the button anymore. If you forgot to change the password you have to push the button again before the next login. This would be the perfect turing test, because there will be no program that can press a hardware button in the near future.

but a random default password is also a nice solution.

Posted at 5:31 am on May 13th, 2009 by niun

@niun

A hardware buton is crap. My router is in the basement. My computer in the second floor. I don’t want to take the hole router up just to switch of the dyndns feature or change a Port Forwarding.

captchas are way to easy to find a workaraound nowadays, but they are a first step.

http Startup Page could be a solution

The best idea would be a unique password printed on the bottom of the router. Also configuration shpuld be disabled from Wlan which is still not the standard if you buy a router.

Posted at 5:54 am on May 13th, 2009 by H.B.

I’m usually among those who bitch when things get stupid, so let me also acknowledge the awesome dialog going on over this subject.

-and speaking of routers, is it just me or has that old linksys model become like a speak-n-spell where you have to really look to find one that hasn’t already been bent by someone?

I was just given an old Netgear router that gave me some encouragement because of it’s removable antennas, but I still have to look up the model to see if anything interesting is posible with it.

Regardless, great dialog here folks, kudos to the group.

Posted at 6:39 am on May 13th, 2009 by strider_mt2k

@Dirk

There is a balance between security and usability. Moreover, your comparison with a physical lock is poor. Are there millions of automated drones constantly (and simultaneously, even) trying to pick your lock?

Posted at 7:29 am on May 13th, 2009 by steve

The problem is that your password might be great but if it’s stored in your browser any old java or even vbscript can mess you up, so a captcha will prevent casual misuse by simple scripts on websites through standard browser/windows holes, which in turn might prevent lots of IE users from falling victim for starters.

Posted at 9:48 am on May 13th, 2009 by Wwhat

Everyone here arguing over whether CAPTCHA is secure has never heard of UPnP. How does your xBox port forward for xBox live?

Most information and settings on your router don’t need the HTTP interface to be accessed. In fact, most have several protocols (I’ve definitely seen telnet).

Hackaday, keep trying. You’ve jumped the shark several times but there might be hope yet.

Posted at 1:51 pm on May 13th, 2009 by Ross Snider

This is obviously a response to the recent events where trojans started to access router settings, to the embarrassment of router manufacturers, they had to make some move to show they care and do something surely.
UPNP already had it’s bad news moment and routers already only accept LAN UPNP now and my very old router has an option to limit UPNP to only give info and not let it change settings, or to allow limited settings or full, so they dealt with that issue already some time ago.
And they also presumably dealt with the now very old issue of UPNP not ever closing ports I’m assuming, those are issues of the past.

Posted at 2:44 pm on May 13th, 2009 by Wwhat

Sorry but home users are retarded and will never change from default, because if they can connect to the internet ‘it works’ and when it works ‘leave it alone’. Is this really worth it? becuase people who actually buy WRT54G want them for only one reason and that is openWRT.

Posted at 5:22 pm on May 13th, 2009 by Shadow

Does anyone else find DLink bashing as stupid as I do? I’ve been seeing this a lot on other sites and I just wanted to see if anyone else felt the same way because the users here are typically a little more reasonable. I have a DIR-655 and a WRT54GS, I used to use DD-WRT on it for years and not long ago switched to Tomato. The DLink blows it away in every aspect. It can handle faster speeds (the WRT has trouble keeping up with my connection and effectively caps it), it can handle more connections without slowing down, it has more effective QOS, and the list goes on. I also had another DLink that performed better than the WRT, I forget the model number but it was called “Wireless N with Rangebooster” a pretty basic model. Now I don’t use the wireless at all except for when friends come over with laptops so maybe that has something to do with it, but I can always plug my WRT into the DLink to use as a wireless access point :D

Posted at 7:24 pm on May 13th, 2009 by shibathedog

@dirk: ‘i don’t lock my doors because people will just pick it’

i don’t think that’s it, really. here’s the scenario, in the guise of a terrible analogy: a majority of houses are unlocked and have no security. when you come to a house and there’s a ‘beware of dogs’ sign on the door, but no dogs barking, why wouldn’t you go in, especially if it’s not really ‘you’ going in, but rather some botnet zombie in malaysia doing the door opening. (sorry, my analogy totally flopped at the end.)

i too agree with all the folks here who think that simply forcing security onto the unwitting masses would be a boon. “we don’t trust you to keep your door locked, so here’s a spring loaded door that auto-locks. problem solved. (and while we’re at it, here’s some contraception so you don’t pass on your ‘can’t-read-the-setup-instructions’ gene.)”

Posted at 7:32 pm on May 13th, 2009 by scabby

so, now in addition to a default username/password list, malware will also require built in captcha cracking algorithms designed for specific router models.

it’s a speed bump. it might slow malware down a bit, but it’s definitely not going to stop anything.

how about a router that requires a user to actually configure it before it even thinks about DNS? i guess that might be inconvenient, and apparently convenience is more important that security.

Posted at 1:08 am on May 14th, 2009 by amk

I think it will definitely stop lots of stuff, because any fool can make a script that puts in the default password, whereas making complex captcha cracking algorithms, especially in a small java script, is a whole hell of a lot harder.

Posted at 7:00 am on May 15th, 2009 by Wwhat

@h.b.

you’ll only have to climb your stairs, to push the hardware button, the first time you want to set up the password. once the password is different from the default one, you can change it via the web interface or something else.

Posted at 1:06 pm on May 15th, 2009 by niun

@all
They messed up again, and gave admin access to everyone, no password needed since they exposed the md5 ash.
See http://www.theregister.co.uk/2009/05/15/dlink_router_gimmick/

Posted at 7:25 pm on May 15th, 2009 by nba

first off these hacks are trivial… pardon me while i blow your minds::
a:: you dont even need to log in if u know some trivial htm commands.
b:: the entire internet including the pentagon is vulnerable to command overload via xss
c:: xss isnt all that complicated its basically loading up other pages as script reference and using their commands as a form of library and or dll and or lib, not to mention some web pages have tools built right in such as advanced gps mac finder etc. and that leads to other types of hacks that are really too easy.. such as evil twin… nuking… ddos. theres more be sure of it ;)
final note.. currently there is a programmer who knows how to sniff any type password.. but hes not interested right now hes working on a yobi level compression system

Posted at 12:22 pm on Nov 21st, 2009 by geniusthemaster

D-Link adds captcha to routers

Recent Posts

Reader Comments

Leave a Reply

Hacks

Resources

RSS newsfeeds

Most commented on (30 days)

Recent comments