Computer Routers face Hijack Risk

Researchers at the University of Indiana and Symantec are warning that about half of internet users with a home router are vulnerable to having the hardware hijacked. The researchers found that home router users are susceptible to attackers who could change settings on the devices and begin phishing attacks. The attack appears to work on all major consumer versions of routers (including Linksys, Belkin, Netgear and D-Link) but can only be successful if the user visits a specially crafted web page. "A malicious web page has the disastrous ability to manipulate its visitors' home routers, changing its settings to enable spread of malware, target phishing attacks, or starve the visitor from critical security updates," the researchers wrote in their paper, Drive-By Pharming.

The attack is unique as it does not rely on vulnerabilities in a web browser or other software, but instead allows malicious attacks at the network level. The researchers cited surveys that showed half of home router users use the default password or no password on the device, and 95% allow their web browsers to use JavaScript code. "This means 47.5 per cent of all home users ... are effectively leaving themselves open to another attack — allowing attackers to circumvent all known anti-phishing countermeasures," the researchers wrote. They recommend that people change their passwords on their routers and be selective about which Java applets, or programs, they allow to run on their computers. The study, authored by Sid Stamm and Markus Jakobsson of Indiana University and Zulfikar Ramzan of Symantec, was published in December 2006 and is now being publicized by Symantec.
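Added example, not from the article or the researchers' paper: the attack described above depends on a page served from the public internet causing the browser to send requests to the router's private address. The detection logic below, of the kind a filtering proxy or browser extension could apply, flags such requests; the function names and the sample URLs are constructed for illustration.

```javascript
// True when host is an IPv4 literal in loopback, RFC 1918 or link-local space.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return false;
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254);
}

// Returns one finding per request that a public-origin page sends to a private host.
function flagRouterBoundRequests(pageUrl, requestUrls) {
  const page = new URL(pageUrl);
  // A page served from the LAN itself (the router's own admin UI) is expected
  // to talk to private addresses, so only public origins are checked.
  if (isPrivateIPv4(page.hostname)) return [];
  const findings = [];
  for (const raw of requestUrls) {
    let target;
    try {
      target = new URL(raw, pageUrl); // resolves relative URLs against the page
    } catch {
      continue; // unparseable entries are skipped, not flagged
    }
    if (!/^https?:$/.test(target.protocol)) continue;
    if (!isPrivateIPv4(target.hostname)) continue;
    findings.push({
      url: target.origin + target.pathname, // report without userinfo or query
      host: target.hostname,
      embedsCredentials: target.username !== "" || target.password !== "",
    });
  }
  return findings;
}

// Constructed sample: requests observed while loading one public page.
const sampleRequests = [
  "/style.css",
  "https://cdn.example.net/lib.js",
  "http://192.168.1.1/placeholder-settings-path",
  "http://user:example@10.0.0.1/placeholder-settings-path",
  "http://172.32.0.5/not-private",
];
console.log(flagRouterBoundRequests("https://news.example.org/story", sampleRequests));
```

Only requests to private address space are reported, and a page that is itself served from a private address is exempt so the router's own admin interface does not trigger findings.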

Link: Forum Discussion (Thanks Rappy)
News source: CBC News


26 Comments


You know what, manufacturers should just create random passwords on the router.. for every router shipped, there is a random 10 char/int password that is randomly generated and stuck in the box..

Problem solved for the home user..

The process should be very easy.. I ordered a free Fon router a couple of days ago and it uses WPA encryption and the password is the router's serial.

If you don't change your password you deserve to have a 50% wireless firmware upgrade done to your router, lol

I once did a search around our town for open wifi networks and I found about 85% were just left with the default password and username. However, they almost ALL had unique network SSID's, which is strange.

Anyways, custom firmware + strong password = win.

Lexcyn said,
I once did a search around our town for open wifi networks and I found about 85% were just left with the default password and username. However, they almost ALL had unique network SSID's, which is strange.

Anyways, custom firmware + strong password = win.

What custom firmware are you referring to?
HyperWRT Thibor?
If so,
Mine fell into odd category: "WRT54G v1-v4 CDFB"

Current version firmware downloads can be found here:

model | serial no. prefix | upgrade from stock firmware | upgrade from HyperWRT
WRT54G v1-v4 | CDF0-CDF9,CDFA | HyperWRT G Thibor15c | HyperWRT G Thibor15c
WRT54G v5-v7 | CDFB | not compatible | not compatible
WRT54GL v1-v1.1 | CL7A,CL7B | HyperWRT G Thibor15c | HyperWRT G Thibor15c
WRT54GS v1-v3 | CGN0-CGN5 | HyperWRT GSv3 Thibor15c | HyperWRT GSv3 Thibor15c
WRT54GS v4 | CGN6 | HyperWRT GSv4 Thibor15c | HyperWRT GSv4 Thibor15c
WRT54GS v5-v6 | CGN7 | not compatible | not compatible
WRTSL54GS v1-v1.1 | CJK0, CJK1 | HyperWRT SL Thibor17rc3 | HyperWRT SL Thibor17rc3

Any tips?
Thanks
my password is not admin,
nor do I broadcast,
Wep & Wpa encryption require key,
acceptable wireless mac table
Lan host is outside range of DHCP
cloned mac address,
connections set to 5
non-standard subnetmask 255.255.255.xxx
starting ip 192.168.1.100
hardset port forwarding tcp, no-udp

I bet Symantec wants us to rid them of black box firewalls!

LoL, I laughed so easily when I loaded up my wireless network machine at home, found 7 networks, and the 6 that didn't belong to me had either no password or the password was admin.

95% allow their web browsers to use JavaScript code

Oh noes! JavaScript is the EVUL!!
FFS. 95% of home users allow their web browsers to "use JavaScript code" because otherwise they wouldn't see a damn thing when browsing the Web.
Seeing as every home router available has a "quick setup" sheet with it that clearly states "this is the default username and password, change it as soon as possible" on it then anybody who doesn't deserves everything they get. If you can't be bothered to read, don't come crying to me when your connection gets pwned.

I don't bother changing my neighbors' routers' passwords, in case I need access due to mine being a problem. lol

Second thought, that'd be cool.

Heh, you know with neighbors around where I live I could brick their router (only about 2 out of the 10) because they didn't set a password. When you log into their network, let's say like when my internet went out, you can figure out a lot about a router when you try logging into the admin page. "Welcome to Linksys blablabla". Read the manual and get the password!

So it's pretty much just saying

IF router_password == admin
router_password = pwned;
ENDIF

I'm pretty sure anyone who knows about Neowin doesn't use a default password anyway. The word needs to be spread to the mainstream level. Maybe add a few notices to the boxes or have Best Buy employees warn the customers as they buy the router.

Xtreme $niper said,
So it's pretty much just saying

IF router_password == admin
router_password = pwned;
ENDIF

Actually, it's javascript so it would be:

var pwned = "Change your password, stupid-head!";

if ( router_password == "admin" )
{
alert(pwned);
}

Glen said,

Actually, it's javascript so it would be:

var pwned = "Change your password, stupid-head!";

if ( router_password == "admin" )
{
alert(pwned);
}

Hah yeahh I figured I should have done it that way, but I've been doing a lot of AS/400 programming lately for an assignment due, so I kinda mixed pseudo code with CL and scripting. I'm weird.

Y'all talking about default passwords, but they do mention specially crafted pages that can be used to gain control of your router, which according to them works on many home routers. *That's* a router problem, not user stupidity.

no, default passwords ARE the issue here.

From what I can gather, the page uses Java(Script) to access the router's config page and because it looks like it's coming from within the network, the router allows it access. The script then auths with the default username/password et voila it's in and causes havoc.

dandin1 said,
Y'all talking about default passwords, but they do mention specially crafted pages that can be used to gain control of your router, which according to them works on many home routers. *That's* a router problem, not user stupidity.

Specially crafted pages that use the default password. Which works on many routers because many do not change their password. If *that's* not user stupidity, then what is?

I would agree with that router comment about how most users don't bother to change their passwords... as all they look at it is... "I hook this device up to my internet and I can then use multiple computers on the same internet connection"... and that's pretty much it. They don't bother to set up a decent password on the router and turn OFF remote administration of the router, etc.