Drive-by Web attack aimed at home routers:
That’s what researchers at Symantec Corp. and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code.

For the attack to work, the bad guys would need a couple of things to go their way. First, the victim would have to visit a malicious Web site that served up the JavaScript. Second, the victim’s router would have to still use the default password it came pre-configured with out of the box.

Okay, let me get this straight. The user would have to visit the malicious web site and their PC would be infected with the JavaScript, then they would have to have an open wireless network with the admin password set to default, then the hacker would have to locate this person and drive by within range.

If only that was the worst we had to worry about!

The real problem is the user setting up an unprotected wireless network and leaving the admin password set to default! If that step doesn’t happen then this scenario is null and void.

Could Symantec Corp. be feeling the need to raise the public security fear factor since Microsoft Vista’s launch? I’m sure they’re concerned about reduced user dependency on Symantec software?

Update – 02/15/07:

Zulfikar Ramzan of Symantec left a comment further explaining this issue. I misunderstood this security flaw due to the use of the term “drive by.” It appears to be a serious flaw that changes the router’s DNS settings to point to an erroneous location. Please read the attached comment and be sure you are not still using the default admin password. Thanks.


2 Comments

  1. Hi Earl,

    Thanks for posting and helping to spread the word about some of the research I conducted along with Sid Stamm and Markus Jakobsson.

    One thing I wanted to clarify is that the attack does not require the attacker to have any physical proximity to the victim.

    Really, as soon as the victim visits the malicious web page, the DNS settings on his router will be modified (if the victim is using the default password on the router). The victim does not have to download or install any malicious software, or anything of the like.

    Once the DNS settings are changed, the victim is in serious trouble. When the victim types in http://www.my-bank.com, the attacker can redirect the victim to the attacker’s version of my-bank.com (and the victim will have difficulty telling the difference).

    What makes this attack serious, in my mind, is that the victim simply has to *view* a web page in order to have his router infected. Nothing more.

    Consider:
    (1) how many people have broadband routers (note that this attack applies to any broadband router, whether or not it is wireless), and
    (2) how many people fail to change the default password.
    It becomes clear that the number of potentially susceptible victims to an attack of this sort is staggering.

    Fortunately, there is a simple way to address the threat: change the password to something more difficult to guess.

    There are some additional details available on my blog if that’s of interest:
    http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

    Thanks again,

    Zulfikar Ramzan
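The comment above describes the effect of the attack: the router's DNS servers are swapped, so every host behind it silently resolves names through attacker-controlled servers. A defender can catch that from any client on the LAN by checking which resolvers the router hands out against a baseline, and by resolving a sensitive hostname through both the router and an independent trusted resolver. The following is an added example written for this post, not code from the author, Symantec, or the researchers; the baseline resolvers, the resolv.conf text and the DNS answers are constructed sample data.

```python
"""Client-side checks for router DNS tampering (pharming) on a home LAN."""
import re

# Assumption: the resolvers the ISP/router normally hands out via DHCP.
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}

# Constructed /etc/resolv.conf as a DHCP client would see it after tampering:
# an unknown primary resolver has been inserted ahead of the ISP's.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0.dhcp
search home.lan
nameserver 198.51.100.7
nameserver 203.0.113.53
"""

# Constructed A-record answers for a bank hostname, as returned by the
# router's resolver and by an independent trusted resolver.
ANSWERS_VIA_ROUTER = {"www.my-bank.com": ["198.51.100.80"]}
ANSWERS_VIA_TRUSTED = {"www.my-bank.com": ["203.0.113.80"]}


def parse_nameservers(resolv_conf: str) -> list:
    """Return nameserver addresses in order, skipping comments and other keys."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def unexpected_resolvers(resolv_conf: str, expected: set) -> list:
    """Resolvers currently in use that are not on the baseline list.
    A non-empty result means the router's DNS settings have drifted."""
    return [s for s in parse_nameservers(resolv_conf) if s not in expected]


def mismatched_hosts(via_router: dict, via_trusted: dict) -> list:
    """Hostnames whose A records differ between the router's resolver and the
    trusted resolver. A mismatch on a bank hostname is the signature of the
    redirection described in the comment (victim lands on a look-alike site)."""
    return sorted(host for host, addrs in via_router.items()
                  if set(addrs) != set(via_trusted.get(host, [])))


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
    print("mismatched hosts:", mismatched_hosts(ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED))
```

On a real client, replace the constructed inputs with the contents of /etc/resolv.conf (or the DHCP lease) and with live lookups against the router and a resolver you trust; either check firing is a reason to log into the router and verify its DNS settings and admin password.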

  2. Hi Zulfikar,

    Thank you for taking the time to post a more complete description of the security issue. I agree this could be a serious issue.