[ISN] Hack lets intruders sneak into home routers

From: InfoSec News (alerts@private)
Date: Thu Feb 15 2007 - 22:26:38 PST


By Joris Evers
Staff Writer, CNET News.com
February 15, 2007

If you haven't changed the default password on your home router, let 
this recent threat serve as a reminder.

Attackers could change the configuration of home routers using 
JavaScript code, security researchers at Indiana University and Symantec 
have discovered. The researchers first published their work in December, 
but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain 
Name System, settings of a router if the owner uses a connected PC to 
view a Web page with the JavaScript code. This DNS change lets the 
attacker divert all the Net traffic going through the router. For 
example, if the victim types in "www.mybank.com," the request could be 
sent to a similar-looking fake page created to steal sensitive data.

"I have been able to get this to work on Linksys, D-Link and Netgear 
routers," Symantec researcher Zulfikar Ramzan said. "You can create one 
Web site that is able to attack all routers. My feeling is that it is 
just a matter of time before phishers start using this."

After a router's DNS setting is changed, all computers connected to the 
device will use the DNS server set up by the attacker to find their way 
on the Internet. DNS functions like the phonebook of the Internet, 
mapping text-based addresses such as www.news.com to actual numeric 
Internet Protocol addresses of a Web site.

The attack works on any type of home router, but only if the default 
router password hasn't been changed, Ramzan said. The malicious 
JavaScript code embedded on the attacker's Web page logs into the router 
using the default credentials--often as simple as "admin" and 
"password"--and changes the settings.

"One of the issues is that the set-up steps in the router don't prompt 
you to change the password," Ramzan said. As a result, many people never 
properly configure their networking gear, he said.

In crafting their proof-of-concept attack code, Ramzan and researchers 
at Indiana University built upon earlier research that showed how 
JavaScript could be used for malicious purposes. Jeremiah Grossman, 
chief technology officer at WhiteHat Security, demonstrated how 
JavaScript let outside attackers target internal corporate networks.

Grossman is impressed by the Symantec and Indiana University work. "This 
is very dangerous stuff and could be highly effective if used in the 
wild," he said.

Router makers already know of the problems with default passwords as 
well as other security concerns, they said. Linksys, for example, 
recommends that customers change the default password during the 
installation procedure, said Karen Sohl, a representative for the 
company, a division of Cisco Systems. "We are aware of this," she said.

On its Web site, Linksys warns users that miscreants are taking 
advantage of the default passwords. "Hackers know these defaults and 
will try them to access your wireless device and change your network 
settings. To thwart any unauthorized changes, customize the device's 
password so it will be hard to guess," the company states.

Still, although Linksys' software recommends the password change, 
consumers can either plug in their router without running the 
installation disk or bypass the change screen, keeping the defaults. The 
company offers detailed information on how to change the router password 
on its Web site. Netgear and D-Link also recommend password changes.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Thu Feb 15 2007 - 22:33:27 PST