Bill Gerrard Photography - Portrait Photography, Fine Art Photography & Event Photography

An alleged flaw in the LinkSys by Cisco WRT160N and WRT310N Wireless Internet Router that presents a serious potential security vulnerability has gone unacknowledged and ignored by Cisco for months

Last update posted 18 February 2010. See the updates to this article below.

Article by Bill Gerrard - February 9, 2010

Messages posted by users of the LinkSys by Cisco WRT160N Wireless Internet Router and Linksys by Cisco WRT310N Wireless-N Gigabit Router have been appearing on Twitter, Facebook, blogs and even on the LinkSys by Cisco User Support Forum. The stories have all been the same. At random times, the user of the LinkSys by Cisco WRT160N Wireless Internet Router attempts to view one Internet website such as www.facebook.com and another unrelated website (e.g. www.myspace.com) is displayed instead. The websites vary, but the symptoms are the same: the user is redirected to the wrong website.

Probable Reason and Workaround

User "wbundrick" on the Cisco forum provides the following information with a workaround that resolves the issue until Cisco decides to step up, acknowledge and fix the problem at the source.

Nov 10 2009:

It's likely that the problem in part or in whole is because the LinkSys by Cisco WRT160N Wireless Internet Router is acting as a DNS proxy (and perhaps as a cache), as evident by the fact that the WRT160N is assigning its own IP as the primary DNS in the DHCP configuration it sends to connected PCs. In theory this is a nice feature for a router to slightly speed things up. But it is apparently broken, and broken in a big way.

I've just configured the TCP/IP on my PC to not automatically obtain DNS server addresses, instead I put in my ISP's servers manually. We'll see if this bypasses the problem.

Nov 12 2009:

Everything has been absolutely trouble-free since I manually took the router address out of my DNS server list two days ago. I'm satisfied that the DNS proxy dis-service that is built into the WRT160N is entirely responsible for the screwy DNS issues described above.

It's bad enough when a DNS query fails to resolve, but at least the outcome is 404s, blank webpages, or red-X broken graphics everywhere. But when DNS returns an IP that is ENTIRELY WRONG, such that a query for facebook.com returns the IP of myspace.com and we end up on the WRONG SITE (a true example experienced by more than one of us), that is not just a failure, it's a security vulnerability as dangerous as a hacked Hosts file. LinksysByCisco needs to do more than just take it seriously, they need to FIX IT.

In the meantime, I suggest everyone take these steps to work around the problem:

  1. Open a command prompt and run IPCONFIG /ALL . Notice that for your active network adapter, your WRT160N's address (mine is 192.168.1.1) is listed as the first DNS server. This is the problem and we are about to do something about it.
  2. You should also see at least two more DNS server addresses following the router's address. If not, then log into your router and go to the Status page and look at the DNS servers listed there.
  3. In Windows, go to your network adapter settings and edit its TCP/IP properties as follows:
  4. Change the DNS from automatic to manual, and enter the two DNS servers from step 2. Do not include your router's address here! (Optional: if you have more than two DNS servers then you can click the Advanced button to add them to the DNS list.)
  5. Apply/OK all the changes, then run IPCONFIG /ALL again to confirm that your router's address is no longer in the list of DNS servers.
  6. Enjoy the wonders of the internet thanks to DNS that works as expected.
  7. Wonder when Linksys is going to fix it.
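One way to confirm the symptom described in the post before (or after) applying the workaround is to ask the router's DNS proxy and the router's upstream resolver the same question and compare the answers. The script below is an added example for this article, not code from the page, the forum poster, or Cisco/Linksys. It assumes the router address 192.168.1.1 from the post; the upstream resolver address is a placeholder to be replaced with one of the servers shown on the router's Status page. It flags the specific failure the post describes (the router answering a query for one name with an address the upstream resolver gave for a different name), rather than any difference at all, because CDN-hosted sites legitimately return different addresses to different resolvers.

```python
"""Compare A records from the router's DNS proxy with the upstream resolver.

Added example (not from the article or from Cisco/Linksys). Resolver
addresses: 192.168.1.1 is the router address given in the post; the
upstream address is a placeholder and must be replaced with a server
from the router's Status page.
"""
import os
import socket
import struct

ROUTER_RESOLVER = "192.168.1.1"      # router's DNS proxy (from the post)
UPSTREAM_RESOLVER = "203.0.113.53"   # placeholder: ISP resolver from the router's Status page
NAMES = ["www.facebook.com", "www.myspace.com"]  # names mentioned in the reports


def build_query(name, txid):
    """Build a standard recursive DNS query (QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, offset, max_hops=16):
    """Decode a (possibly compressed) owner name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg, expected_txid=None):
    """Return the sorted IPv4 addresses from the answer section of a reply."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    offset = 12
    for _ in range(qdcount):                       # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4                                # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return sorted(addrs)


def build_sample_reply(name, addrs, txid=0x1234):
    """Constructed reply for offline testing (not a captured packet): answers
    `name` with `addrs`, using a pointer to the question name as the owner."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + question + answers


def query(resolver, name, timeout=3.0):
    """Send one A query over UDP to `resolver` and return the parsed addresses."""
    txid = int.from_bytes(os.urandom(2), "big")    # random id so stray replies are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply, expected_txid=txid)


def find_swapped_answers(router_answers, upstream_answers):
    """Return (name, other) pairs where the router answered `name` with an
    address the upstream resolver gave for a different name `other`."""
    swapped = []
    for name, addrs in router_answers.items():
        for other, other_addrs in upstream_answers.items():
            if other != name and set(addrs) & set(other_addrs):
                swapped.append((name, other))
    return swapped


if __name__ == "__main__":
    router = {n: query(ROUTER_RESOLVER, n) for n in NAMES}
    upstream = {n: query(UPSTREAM_RESOLVER, n) for n in NAMES}
    for n in NAMES:
        print(f"{n}: router={router[n]} upstream={upstream[n]}")
    for name, other in find_swapped_answers(router, upstream):
        print(f"WARNING: router answered {name} with an address upstream gave for {other}")
```

Run it a few times while the redirect is happening; a WARNING line is the packet-level evidence of the symptom, and the raw `reply` bytes are what Cisco's security department asked for when it requested an actual capture rather than a summary. Once the workaround from step 4 is applied, the router's proxy is no longer in the path, and the same check can be repeated to confirm the answers now come straight from the ISP's servers.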

Potential Security Vulnerability

User "jonhughes" wrote about his scary experience on the Cisco forum:

I have had an experience with facebook re-directing to myspace (a page for JJ Morales). I had run numerous malware scans and ruled out it being an issue with my computers. Yesterday I woke up to an $1800 CC charge from 1 JJ Morales' PayPal account. I started searching for the re-direct issue and JJ Morales and came across the discussions regarding issues of re-direct on the WRT160N. I then contacted Linksys and explained the whole thing to them. They said they had been unaware of any issues but said they would replace my unit. So I went through their RMA process only to find they will replace my unit with the exact same model...a refurbished one to boot.

While I see many of you have changed DNS on your machines this doesn't change the fact that there may be a rather large security issue with this router and possibly others. While my CC charge has been taken care of I don't want this to happen to others.

Computer operating system, Internet provider, and Web browser version do not matter. This is a non-discriminating bug.

The response from Cisco always seems to remain the same. The LinkSys by Cisco WRT160N Wireless Internet Router user calls Cisco to complain about the problem, and Cisco's response is always "this is the first we have heard of this problem, please update your firmware and reset the router". While the "update the firmware and reset the router" advice is usually a good idea to start with when diagnosing computer technology issues, in this case hundreds of users have already tried it, and it is well known that it does not correct the issue permanently. The issue goes away after a reset or DNS flush; however, it has not been fixed and returns shortly.

When contacted to comment on this article, Cisco responded with "this is the first we have heard of this problem, please update your firmware and reset the router".

Updated Information

Since posting this article, I have received the following information:

On 18 February 2010, User "Brak" reports:

The issue also affects the Linksys by Cisco Wireless-N Gigabit Router WRT310N.

On 18 February 2010 a post on brownbatterystudios.com states:

From Shannon M. via email:

I received a call from Cisco's security department and was told that troubleshooting has been difficult because they cannot re-create the scenario in their lab environment. I agreed to download Wireshark from wireshark.org. Wouldn't ya know, the computer now refuses to re-direct. If someone could download Wireshark, capture a log of events, and post the results here, it would be a great help. If you cannot post here, send a copy of the log to security@cisco.com, and hope that the person who receives it is as helpful as the person who contacted me. Thanks, and good luck.

Also, from the security department: we need the actual packet capture (Normally .pcap file) not the summary file.
