D-Link’s CAPTCHA – A Big Question on Security

As per the security report, it took nearly a week for the researchers at SourceSec to detect a flaw in the implementation of CAPTCHA (completely automated public Turing test to tell humans and computers apart) by D-Link in its routers, which was originally meant to stop the malware that changes DNS from attaining its goal automatically.

SouceSec stated that the flaw in implementation allowed a malware/attacker to obtain Wi-Fi Protected Access (WPA) passphrase that too by means of merely user-level access, and without a properly solved CAPTCHA. This is apparently because the authentication system based on CAPTCHA was improperly integrated into some of the pages.

Further, a combination of simple JavaScript code using anti-DNS (Domain Name System) may be implemented without having the need for attacker to install the malware on router. Rather, the assault can be launched by visiting a site. In other words, a D-Link user's visit to a site with its router may simply result in downloading of malware on his/her system, all due to this malicious flaw.

Earlier in 2007, security firm Symantec revealed that a botnet-created worm could easily and successfully launch an attack on D-Link routers. However the purpose of the worm could not be discovered, but it was also able to launch DDoS attacks, i.e. distributed denial of service attacks, on other routers or Internet servers. With this news, a fear has evolved that the routers might now be the prime targets of cybercriminals.

The evidence of router assaults are, though, not clear at the moment, but these attacks could include various aspects. The most convenient way to access routers is by means of either usernames or user default passwords (as they are generally not changed by the users) or merely using simple hacking tactics that use common possibilities, resulting in router being assaulted by malware distributors.

According to security experts, CAPTCHA is simply insufficient to stop the malicious activities of hackers as this authentication technique is being continuously targeted by cybercriminals. There is solid evidence of particular CAPTCHA code been broken by malware authors, which is most of the time sufficient to hack compromise this technique.

Related article: Duo Use Spyware to Perpetrate ID Theft

» SPAMfighter News - 5/23/2009