Two weeks ago D-Link announced the introduction of a CAPTCHA to confirm configuration changes on some of its wireless routers. According to D-Link, the objective is to prevent users whose machines have been owned by malware from having the DNS settings in the router changed without their knowledge.
Changing the DNS settings on a wireless router allows access to be redirected to a site a hacker chooses. For instance, by redirecting legitimate access it's possible to make you believe that you're accessing a legitimate online banking website when you're actually entering your account number and PIN into a hacker's system. There are as many uses for DNS redirection in attacks as there are cheeses in France, and it all depends on the hacker's creativity in fooling the user.
A CAPTCHA is a challenge presented by a system to ensure that it's a human who is interacting with it. Usually these challenges are based on the interpretation of something, normally the answer to questions such as the number of vowels in a word or synonyms for that specific word. These challenges are quite common on free e-mail or online storage websites, to prevent hackers from automating the creation of user accounts on these websites to store pirated material.
The first thing I thought when I read the release was that if the user's workstation is already taken over by malware, this very same malware has absolutely full control over the workstation and could change the DNS configuration of the workstation itself, without the added complexity of drilling down into the configuration of a wireless router that could be any brand! Furthermore, why has only D-Link introduced this feature, while other manufacturers haven't done the same? The answer is not obvious.
Access to a router's configuration depends on proper authentication of an administrative user. If any malware is able to gain administrative access to a router up to the point of being able to change the DNS setting, something has got to be wrong with access control to the router. D-Link claims that some malware captures keystrokes and thus it would be relatively easy to obtain the password. Well, keystroke-capture software is relatively common in the wild, and this is precisely why "virtual keyboards" are so easy to find on several websites and are a lot more effective than the deployment of a CAPTCHA, especially if we take into consideration that wireless router microcode is supposed to be a lean piece of software.
For me, the story only makes sense if we imagine that it's feasible to work around the traditional router authentication and somehow obtain direct access to the configuration pages, possibly by exploiting a more severe (and more expensive to fix) vulnerability in the router operating system. Even worse if this vulnerability can be remotely exploited despite the fact that remote management from the Internet is not enabled on the router. Conspiracy theory? Perhaps. Nevertheless, until I fully understand what is behind this story, if I have to choose between a D-Link router and a router from another brand I think I will go with the latter. If D-Link's idea was to introduce a feature just for marketing purposes, that might actually work against them if more geeks like me start to think the same way I do.
By the way, a CAPTCHA is not a security feature. It serves to differentiate a machine from a human being. If a system is only secure while it ensures only human beings can get access to it, this system is not secure at all. Maybe the security of this system is all based on the fact that human beings make mistakes or are not as fast or as persistent as a piece of software handcrafted by a hacker.