Verizon FiOS Actiontec router vulnerabilities

  • bbgrh
  • Novice
  • Posts: 20

Post 3+ Months Ago

Hello,

My home network has not been working for some time now.
As I have worked through each element, I have been learning about Windows and general security, but it is all really new to me.
So this is where I am now:

I have a laptop that runs Vista.

My mom and dad have PCs with XP.

We have very recently formatted all three machines and put them back onto the network and we are still having problems.

Upon Internet research of my router, I found the exact issues I am having in this article:
***********************************************************************************************
"To summarize, of 9 types of attacks discussed, it reports the Actiontec as vulnerable to the following attacks:

DNS Hijacking

quote:
--------------------------------------------------------------------------------
Another host-name related attack vector, again involving DHCP, is domain name hijacking [5]. This attack occurs when a router resolves internal host names to their respective IP addresses; as in the DHCP XSS attack, the internal client's host name is specified inside a DHCPREQUEST packet. This in itself is not a particular concern, but if an attacker can register themselves on the network with a host name of WPAD then they can carry out any number of man-in-the-middle attacks against other clients on the network [6]. WPAD attacks primarily affect Windows users, and Internet Explorer users in particular, as various Windows applications (including IE) will look for a WPAD server by default.

This problem is further complicated on home networks where no domain name is configured. Normally, host names will be registered as sub-domains of the network domain; i.e., if the domain name is "home", then a host named "laptop" will be registered as "laptop.home". However, small networks rarely have a domain name configured, so the host would simply be registered on the LAN as "laptop". Thus, performing a DNS lookup for "laptop"; would return the IP address of the internal client who registered the host name of "laptop". But what if a host claims that its host name is "www dot anything dot com"? Logic would suggest that a router would know better than to resolve requests for http://www dot anything dot com to an internal IP address, but unfortunately that is exactly what some routers do; this allows an internal attacker to perform a single-packet DNS poison that will persist until the attacker either un-registers his host name, or leaves the network.

--------------------------------------------------------------------------------

Default WEP

quote:
--------------------------------------------------------------------------------
Default configurations are normally not considered "vulnerabilities" in and of themselves, however, any type of default setting becomes an issue when applied to cryptography. WEP and WPA keys are of particular interest with home routers, since few routers come without wireless capabilities these days. You will notice that all of the described attacks have so far required access to the LAN; wireless provides an attacker with access to the LAN, but still affords him the ability to remain reasonably removed from the LAN's physical location. In an effort to help protect users from wireless attacks, some vendors have begun shipping their products with wireless encryption enabled by default; unfortunately, the encryption method normally chosen is WEP (well known to be broken [15]), and as in the case of the BT Home Hub router, the proprietary algorithm used for generating the default WEP key can be reverse engineered and used by an attacker to gain access to such encrypted networks [8].


Many newer home routers still come with no encryption enabled, however, one notable exception is the ActionTec MI424-WR. This particular router is commonly distributed by Verizon, and invariably a plethora of them can be found in areas where Verizon FiOS is available. Unlike the BT Home Hub, the ActionTec routers do not attempt to obscure the method used to generate their default 40 bit WEP key: [att=1]
Because WEP does not encrypt source/destination MAC addresses, any data packets to or from the ActionTec router will instantly reveal the WEP key. Also note that no active clients need be on the network in order for data packets to be generated, as the ActionTec routers are prone to periodically broadcasting un-solicited Spanning-Tree packets.

--------------------------------------------------------------------------------



It should be noted regarding "and as in the case of the BT Home Hub router, the proprietary algorithm used for generating the default WEP key can be reverse engineered and used by an attacker to gain access to such encrypted networks", the ActionTec MI424-WR also has this same vulnerability. ActionTec's algorithm has been reverse engineered. See »[ fiber tech] Verizon FiOS default WEP key HIGHLY insecure!. No packet sniffers or crack tools are needed... just a calculator.


• Local UPNP

quote:
--------------------------------------------------------------------------------
UPNP attacks are nothing new [10], but started receiving more attention after GNUCitizen demonstrated that UPNP attacks could be carried out remotely when coupled with flash-based CSRF attacks [11]. Because UPNP is an unauthenticated protocol that, by definition, provides control over a router's configuration, insecure UPNP stacks can result in a plethora of exploitation possibilities, including command execution and re-configuration of DNS settings. While most new routers protect against these attacks, there is another UPNP action that we can use to our advantage.

The previously mentioned session hijacking attacks (and some of the CSRF attacks) require an administrator to already be authenticated with the target router. But waiting around for the average user to log into their router makes these attacks unlikely to succeed. Instead, an attacker can use UPNP to terminate a router's WAN connection, interrupting the user's Internet connection.
Eventually, they are likely to:
1. Reset their router
2. Log into the router to diagnose the problem
3. Call their ISP, who will ask them to log into their router to diagnose the problem.
The WAN connection can be terminated using the UPNP ForceTermination action, which was available in all of the routers that we examined. Using Miranda [14], a UPNP administration utility, we can easily send UPNP commands to a router, forcing it to terminate its WAN connection.

--------------------------------------------------------------------------------



• CSRF UPNP

quote:
--------------------------------------------------------------------------------
One of the most common uses for UPNP is port forwarding. UPNP allows client applications, such as P2P programs and games, to open ports on the router in order to facilitate necessary communications with other peers or services. While these port forwarding rules are meant to forward traffic from external clients to internal clients, an attacker can make use of these rules to expose the router's administrative interface to the WAN by forwarding traffic to port 80 of the router's IP address. Configuring the router as the attacker's personal proxy is also possible, by telling the router to forward traffic not to an internal IP, but an external IP [12]. While most new routers prevent these types of attacks by checking the specified IP addresses, some, like the ActionTec MI424-WR, still allow users to forward incoming connections on external ports to port 80 of the router itself, effectively enabling remote administration on the device.

--------------------------------------------------------------------------------




I have changed the default WEP and disabled UPNP.
I noticed a lot of the issues were coming from the firewall, which was enabled even though I turned it off, on my machine.

My DNS is not right and I don't know how to fix it.

Both of my parents' PCs seem okay right now.

My computer had a file in the C drive today, which the board won't let me write, but it was iph dot ph

I have tunnel connections using ISATAP network controllers????

I have tried to disable IPv6 on my machine using the netsh command but it is not seeming to work.

Any advice would really be appreciated.
Thanks in advance, Angela
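The "DNS Hijacking" section of the article quoted above describes a router that resolves whatever host name a client puts into DHCP option 12, including "WPAD" or a dotted name like www.anything.com. The following is an added example (not code from the quoted paper or from this thread) that models that behaviour in a few lines of Python beside a hardened registration routine: it parses the DHCP options field, registers the name, and shows why the checks matter. The packets, addresses, the 192.168.1.0/24 LAN range, the "home" domain and the reserved-name list are all constructed for the demo.

```python
# Added example (not from the quoted paper or the forum post): a toy model of
# a home router that registers DHCP host names into its internal DNS, showing
# the unsafe behaviour described above beside a hardened version. The packets,
# addresses, LAN range and the "home" domain are all constructed for the demo.
from ipaddress import IPv4Address, IPv4Network
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
OPT_HOST_NAME = 12                 # RFC 2132 "Host Name" option
OPT_END = 255

def build_dhcp_options(host_name: bytes) -> bytes:
    """Options field of a DHCPREQUEST carrying only option 12 (host name)."""
    return DHCP_MAGIC + bytes([OPT_HOST_NAME, len(host_name)]) + host_name + bytes([OPT_END])

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV option list and return {code: raw_value}."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    result, i = {}, len(DHCP_MAGIC)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = options[i + 1]
        result[code] = options[i + 2 : i + 2 + length]
        i += 2 + length
    return result

class NaiveRouterDns:
    """Registers whatever host name the client claims, exactly as sent."""
    def __init__(self):
        self.table = {}

    def register(self, options: bytes, client_ip: str) -> bool:
        name = parse_dhcp_options(options).get(OPT_HOST_NAME, b"")
        if not name:
            return False
        self.table[name.decode("latin-1").lower()] = client_ip
        return True

    def resolve(self, query: str):
        return self.table.get(query.lower().rstrip("."))

# Names Windows clients look up automatically (WPAD for proxy discovery,
# ISATAP for tunnel routers) and that an internal host must never be handed.
RESERVED_NAMES = {"wpad", "isatap", "localhost", "router", "gateway"}
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")   # one DNS label, no dots

class HardenedRouterDns(NaiveRouterDns):
    """Accepts a single DNS label from a LAN address, rejects reserved names,
    and only ever answers for names inside its own domain."""
    def __init__(self, lan: str, domain: str = "home"):
        super().__init__()
        self.lan = IPv4Network(lan)
        self.domain = domain.lower()

    def register(self, options: bytes, client_ip: str) -> bool:
        if IPv4Address(client_ip) not in self.lan:
            return False
        raw = parse_dhcp_options(options).get(OPT_HOST_NAME, b"")
        try:
            name = raw.decode("ascii").lower()
        except UnicodeDecodeError:
            return False
        # A dot means the client is claiming a fully qualified name such as
        # www.anything.com; LABEL_RE rejects that along with any other junk.
        if not LABEL_RE.match(name) or name in RESERVED_NAMES:
            return False
        self.table[f"{name}.{self.domain}"] = client_ip
        return True

    def resolve(self, query: str):
        q = query.lower().rstrip(".")
        if not q.endswith("." + self.domain):
            return None            # not our zone: hand it to the upstream resolver instead
        return self.table.get(q)

if __name__ == "__main__":
    naive, hardened = NaiveRouterDns(), HardenedRouterDns("192.168.1.0/24")
    for claimed in (b"laptop", b"WPAD", b"www.anything.com"):
        opts = build_dhcp_options(claimed)
        print(claimed.decode(), "naive:", naive.register(opts, "192.168.1.50"),
              "hardened:", hardened.register(opts, "192.168.1.50"))
    print("naive www.anything.com ->", naive.resolve("www.anything.com"))
    print("hardened www.anything.com ->", hardened.resolve("www.anything.com"))
```

The naive router answers queries for www.anything.com and wpad with the attacker's LAN address for as long as the lease stands; the hardened one registers only single labels under its own domain and refuses to answer anything outside that zone, so an upstream lookup is the only way those names resolve.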
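The "Local UPNP" and "CSRF UPNP" sections quoted above both come down to unauthenticated SOAP calls to the gateway's WANIPConnection service: ForceTermination to drop the WAN link, and AddPortMapping pointed at the router itself or at an outside address. The block below is an added example, not code from the quoted paper, from Miranda, or from this thread. It builds those two requests exactly as a UPnP client would POST them and models the gateway-side check that the article says most newer routers perform and the MI424-WR did not. The service type, action names and argument names are the standard UPnP IGD ones; the control URL, port 49152, the router address 192.168.1.1 and the LAN range are assumptions for the demo, and nothing is actually sent.

```python
# Added example, not code from the quoted paper, from Miranda, or from the forum
# thread: UPnP IGD control messages as they appear on the wire (SOAP over HTTP
# to the WANIPConnection service), beside a gateway-side check that refuses the
# two AddPortMapping targets the article names as abusable: the router's own
# address and any address outside the LAN. Control URL, port, router IP and LAN
# range are assumed for the demo; no packet is sent.
from ipaddress import IPv4Address, IPv4Network
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_URL = "/upnp/control/WANIPConn1"   # assumed; the real one is read from the device description XML

def soap_request(action: str, args: dict, host: str = "192.168.1.1", port: int = 49152) -> str:
    """Full HTTP request a UPnP client (Miranda, a browser driven by CSRF, ...) would POST."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    envelope = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    )
    headers = (
        f"POST {CONTROL_URL} HTTP/1.1\r\n"
        f"HOST: {host}:{port}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f'SOAPACTION: "{SERVICE}#{action}"\r\n'
        f"CONTENT-LENGTH: {len(envelope.encode())}\r\n\r\n"
    )
    return headers + envelope

def force_termination_request() -> str:
    """ForceTermination takes no arguments: one unauthenticated POST drops the WAN link."""
    return soap_request("ForceTermination", {})

def add_port_mapping_request(ext_port: int, internal_client: str, int_port: int, proto: str = "TCP") -> str:
    """AddPortMapping with the standard IGD argument set."""
    return soap_request("AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": internal_client,
        "NewEnabled": 1,
        "NewPortMappingDescription": "demo",
        "NewLeaseDuration": 0,
    })

def parse_action(request: str):
    """Gateway side: pull (action name, {argument: value}) out of the POSTed SOAP."""
    envelope = request.split("\r\n\r\n", 1)[1]
    body = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")
    action = body[0]                            # the single <u:Action> element
    name = action.tag.split("}", 1)[1]          # strip the service namespace
    return name, {child.tag: (child.text or "") for child in action}

class Gateway:
    """Minimal IGD model with the address checks the article says many newer routers perform."""
    def __init__(self, router_ip: str, lan: str):
        self.router_ip = IPv4Address(router_ip)
        self.lan = IPv4Network(lan)
        self.mappings = []
        self.wan_up = True

    def handle(self, request: str, check_targets: bool = True) -> bool:
        name, args = parse_action(request)
        if name == "ForceTermination":
            self.wan_up = False    # nothing to validate: the action is legitimate, just unauthenticated
            return True
        if name == "AddPortMapping":
            client = IPv4Address(args["NewInternalClient"])
            if check_targets:
                if client not in self.lan:
                    return False   # would turn the router into a proxy to an Internet host
                if client == self.router_ip:
                    return False   # would expose the router's own services (port 80 admin UI) to the WAN
            self.mappings.append((int(args["NewExternalPort"]), args["NewProtocol"],
                                  str(client), int(args["NewInternalPort"])))
            return True
        return False               # unknown action: not modelled here

if __name__ == "__main__":
    gw = Gateway("192.168.1.1", "192.168.1.0/24")
    print(force_termination_request())
    print("WAN dropped:", gw.handle(force_termination_request()) and not gw.wan_up)
    print("router:80 exposed (checked):", gw.handle(add_port_mapping_request(8080, "192.168.1.1", 80)))
    print("router:80 exposed (unchecked):",
          gw.handle(add_port_mapping_request(8080, "192.168.1.1", 80), check_targets=False))
```

The only difference between the checked and unchecked gateways is the two comparisons on NewInternalClient; with them absent, the mapping external 8080 to 192.168.1.1:80 is installed and the admin interface is reachable from the WAN, which is what the article describes for the MI424-WR. Disabling UPNP on the router, as the original poster did, removes the whole service rather than relying on those checks.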
  • Don2007
  • Web Master
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

I noticed over a year ago how easy it was to crack WEP on Actiontec routers but even though you can blame that on the Actiontec, I haven't seen one user who has changed the default password or used MAC filtering to add security. That's not Actiontec's fault. Using WPA2 with MAC filtering makes the router quite secure. It's much harder to capture, not to mention crack, handshakes than it is initialization vectors (IVs). So far I haven't had any luck but I'm going to take another look at it. The rainbow tables seem like a lot of work.

If at all possible, wire all the machines & disable wireless. Case closed.
  • bbgrh
  • Novice
  • Posts: 20

Post 3+ Months Ago

Hello,
Sorry, I forgot to mention that I did switch to MAC filtering and changed the WEP key to WPA.

I'm not sure how to secure the LAN connections, because what is happening is there is a rotating remote connection that I cannot figure out how to disable, since I have disabled it in the router settings and on all of my machines.

So for instance, if I am off the network, it will take my address and pretend to be me.

This happened after I did MAC filtering on wireless.

What to do about the wired security? I have tried disabling wireless.

Thank you
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6810
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Have you looked into the possibility of one of the PCs being infected? If that is the case then nothing you do on the router is going to make much of a difference since your PC is compromised.
  • bbgrh
  • Novice
  • Posts: 20

Post 3+ Months Ago

I considered that already, yes, I believe they were all infecting each other at one point very recently, so I took them all off of the network, formatted, reinstalled Windows, and put them back on the network at the same time. Mine was immediately compromised.

I have reason to believe someone would want what is on my computer; I have a lot of personal pictures.

whatever is happening is very persistent.

thanks very much
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6810
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Unless you are some kind of nude model, I seriously doubt they are after your personal picture collection.

Unless you fully patched Windows prior to hooking it up to the network it only takes a few minutes to become compromised.

Have you contacted Verizon about this issue?
  • Don2007
  • Web Master
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

bbgrh If you have Verizon television service, it also gives IP addresses to the TVs but they can be duplicated to computers. One of the Verizon national managers couldn't explain that to me, nor could he explain the other vulnerabilities I mentioned before.

Open the web interface to the router. Look at the device list. Post it here. It's not any info that can aid in hacking. Show me that rotating connection that you believe is someone pretending to be you. It's not strange that DHCP rotates. The list will show you if it's wireless or not. Try to hack that PC. In the run box enter its IP address preceded by \\ Example \\192.168.1.102 &/OR
\\192.168.1.102\c$


If your wired connections are password protected, that is, when you boot, you have to enter a password, then someone from the outside also has to provide the password.
  • bbgrh
  • Novice
  • Posts: 20

Post 3+ Months Ago

Yes, I'm a nude model...

And I contacted Verizon; they told me I have a virus.

Yes, I know, Verizon, thanks.

I told them I formatted everything, installed the latest anti-virus from CDs on each, then put them each onto the network, immediately went to Microsoft Update and got everything up to date. Restarted. ipconfig. Same problem.


They said the virus is bouncing around the network then.

Verizon is a dead end.

I'll try the suggestion, thank you :)



Also, I want to add that yesterday my mom's PC was slow, so I checked it out, and there was a new LOGON called aspnet and a remote desktop connection.
  • Don2007
  • Web Master
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

When people don't have an answer, they tell you that there is a virus & that you should format.

If you are using MAC filtering, WPA & all machines are password protected, no one is going to be able to see your files unless there is a trojan.

May I suggest that you store all your private files on an external hard drive & only connect it when you need to modify those directories.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.