AT&T, 2Wire Ignoring Active Security Exploit [Updated]

An anonymous reader writes "2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email. User interaction is not required, as the URL may be embedded as an image that loads automatically with the requested content. The 2Wire exploit bypasses any password set on the modem/router and is being actively exploited in the wild. AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there exists a large vulnerable installed base. So far, AT&T/2Wire haven't done anything about this exploit." Update: 04/09 17:48 GMT by KD : AT&T spokesman Seth Bloom sends word that AT&T has not been ignoring the problem. According to Bloom: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers."

Re:Anybody have any ideas...

[Anti_Climax]

Most of them have wireless, provided he's getting good coverage in the basement he could do it from there.

Bridge Mode

[John Hasler]

Never trust these combination modem/router/firewalls. Put the thing in bridge mode and run a real router behind it (such as an old pc running Debian or OpenBSD or even an old Cisco).

Re:Large install base

[cicatrix1]

By default they come with 32 bit WEP, I think. It's technically not "unsecured", but the difference is basically negligible :p

Re:Funny Post

[rhizome]

Fine, replace the line with "CSRF rocks" (pronouncing the acronym as "sea surf").

Re:OK, now we all know

[eonlabs]

Easy, if they think it's no skin off their back for not updating their hardware, they think they can save money by not doing it. If they have 10,000 customers and it's $100 to replace one of their old modems, then it's a million bucks to swap them all out. If they don't think there's a risk of being held responsible for more than that for not changing their hardware, where is the incentive.

Hell, the security flaws typically affect the customer. Will that stop most people's internet addictions?

Here's another one... How many places does At&t hold a local monopoly? What other options doe people have, especially if they're dealing with constant (Video/Voice)oip? That stuff costs bandwidth and with more computers shipping with cameras and mics built in, more people are using it. A dialup line, and even a decent DSL can't really handle streaming video like that.