D-Link adds captcha to routers

D-Link is adding captcha support to its line of home routers. While default password lists have been abundant for many years, it was only recently that we started seeing them used by malware. Last year, Zlob variants started logging into routers and changing their DNS settings. It’s an interesting situation, since the people who need the captcha feature are the ones who will never see it: they won’t log in to change the default password in the first place.

[photo: fbz]

Comments

  1. shyft says:

    why is the photo of a linksys router if the article pertains to d-link?

  2. Issac Kelly says:

    I would assume that on new models that the captcha would be default, and you could turn it off when you change the password. Certainly it’s problematic for people who bought their wireless box up until now, and never changed anything; but what else can you do for them anyway?

  3. scabby says:

    article image aside, i don’t really see what this’ll do to add a ton of security. captcha hacks come out just as fast as captcha variants, and a stationary target that, by the merits of having a default password, invariably won’t get updated, patched, or have its logs checked, makes the perfect target for captcha hacks.

    statistically, some captcha hacks are above 50% success rate, so… instead of one password attempt to figure out if it’s using a default password, you’ll need to use 2 or 3. looking at my router’s logs, botnets are nothing if not tenacious. this seems like a boondoggle to me, and one that will likely be lost on their target audience (people who don’t care about their network security).

  4. xrazorwirex says:

    You’re never gonna prevent someone who wants to get in (or steal from you or kill you or break your stuff, etc) from doing it – but it adds a bit of protection.

    But not much, as scabby’s correct in implying that if somebody’s already doing something with bots then they probably are equally capable of running a few captcha scripts while they’re at it..

    This is a welcome feature – but not groundbreaking by any means – captcha is almost standard now – go host a website that has free account creation (any drupal, joomla, any forum site) and leave it completely blank and don’t use captcha. You will wind up with 100’s of spam accounts within days… and no real visitors….

    Captcha stops the lazy general populace – but it won’t do anything to protect you from any legitimate attacks – or even your neighbors who leech your internet and want to screw with you. It’s like the “ADT” signs you can put in your yard when you don’t really have ADT and your doors are unlocked…

  5. Bill says:

    Wow so every time I set up a dlink router I alone get the pleasure of being fooled by a captcha? In conjunction with the excellent points made above…. malware is going to sit there and try 24/7 with no flagging happening…. a 50% effective captcha hack being run 24/7 from a machine on a LAN will almost certainly succeed, and once it does, the change won’t be caught since the captcha makes the end user think it’s more secure and makes them LESS likely to check periodically…. nice.

  6. bizzaro says:

    d-link has been epic fail for networking for many years. switches, fine, i have a good d-link switch. i also have 3 d-link paperweights. captcha? please. if you don’t set your password away from default you deserve worse than having your dns messed with. avoiding bots logging in should need no more than that. for a determined intruder, as one of the above replies mentioned, u ain’t gonna stop it anyway.

  7. Dirk says:

    Saying ‘this security measure is useless because people will just hack it’ is just like saying ‘i don’t lock my doors because people will just pick it’.

    New security features are rarely a bad thing. Anything that makes the bad guys work a little harder is good.

  8. Darwin Survivor says:

    What ever happened to simply printing a completely random alpha-numeric string on the bottom of the device and having that as your personal default password?

  9. CaitSith2 says:

    captcha is absolutely useless for this type of protection. Instead, every router should have a unique default password, and a physical access procedure to reset the device to it.

    By unique default, I mean that the default password could be an encrypted version of the router’s MAC address, or even something programmed into it at the factory, and stuck on a sticker where you would find the router’s MAC address, and also on a sticker in the manual.

    Having one router with a unique default password is not going to get you into your neighbour’s router, since his default password will be different. This would also increase security even when the user just plugs and plays the router, since no one else can get into it, unless they get physical access to that router, or compromise its password some other way.

  10. bertoelcon says:

    no computer thing is random, and unless people wise up and set passwords with unguessable chars (like the odd ascii chars) or shut them off, since the average casual user isn’t running 24/7 net stuff, then they are gonna get hacked

  11. punmaster says:

    This captcha “feature” is a classic example of a legitimate problem being met by a completely incorrect solution. I completely agree with [Darwin Survivor] and [CaitSith2]. The solution is very simple: have a machine at the factory generate two random alphanumeric strings, print them on a label on the bottom of the device, and program one as the WPA key and the other as the config page password. The user never needs to care about security; they just read the number off the bottom and type it into their wifi manager. Also, what [bertoelcon] said is incorrect. There are plenty of ways to securely generate random numbers on a computer. As long as the attacker doesn’t have access to the machine at the factory that generated the keys, there is no way for them to guess someone’s password, even if they looked at the keys off a hundred other similar routers.
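
One way to implement the factory-provisioning scheme punmaster describes (two independent random strings printed on the label, one for the WPA key and one for the admin page), as an added example that is not code from Hackaday, D-Link or any commenter. The label alphabet, string lengths and PBKDF2 parameters are my own assumptions; the point it demonstrates is that the device stores only a salted hash of the admin password, and that the OS CSPRNG gives each unit keys unrelated to every other unit’s.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass

# Assumed label alphabet: no look-alike glyphs (0/O, 1/l/I) so the sticker reads unambiguously.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored admin digest


def random_label_string(length: int) -> str:
    """Draw `length` characters from LABEL_ALPHABET using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet: str = LABEL_ALPHABET) -> float:
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest (plus salt) is flashed into the router."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class DeviceRecord:
    serial: str
    wpa_key: str        # programmed into the radio config and printed on the label
    admin_salt: bytes
    admin_hash: bytes   # the admin password itself is never stored on the device


def provision(serial: str):
    """Factory step: generate the two credentials, return the device record and label fields."""
    wpa_key = random_label_string(16)    # about 92 bits of entropy
    admin_pw = random_label_string(12)   # about 69 bits of entropy
    salt = secrets.token_bytes(16)
    record = DeviceRecord(serial, wpa_key, salt, hash_password(admin_pw, salt))
    label = {"serial": serial, "wifi_key": wpa_key, "admin_password": admin_pw}
    return record, label


def check_admin_login(record: DeviceRecord, attempt: str) -> bool:
    """Device-side check: constant-time compare so the digest bytes do not leak by timing."""
    return secrets.compare_digest(hash_password(attempt, record.admin_salt), record.admin_hash)
```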

  12. jeicrash says:

    I think all routers (wireless ones especially) should force users to go through a setup process before allowing Internet access. And forget those lame cd’s that come packaged with them. Every few weeks/months it should ask the user to change the password again. The vendors can’t fix lazy and stupidity so I guess the point is moot.

    Although no matter how much security is put into the routers interface won’t make much difference until someone comes out with one that completely separates the wifi side from the lan side. Otherwise access is only a sniffer away.

    And I agree with many of the others. A user thats too lazy to RTFM and configure their router is not going to bother or care about a new feature such as captcha

  13. Tim says:

    What happened to having *no* default password and forcing you to set a password when you first use the device? I.e. all http requests get redirected to a “Please set the password” page.

  14. cde says:

    They are already doing a non-default password for the wireless on most devices. Verizon and Comcast both ship router/modem combos where the modem’s s/n is the wifi password.

  15. TJHooker says:

    @tim: I had default password lists to networking equipment all through the 90s. It’s nothing new.

    The most heavily propagated malware is still using SMTP. people are stupid, it’ll take secure by default solutions like you see in linux, bsd, and mac.

    You can use UPnP for bypassing a lot of filtering too.

  16. niun says:

    why not require the user to push a hardware button some seconds/minutes before the first login. if no button is pressed, nobody gets in.
    If you have changed the password, there is no need to push the button anymore. If you forgot to change the password you have to push the button again before the next login. This would be the perfect turing test, because there will be no program that can press a hardware button in the near future.

    but a random default password is also a nice solution.

  17. H.B. says:

    @niun

    A hardware button is crap. My router is in the basement. My computer is on the second floor. I don’t want to take the whole router up just to switch off the dyndns feature or change a Port Forwarding.

    captchas are way too easy to find a workaround for nowadays, but they are a first step.

    http Startup Page could be a solution

    The best idea would be a unique password printed on the bottom of the router. Also configuration should be disabled from WLAN, which is still not the standard if you buy a router.

  18. strider_mt2k says:

    I’m usually among those who bitch when things get stupid, so let me also acknowledge the awesome dialog going on over this subject.

    -and speaking of routers, is it just me or has that old linksys model become like a speak-n-spell where you have to really look to find one that hasn’t already been bent by someone?

    I was just given an old Netgear router that gave me some encouragement because of its removable antennas, but I still have to look up the model to see if anything interesting is possible with it.

    Regardless, great dialog here folks, kudos to the group.

  19. steve says:

    @Dirk

    There is a balance between security and usability. Moreover, your comparison with a physical lock is poor. Are there millions of automated drones constantly (and simultaneously, even) trying to pick your lock?

  20. Wwhat says:

    The problem is that your password might be great but if it’s stored in your browser any old java or even vbscript can mess you up, so a captcha will prevent casual misuse by simple scripts on websites through standard browser/windows holes, which in turn might prevent lots of IE users from falling victim for starters.

  21. Ross Snider says:

    Everyone here arguing over whether CAPTCHA is secure has never heard of UPnP. How does your xBox port forward for xBox live?

    Most information and settings on your router don’t need the HTTP interface to be accessed. In fact, most have several protocols (I’ve definitely seen telnet).

    Hackaday, keep trying. You’ve jumped the shark several times but there might be hope yet.

  22. Wwhat says:

    This is obviously a response to the recent events where trojans started to access router settings, to the embarrassment of router manufacturers, they had to make some move to show they care and do something surely.
    UPnP already had its bad news moment and routers already only accept LAN UPnP now, and my very old router has an option to limit UPnP to only give info and not let it change settings, or to allow limited settings or full, so they dealt with that issue already some time ago.
    And they also presumably dealt with the now very old issue of UPNP not ever closing ports I’m assuming, those are issues of the past.

  23. Shadow says:

    Sorry but home users are retarded and will never change from default, because if they can connect to the internet ‘it works’ and when it works ‘leave it alone’. Is this really worth it? because people who actually buy WRT54G want them for only one reason and that is openWRT.

  24. shibathedog says:

    Does anyone else find DLink bashing as stupid as I do? I’ve been seeing this a lot on other sites and I just wanted to see if anyone else felt the same way because the users here are typically a little more reasonable. I have a DIR-655 and a WRT54GS, I used to use DD-WRT on it for years and not long ago switched to Tomato. The DLink blows it away in every aspect. It can handle faster speeds (the WRT has trouble keeping up with my connection and effectively caps it), it can handle more connections without slowing down, it has more effective QOS, and the list goes on. I also had another DLink that performed better than the WRT, I forget the model number but it was called “Wireless N with Rangebooster” a pretty basic model. Now I don’t use the wireless at all except for when friends come over with laptops so maybe that has something to do with it, but I can always plug my WRT into the DLink to use as a wireless access point :D

  25. scabby says:

    @dirk: ‘i don’t lock my doors because people will just pick it’

    i don’t think that’s it, really. here’s the scenario, in the guise of a terrible analogy: a majority of houses are unlocked and have no security. when you come to a house and there’s a ‘beware of dogs’ sign on the door, but no dogs barking, why wouldn’t you go in, especially if it’s not really ‘you’ going in, but rather some botnet zombie in malaysia doing the door opening. (sorry, my analogy totally flopped at the end.)

    i too agree with all the folks here who think that simply forcing security onto the unwitting masses would be a boon. “we don’t trust you to keep your door locked, so here’s a spring loaded door that auto-locks. problem solved. (and while we’re at it, here’s some contraception so you don’t pass on your ‘can’t-read-the-setup-instructions’ gene.)”

  26. amk says:

    so, now in addition to a default username/password list, malware will also require built in captcha cracking algorithms designed for specific router models.

    it’s a speed bump. it might slow malware down a bit, but it’s definitely not going to stop anything.

    how about a router that requires a user to actually configure it before it even thinks about DNS? i guess that might be inconvenient, and apparently convenience is more important than security.

  27. Wwhat says:

    I think it will definitely stop lots of stuff, because any fool can make a script that puts in the default password, whereas making complex captcha cracking algorithms, especially in a small java script, is a whole hell of a lot harder.

  28. niun says:

    @h.b.

    you’ll only have to climb your stairs, to push the hardware button, the first time you want to set up the password. once the password is different from the default one, you can change it via the web interface or something else.

  29. nba says:

    @all
    They messed up again, and gave admin access to everyone, no password needed, since they exposed the MD5 hash.
    See http://www.theregister.co.uk/2009/05/15/dlink_router_gimmick/

  30. first off these hacks are trivial… pardon me while i blow your minds::
    a:: you don’t even need to log in if you know some trivial htm commands.
    b:: the entire internet including the pentagon is vulnerable to command overload via xss
    c:: xss isn’t all that complicated, it’s basically loading up other pages as script reference and using their commands as a form of library and or dll and or lib, not to mention some web pages have tools built right in such as advanced gps mac finder etc. and that leads to other types of hacks that are really too easy.. such as evil twin… nuking… ddos. there’s more, be sure of it ;)
    final note.. currently there is a programmer who knows how to sniff any type of password.. but he’s not interested right now, he’s working on a yobi level compression system
