February 15, 2007 3:33 PM PST
Hack lets intruders sneak into home routers
Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.
The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.
"I have been able to get this to work on Linksys, D-Link and Netgear routers," Symantec researcher Zulfikar Ramzan said. "You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this."
After a router's DNS setting is changed, all computers connected to the device will use the DNS server set up by the attacker to find their way on the Internet. DNS functions like the phonebook of the Internet, mapping text-based addresses such as www.news.com to actual numeric Internet Protocol addresses of a Web site.
The attack works on any type of home router, but only if the default router password hasn't been changed, Ramzan said. The malicious JavaScript code embedded on the attacker's Web page logs into the router using the default credentials--often as simple as "admin" and "password"--and changes the settings.
"One of the issues is that the set-up steps in the router don't prompt you to change the password," Ramzan said. As a result, many people never properly configure their networking gear, he said.
In crafting their proof-of-concept attack code, Ramzan and researchers at Indiana University built upon earlier research that showed how JavaScript could be used for malicious purposes. Jeremiah Grossman, chief technology officer at WhiteHat Security, demonstrated how JavaScript let outside attackers target internal corporate networks.
Grossman is impressed by the Symantec and Indiana University work. "This is very dangerous stuff and could be highly effective if used in the wild," he said.
Router makers already know of the problems with default passwords as well as other security concerns, they said. Linksys, for example, recommends that customers change the default password during the installation procedure, said Karen Sohl, a representative for the company, a division of Cisco Systems. "We are aware of this," she said.
On its Web site, Linksys warns users that miscreants are taking advantage of the default passwords. "Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device's password so it will be hard to guess," the company states.
Still, although Linksys' software recommends the password change, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. The company offers detailed information on how to change the router password on its Web site. Netgear and D-Link also recommend password changes.
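
A defensive check for the DNS change described above, as an added example that is not part of the original article: it parses a client's resolver configuration (resolv.conf syntax) and flags any nameserver that is not on a list the owner expects. The sample configuration, the addresses (private and documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolver configuration as a client might receive it
# from the router via DHCP. Addresses are private or documentation ranges,
# not real servers.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.53   # not one of ours
nameserver not-an-ip
"""

# Assumption: the resolvers the owner expects (router LAN address, ISP DNS).
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}


def parse_nameservers(text):
    """Return the nameserver values in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        for marker in "#;":                      # both start a comment
            line = line.split(marker, 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(text, expected):
    """Classify each configured resolver as ok, unexpected or invalid."""
    expected_addrs = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for raw in parse_nameservers(text):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append((raw, "invalid"))    # malformed entry, report it
            continue
        findings.append((raw, "ok" if addr in expected_addrs else "unexpected"))
    return findings


def is_clean(text, expected):
    """True only if every configured resolver is on the expected list."""
    return all(status == "ok" for _, status in audit_resolvers(text, expected))


if __name__ == "__main__":
    for server, status in audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS):
        print(f"{status:10} {server}")
```

If the router hands out its own LAN address as the resolver, a client-side check like this cannot see the upstream DNS servers, which then have to be checked on the router's own settings page.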

They should know that people are not engineers, and need a more friendly interface. Many more things should be automatic, rather than counting on manually configuring. Ever try to get NAT or VPN to work on a router? Almost have to be an engineer just to understand the settings. It's no wonder people have such a hard time.
Same goes for the password. The ability to leave it as default should not exist. During the installation process, the consumer should be prompted to enter a password. No ability to skip this step should be provided. Furthermore, if the consumer tried to use the product without entering a new password, the product should simply not work. Of course, this would lead to tech support phone calls, which cost money. Personally, I'd rather be known as the company whose instructions for using their product must be followed than as the company whose product is dangerous to use (even worse, the company whose product helped thieves clean out someone's bank account).
The other problem is people who are just too damn lazy to read the instructions. I work in the electronic service field, and it's amazing how many people I deal with just because they couldn't be bothered to read the instructions. One customer who pulled up in a limo brought in an item he said was defective, and upon being informed there was nothing wrong with it and reading the owner's manual would have solved his problem, promptly replied, "I don't read owners manuals".
If people start getting ripped off by this method, the only ones I'll feel sorry for are the ones that couldn't figure out how to change the password.
Those that skipped the step, or simply couldn't be bothered will get what they deserve. Financial evolution in action.
Telecommuting is responsible for a growing part of the business world. I was reading an article from ezine http://ezinearticles.com/?Telecommuting-Safely-for-Better-Business&id=377038
Just going over how accidental loss affects companies. If people begin to do the "Drive by Pharming" then it can be terrible for business professionals who may not even be aware of their poor behavior online.
This is really a trivial hack. Actually I wouldn't even really call it a "hack" since that implies that there was some real thought and trickery involved here. Really it's just simply automating a procedure and making use of the fact that most users don't change default passwords.
It is somewhat ingenious in its simplicity though. This should work on any OS that the routers are connected to and there would be no obvious sign. I take a much more paranoid approach to security than the average home user, but honestly I think it's been months since I last checked the DNS settings on my router (though I most certainly did change the default password!). And even if someone DID check their DNS address, would they recognize the IP address for the hacker's site vs. their own ISP's DNS server IP address?
Honestly if this were to happen to me, probably the only thing I would notice is that the malicious hacker's DNS server would probably be faster and more reliable than that of my ISP's!
- Read the article, Mac-ignoramus!!!
by v_noronha
February 17, 2007 7:07 AM PST
- The article specifically addresses routers, and their manufacturers. But you seem to have a typically ignorant reaction, hence your comment, which shows that you have not read the article. It refers to router security, and Macs attached to them as well as Windows machines!!!