Slashdot Mirror


Drive-By Pharming Attack Could Hit Home Networks

Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user who had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques, which security companies will have to keep in mind to guard against future attacks.

10 of 185 comments

  1. Legal issues by Reverse+Gear · · Score: 5, Informative

    My sister is a lawyer, I imagine she is not the only one that has dealt with something related to this.

    Right now she has a client that is being sued for quite an amount of money by the music industry for downloading lots of music through P2P services. He claims he never did this, that he never listens to music on his computer.

    It turns out that he lives in an apartment block, knows very little about computers in general, but thought that this thing with wireless networks was really fancy. I think you can figure out the rest of that story; my sister is having quite a few troubles convincing the music industry of what is obvious. I don't know what the outcome of this case is or if it has been taken to court yet.

    According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.

    I think there are many interesting legal issues in this.

    1. Re:Legal issues by maryjane+gonjasoft · · Score: 2, Informative

      I know a guy that does this (unfortunately). He had downloaded whole movies sitting in an apartment complex parking lot. Network Stumbler and idiots = free bandwidth. Definitely need to change that factory password.

  2. A big part of the problem is poor documentation by StressGuy · · Score: 4, Informative

    I got a wireless router not too long ago for the first time. It came with an automated installer and, after reading the instructions and following the prompts, I was set up and "good-to-go".....or was I?

    I also needed to get this router configured on my Linux box...this required that I read some "outside documentation" - where I would learn of such things as passwords, WEP, etc.

    Anyway, it turns out the Windows auto-install script set this thing up with no protection whatsoever. It was only after I read the HOWTOs on the internet that I was able to go back and secure my router for both Linux and Windows.

    I have lived in a couple of neighborhoods since then and, when I fire up my laptop, there are usually one or two unsecured routers that get auto-detected.

    I can only assume there are scores of "average users" with no idea they are sharing their internet access with their neighbors or anyone who "drives by".

    Best security software in the world won't do much good if you don't tell the user what it is and how to use it.

    --
    A goal is a dream with a deadline

    1. Re:A big part of the problem is poor documentation by Corporate+Troll · · Score: 2, Informative

      Anyway, it turns out the Windows auto-install script set this thing up with no protection what-so-ever. It was only after I read the HOWTO's on the internet that I was able to go back and secure my router for both Linux and Windows.

      I know it's always hip to bash Windows on slashdot, but to be fair: in Windows XP the applet that handles wireless connections says "unsecured wireless connection" right there in the dialog. The problem here is the software that comes with these access points: they are braindead. If you are using Windows XP, you do not need a CD to install your wireless access point. Never...

      At max you need the CD to install the drivers of your wireless card, but that has nothing to do with your access point.

      For some reason people think that you need to insert a CD whenever you buy new hardware. That's why so many people run Logitech mouse drivers for mice that work just fine without those drivers. (An example amongst many.) In many cases, it's easier to configure hardware by ignoring all CDs.

      Access point manufacturers should just make the CD autorun to http://192.168.0.254/login.html and then let them in with the default user/password combo. The first thing it should do after that is force the changing of the password. The second is forcing the choice of an SSID and then enabling WPA-PSK... After that, the wireless connection will break, Windows will detect the new SSID and want to log in, and you'll just have to type in the password you just defined.

      That's all they need to do... It's that simple...

    2. Re:A big part of the problem is poor documentation by bcattwoo · · Score: 2, Informative

      As an AC points out further up, this vulnerability is not limited to open wireless routers. The exploit is accomplished when the victim visits a website containing some malicious code. The code causes the browser to make an HTTP request to a common default router IP using the default username and password to change the DNS server entries. I would guess that there are a number of people out there that are a lot less security conscious about their non-wireless routers.

  3. Re:not with my 2wire router by Anonymous Coward · · Score: 1, Informative

    Read the article. This attack is not about wireless access. The attack uses a web browser that is already (and legitimately) on the internal network to reflect HTTP requests towards the router configuration interface. A simplified example: make a webpage with an image src=http://root:default@192.168.178.1/dnsconfig?dns1=10.0.0.1&dns2=10.0.0.2&commit. Then make the webpage popular (put some silly video on it, post to digg), and watch as users with default-configured routers have their DNS servers changed.

  4. This isn't about wireless access! by JackHoffman · · Score: 5, Informative

    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.

  5. Re:Last time I checked. . . by ptbarnett · · Score: 2, Informative

    Unfortunately, I don't see an easy solution/resolution to this problem -- if manufacturers changed their defaults to make the routers more locked down, the average consumer is going to completely fail to use the product. They won't know how to configure their networking settings manually. It will be some strange voodoo for which they need to hire Nerds on Site or something.

    When I switched from DSL to Verizon's FIOS, I got an Actiontec MI424WR router. By default, it was configured with a randomly generated SSID and WEP key. I've changed it to a WPA key, but if I do a hard-reset, it returns to the original values. Apparently, the boot ROM is 'tweaked' during the manufacturing process and a matching sticker is generated with the SSID, WEP key and MAC address -- which is attached to the bottom of the router.

    The administration username and password were set to constant values. Unfortunately, you can login to the router as administrator via a wireless connection -- my older Linksys/Cisco router allows you to restrict administrative access to a wired port.

  6. Re:Moo by Radon360 · · Score: 3, Informative

    They can be configured that way, but usually by default, they are not. I know that Linksys has the option, but Wireless management of the router is not disabled by default.

    Besides that, the title was a bit misleading with the term "drive-by". This exploit has nothing at all to do with a wireless LAN.

    Basically:

    1. You get a person to browse to a web page with the malicious code
    2. The web browser downloads the malicious JavaScript and executes it.
    3. The JavaScript connects to the router from the user's computer and changes the settings.
    4. The router's DNS now points to the attacker's DNS.
    5. Attacker can now point the user's browser in whatever direction he chooses.