Slashdot Mirror


Drive-By Pharming Attack Could Hit Home Networks

Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user who had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related, more advanced techniques, which security companies will have to keep in mind to guard against future attacks.

36 of 185 comments

  1. Simple solution for this by suso · · Score: 2, Interesting

    1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
    2. Browsers are modified to lookup these hashes in #1 to determine if the DNS servers it is talking to are ok.

    The net needs to be more secure and there need to be more checks in place through authoritative sources.

    This pharming attack reminds me of when I first installed the doorbell on my house. Every once in a while it would go off and nobody was at our door; it turned out that the people across the street had the same doorbell set to the default settings.

    1. Re:Simple solution for this by mpe · · Score: 4, Insightful

      1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
      2. Browsers are modified to lookup these hashes in #1 to determine if the DNS servers it is talking to are ok.

      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e., with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.

    2. Re:Simple solution for this by rolfc · · Score: 2, Funny

      Who are you? A Doorbell Administrator? A Doorbell Security consultant?

    3. Re:Simple solution for this by smooth+wombat · · Score: 2, Insightful

      If you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"

      I know, I know. The people who write the manuals don't actually use the products they talk about* so the manufacturer will have to make a concerted effort to put this notice on the three pieces of paper that come with products nowadays.

      *In helping my parents configure their new tv a few years back, the manufacturer left an important part in how to save your settings when blocking out unused channels. If you followed the directions, blocking channels would not have worked. The crucial step of selecting the channel in question was left out of the instructions. It was only because of having used similar menu arrangements on other devices that I knew to not follow the directions as written.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    4. Re:Simple solution for this by paeanblack · · Score: 2, Funny

      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e., with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.

      Dude, ATM machines don't even have futuristic features like that. Come back to reality.

      http://it.slashdot.org/article.pl?sid=06/09/21/1819242

    5. Re:Simple solution for this by paeanblack · · Score: 4, Funny

      Yet, if your car failed to start if you weren't buckled up, people would go ballistic.

      If they aren't buckled up, they are going ballistic anyways...it's just a matter of time.

  2. Last time I checked. . . by Who235 · · Score: 4, Insightful

    Last time I checked, it's stupid to leave anything with a default password.

    If you had all your personal papers in a safe, would you leave it set to the factory combination?

    1. Re:Last time I checked. . . by loafing_oaf · · Score: 2, Funny

      Exactly. The first thing I did on my router was change the password. A few months later, my forgotten password now locks me out. Does anyone have a safety pin?

      --
      Always someone has power over you. The thing to consider is this: Is the power good, or bad?
    2. Re:Last time I checked. . . by Corporate+Troll · · Score: 2, Interesting

      If you really can't remember, there is nothing wrong with taping the password to the bottom of your router. If the attacker can gain physical access to your router you have a much bigger problem than wireless security.

      You shouldn't do this at your workplace, but at home it is acceptable...

      I don't do this, I know the (strong) password of my Access Point

    3. Re:Last time I checked. . . by gstoddart · · Score: 2, Insightful

      Last time I checked, it's stupid to leave anything with a default password.

      If you had all your personal papers in a safe, would you leave it set to the factory combination?

      You're right of course. But, part of the problem is simply consumer education.

      It used to be that only people who knew a fair amount about computers used them. They were a self educating populace. The adoption of computers and home networks by a lot of people has actually happened faster than the corresponding education of people about these things. They can walk into a box store, buy a wireless router, plug it in and go. They simply don't have a clue about securing their machines.

      It's a commodity mindset -- "I go, I buy the product, I plug it in like a TV, and I never think about how it operates". Consumers haven't yet fully understood that they might need to take steps to secure such things, or that it poses a risk. All they know is they click the right button and they download the internet. :-P

      Unfortunately, I don't see an easy solution/resolution to this problem -- if manufacturers changed their defaults to make the routers more locked down, the average consumer is going to completely fail to use the product. They won't know how to configure their networking settings manually. It will be some strange voodoo they need to hire Nerds on Site or something.

      Cheers
      --
      Lost at C:>. Found at C.
    4. Re:Last time I checked. . . by 955301 · · Score: 2, Insightful

      Wouldn't it be great if the router hijacked the few http requests passing through it and gave the user a dynamically created password with instructions to print it and tape it to the router? There could be a snazzy checkbox letting them skip future redirects after they have the password.

      Then hitting the reset on the router just caused this to happen again with a newly created password.

      Voilà, no more default passwords.

      --
      You are checking your backups, aren't you?
    5. Re:Last time I checked. . . by ptbarnett · · Score: 2, Informative

      Unfortunately, I don't see an easy solution/resolution to this problem -- if manufacturers changed their defaults to make the routers more locked down, the average consumer is going to completely fail to use the product. They won't know how to configure their networking settings manually. It will be some strange voodoo they need to hire Nerds on Site or something.

      When I switched from DSL to Verizon's FIOS, I got an Actiontec MI424WR router. By default, it was configured with a randomly generated SSID and WEP key. I've changed it to a WPA key, but if I do a hard-reset, it returns to the original values. Apparently, the boot ROM is 'tweaked' during the manufacturing process and a matching sticker is generated with the SSID, WEP key and MAC address -- which is attached to the bottom of the router.

      The administration username and password were set to constant values. Unfortunately, you can login to the router as administrator via a wireless connection -- my older Linksys/Cisco router allows you to restrict administrative access to a wired port.

  3. Legal issues by Reverse+Gear · · Score: 5, Informative

    My sister is a lawyer; I imagine she is not the only one that has dealt with something related to this.

    Right now she has a client that is being sued for quite an amount of money by the music industry for downloading lots of music through P2P services. He claims he never did this, that he never listens to music on his computer.

    It turns out that he lives in an apartment block, knows very little about computers in general, but thought that this thing with wireless networks was really fancy. I think you can figure out the rest of that story. My sister has quite a few troubles convincing the music industry of what is obvious; I don't know what the outcome of this case is or if it has been taken to court yet.

    According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.

    I think there are many interesting legal issues in this.

    1. Re:Legal issues by maryjane+gonjasoft · · Score: 2, Informative

      I know a guy that does this (unfortunately). He had downloaded whole movies sitting in an apartment complex parking lot. Network Stumbler and idiots = free bandwidth. Definitely need to change that factory password.

    2. Re:Legal issues by squiggleslash · · Score: 2, Insightful

      I'm not sure that's relevant. I can't speak for Danish law, but there are a lot of laws in Britain you can break with no ill-intent or action on your part. As a general rule, you are responsible for your Internet connection there and the laws are worded such that you're responsible on the basis of the end result and chain of responsibility, not bad faith actions on your part.

      I've heard of people (as in my mother is a lawyer and has assisted them, this is not friend-of-a-friend stuff) being arrested after complaining to the police that someone has emailed them child pornography. They were, technically, bang to rights. The laws concerning the issue were not concerned with whether he solicited that content, merely whether he possessed it. Did he possess it? Yes, the content was on his computer, he admitted it, therefore as the law was written he was 100% guilty. Beyond a reasonable doubt.

      (FWIW, before anyone thinks a massive injustice was done, it was more a minor injustice - they dropped the charges. Britain's legal authorities tend to recognise that many of the laws they enforce are deliberately over the top to reduce the number of "loopholes" that a truly guilty person could wiggle out of; and as such tend, though not always, to use their discretion when enforcing them. That is, of course, a dangerous situation, and in many cases entirely innocent people do get caught up in draconian laws that should never have applied to them. Britain's judges also seem less willing as a matter of principle than American ones to refuse to find fault with someone who has caused no harm and didn't intend to in the first place, though there are occasional exceptions, some of which are hilarious.)

      Oh, and this situation gets worse when it comes to civil law.

      --
      You are not alone. This is not normal. None of this is normal.
  4. Made a mistake, please don't publically flog me. by suso · · Score: 2, Insightful

    I'm sorry, I was thinking about from the wrong way. That wouldn't work. But perhaps something along those lines could be implemented.

  5. not with my 2wire router by fishyfool · · Score: 5, Interesting

    It came from the factory with a random 10 digit WEP password and with wireless disabled by default. If 2wire can do this, so can everyone else.

    --
    Enjoy Every Sandwich
  6. Comcast by towsonu2003 · · Score: 3, Insightful

    making your network completely invulnerable is a simple case of setting a strong router password
    try setting a strong password on a Comcast router...
  7. So, how do you tell your clueless neighbors? by Anonymous Coward · · Score: 3, Interesting

    This raises a question: if you are using your wireless card and notice that your neighbor has a wide-open access point, how do you educate them without being seen as a suspect or nosy? I have one such neighbor, and I have considered logging into their wide-open AP and rebooting it or setting WEP keys or some such, but such measures would of course fail, since they are clueless. I have also considered going full-stealth and printing up a quick wireless security tutorial on a printer not linkable to me, and taping the tutorial to their door. But, it's not worth the trouble to me, but it could be a big deal to them one day. In this litigious day, that's why I'm posting as AC.

    1. Re:So, how do you tell your clueless neighbors? by oni · · Score: 2, Insightful

      printing up a quick wireless security tutorial on a printer not linkable to me

      you mean like for example *their* printer?

      I did that to some AF guys once. I printed a page with orders to call me in giant letters. They were pretty good natured about it and actually appreciated that I was helping them.

  8. So let's set good passwords by physicsboy500 · · Score: 5, Funny

    We'll chase off the Pharmers with our phlaming torches and pitchphorks!

    --
    The original generic sig.
  9. A big part of the problem is poor documentation by StressGuy · · Score: 4, Informative

    I got a wireless router not too long ago for the first time. It came with an automated installer and, after reading the instructions and following the prompts, I was set up and "good-to-go".....or was I?

    I also needed to get this router configured on my Linux box...this required that I read some "outside documentation" - where I would learn of such things as passwords, WEP, etc.

    Anyway, it turns out the Windows auto-install script set this thing up with no protection whatsoever. It was only after I read the HOWTOs on the internet that I was able to go back and secure my router for both Linux and Windows.

    I lived in a couple of neighborhoods since then and, when I fire up my laptop, there are usually one or two unsecured routers that get auto-detected.

    I can only assume there are scores of "average users" with no idea they are sharing their internet access with their neighbors or anyone who "drives by".

    Best security software in the world won't do much good if you don't tell the user what it is and how to use it.

    --
    A goal is a dream with a deadline
    1. Re:A big part of the problem is poor documentation by Corporate+Troll · · Score: 2, Informative

      Anyway, it turns out the Windows auto-install script set this thing up with no protection whatsoever. It was only after I read the HOWTOs on the internet that I was able to go back and secure my router for both Linux and Windows.

      I know it's always hip to bash Windows on slashdot, but to be fair: in Windows XP the applet that handles wireless connections says "unsecured wireless connection" right there in the dialog. The problem here is the software that comes with these access points: they are braindead. If you are using Windows XP, you do not need a CD to install your wireless access point. Never...

      At max you need the CD to install the drivers of your wireless card, but that has nothing to do with your access point.

      For some reason people think that you need to insert a CD whenever you buy new hardware. That's why so many people run Logitech Mouse drivers that work just fine without those drivers. (An example amongst many) In many cases, it's easier to configure hardware by ignoring all CDs.

      Access point manufacturers should just make the CD autorun to http://192.168.0.254/login.html and then let them in with the default user/password combo. The first thing it should do after that is force the changing of the password. The second is forcing the choice of an SSID and then enabling WPA-PSK... After that the wireless connection will break, Windows will detect the new SSID and want to login and you'll just have to type in the password you just defined.

      That's all they need to do... It's that simple...

    2. Re:A big part of the problem is poor documentation by bcattwoo · · Score: 2, Informative

      As an AC points out further up, this vulnerability is not limited to open wireless routers. The exploit is accomplished when the victim visits a website containing some malicious code. The code causes the browser to make a HTTP request to a common default router IP using the default username and password to change the DNS server entries. I would guess that there are a number of people out there that are a lot less security conscious about their non-wireless routers.

    3. Re:A big part of the problem is poor documentation by Lumpy · · Score: 2, Interesting

      The fun part is when you set up your router with the newest DD-WRT beta release. I have it broadcasting about 30 SSIDs, all of them with default router names and no WEP. Then you set the nocatauth to redirect all traffic to a splash page that simply says "YOU ARE A MORON". Then I leave it disconnected except for power in my attic with the power turned up and some nice high gain antennas.

      After 30 days the number of default configuration routers in my neighborhood dropped significantly. I forced them all to reconfigure it to at least change the name so they can find theirs; many actually added WEP, some added WPA.

      --
      Do not look at laser with remaining good eye.
  10. Like this.... by StressGuy · · Score: 4, Insightful

    [YOU] "Do you have a [brand] router?"

    [NEIGHBOR] "Yes, I do."

    [YOU] "My computer keeps detecting it, thinking it can log on - did you set a password, WEP etc.?"

    [NEIGHBOR] "What's that?"

    [YOU] "It's how you keep anyone other than yourself from being able to access your internet connection. If it's not secure, anyone within your router's range can log in....I can help you if you'd like."

    ...this shouldn't be that much different than telling someone they left their window open or their door unlocked.

    --
    A goal is a dream with a deadline
  11. Re:Oblig... by ptbarnett · · Score: 2, Funny

    Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?

    Dark Helmet: 1 2 3 4 5.

    President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!

    Dark Helmet: Yes, sir!

    President Skroob: And change the combination on my luggage!

  12. This isn't about wireless access! by JackHoffman · · Score: 5, Informative

    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.

  13. Enough with the goofy terms for this crap by duffbeer703 · · Score: 3, Insightful

    I'm so sick of phishing, vishing, pharming, pheering, etc.

    The security community is completely pathetic; the #1 motivation of all of this crap is consultants who want to go around and say that they coined the phrase "pharming", or were able to drum up panic over every obscure flaw in Powerpoint 97.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  14. You haven't dealt with end-users much, have you? by spun · · Score: 5, Funny

    If you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"

    Aha, aha, ahahaha. If you DO put it in the documentation, on the top of every page, in red 24 point bold all caps, you will get hundreds of calls from irate users. If you DON'T, the number will be approximately 99% of whatever your userbase actually is. The other 1% will, as usual, stick their tongue in the wall socket to see if it's live before plugging in the device, somehow poke both their own eyes out with the ethernet cable, or eat the packet that says "DO NOT EAT."

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  15. Seen this and it's scary by ajs318 · · Score: 4, Insightful

    It's not for nothing that we have this old saying: He who controls DNS, controls the Internet. It's scary what you can do to someone if you can tell them, authoritatively, that (for instance) the IP address for "www.google.co.uk" is 66.230.165.157. And that's exactly the sort of thing you can do, if you have control of a machine running BIND. If you were very, very careful what you subverted, you could snarf a lot of information. I'm sure it's possible to reverse-profile people by the "targeted adverts" they get sent in return for supplying personal information (but see here for advice). If you're serving up the fake pages from your own machine (and you might as well, because Apache is as much part of every Linux distro as BIND) then you have all you need to be The Man In The Middle -- you can pass on a (munged) version of their request to the intended target server and offer up the reply. If you're within wireless range of their router, you can even do it via that. Change back the DNS settings afterward and nobody need ever be any the wiser.

    In my street, there are at least three wireless networks with default passwords. When my friends come around with their wireless laptops, they get a good connection. It most definitely isn't through mine, because my LAN is all wired (in fact, it's still got one length of co-ax in it!) On two of them, the network name was the model of the router. One quick Google later and I had the default password. And it worked -- I had the configuration page up! I almost changed their network name to "uRpWn3d" and set a new password, just for a laugh and maybe to teach them a lesson, but decided against it; there are ways of pointing out something loose that look less like vandalism than breaking it off.

    The real, long-term solution is for routers to be designed not to route packets as long as the password is set to the factory default -- if the password hasn't been changed, then the router should not allow you to connect to anything except its own configuration page. If you do a full factory reset and find yourself able to connect to web sites straight away without deliberately changing the password, then that must mean one of your machines has already been compromised. Then it's better that you stay off the Net until your computers are fixed.

    --
    Je fume. Tu fumes. Nous fûmes!
  16. The sequel by kahei · · Score: 5, Funny
    (Later)

    [NEIGHBOR] ...and then suddenly I found out all these payments had been made on my paypal account and a truckload of goat porn had been ordered on my credit card!

    [COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change.

    [NEIGHBOR] An idiot is me.

    [COP] Yes. Yes, an idiot is you.

    --
    Whence? Hence. Whither? Thither.
  17. Show your sister this article! by oni · · Score: 3, Interesting

    RIAA Will Drop Cases If You Point Out That An IP Address Isn't A Person

    Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do.

  18. Re:Moo by Radon360 · · Score: 3, Informative

    They can be configured that way, but usually by default, they are not. I know that Linksys has the option, but Wireless management of the router is not disabled by default.

    Besides that, the title was a bit misleading with the term "drive-by". This exploit has nothing at all to do with a wireless LAN.

    Basically:

    1. You get a person to browse to a web page with the malicious code
    2. The web browser downloads the malicious JavaScript and executes it.
    3. The JavaScript connects to the router from the user's computer and changes the settings.
    4. The router's DNS now points to the attacker's DNS.
    5. Attacker can now point the user's browser in whatever direction he chooses.
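    The five steps above, and JackHoffman's comment 12, describe a cross-site request from a visited page to the LAN-side admin interface. As an added illustration for this thread (not code from the page, from the Indiana University / Symantec work, or from any router vendor), here is a model of a router configuration endpoint with the defenses several posters propose: no routing until the factory password is replaced (mpe, ajs318), plus POST-only, Origin/Referer and single-use CSRF-token checks so a third-party page cannot submit the DNS change even with the default credentials. Request, Router, handle and every address are hypothetical stand-ins for a real firmware HTTP stack.

```python
"""Model of a home-router configuration endpoint hardened against
drive-by pharming: a visited web page making the victim's browser submit
a DNS change to the LAN-side admin interface with default credentials.

Added illustration for this thread; not code from any router vendor or
from the Indiana University / Symantec work. Request, Router, handle and
all addresses are hypothetical stand-ins for a real firmware HTTP stack."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_ADMIN_PASSWORD = "admin"                 # constructed factory default
ROUTER_HOSTS = {"192.168.1.1", "router.local"}   # hypothetical LAN names


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    basic_auth: Optional[Tuple[str, str]] = None  # (user, password) or None


@dataclass
class Router:
    admin_password: str = DEFAULT_ADMIN_PASSWORD
    dns_servers: Tuple[str, ...] = ("192.0.2.53",)  # constructed ISP resolver
    csrf_tokens: set = field(default_factory=set)
    routing_enabled: bool = False  # mpe/ajs318: no routing until password changed

    def issue_csrf_token(self) -> str:
        """Embedded in the router's own config form; unknown to a third-party page."""
        tok = secrets.token_hex(16)
        self.csrf_tokens.add(tok)
        return tok


def origin_is_router(headers: dict) -> bool:
    """True only if the submitting page was served by the router itself.
    A bare <img>/<script> fetch from another site carries no router Origin."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and urlsplit(src).hostname in ROUTER_HOSTS


def handle(router: Router, req: Request) -> Tuple[int, str]:
    """Dispatch one request; state-changing endpoints live under /apply/."""
    _user, pw = req.basic_auth or ("", "")
    if not hmac.compare_digest(pw, router.admin_password):
        return 401, "bad credentials"
    if not req.path.startswith("/apply/"):
        return 200, "ok"  # read-only pages
    if req.method != "POST":
        return 405, "config changes must be POSTed"  # blocks one-line GET payloads
    if not origin_is_router(req.headers):
        return 403, "cross-site request refused"
    token = req.form.get("csrf")
    if not token or token not in router.csrf_tokens:
        return 403, "missing or unknown CSRF token"
    router.csrf_tokens.discard(token)  # single use

    if req.path == "/apply/password":
        new = req.form.get("password", "")
        if len(new) < 8 or new == DEFAULT_ADMIN_PASSWORD:
            return 400, "choose a non-default password of 8+ characters"
        router.admin_password = new
        router.routing_enabled = True  # only now does the box forward traffic
        return 200, "password changed; routing enabled"
    if router.admin_password == DEFAULT_ADMIN_PASSWORD:
        return 403, "change the default password before other settings"
    if req.path == "/apply/dns":
        router.dns_servers = tuple(s.strip() for s in req.form.get("dns", "").split(","))
        return 200, "dns updated"
    return 404, "unknown setting"
```

The Origin/Referer check alone is not enough on browsers that omit those headers, which is why the token is required as well; in this model the drive-by GET and the cross-site POST both fail before the DNS entry is touched.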
  19. Re:defaults passwords by QuantumRiff · · Score: 2, Interesting

    Could you imagine what would happen if Masterlock created padlocks that all had the same combo to start with, and required you to change them? I totally agree!

    --
    What are we going to do tonight Brain?
  20. This isn't about wireless! by Anonymous Coward · · Score: 2, Informative

    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.