Can an intruder remotely reset a Linksys WRT54G v5 router to default?

Discussion in 'Wireless Internet' started by William Bonner, May 13, 2012.

  1. What just happened is clear ... but HOW it happened ... is not clear to me.

    Here's what happened:
    1. I was home with my PC connected wirelessly to my Linksys WRT54G router
    2. The connection was WPA2/PSK with wireless administrator access 'enabled'
    3. The connection went down; the router disappeared from view
    4. Shortly thereafter, the strongest signal was SSID=linksys
    5. My teen-age kid experienced the same thing - at the same time
    6. Only the kid & I were home so NOBODY physically touched the router!
    7. Yet, the Linksys WRT54Gv5 router was clearly reset back to defaults.

    How can that happen without anyone pressing the reset button?
    Can a Linksys home broadband router be reset by an intruder on the net?
     
    William Bonner, May 13, 2012
    #1

  2. First step: make sure you're still hooking up to your own router.
    It's possible the Linksys died and you're hitting a neighbors...
     
    danny burstein, May 13, 2012
    #2

  3. William Bonner

    VanguardLH Guest

    http://homedownloads.cisco.com/downloads/userguide/WRT54G_UG_WEB_20070529.pdf
    Page 1
    "*Reset* There are two ways to reset the Router's factory defaults.
    Either press and hold the Reset Button for approximately five seconds,
    or restore the defaults from Administration > Factory Defaults in the
    Router's web-based utility."
    Page 2
    "The Linksys default password is admin."

    So how secure was yours after changing it? How strong was the password?

    How long is the WPA[2] shared key or WEP passphrase? Are they *strong*
    keys and not some easily guessed (easily dictionary attacked)?

    Did you enable MAC filtering and add the MAC addresses for just your
    intranet hosts so only they can connect to the router?

    Settings in the router are retained by using NVRAM (non-volatile random
    access memory) when power is off. Could be the flash memory is going
    bad and isn't retaining the settings. However, since the flash memory
    is inside the microprocessor (e.g., Atmega88), it means the unit is
    kaput. Cooling is by convection only (no fans inside, just holes in the
    case). If the ventilation holes get blocked then the parts inside
    overheat. Once the unit goes flaky, dusting out the holes and inside
    won't help. Could be someone (kid?) installed DD-WRT and then
    reinstalled the factory or update firmware without first clearing the
    NVRAM. Reinstalling the latest firmware might fix it (but then if the
    reset was caused by flashing in new firmware then you already have it).

    After entering strong keys/passwords for all the settings (to avoid
    hacking), you'll have to watch the unit to see it if screws up again.
    Could be it's getting flaky in its old age. So far with the routers
    that have died for me, they always exhibit some flakiness in operation
    before a catastrophic failure.
     
    VanguardLH, May 13, 2012
    #3
  4. If they can get to the admin web pages, they can reset it to defaults.
    Yes.

    However, that's probably not what happened. Some (not all) WRT54G v5
    and v6 routers are junk.
    <http://www.smallnetbuilder.com/wireless/wireless-reviews/26843-linksyswrt54gv5reallyisalousyrouter>
    They will hang, reboot spontaneously, reset themselves, or do other
    disgusting things. Installing DD-WRT sometimes cures the problems,
    but not always. Oddly, only some WRT54G v5 and v6 routers are like
    this. Some actually work quite well.

    I'm constantly seeing various routers reset to defaults for no obvious
    reason. It's not hackers. It's usually AC power glitches. Give the
    power plug the right waveform, and the router thinks the reset button
    has been depressed. I had this problem on a different product that I
    worked on. The original design had the reset pin on the CPU set to
    normally high and using level triggering. If the DC power went down
    slowly or erratically, it will look like the reset pin was grounded,
    thus causing a reset. It was solved by setting the line to normally
    low, using the reset button to pull up the line. The firmware guys
    also added additional debouncing to the reset pin. We were tempted to
    try edge triggering, but ran out of time.
     
    Jeff Liebermann, May 13, 2012
    #4
  5. Thanks for the advice. I'm absolutely positive it's my router.

    Now I'm in worse shape than I was before.

    Worried that the intruder put software on the router, I tried to upgrade
    the firmware. After about 2 hours of watching the little bars go over and
    over across the screen, I unplugged it all.

    Now the power light is flashing about twice a second, and I can no longer
    log into the router, despite a bazillion reboots and resets.

    Two questions:
    a) How long should it take for a firmware upgrade?
    b) Should the power light be steady or flashing on the WRT54G v5?
     
    William Bonner, May 13, 2012
    #5
  6. Hi Jeff,
    I know you're one of (if not the) most respected guy on this forum so I do
    appreciate your advice. I'm in the Santa Cruz mountains (like you) and we
    do get glitches in the power a lot. Seems to go down once a month
    sometimes, and other times it lasts for six months before the generator
    kicks in.

    So, maybe that's what happened.

    But, now it's even worse. With the router reset to defaults, I had no
    problem logging in. I decided to update the firmware, just in case, using
    the file FW_WRT54Gv5v6_1.02.8.001_US_20091005.bin downloaded from the
    Linksys site for the v5 that I have.

    This process went on for hours ... from about 11:00 to about 1:30 when I
    finally gave up and pulled the plug. (BTW, how long 'should' a firmware
    upgrade take anyway?).

    Here's a picture of what showed for hours (the lines were moving and
    repeating themselves over and over and over again):
    http://www2.picturepush.com/photo/a/8251595/640/8251595.gif

    Then, after rebooting and resetting a few times, here's what then showed
    up:
    http://www5.picturepush.com/photo/a/8251598/640/8251598.gif

    Now I can't get anything to work on the Linksys router. No connection.

    Two questions:
    Q1: How long should it take for firmware to install itself?
    (I gave up after almost 3 hours)
    Q2: Should the power light be constantly blinking or should it be steady?
    (Mine is blinking)
     
    William Bonner, May 13, 2012
    #6
  7. The WPA2/PSK password was the maximum length - and I did not use a
    dictionary SSID, but it had been setup without change for quite some time
    (years).
     
    William Bonner, May 13, 2012
    #7
  8. William Bonner

    Ant Guest

    Not very long. I think your router had problems and is now dead/bricked.
    Can you reset it with its hole? :( Maybe the router had problems earlier
    too.
    --
    * <-- Tribble ... *********************** <-- Tribbles imitating ants
    (unknown author)
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) If e-mailing, then axe ANT from its address if needed.
    Ant is currently not listening to any songs on this computer.
     
    Ant, May 13, 2012
    #8
  9. I held the reset button in for twenty seconds while booting and while
    running - and it still doesn't respond.

    The only indication I have is the power light is blinking two to four times
    a second which I don't remember seeing (but I'm not sure if it's supposed
    to blink).

    I'm hooked directly to the rooftop antenna/radio right now so at least one
    computer will be OK.

    If it's bricked, I might try the WRT54G revival guide:
    http://www.linksysinfo.org/index.php?threads/the-wrt54g-revival-guide.15815

    Or maybe even Tomato or DD-WRT (although I'm merely a basic home user).
     
    William Bonner, May 13, 2012
    #9
  10. William Bonner

    Shadow Guest

    When I was a wireless hacker, I would spoof the MAC address
    without even thinking about it.
    Not really worth the trouble setting up MAC filtering.
    The hard bit is the password cracking.
    []'s
     
    Shadow, May 13, 2012
    #10
  11. I've read much of what Jeff L. has said time and time again, so ...
    a) I don't bother hiding the SSID
    b) I don't bother with MAC address filtering
    c) I use a non-dictionary SSID & passphrase

    Of course, if I have a keylogger trojan on the network, that will negate
    everything ... or it may have been a glitch in the power that reset the
    router to defaults. I'm surprised - because it never happened before and
    I've had the router for years ... but ... either way ...

    My problem now is that the router is (apparently) bricked.

    Q: Does anyone know if the router power light should be flashing or solid?
    Q: How long 'does' it take to do a firmware upgrade?
     
    William Bonner, May 14, 2012
    #11
  12. William Bonner

    Ant Guest

    Yeah. Also, try posting on Linksys forum. Good luck. Aren't computer
    problems fun? I hate doing firmware problems and upgrades! :(
    --
    "I've been on some fairways that are as good as the greens we putted on
    back then. We had crab grass. I remember one green where I putted
    through ants." --Sam Snead
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) If e-mailing, then axe ANT from its address if needed.
    A song is/was playing on this computer: 505 - Blue Period
     
    Ant, May 14, 2012
    #12
  13. William Bonner

    Shadow Guest

    V. Good
    Never allow wireless access to your admin account on the
    router. Always use a temporary cable for that.
    I use a Netgear. 1 to 2 minutes. I've used D-link. Just over a
    minute. That includes the re-boot.
    Your upgrade took way too long.
    []'s
     
    Shadow, May 14, 2012
    #13
  14. Hang on while I polish my ego.
    That's fairly typical for a low end consumer router. I have a home
    made power line logger running at my palatical office looking for
    power line glitches. It's fairly crude and only catches the big
    glitches. We've had two major power glitches in the area during the
    last week. I've been getting calls for dealing with hung routers,
    modems, and computahs all week. It sometimes takes several days for
    the effects of the glitch to show up. All that needs to happen is for
    the glitch to trip one bit in RAM. No problem until the device needs
    to use that bit. Then, it goes nuts. ECC RAM is not used on
    commodity routers.
    Highly likely. I can see a wireless attack in a crowded metro area,
    but not in the sparsely populated hills. Attacks from the internet
    are possible, but unless the router has some built in vulnerabilities,
    is grossly misconfigured, or is sensitive to malformed packets, it's
    not going to happen. Just in case, try:
    <http://www.pcflank.com/exploits.htm>
    It's old and incomplete, but I'm still finding modern routers that
    fail some of the exploit tests.
    The update should take about 60 seconds plus reboot time. Something
    went wrong. Hopefully, you didn't try to do the upgrade via a
    wireless connection. That's usually a guaranteed disaster.

    Checking the web site, you have the correct version:
    <http://homesupport.cisco.com/en-us/support/routers/WRT54G>
    No checksum, so I have no way to verify if it was correctly
    downloaded. You might want to try another download just to be sure.
    It's bricked, but probably not fatal.
    About 60 seconds plus a reboot.
    Nope. That means there's a checksum error in the firmware.

    I would normally consider this a great opportunity to purchase a new
    router and get rid of the v5 abomination. However, if you want to
    raise the dead, try this simple test:
    1. Power OFF the router.
    2. Temporarily set your computah to a static IP address of
    192.168.1.99.
    3. Start a continuous ping to 192.168.1.1. For Windoze, that's
    ping -t 192.168.1.1
    Don't worry if you see errors at this point. If you don't have TFTP:
    <http://www.dd-wrt.com/dd-wrtv2/downloads/others/tornado/Windows-TFTP/tftp2.exe>
    IP=192.168.1.1
    no password - leave blank
    select the firmware
    set retries to 99
    4. Apply power to the router. You should see proper returns from the
    pings after about 8 seconds. The returns will revert to errors after
    about 5 more seconds. Try to record the times. You'll need them.
    5. If you get proper returns in the previous step, there is hope.
    6. Rename the firmware to "code.bin". This might also be a good time
    to try loading the mini version of DD-WRT.
    7. Under Windoze, type the following onto the command line (in a cmd
    window):
    tftp -i 192.168.1.1 PUT code.bin code.bin
    Do not hit enter quite yet. Do not hit enter quite yet. Do not hit
    enter quite yet. Do not hit enter quite yet. Got that? If you're
    using tftp book, get ready to hit the start button.
    8. Apply power to router and start counting seconds. The idea is to
    start the TFTP program in the middle of when the pings were correctly
    returned. You may have to do this several times to get it right.
    9. When you hit enter, nothing should happen until code.bin is
    properly uploaded. You'll get a message about ok to reboot (it varies
    with the firmware). Ignore it and do nothing for at least 5 minutes.
    Go get some coffee and keep your fingers off the keyboard. After 5
    mins, pull the power to the router, wait for it to boot, and see if
    you can get to the management page at 192.168.1.1.
    10. If that works, don't forget to change the static IP address of the
    computah back to DHCP. If it doesn't work, try again, or just get a
    better router.

    Some notes (and complications):
     
    Jeff Liebermann, May 14, 2012
    #14
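The timing-critical part of Jeff's steps 3 through 9 (keep a continuous ping running, then fire the TFTP upload during the few seconds the boot loader answers) can be scripted on a Linux host so the upload is not launched a second too early or too late. The script below is an added example, not code from the thread or from Linksys. It assumes the PC already has the static address 192.168.1.99 on its wired port, that the router's boot loader answers at 192.168.1.1, that the firmware has been renamed code.bin, and that the tftp-hpa client (`tftp -m binary HOST -c put ...`) is installed; ROUTER_IP, FIRMWARE, first_reply, push_firmware and recover are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): automates the ping-then-TFTP timing of
# the WRT54G recovery procedure on a Linux host. Assumes the wired interface
# is already set to 192.168.1.99 and tftp-hpa is installed.

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"   # boot loader address assumed from the thread
FIRMWARE="${FIRMWARE:-code.bin}"        # firmware already renamed as the post says

# Reads ping output on stdin and returns 0 as soon as the first echo reply
# from the router appears; returns 1 if the input ends without one.
first_reply() {
  while IFS= read -r line; do
    case "$line" in
      *"bytes from ${ROUTER_IP}"*) return 0 ;;
    esac
  done
  return 1
}

# Binary-mode PUT, the Linux equivalent of the thread's `tftp -i ... PUT`.
push_firmware() {
  tftp -m binary "$ROUTER_IP" -c put "$FIRMWARE" code.bin
}

recover() {
  if [ ! -f "$FIRMWARE" ]; then
    echo "firmware file $FIRMWARE not found" >&2
    return 2
  fi
  echo "Apply power to the router now; waiting for the boot loader to answer..."
  # One probe every 200 ms (the non-root minimum) so the ~5 s window is not
  # missed; -c 150 bounds the wait to about 30 s, -W 1 drops slow replies.
  if ping -c 150 -i 0.2 -W 1 "$ROUTER_IP" | first_reply; then
    echo "Boot loader is answering; uploading $FIRMWARE"
    push_firmware
    echo "Upload sent. Leave the router untouched for at least 5 minutes."
  else
    echo "No reply from $ROUTER_IP within the wait; power-cycle and retry" >&2
    return 1
  fi
}

# Run only when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "run" ]; then
  recover
fi
```

Run it as `sh recover.sh run` from a wired connection only; as the post says, attempting this over wireless is asking for trouble. The ping is started before power is applied so the first reply marks the start of the window, and the upload begins immediately rather than after a human reaction time.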
  15. Once a wireless hacker, always a wireless hacker.
    I found one situation where MAC filtering was needed. A customer was
    using about 10 assorted IBM Thinkpads of varying vintage. Some were
    sufficiently old that they only supported WEP. There was also a wi-fi
    range extender (repeater) that would only pass WEP. However, the
    customer was not comfortable with using easily crackable WEP. So, I
    added MAC address filtering to the security obstacle course. It
    really wasn't necessary because they live in the deep dark forest and
    know all the neighbors. Still, it made him feel better.
    Sorta. Give me a few minutes with one of the client computers and
    I'll extract a usable portable hash key. Much easier than over the
    air pass phrase cracking.
    <http://www.nirsoft.net/utils/wireless_key.html>
     
    Jeff Liebermann, May 14, 2012
    #15
  16. Hmm... that's what I needed to know. Bummer.
    Something definitely went wrong.
    Hmm... OK. Well at least that matches what I'm seeing as the power light is
    blinking three or four times a second (or so).

    As for the recovery procedure ... I'll get ready for that and respond
    when/if it works!

    Thanks.
     
    William Bonner, May 14, 2012
    #16
  17. Whew! The version 5 Linksys WRT54G is back in business!

    After unplugging everything but power, I did the 30/30/30 procedure which
    was to hold the button for the entire 90 seconds - the first 30 while the
    unit is powered - the second 30 while the power cord is removed - and the
    third 30 seconds while the power is back on. Then I let go of the reset
    button.

    Following Jeff's hint, I again downloaded the same file I had downloaded
    before - overwriting the old file for my WRT54G version 5 router:
    http://homesupport.cisco.com/en-us/support/routers/WRT54G

    I then pinged 192.168.1.1 and this worked (much to my surprise) even though
    the power light was still blinking and no other light was on (not even the
    "CiscoSystems" orange light).

    I opened up Firefox and went to 192.168.1.1 and was surprised to see:
    Management Mode Firmware Upgrade

    So, I hit the "Browse" button and then the "Apply" button and ... lo and
    behold, after about 2 minutes and much flashing of the LAN light on the
    router, the web page changed to "Upgrade Success".

    I was worried because the power light still blinked for about two minutes
    or so, but then it settled down, and now is a solid green!

    I was able to log into the router at 192.168.1.1 and immediately noticed I
    was at version 1.02.8 (plus the blue color changed in tone).

    Thanks for all your help! I've disabled wireless access to the router just
    in case it 'was' an intruder. Also I noticed this setting by default:
    Wireless->Advanced Wireless Settings->Secure Easy Setup->Enable

    Googling for "Linksys Secure Easy Setup" I find PC Magazine loves the
    feature ...
    http://www.pcmag.com/article2/0,2817,1854719,00.asp
    But, I also find a 1/21/2012 Cisco security vulnerability bulletin:
    http://tinyurl.com/7uu38cs
    http://homecommunity.cisco.com/t5/W...-Setup-SES-Security-Vulnerability/td-p/483796

    It's also described by Cert:
    http://www.kb.cert.org/vuls/id/723755
    Vulnerability Note VU#723755
    WiFi Protected Setup (WPS) PIN brute force vulnerability

    So, I disabled the "Secure Easy Setup" and the orange Cisco light went out!

    I wasn't sure if this flaw was related to WPA2/PSK but apparently it is.
    According to Wikipedia http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
    "The flaw allows a remote attacker to recover the WPS PIN and, with it, the
    network's WPA/WPA2 pre-shared key in a few hours".

    Maybe that's what happened to me?
     
    William Bonner, May 14, 2012
    #17
  18. UPDATE:
    Apparently my Linksys WRT54G v5 router 'can' be reset by an intruder and/or
    by a glitch in the power line. Drat!

    To make it harder for the 'next' intruder, I realized belatedly we should
    all turn OFF the Linksys/Cisco/ "Secure Easy Setup" feature!

    Beware, it's not only Linksys that is affected by the SES vulnerability.

    According to CERT, these companies are affected by the vulnerability:
    1. Belkin, Inc. Affected - 10 May 2012
    2. Buffalo Inc Affected - 10 May 2012
    3. Cisco Systems, Inc. Affected - 10 May 2012
    4. D-Link Systems, Inc. Affected 05 Dec 2011 10 May 2012
    5. Linksys/Cisco Affected 05 Dec 2011 10 May 2012
    6. Netgear, Inc. Affected 05 Dec 2011 10 May 2012
    7. Technicolor Affected - 10 May 2012
    8. TP-Link Affected - 10 May 2012
    9. ZyXEL

    The CERT advisory is:
    http://www.kb.cert.org/vuls/id/723755

    Here is a pictorial look at what I did AFTER my router was bricked:

    0. I ran the 30/30/30 procedure which left the power light blinking but
    allowed me to ping the router. This was a good sign.
    http://www4.picturepush.com/photo/a/8252512/640/8252512.gif

    1. In a browser, I went to 192.168.1.1 and was happy to see the Management
    Mode Firmware Upgrade page. I downloaded a 'new' Firmware upgrade and
    browsed to it and hit the "apply" button.
    http://www1.picturepush.com/photo/a/8252514/640/8252514.gif

    2. After only a couple of minutes, I saw the Upgrade Success notification
    in the browser:
    http://www3.picturepush.com/photo/a/8252516/640/8252516.gif

    3. Logging into 192.168.1.1, I immediately noticed a different shade of
    blue and that the firmware had been updated to version 1.02.8.
    http://www5.picturepush.com/photo/a/8252518/640/8252518.gif

    4. In my googling, I had found the CERT vulnerability so I disabled
    Wireless -> Advanced Wireless Settings -> Secure Easy Setup -> Disabled
    http://www2.picturepush.com/photo/a/8252520/640/8252520.gif

    Hopefully, with a new non-dictionary SSID, non-dictionary password, a
    rather long WPA2-PSK/AES key, & with remote management and wireless web
    access disabled, I'm a bit more secure from outside hacking (if that's what
    had happened).

    I didn't bother hiding the SSID or filtering the MAC address based on
    advice previously provided in this forum.

    Minor question:
    Q: Does setting the administrator access to https buy me any security over
    http?
     
    William Bonner, May 14, 2012
    #18
  19. No. All that does is prevent anyone from sniffing the wireless
    traffic and extracting your admin password and WPA2 key if they were
    able to capture a WPA2 setup session.

    Congrats. What the 30/30/30 did was wipe the firmware completely
    leaving only the TFTP loader and in your case, the initial firmware
    loader. I forgot about that. It doesn't appear in all models.
    Maybe, but I don't think so. I've always assumed that using WPS
    requires that the button on the router be pressed in order to start
    the WPS session. I can't currently determine if it's really required,
    or if WPS is running all the time. I'll check later (time
    permitting).
    <http://www.pcworld.com/businesscent...s_exploit_router_security_setup_problem.html>
    "Further, some access points don't provide an option
    to disable WPS or don't actually disable WPS when the
    owner tells it to."
    Groan...

    Linksys has only fixed the WPS vulnerability problem on newer models.
    I don't expect a fix for the WRT54G.
    <http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154>
    That's from Jan 27, 2012. Since then there have been fixes for E1200
    v2, E1500, E3200, and E4200 v1. Note that the WRT54G is not listed,
    probably because it's not a currently selling product. If you must
    use WPS/SES/AOSS/EZ-SETUP, I suggest you get an alternative firmware,
    such as DD-WRT.

    11,000 attempts works out to 9 hrs maximum. When I tried Reaver, I
    was able to recover the PIN in about 6 hrs at about 1.5 seconds per
    attempt. I only tried it once:
    <http://code.google.com/p/reaver-wps/wiki/README>
    It generated considerable wireless traffic, which was easily detected.
    More:
    <http://www.datacenterjournal.com/it/protect-your-network-from-the-wi-fi-wps-vulnerability/>
     
    Jeff Liebermann, May 14, 2012
    #19
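The "11,000 attempts" figure above comes from the structure of the WPS PIN itself, which is worth seeing worked through because it is the whole reason the thread's advice to disable Secure Easy Setup matters. The code below is an added example, not from the thread, Reaver or any vendor: it implements the PIN checksum rule from the Wi-Fi Simple Configuration specification (the eighth digit is a check digit over the first seven), shows that the registrar confirms the two halves of the PIN separately so the worst case is 10^4 + 10^3 guesses rather than 10^8, and converts that into the hours quoted in the post for a given seconds-per-attempt rate. Function names are chosen for this example.

```python
# Added example (not from the thread): why a WPS PIN offers ~11,000 guesses,
# not 10**8, and how that maps onto the time figures quoted in the post.


def wps_checksum_digit(first_seven: str) -> int:
    """Check digit of a WPS PIN per the Wi-Fi Simple Configuration spec.

    Digits in positions 1, 3, 5 and 7 (from the left) are weighted 3,
    the others 1; the check digit makes the weighted sum a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = 0
    for i, ch in enumerate(first_seven):
        digit = int(ch)
        accum += 3 * digit if i % 2 == 0 else digit
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def wps_guess_space() -> dict:
    """Worst-case guess counts, given that the protocol confirms each half
    of the PIN separately and the last digit is a checksum.

    Naive view: 8 free digits -> 10**8.  Actual: first half (4 digits) is
    confirmed on its own, then the second half has only 3 free digits
    because the checksum is fixed by the other seven.
    """
    first_half = 10 ** 4
    second_half = 10 ** 3
    return {
        "naive": 10 ** 8,
        "first_half": first_half,
        "second_half": second_half,
        "worst_case": first_half + second_half,   # 11,000 as the post says
    }


def worst_case_hours(seconds_per_attempt: float) -> float:
    """Hours to exhaust the whole space at a steady attempt rate."""
    return wps_guess_space()["worst_case"] * seconds_per_attempt / 3600


if __name__ == "__main__":
    # 12345670 is a frequently cited example of a checksum-valid PIN.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("guess space:", wps_guess_space())
    for rate in (3.0, 1.5):
        print(f"{rate:.1f} s/attempt -> {worst_case_hours(rate):.1f} h worst case")
```

The arithmetic matches the post: at roughly 3 seconds per attempt the worst case is about 9 hours, and at 1.5 seconds it is under 5 hours, which is why a passphrase of any length offers no protection while WPS is on. For detection, note the post's own observation that the attempt stream generated considerable wireless traffic; a long run of failed WPS (EAP) exchanges from one client MAC is the signal to look for.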
  20. William Bonner

    Arklin K. Guest

    My Linksys WRT54G version 5.0 has the option to disable secure easy setup
    but I can't find out from Linksys if that option actually works.
    http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154

    They say nothing about the WRT54G here either:
    http://tools.cisco.com/security/center/content/CiscoSecurityResponse/
    cisco-sr-20120111-wps

    I called Cisco technical support three times:
    1-877-770-4113

    They didn't know what I was talking about.

    They gave me two more numbers to call:
    1-800-326-7114 Cisco Consumer Support for Linksys
    1-800-546-7597

    They answer pretty quickly but none have a clue.
     
    Arklin K., May 14, 2012
    #20
