Home | Today's Headlines | Contact | New Sites | Job Centre

Aardvark Daily 20 June 2002

Here is the email sent to me by John Burns (at my suggestion) and which describes what
he did, why he did it, and how hundreds of DSL users remain vulnerable to hackers.


I have had a Jetstream account for a very short while.  The speed was
great and the always-on aspect of it appealed to me.  I have a Nokia M1122
router; the routers are great, they are always on unless manually
switched off, and therefore generally keep their IP address almost
statically.  What you may not realise is that even if your computer is not
turned on, if the router is, hackers may have access to your modem.

I found this out, unfortunately, from the receiving end.  After looking
through the logs on my modem, I found that the configuration settings had been
changed, or rather that extra mapped ports or 'pinholes' had been added; these
pinholes were to overseas servers.  Someone was using my router as a
stepping stone for the transfer of data.  This may have been for
anonymity, as my modem would show as the place the international data was
coming to, and not the person who was receiving the data via my modem.

I looked into this problem and found that there were a number of security
issues plaguing ADSL modems.  In my case, it was a case of a small,
undetailed manual and my urgency to get connected to the internet.  After
all, once you're connected and downloading data, the modem is set
up... right??

Almost every modem you can buy (Nokia, Dynalink, 3Com, etc.) comes with
either no administration password or a default password set.  In some
cases the manuals do not tell you how to change the password, and in other
cases they do not tell you that there are many ways to access the modem,
with separate passwords for each method.

Almost all modems have a web-based configuration mode; if it is not set up
correctly, any external user can connect to your IP address (this is in
email headers, mIRC whois results, FTP logs, HTTP logs, etc.) and access your
modem's configuration by using the default password.  They can view your
settings, including user names, passwords and logs, even to the extent of
restarting your modem.

The possible uses of an incorrectly set up modem for a hacker are endless;
they can basically connect to anywhere and make it appear to be you.  A
lot of people use the same passwords for email, online banking, Inland
Revenue, etc.

I decided to walk the thin line of the law and search for internet users
who had insecure modems, and then secondly inform them of the problem.  I did
this by searching for insecure modems, and when I found one, logged their login
name.  From this login name I attempted to convert it to a valid email
address so I could email the people at the coal face of the problem.  Each
user was individually emailed with a message telling them of the problem
and how to fix it.  Some probably chose to treat it as a hoax, others
returned by email asking for more information, some fixed the problem and
sent me emails of praise, while others swore privacy infringement and
contacted the police and their lawyers... All because I was trying to help
them.

I have people trying to claim damages, even though I was trying to prevent
them from incurring costs at all.  My oh my, it's a mixed-up world we live
in.

Fortunately, due to the early election, the laws on criminal hacking have
not yet been passed; all users have not suffered any losses, and in terms
of privacy, only myself and the people involved know of their individual
case.  Had this law been passed, I probably would have still done the
unmentionable, but then given the stats and figures to the individual ISPs
concerned.

There are 2 ways that this problem can arise, and both must be tested
for from an external internet connection.  You first need to find out your
IP address; get this from www.whatismyip.com or somewhere similar.  Your IP
address is a series of 4 numbers separated by 3 dots.  Have a friend on
another internet connection try to connect to http://youripaddress - if
they are asked for a password, you need to change the settings to not
allow external administration connections, or if this is not possible,
forward port 80 on the modem to port 9999 or similar at IP 127.0.0.1 -
this will mean that a user cannot access the administration mode
externally.

Now, have your friend go to their Start menu in Windows, select Run, then
type in 'telnet youripaddress' and press Enter.  This feature cannot be
turned off in most modems, but the password to access it can be changed -
do this immediately if it is the default password.

I am not going to supply any default passwords here; you should know if
the password is a default one or not.  If so, change it.

If you were one of the 500-odd people who received an email from me,
please do not be scared by the problem, but make sure you follow the steps
and change the passwords and settings to fix the problem.
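The two checks John describes (does port 80 on your public IP answer outsiders with a password prompt, and does port 23 accept a telnet connection) as a small self-check script; this is added here for illustration and is not part of the email. Run it from a friend's connection against your own IP; the function names and the advice strings are my own, and the classifier is tested below on constructed HTTP replies.

```python
import socket
import sys
from typing import Optional

def classify_http_response(raw: bytes) -> str:
    """Classify the status line of whatever the router's port 80 sent back."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "not-http"
    if parts[1] == "401":
        return "admin-login-exposed"  # password prompt: the admin UI answers outsiders
    if parts[1].startswith("2"):
        return "admin-page-exposed"   # a page came back with no password asked at all
    return "responds"                 # some other HTTP answer: still worth a look

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Connect to host:port; return bytes received (b"" if silent) or None if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if port == 80:
                s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            s.settimeout(timeout)
            try:
                return s.recv(512)
            except socket.timeout:
                return b""
    except OSError:
        return None

def check_router(host: str) -> dict:
    """Both tests from the email, run against your own public IP from an outside connection."""
    http = probe_tcp(host, 80)
    telnet = probe_tcp(host, 23)
    return {
        "http": "closed" if http is None else classify_http_response(http),
        "telnet": "closed" if telnet is None else "open",
    }

def advice(result: dict) -> list:
    """Map findings to the fixes the email recommends (wording is mine, not John's)."""
    out = []
    if result["http"] in ("admin-login-exposed", "admin-page-exposed"):
        out.append("web admin reachable from outside: disable external administration, or forward port 80 to 127.0.0.1:9999")
    if result["telnet"] == "open":
        out.append("telnet reachable from outside: it usually cannot be disabled, so change its password if it is still the default")
    return out

if __name__ == "__main__":
    for line in advice(check_router(sys.argv[1])) or ["no exposed admin ports found"]:
        print(line)
```

Usage: `python check_router.py youripaddress` from the outside connection; a result of "closed" on both ports means neither admin interface is reachable from the internet.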

Aardvark Adds:

If you are a DSL user and are unsure as to whether the above might apply to your setup, make sure you turn off your modem when you are not using it.  Don't leave it turned on, even if the computer itself is turned off.

Contact your ISP or a suitably experienced expert to check that your passwords are properly set and that nobody else can change settings without your permission.
