High-end router flinger DrayTek admits to zero day in bunch of Vigor kit

'It may be possible for an attacker to intercept your router'


Taiwanese network kit maker DrayTek has 'fessed up to a vulnerability in a large number of its routers which could allow miscreants to hijack internet traffic or steal personal data.

The flaw means attackers could remotely alter DNS settings on 28 Vigor model routers. DrayTek has released a series of firmware updates addressing the issue.

Users have complained about the problem for the last week on the AbuseIPDB forum. One noted the zero-day attack had infiltrated their servers, CRM and workstations.

"We now cannot log in as it is obvious this zero-day attack has changed our passwords including our VPN accounts [that] our remote users use to log in to the environment."

DrayTek routers are considered high end in the UK – retailing at around £200, more than twice the price of garden-variety alternatives – and are mostly used by businesses. In 2015, BT's Openreach accredited DrayTek for use of its very-high-bit-rate digital subscriber line 2 (VDSL2) fibre-to-the-cabinet products.

One business customer, who discovered his router was open to the vulnerability, told El Reg: "DrayTek routers are really expensive compared with other makes, they have an awful lot of features on them and this is the first known exploit I've come across."

In a statement, the company said:

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.

In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router.

The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.

Until you have the new firmware installed, you should check your router's DNS settings on your router and correct them if changed (or restore from a config backup).
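DrayTek's advice boils down to two checks: confirm the resolvers in the router's DNS settings are the ones you configured, and confirm that names resolve to where they should. The script below is an added example for this article, not DrayTek code and not taken from any of the affected firmware. It assumes you copy the resolver IPs from the router's admin page by hand (no router API is used), and it ships with two constructed DNS replies for example.com, using the RFC 5737 documentation ranges 192.0.2.0/24 and 198.51.100.0/24 rather than real addresses, so it runs offline; query_a() performs the same comparison against live resolvers.

```python
import ipaddress
import socket
import struct

# RFC 1918 ranges spelled out, so documentation-range test data is not misclassified.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def unexpected_resolvers(configured, allowed):
    """Return resolver IPs found in the router's DNS settings that are not on your allow-list."""
    return sorted(set(configured) - set(allowed))


def build_query(name, qid=0x1234):
    """Build a recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in this record)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into an earlier name
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(response):
    """Parse a DNS response; return its id, rcode, first question name and the set of A records."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", response, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset, qname, answers = 12, None, set()
    for _ in range(qdcount):
        name, offset = _read_name(response, offset)
        offset += 4  # skip QTYPE and QCLASS
        qname = qname or name
    for _ in range(ancount):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", response, offset)
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.add(str(ipaddress.IPv4Address(rdata)))
    return {"id": qid, "rcode": flags & 0xF, "qname": qname, "answers": answers}


def hijack_indicators(router_reply, trusted_reply):
    """Compare the router resolver's answer with a trusted resolver's answer; return findings."""
    findings = []
    if router_reply["qname"] != trusted_reply["qname"]:
        findings.append("replies are for different names; compare like with like")
    if not router_reply["answers"] & trusted_reply["answers"]:
        findings.append("no common A record: router resolver says %s, trusted resolver says %s"
                        % (sorted(router_reply["answers"]), sorted(trusted_reply["answers"])))
    for ip in sorted(router_reply["answers"]):
        if any(ipaddress.IPv4Address(ip) in net for net in _RFC1918):
            findings.append("public name resolved to RFC 1918 address %s" % ip)
    return findings


def query_a(name, resolver_ip, timeout=3.0):
    """Live check: send build_query() over UDP to resolver_ip:53 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


# Constructed replies for example.com, not real captures: header (id 0x1234, QR+RD+RA, one question,
# one answer), the question, then one A record whose name is a compression pointer to the question.
_HDR = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
_Q = b"\x07example\x03com\x00\x00\x01\x00\x01"
_RR = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"
TRUSTED_REPLY = _HDR + _Q + _RR + bytes([192, 0, 2, 10])      # TEST-NET-1: the genuine host
HIJACKED_REPLY = _HDR + _Q + _RR + bytes([198, 51, 100, 10])  # TEST-NET-2: the attacker's host


def demo():
    """Run both checks on constructed data: a tampered resolver list and a redirected answer."""
    configured = ["192.0.2.1", "198.51.100.53"]  # constructed: what the router's DNS page shows
    allowed = {"192.0.2.1", "192.0.2.2"}          # constructed: the resolvers you actually chose
    return {
        "rogue_resolvers": unexpected_resolvers(configured, allowed),
        "findings": hijack_indicators(parse_a_records(HIJACKED_REPLY), parse_a_records(TRUSTED_REPLY)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The resolver allow-list is the stronger signal: an address in the router's DNS settings that you never entered is exactly what the reports describe. Divergent answers need more care, because CDN-hosted names legitimately resolve differently from different resolvers, so run query_a() against a name with stable records or one you control, and treat a mismatch as a reason to look at the router's configuration, not as proof on its own.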

A survey by Broadband Genie recently found the vast majority of punters are potentially leaving themselves exposed by failing to change the password and security settings on their routers. ®

Prisons transcribe private phone calls with inmates using speech-to-text AI

Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

Another terrible launch, but DICE is already working on improvements

The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

American diplomats' iPhones reportedly compromised by NSO Group intrusion software

Reuters claims nine State Department employees outside the US had their devices hacked

The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

NSO Group, in an email to The Register, said it has blocked an unnamed customer's access to its system upon receiving an inquiry about the incident, but has yet to confirm whether its software was involved.

"Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

Utility biz Delta-Montrose Electric Association loses billing capability and two decades of records after cyber attack

All together now - R, A, N, S, O...

A US utility company based in Colorado was hit by a ransomware attack in November that wiped out two decades' worth of records and knocked out billing systems that won't be restored until next week at the earliest.

The attack was detailed by the Delta-Montrose Electric Association (DMEA) in a post on its website explaining that current customers won't be penalised for being unable to pay their bills because of the incident.

"We are a victim of a malicious cyber security attack. In the middle of an investigation, that is as far as I’m willing to go," DMEA chief exec Alyssa Clemsen Roberts told a public board meeting, as reported by a local paper.

Feds charge two men with claiming ownership of others' songs to steal YouTube royalty payments

Alleged scheme said to have netted $20m since 2017

The US Attorney's Office of Arizona on Wednesday announced the indictment of two men on charges that they defrauded musicians and associated companies by claiming more than $20m in royalty payments for songs played on YouTube.

The 30-count indictment against Jose Teran, 36, of Scottsdale, Arizona, and Webster Batista, 38, of Doral, Florida, was returned by a grand jury on November 16, 2021. It accuses the two men of conspiracy, wire fraud, transactional money laundering, and aggravated identity theft in connection with a scheme to steal YouTube payments.

"In short, Batista and Teran, as individuals and through various entities that they operate and control, fraudulently claimed to have the legal rights to monetize a music library of more than 50,000 songs," the indictment [PDF] alleges.

Hot not-Spot-bot spot: The code behind Xiaomi's CyberDog? Ubuntu

Your four-legged open-source friend? CIMON says 'Maybe'

Linux fans rejoice: the smarts running behind Xiaomi's Not-Spot, CyberDog, emanate from none other than Ubuntu 18.04.

The Register asked Canonical why not something a little fresher, such as 20.04, and were told by robotics product manager, Gabriel Aguiar Noury, that "the operating system is running 18.04 rather than 20.04 because they are using Jetson, and 18.04 is more compatible for the approach the team had in mind."

The CyberDog bounded onto the global stage in August and represented the company's first foray into the world of quadruped robotics.

What will life in orbit look like after the ISS? NASA hands out new space station contracts

The end is coming, and nobody wants a homeless 'naut

NASA has splashed the cash on design contracts for space stations and a multibillion-dollar job for more Artemis boosters.

With the days of the International Space Station (ISS) numbered, NASA is looking to maintain an uninterrupted US presence in low-Earth orbit. Although Axiom Space has plans to build from the ISS, the $415.6m award is about developing space station designs and "other commercial destinations in space."

Blue Origin, which has partnered with Sierra Space to develop the Orbital Reef, received $130m. Nanoracks, which is working on a commercial low-Earth orbit destination called "Starlab" (with Voyager Space and Lockheed Martin), received $160m, and Northrop Grumman's Cygnus-based station received $125.6m. The Cygnus currently does duty as a freighter for the ISS.

Why your external monitor looks awful on Arm-based Macs, the open source fix – and the guy who wrote it

Q&A with the developer of BetterDummy: from macOS secrets to his motivations

Interview Folks who use Apple Silicon-powered Macs with some third-party monitors are disappointed with the results: text and icons can appear too tiny or blurry, or the available resolutions are lower than what the displays are capable of.

It took an open source programmer working in his spare time to come up with a workaround that doesn't involve purchasing a hardware dongle to fix what is a macOS limitation.

István Tóth lives in Hungary, and called his fix BetterDummy. It works by creating a virtual display in software and then mirroring that virtual display to the real one, to coax macOS into playing ball. The latest version, 1.0.12, was released just a few days ago, and the code is free and MIT licensed.

Chill out to the sounds of an expert typing on a variety of mechanical keyboards

A truly rare groove

Discerning writers and programmers know that keyboards matter. It's mostly the feel, but the best feel tends to come from mechanical key switches and they make a noise as they activate.

That feeling goes hand in hand with a chorus of soft clicks… and thanks to custom keyboard guru Taeha "Nathan" Kim and weirdo label Trunk Records, you can relax to 43 minutes and 24 seconds of soothing sounds from 13 rare and limited-edition mechanical keyboards.

Your correspondent is a bit of a fan of devices like this (this piece was typed on a 1991 IBM Model M; accept no substitute) – but no such brash, commonplace kit features on the album. Instead you can luxuriate to the Alps switches of a 1987 Apple Standard (why, yes, I do happen to have one of those too, but the linear cursor keys hinder daily use), and an M0110A from a Mac Plus, as well as more exotic kit.

Netgear router flaws exploitable with authentication ... like the default creds on Netgear's website

Don't just install the patch, change your router passwords too

Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research by Immersive Labs.

The vulns require authenticated access to affected devices, so they are not exploitable by an unauthenticated attacker on their own. They do, however, allow anyone with remote access to the admin interface to pwn the device's underlying OS, threatening the security of all data passing through the router.

Helpfully, Netgear itself publishes default login credentials for "most" of its products on its website. If you haven't been into your Netgear router's admin panel and changed these default creds, you're at increased risk.

Not only was the UK Financial Ombudsman Service's Workday system months late, 38 IT workers' jobs are at risk

Questions remain over data warehouse dependencies and redundancies

The UK's Financial Ombudsman Service (FOS) has gone live on Workday finance and HR systems around three months later than planned, drawing questions over an interdependent data warehouse project.

At the same time, the process has seen IT roles marked for redundancy and set to be transferred to a service supplier.

The watchdog was set up by Parliament in 2001 to resolve complaints between financial businesses and their customers. This week, Workday published a statement boasting that the implementation of its software at the FOS had gone live.
