Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-By Pharming Attack Could Hit Home Networks

Posted by Zonk on from the dive-behind-the-router dept.

Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks.

4 of 185 comments (clear)

  1. Last time I checked. . . by Who235 · · Score: 4, Insightful

    Last time I checked, it's stupid to leave anything with a default password.

    If you had all your personal papers in a safe, would you leave it set to the factory combination?

  2. Re:Simple solution for this by mpe · · Score: 4, Insightful

    1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
    2. Browsers are modified to lookup these hashes in #1 to determine if the DNS servers it is talking to are ok.

    A simpler solution would be for the manufactures of these routers to have them refuse to act as routers with any of the default settings. i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc had been changed.

  3. Like this.... by StressGuy · · Score: 4, Insightful


    [YOU] "Do you have a [brand] router?'

    [NEIGHBOR] "Yes, I do."

    [YOU] "My computer keeps detecting it, thinking it can log on - did you set a password, WEP ect.?"

    [NEIGHBOR] "What's that?"

    [YOU] "It how you keep anyone other than yourself from being able to access your internet connection,
                    if it's not secure, anyone within your routers range can log in....I can help you if you'd like" ...this shouldn't be that much different that telling someone they left thier window open or their door unlocked.

    --
    A goal is a dream with a deadline
  4. Seen this and it's scary by ajs318 · · Score: 4, Insightful

    It's not for nothing that we have this old saying: He who controls DNS, controls the Internet. It's scary what you can do to someone if you can tell them, authoritatively, that (for instance) the IP address for "www.google.co.uk" is 66.230.165.157. And that's exactly the sort of thing you can do, if you have control of a machine running BIND. If you were very, very careful what you subverted, you could snarf a lot of information. I'm sure it's possible to reverse-profile people by the "targeted adverts" they get sent in return for supplying personal information (but see here for advice). If you're serving up the fake pages from your own machine (and you might as well, because Apache is as much part of every Linux distro as BIND) then you have all you need to be The Man In The Middle -- you can pass on a (munged) version of their request to the intended target server and offer up the reply. If you're within wireless range of their router, you can even do it via that. Change back the DNS settings afterward and nobody need ever be any the wiser.

    In my street, there are at least three wireless networks with default passwords. When my friends come around with their wireless laptops, they get a good connection. It most definitely isn't through mine, because my LAN is all wired (in fact, it's still got one length of co-ax in it!) On two of them, the network name was the model of the router. One quick Google later and I had the default password. And it worked -- I had the configuration page up! I almost changed their network name to "uRpWn3d" and setting a new password, just for a laugh and maybe to teach them a lesson, but decided against it; there are ways of pointing out something loose that look less like vandalism than breaking it off.

    The real, long-term solution is for routers to be designed not to route packets as long as the password is set to the factory default -- if the password hasn't been changed, then the router should not allow you to connect to anything except its own configuration page. If you do a full factory reset and find yourself able to connect to web sites straight away without deliberately changing the password, then that must mean one of your machines has already been compromised. Then it's better that you stay off the Net until your computers are fixed.

    --
    Je fume. Tu fumes. Nous fûmes!