Take a pinch of autofill, mix in HTTP, and bake on a Wi-Fi admin page: Quirky way to swipe a victim's router password

If they fall for this social-engineering trick, of course

Vid Beware using your web browser's autofill feature to log into your broadband router via Wi-Fi and unprotected HTTP. A nearby attacker can attempt to retrieve the username and password.

The problem – found by SureCloud's Elliott Thompson and detailed here – is the result of a mismatch in browser behavior and router configuration security.

It's not a particularly scary or an easy-to-leverage vulnerability, and we think most miscreants will find it too much of a faff to exploit. However, it is interesting and quirky, and worth checking out.

How to protect yourself

If you're using Chrome, make sure you're running at least version 69.0.3497.81, which was released this week and mitigates the security weakness Thompson privately disclosed to Google in March. This particular build brings the browser in line with Firefox, Edge, Internet Explorer, and Safari, which are all harder to exploit via Thompson's technique.

In short: if you're suddenly kicked off your Wi-Fi, and on rejoining you land on a page asking you to confirm your router administration username and password, be on alert and don't autofill the login form. Check that you're actually on the Wi-Fi network you think you're on and can trust. Alternatively, don't save your router login details in your browser's autofill feature.

The login page could instead be a spoof that's waiting for you to autofill the boxes so it can snatch the username and password.

UK-based SureCloud dubbed this information-stealing technique Wi-Jacking, explaining: “When credentials are saved within a browser, they are tied to a URL and automatically inserted into the same fields when they are seen again. The accepted home router weakness is simply the use of unencrypted HTTP connections to the management interfaces.”

No walk in the park

In order to swipe someone's router login details in this manner, the attacker needs to be physically nearby and on the target wireless network. They could be a cafe owner using their own Wi-Fi from their own laptop at the counter, for instance. The victim, meanwhile, needs to have joined an open wireless network at some point, with automatic reconnection allowed, and their browser must remember their router configuration login details. The router must also use plaintext HTTP for its configuration webpages. All these conditions are required.

You then flood the victim's computer with network deauthentication requests over the air to kick them off their own Wi-Fi, and onto an open wireless network you control. You then redirect any of their HTTP connections to a URL that matches their router's admin page URL, such as 192.168.1.1, and serve a webpage that masquerades as the gateway's login interface.

If the victim has previously used that URL to manage their router from their browser, and saved their credentials to autofill, a vulnerable browser may drop the username and password into the appropriate fields on the page, ready for your page to automatically obtain and use.

Chrome used to require the victim to interact with the spoofed login page, such as clicking somewhere on the page background, before the autofill kicked in.

Now, from this week, it's more robust, and works like Firefox, Internet Explorer, Safari, and Edge in that the user has to be tricked into selecting the router's credentials from a drop-down menu in order to autofill the login form. "At this point the attack is mostly social engineering," Thompson noted. If you can't get the details from autofill, then you could try guessing them – admin:password is a good start.

The next stage – whether you managed to get the victim to select their autofilled credentials, or simply guessed them – is to quickly and silently let the victim rejoin their wireless network with the spoofed admin page still open. Then some JavaScript on the malicious webpage can use the login details – autofilled or guessed – to access the gateway's configuration interface, grab the Wi-Fi access password, change its DNS settings to redirect other clients to dodgy websites, and so on.
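The first step of that procedure, the deauthentication flood, is also the most detectable one. Below is an added defender-side example, not code from the article or from SureCloud, that parses raw 802.11 management frames and alerts when a single transmitter sends a burst of deauthentication or disassociation frames. The frames are constructed inline; on a real system they would come from a monitor-mode capture (the capture library is assumed and not shown).

```python
import struct
from collections import defaultdict, deque

# 802.11 management frames have type 0; deauthentication is subtype 12 and
# disassociation subtype 10, so frame-control byte 0 is 0xC0 / 0xA0.
# Layout: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2) reason(2).
DEAUTH, DISASSOC = 0xC0, 0xA0

def parse_mgmt_frame(frame: bytes):
    """Return (subtype, receiver, transmitter, bssid, reason) or None for other frames."""
    if len(frame) < 26:
        return None
    subtype = frame[0] & 0xFC  # mask off the two protocol-version bits
    if subtype not in (DEAUTH, DISASSOC):
        return None
    addr1, addr2, addr3 = (frame[i:i + 6].hex(":") for i in (4, 10, 16))
    return subtype, addr1, addr2, addr3, struct.unpack_from("<H", frame, 24)[0]

class DeauthFloodDetector:
    """Per-transmitter sliding window: an AP dropping one client sends a frame or two;
    a flood is dozens per second, usually addressed to broadcast."""
    def __init__(self, threshold=10, window=1.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # transmitter -> timestamps inside the window

    def feed(self, ts: float, frame: bytes):
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            return None
        _, receiver, transmitter, bssid, reason = parsed
        q = self.recent[transmitter]
        q.append(ts)
        while ts - q[0] > self.window:  # q is never empty here: ts was just appended
            q.popleft()
        if len(q) > self.threshold:
            return (f"deauth flood: {len(q)} frames in {self.window}s from {transmitter} "
                    f"(bssid {bssid}) to {receiver}, reason code {reason}")
        return None

def make_frame(subtype, dst, src, bssid, reason):
    """Build a constructed (not captured) deauth/disassoc frame for testing."""
    return bytes([subtype, 0, 0, 0]) + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)
BROADCAST = b"\xff" * 6
AP = bytes.fromhex("02aabbccddee")  # constructed locally-administered BSSID, not a real device

def demo():
    """One benign deauth, then a 30-frame burst in 0.3 s; returns the alerts raised."""
    det = DeauthFloodDetector(threshold=10, window=1.0)
    alerts = [det.feed(0.0, make_frame(DEAUTH, BROADCAST, AP, AP, 7))]
    alerts += [det.feed(5.0 + i * 0.01, make_frame(DEAUTH, BROADCAST, AP, AP, 7)) for i in range(30)]
    return [a for a in alerts if a]
```

The single frame at t=0 raises nothing; the burst trips the threshold on its eleventh frame and every frame after it, so `demo()` returns 20 alerts.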

According to Thompson:

Once the target device is successfully connected back to their original network, our page is sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript. We then login using an XMLHttpRequest and grab the PSK or make whatever changes we need. In most Wi-Fi routers that we tested, we could extract the WPA2 PSK directly from the web interface in plaintext, negating the entire need to capture a handshake to the network. But if a router hides the key, we could enable WPS with a known key, create a new access point, or anything else we can do from within the router’s interface.

We wouldn’t even need to know the HTML structure of the router’s interface. We could just grab the entire page DOM, send it home and extract anything useful by hand.

"Fundamentally this is just a flaw in the way origins are shared and trusted between networks," he added.

"In the case of home routers, they are predictable enough to be a viable target. The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft."

Below is a video showing how to exploit a victim's setup...


Essentially, if you're using Chrome, update it. Then, regardless of your browser, be on alert for attempts to phish your router admin password: if you're suddenly kicked off your Wi-Fi and then shown your router's admin login page, don't autofill the boxes. As well as the above advice, consider deleting any open networks your machine has saved, refusing automatic reconnections, and not using the router's default credentials, in order to avoid being Wi-Jacked. ®
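The victim-side preconditions above (a saved open network that the machine rejoins automatically) can be checked on a Windows machine from the output of `netsh wlan`. The script below is an added example, not from the article or SureCloud; the sample output is constructed, and the field layout is assumed from typical Windows 10 `netsh wlan show profile` output.

```python
import re
import subprocess

# Constructed sample of `netsh wlan show profile name="..."` output; only the
# fields parsed below matter, the rest of the real output is omitted.
SAMPLE_OPEN_AUTOCONNECT = """Profile information
-------------------
    Name                   : CoffeeShop
    Control options        :
        Connection mode    : Connect automatically
Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
"""
SAMPLE_HOME = """    Name                   : HomeNet
        Connection mode    : Connect automatically
    Authentication         : WPA2-Personal
"""

def field(text: str, label: str) -> str:
    """Value of an indented 'label : value' line (netsh pads labels to a column)."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else ""

def assess_profile(text: str) -> dict:
    """Flag the combination the article warns about: an open (keyless) network
    that the machine will rejoin on its own after being kicked off its real Wi-Fi."""
    is_open = field(text, "Authentication").lower() == "open"
    auto = field(text, "Connection mode").lower().startswith("connect automatically")
    return {"name": field(text, "Name"), "open": is_open, "autoconnect": auto,
            "risky": is_open and auto}

def list_profile_names(text: str) -> list:
    """Profile names from `netsh wlan show profiles` ('All User Profile : X' lines)."""
    return re.findall(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$", text, re.M)

def audit_saved_networks() -> list:
    """Run netsh on the local Windows host and return only the risky profiles."""
    def run(*args):
        return subprocess.run(["netsh", "wlan", *args], capture_output=True, text=True).stdout
    names = list_profile_names(run("show", "profiles"))
    return [r for r in (assess_profile(run("show", "profile", f"name={n}")) for n in names)
            if r["risky"]]
```

A flagged profile can be removed with `netsh wlan delete profile name="CoffeeShop"`, or kept but stopped from auto-joining with `netsh wlan set profileparameter name="CoffeeShop" connectionmode=manual`.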

Biting the hand that feeds IT © 1998–2021