A vulnerability in several Netgear SOHO (Small Office/Home Office) routers, discovered a few months ago by researchers at the security firms Compass Security and Shell Shock Labs, is now being exploited in the wild, letting attackers redirect victims' web traffic to servers they control.
Compass Security's Daniel Haake privately disclosed the flaw in July, and Shell Shock Labs publicly disclosed it in September.
Joe Giron, a US-based security researcher, told a media outlet that attackers had exploited the hole in his own Netgear router on Sept. 28, and that his browsing data had been sent to a suspicious Internet address.
"Normally, I set mine to Google's [IP address] and it wasn't that, it was something else," Giron said. "For two or three days, all my DNS traffic was being sent over to them."
Meanwhile, in a separate report, Compass Security's Alexandre Herzog said one victim discovered the attack while investigating why his router had become unstable. The victim found that his DNS queries were being redirected to the attacker's server, and then passed the IP address of one of the command and control servers to Compass for further scrutiny.
Compass said it was able to download data from the attacker's server, which suggested that more than 10,000 other routers had been compromised.
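Both victims noticed the compromise the same way: the DNS server their traffic was going to was not the one they expected. The following Python script is an added example, not code from the article, Compass Security or Netgear. It shows the simplest form of that check: parse the resolver configuration a LAN host received (a constructed resolv.conf sample is embedded, with an unexpected address from the documentation range 203.0.113.0/24 standing in for a hijacked server) and flag any nameserver that is not on an allowlist. The allowlist itself is an assumption, here Google's public resolvers plus a router LAN address of 192.168.1.1.

```python
import ipaddress
import re

# Constructed sample of what a LAN host's resolver configuration might look like
# after the router's DHCP handed out a hijacked DNS server alongside a normal one.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 8.8.8.8
nameserver 203.0.113.45   # unexpected: not one of our resolvers
search home.lan
"""

# Assumed allowlist: the resolvers this network is expected to use. Adjust to
# your own ISP or internal resolvers; 192.168.1.1 stands in for the router.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "192.168.1.1"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf-style text, in file order.

    Comments (everything after '#') are stripped before matching, so a
    commented-out nameserver line is not reported.
    """
    servers = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0]
        match = NAMESERVER_RE.match(stripped)
        if match:
            servers.append(match.group(1))
    return servers


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Compare configured resolvers against the allowlist.

    Returns a list of (address, reason) tuples. An empty list means every
    configured resolver is one we expect; anything else deserves a look at the
    router's DNS settings, which is exactly where the victims in the story found
    the change.
    """
    findings = []
    for addr in parse_nameservers(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            # A hostname or garbage here is itself suspicious on a DHCP-managed host.
            findings.append((addr, "not a valid IP address"))
            continue
        if addr not in expected:
            findings.append((addr, "not in the expected resolver list"))
    return findings


if __name__ == "__main__":
    # On a real host you would read /etc/resolv.conf (or the platform equivalent)
    # instead of the constructed sample.
    problems = audit_resolvers(SAMPLE_RESOLV_CONF)
    if not problems:
        print("all configured resolvers are expected")
    for addr, reason in problems:
        print(f"unexpected DNS server {addr}: {reason}")
```

Run the same check periodically (a cron job or scheduled task is enough) and alert on any non-empty result; a resolver that changes without an administrator's action is the earliest visible symptom of the kind of hijack described here, well before the router itself shows instability.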
"The only prerequisite for the attack is that the attacker can reach the Web management interface, which is attainable by default in the internal network," explained Herzog. "With enabled remote administration (not by default), the attack just needs to be connected to the Internet to exploit the flaw. An attacker with physical access to the router can subvert it anyway."
Netgear, for its part, acknowledged that the flaw is serious but said it affects fewer than 5,000 devices.
Nine Netgear models are affected: NETGEAR_WNR618, NETGEAR_JNR1010v2, NETGEAR_WNR614, NETGEAR_JNR3000, NETGEAR_WNR2020, NETGEAR_JWNR2000v5, NETGEAR_JWNR2010v5, NETGEAR_N300 and NETGEAR_R3250.
Jonathan Wu, Netgear's senior director of product management, said the hole is serious because it lets an attacker reach the router's settings without any login credentials.
"[T]hey can alter settings to direct traffic to places you don't want it to go to," said Wu.
Netgear confirmed that a firmware patch for the affected devices will arrive on Oct. 14.