Hack Lets Intruders Sneak into Home Routers



If you haven't changed the default password on your home router, let this recent threat serve as a reminder.

Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

"I have been able to get this to work on Linksys, D-Link and Netgear routers," Symantec researcher Zulfikar Ramzan said. "You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this."

After a router's DNS setting is changed, all computers connected to the device will use the DNS server set up by the attacker to find their way on the Internet. DNS functions like the phonebook of the Internet, mapping text-based addresses such as www.news.com to actual numeric Internet Protocol addresses of a Web site.

The attack works on any type of home router, but only if the default router password hasn't been changed, Ramzan said. The malicious JavaScript code embedded on the attacker's Web page logs into the router using the default credentials--often as simple as "admin" and "password"--and changes the settings.

"One of the issues is that the set-up steps in the router don't prompt you to change the password," Ramzan said. As a result, many people never properly configure their networking gear, he said.

In crafting their proof-of-concept attack code, Ramzan and researchers at Indiana University built upon earlier research that showed how JavaScript could be used for malicious purposes. Jeremiah Grossman, chief technology officer at WhiteHat Security, demonstrated how JavaScript let outside attackers target internal corporate networks.

Grossman is impressed by the Symantec and Indiana University work. "This is very dangerous stuff and could be highly effective if used in the wild," he said.

Router makers already know of the problems with default passwords as well as other security concerns, they said. Linksys, for example, recommends that customers change the default password during the installation procedure, said Karen Sohl, a representative for the company, a division of Cisco Systems. "We are aware of this," she said.

On its Web site, Linksys warns users that miscreants are taking advantage of the default passwords. "Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device's password so it will be hard to guess," the company states.

Still, although Linksys' software recommends the password change, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. The company offers detailed information on how to change the router password on its Web site. Netgear and D-Link also recommend password changes.


People have known this for years and it's just now making headway. Go figure. I've been beta testing dd-wrt v24 firmware for the La Fonera router for a while now and every time I receive one to test I have to use a form to inject a script action into the router to get it to enable ssh so that I can have full access to it, since this is disabled by the manufacturer.

I enjoy getting into routers with default passwords :D, and the beautiful thing is that most routers will show the model name in the login prompt, put that in Google and you get the default password :D I don't make any change though :)

Another good tip is to change the web interface of your router to any other port, if it supports that feature, to anything instead of the default 80 or 8080.

Is that not the first thing you do?

Change the encryption to WPA2 and set the password to your own.

Leaving anything at default is bad.

No, the first thing you do is turn off the WLAN as you should be connecting using the supplied cable. Then you change the password and reenable WLAN (with elevated security) if needed.


First thing you do is disable WAN and just connect via Ethernet.

Why would you have not changed your default user password?

everyone is "admin"

now I can see why you would want to change the password, but some people might think just disable wireless or have wireless but disable being able to remote access the router over the wifi then they would think the admin password would just be used to access the router internally. Obviously this hack says otherwise. Or wait, what if you have remote access disabled, then it would be safe from this problem wouldn't it?

I was once sitting with my laptop near our city council. I tried to find a hotspot to use the net, and well, there was only one; it was named "saviv" (which is short for "city council" in Lithuanian). It of course was unsecured, so I was able to get in right away. I didn't do any damage except that I changed the default password :)

now I can see why you would want to change the password, but some people might think just disable wireless or have wireless but disable being able to remote access the router over the wifi then they would think the admin password would just be used to access the router internally. Obviously this hack says otherwise. Or wait, what if you have remote access disabled, then it would be safe from this problem wouldn't it?

No, because the hack is run on a system inside the network. Remote access doesn't apply; in pretty much every config I've seen it is not on by default (as that's too insecure even for the router firmware suppliers to consider a Good Thing For Clueless Users To Have Automatically Enabled[tm]).
