Home router vendor D-Link has taken the unusual step of adding a CAPTCHA login to its range of broadband routers in order to bolster them against automated Internet attacks.
Only one product currently includes the technology, the DIR-685 Wireless N Storage Router, but a number of others will shortly add it to their feature set by upgrade, the DIR-615, DIR-635, DIR-655, DIR-825, and DIR-855. All future products in this part of the market will include CAPTCHA, the company said.
In future, anyone logging into a D-Link router will have to complete a CAPTCHA (completely automated public Turing test to tell humans and computers apart) field similar in design to those used on webmail systems such as Google and MSN to foil automated bots from creating bogus email accounts en masse.
Despite the fact that routers come with user name and password fields, D-Link is concerned that these can still be circumvented by Trojans programmed using one of a number of possible attack methods suggested by researchers over the last couple of years.
Evidence of router attacks on even a modest scale is, in truth, sketchy, but could include a number of scenarios. The easiest way would be to gain access to routers by either by user default passwords and user names - these are often not changed by inexpert users - or just force hacking them using common possibilities.
Such an attack was posited by researchers at the University of Indiana last year, who predicted that a large-scale attack could quickly spread malware in a population of Wi-Fi access points.
A second method would be to use vulnerabilities in the web interfaces to take over the routers using specially-written code , as suggested by DNS flaw discoverer, Dan Kaminsky.
The issue that might be weighing most heavily on D-Link, however, was the report two years ago from Symantec that claimed D-Link routers had been successfully attacked by a bot-launched worm. The purpose of the worm was not established but could have included launching DDoS attacks on other Internet servers or routers. The report was never confirmed but raised suspicions that routers were now in the firing line of malware distributors.
One unanswered issue is whether CAPTCHA will be enough to stop the hackers - the technology has been under sustained attack for some time in its more usual context of blocking the creation of bogus email accounts. There is evidence that specific CAPTCHA designs have been broken by malware writers often enough to compromise the technology.
"CAPTCHA has mainly been used as an effective tool to prevent spamming, but due to the rise in Internet attack methods such as DoS, DDoS and new attacks originating from the LAN/WAN, D-Link has introduced CAPTCHA as an advanced security layer for its home routers," said a D-Link source, repeating the established line that CAPTCHA is better than nothing.
D-Link is the first such vendor to include such a defence, but the competitive nature of the market could see it reach other vendor's products before long.