Broadband routers: SOHOpeless and vendors don't care

http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care

(yes that's the original article title)

Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities.

Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate.

Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when over the Christmas break they crafted a slick paid denial of service stresser service that operated on hacked boxes. Customers were found paying to flood targets of choice with gigabits of bandwidth stolen from what the black hats claimed were a fleet of half a million vulnerable and subsequently hacked routers.

A year earlier, security boffins at Team Cymru warned that an unknown ganghad popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities. Those routers were hacked through a self-propagating worm (PDF) that researchers had already warned about, but not yet seen. It used a mix of brute force password guessing of web admin consoles, cross-site request forgery, and known un-patched vulnerabilities.

more at link above