Routers, by definition, have multiple personalities. One Ethernet port is connected to the outside world, four (typically) Ethernet ports offer Internet access to wired devices on a Local Area Network (LAN), and a radio transmitter offers access to Wi-Fi clients.
The Wi-Fi interface may even offer multiple
Every device on a TCP/IP-based network (and almost all networks use TCP/IP to communicate) gets a unique number, called an IP address. IP addresses are 32 bits and are written as four decimal numbers, each between zero and 255 separated by periods. A common IP address is 192.168.1.1. You can enter an IP address directly into the address bar of a Web browser to visit a website.
Most IP addresses are on the public Internet, but some are reserved for internal use only. That is, everyone can use the same internal-use-only addresses on their LAN without any confusion. These special IP addresses are not allowed on the public Internet.
The most commonly used internal IP addresses start with either 192.168 or 10. A computer connected to an internal Ethernet port of a router may see the router as having IP address 192.168.0.1, for example. Millions of routers on millions of LANs can all use this IP address because it is guaranteed never to go out the other side of the router, to the Internet. Routers ship with a default internal IP address, and the owner of the router can change it to any internal-use-only address.
A router uses a different IP address, a "public" one, when communicating on the Internet. The router owner has no control over the public IP address; it is assigned by the Internet Service Provider (ISP) that connects the router to the Internet.
All the computers on the LAN appear to the outside world to have the same IP address. You can think of the router as the public spokesperson for all the LAN-side computers.
As you may suspect by now, the security problem that some routers have has to do with not keeping the public and private personalities totally separate and distinct.
The public IP address should only be visible to a computer on the Internet and the private IP address should only be visible to computers on the LAN, be they wired or wireless.
If this barrier is not maintained, bad guys on the Internet can possibly log into the router. And, if that happens, you're in big trouble.
Routers are configured using internal websites; that is, websites that live in the router itself, not on the Internet. To modify a router, a computer on the LAN gets to the internal website by IP address. For example, you might type http://192.168.0.1 into the address bar of a Web browser and then log in with a userid and password.
The router is normally addressable only by the internal IP address. This ensures that only computers on the LAN can make changes to it.
Every website that you communicate with knows the public IP address of your router. And, of course, so too does your ISP. But, a couple of things prevent someone from the outside from logging in to a router.
First, there is the firewall in the router, which normally denies unsolicited incoming traffic. In addition, routers have an option for remote administration. Non-techies with far away tech helpers can allow their remote helpers to log in to their router without having to physically visit. Typically, remote administration is disabled.
LAN-based computers should be limited to accessing the router by its internal IP address, something that remote Web sites cannot learn. Since a remote Web site can easily learn your public IP address, a bug that lets LAN-based computers reach the router by its public IP address can allow a bad guy to log on to your router.
Making things worse, far too many people don't change the default password for their router. The bad guys have ready access to the default passwords for routers and can detect, to some degree, which router you have.
Are you vulnerable?
It's easy to test if your router is vulnerable to this attack.
You can learn your public IP address at many websites, such as checkip.dyndns.com. Just enter this address into your favorite Web browser and see what happens. For example, if the public IP address were 18.104.22.168, then try browsing to http://22.214.171.124 (there is no period at the end of an IP address).
If you get prompted for a userid and password, your router is vulnerable to this type of attack. If you get an error that the Web page can't be loaded, you're safe.
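The same test can be scripted from a computer on your own LAN. The sketch below is an added example, not part of the original article; the function names and the "password field" heuristic are assumptions, and the public IP address is supplied by you on the command line.

```python
import http.client
import sys

def classify_reply(status, body):
    """Classify an HTTP reply from the probed address.

    'login-prompt': HTTP 401, or a page containing a password field (heuristic).
    'responds':     some other HTTP reply; inspect it by hand.
    """
    text = body.lower()
    if status == 401 or 'type="password"' in text or "type='password'" in text:
        return "login-prompt"
    return "responds"

def probe_admin_interface(ip, port=80, timeout=5.0):
    """Request "/" from ip:port the way a browser on the LAN would."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1", "replace")
        return classify_reply(resp.status, body)
    except (OSError, http.client.HTTPException):
        # Refused, timed out or not HTTP: the page "can't be loaded".
        return "unreachable"
    finally:
        conn.close()

MESSAGES = {
    "login-prompt": "Router login is reachable on the public address: vulnerable.",
    "responds": "Something answered on the public address: check what it is.",
    "unreachable": "Nothing answered on the public address: safe.",
}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <your-public-ip>")
    print(MESSAGES[probe_admin_interface(sys.argv[1])])
```

Run it from inside the LAN, since the article's test is about what LAN-side computers can reach through the public address.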
On the technical side, the attack is a new wrinkle on an old problem called DNS rebinding. It depends on the fact that a single website can have multiple IP addresses. When you first visit a malicious website, your computer is given two IP addresses for the bad site. The first is legit; the second is not: it's your public IP address. Then, through caching tricks and purposefully generated errors, the malicious Web page tricks your computer into accessing what it thinks is the alternate IP address of the malicious site, but is actually the public IP address of your router.
Remote administration does not need to be enabled for this attack to work. All that is required is that a user inside the target network surf to a Web site that is controlled, or has been compromised, by the attacker. Implicit in this is that the attack works regardless of the Web browser or the victim's operating system. The attack is against the router; that's where the vulnerability lies.
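The DNS pattern described above can be spotted on the defender's side by checking what addresses outside hostnames resolve to. The following is an added example, not from the original article: the function names, the trusted-name list and the sample data (documentation-range addresses) are all constructed for illustration.

```python
import ipaddress

# Internal-use-only and loopback ranges a public hostname should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify_answer(addr, own_public_ip):
    """Label one resolved address relative to our own network."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address(own_public_ip):
        return "own-public-ip"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"

def find_rebinding_suspects(dns_answers, own_public_ip, trusted_names=()):
    """Return {hostname: [(addr, kind), ...]} for names that point back at us.

    dns_answers maps a hostname to the list of addresses it resolved to.
    trusted_names are local names that legitimately resolve to internal addresses.
    """
    suspects = {}
    for name, addrs in dns_answers.items():
        if name.lower().rstrip(".") in trusted_names:
            continue
        hits = [(a, kind) for a in addrs
                if (kind := classify_answer(a, own_public_ip)) != "external"]
        if hits:
            suspects[name] = hits
    return suspects

# Constructed sample: our router's public address and three resolved names.
OWN_PUBLIC_IP = "203.0.113.7"
SAMPLE_ANSWERS = {
    "www.example.org": ["198.51.100.20"],
    "rebind.example.net": ["198.51.100.66", "203.0.113.7"],  # second answer is us
    "router.home.example": ["192.168.0.1"],
}

if __name__ == "__main__":
    found = find_rebinding_suspects(SAMPLE_ANSWERS, OWN_PUBLIC_IP,
                                    trusted_names=("router.home.example",))
    for name, hits in found.items():
        print(name, hits)
```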
Defend your router
The simplest defense is to not use the router's default password. Change it to something that can't be guessed, the longer the better. As always with passwords, don't use a word in the dictionary.
If your router is vulnerable, check if the manufacturer has a newer firmware that fixes the problem.
Any new router should be tested for this problem first thing, while it can still be returned.
Although not directly relevant to this problem, it is good advice to verify that remote administration is, in fact, turned off on your router.
If you use Wi-Fi, check if your router can limit administrative access to wired connections. This should prevent any and all wireless users from ever logging in to the router.
WEP (Wireless Encryption Protocol) works by establishing a shared key between the clients (network cards) and the wireless router, then using the key to encrypt and decrypt the data passing between them. Most routers offer both 64-bit encryption and 128-bit encryption. It is usually a 10 number key for 64-bit, and a 22 number key for 128-bit. If you do not know this number, you cannot enter the wireless network.
WPA-PSK (Wi-Fi Protected Access Pre Shared Key) is a Wi-Fi standard that improves upon the security features of WEP. To use WPA-PSK, a shared key or "passphrase" is set. Using TKIP (Temporal Key Integrity Protocol), WPA-PSK automatically changes the keys at a preset time interval, making it much more difficult for hackers to find and exploit them.
MAC address filtering: Each network adapter or card (wired or wireless) has a unique number assigned to it called a MAC address. So if you have a wireless USB adapter plugged into your computer, when connected to the Internet, it will show its own MAC address. You can add all the MAC addresses of the computers you want to access the network, therefore blocking any others.