Researchers at the University of Indiana and Symantec are warning that about half of internet users with a home router are vulnerable to having the hardware hijacked. The researchers found that home router users are susceptible to attackers who could change settings on the devices and begin phishing attacks. The attack appears to work on all major consumer versions of routers (including Linksys, Belkin, Netgear and D-Link) but can only be successful if the user visits a specially crafted web page. "A malicious web page has the disastrous ability to manipulate its visitors' home routers, changing its settings to enable spread of malware, target phishing attacks, or starve the visitor from critical security updates," the researchers wrote in their paper, Drive-By Pharming.
The attack is unique as it does not rely on vulnerabilities in a web browser or other software, but instead allows malicious attacks at the network level. The researchers cited surveys that showed half of home router users use the default password or no password on the device, and 95% allow their web browsers to use JavaScript code. "This means 47.5 per cent of all home users … are effectively leaving themselves open to another attack — allowing attackers to circumvent all known anti-phishing countermeasures," the researchers wrote. They recommend that people change their passwords on their routers and be selective about which Java applets, or programs, they allow to run on their computers. The study, authored by Sid Stamm and Markus Jakobsson of Indiana University and Zulfikar Ramzan of Symantec, was published in December 2006 and is now being publicized by Symantec.
Link: Forum Discussion (Thanks Rappy)
News source: CBC News
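The attack works because the request that changes the router's settings is issued by the visitor's own browser, so it arrives from inside the home network. As an added example (not from the paper or from any router vendor), here is a request gate that a router's admin interface could apply to refuse such requests. The allowed origins, the `/set-password` path and the request shape are assumptions.

```javascript
// Added example: request gate for a hypothetical router admin interface.
// ROUTER_ORIGINS, SAFE_METHODS, the paths and the request shape are assumptions.
const ROUTER_ORIGINS = new Set(["http://192.168.1.1", "http://router.lan"]);
const SAFE_METHODS = new Set(["GET", "HEAD"]); // must never change settings

// Origin of the page that triggered the request, or null if the browser sent none.
function sourceOrigin(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return null;
  try {
    return new URL(raw).origin;
  } catch {
    return "invalid"; // e.g. the literal "null" origin of a sandboxed page
  }
}

function checkAdminRequest(req, state) {
  const src = sourceOrigin(req.headers);
  // A request started by a page on any other site is refused outright,
  // even though it reaches the router from a LAN address.
  if (src !== null && !ROUTER_ORIGINS.has(src)) {
    return { allow: false, reason: "cross-site request" };
  }
  // Settings changes must prove they came from the router's own pages.
  if (src === null && !SAFE_METHODS.has(req.method)) {
    return { allow: false, reason: "state change without origin" };
  }
  // While the factory password is in place, only the password page works.
  if (state.passwordIsDefault && req.path !== "/set-password") {
    return { allow: false, reason: "default password still set" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample: a settings request fired by a page on another site.
const sample = {
  method: "POST",
  path: "/apply.cgi",
  headers: { origin: "http://news.example" },
};
console.log(checkAdminRequest(sample, { passwordIsDefault: true }));
```
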

From what I can gather, the page uses Java(Script) to access the router's config page and because it looks like it's coming from within the network, the router allows it access. The script then auths with the default username/password et voila it's in and causes havoc.
Specially crafted pages that use the default password. Which works on many routers because many do not change their password. If *that's* not user stupidity, then what is?
IF router_password == admin
router_password = pwned;
ENDIF
I'm pretty sure anyone who knows about Neowin doesn't use a default password anyway. The word needs to be spread to the mainstream level. Maybe add a few notices to the boxes or have Best Buy employees warn the customers as they buy the router.
Actually, it's javascript so it would be:
var pwned = "Change your password, stupid-head!";
var router_password = "admin"; // the factory-default value the joke assumes
if ( router_password == "admin" )
{
    alert(pwned);
}
Hah yeahh I figured I should have done it that way, but I've been doing a lot of AS/400 programming lately for an assignment due, so I kinda mixed pseudo code with CL and scripting. I'm weird.
http://portforward.com/routers.htm
Scary if you do
second thought that'd be cool.
Because, of course, Symantec firewalls NEVER get hacked. Ever. Never ever. Nope. Never happens.
Oh noes! JavaScript is the EVUL!!
FFS. 95% of home users allow their web browsers to "use JavaScript code" because otherwise they wouldn't see a damn thing when browsing the Web.
Seeing as every home router available has a "quick setup" sheet with it that clearly states "this is the default username and password, change it as soon as possible" on it then anybody who doesn't deserves everything they get. If you can't be bothered to read, don't come crying to me when your connection gets pwned.
Anyways, custom firmware + strong password = win.
What custom firmware are you referring to?
HyperWRT Thibor?
If so,
Mine fell into odd category: "WRT54G v1-v4 CDFB"
Current version firmware downloads can be found here:
model                serial no. prefix   upgrade from stock firmware   upgrade from HyperWRT
WRT54G v1-v4         CDF0-CDF9,CDFA      HyperWRT G Thibor15c          HyperWRT G Thibor15c
WRT54G v5-v7         CDFB                not compatible                not compatible
WRT54GL v1-v1.1      CL7A,CL7B           HyperWRT G Thibor15c          HyperWRT G Thibor15c
WRT54GS v1-v3        CGN0-CGN5           HyperWRT GSv3 Thibor15c       HyperWRT GSv3 Thibor15c
WRT54GS v4           CGN6                HyperWRT GSv4 Thibor15c       HyperWRT GSv4 Thibor15c
WRT54GS v5-v6        CGN7                not compatible                not compatible
WRTSL54GS v1-v1.1    CJK0, CJK1          HyperWRT SL Thibor17rc3       HyperWRT SL Thibor17rc3
Any tips?
Thanks
my password is not admin,
nor do I broadcast,
Wep & Wpa encryption require key,
acceptable wireless mac table
Lan host is outside range of DHCP
cloned mac address,
connections set to 5
non-standard subnetmask 255.255.255.xxx
starting ip 192.168.1.100
hardset port forwarding tcp, no-udp
I bet Symantec wants us to rid them of black box firewalls!
Problem solved for the home user..
back to the topic. they should in fact list this with their statistics, otherwise this gives a false picture of people's security awareness. as stated here already, most of us who bought a router know exactly not to do this. but the majority of people have it installed by somebody else, e.g. their ISP.