Hack Lets Intruders Sneak into Home Routers

By Rappy
in Back Page News

 Share

Recommended Posts

Grand Master

Rappy Veteran

Posted
  • Veteran
Posted
If you haven't changed the default password on your home router, let this recent threat serve as a reminder.

Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

"I have been able to get this to work on Linksys, D-Link and Netgear routers," Symantec researcher Zulfikar Ramzan said. "You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this."

After a router's DNS setting is changed, all computers connected to the device will use the DNS server set up by the attacker to find their way on the Internet. DNS functions like the phonebook of the Internet, mapping text-based addresses such as www.news.com to actual numeric Internet Protocol addresses of a Web site.

The attack works on any type of home router, but only if the default router password hasn't been changed, Ramzan said. The malicious JavaScript code embedded on the attacker's Web page logs into the router using the default credentials--often as simple as "admin" and "password"--and changes the settings.

"One of the issues is that the set-up steps in the router don't prompt you to change the password," Ramzan said. As a result, many people never properly configure their networking gear, he said.

In crafting their proof-of-concept attack code, Ramzan and researchers at Indiana University built upon earlier research that showed how JavaScript could be used for malicious purposes. Jeremiah Grossman, chief technology officer at WhiteHat Security, demonstrated how JavaScript let outside attackers target internal corporate networks.

Grossman is impressed by the Symantec and Indiana University work. "This is very dangerous stuff and could be highly effective if used in the wild," he said.

Router makers already know of the problems with default passwords as well as other security concerns, they said. Linksys, for example, recommends that customers change the default password during the installation procedure, said Karen Sohl, a representative for the company, a division of Cisco Systems. "We are aware of this," she said.

On its Web site, Linksys warns users that miscreants are taking advantage of the default passwords. "Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device's password so it will be hard to guess," the company states.

Still, although Linksys' software recommends the password change, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. The company offers detailed information on how to change the router password on its Web site. Netgear and D-Link also recommend password changes.

link_go.pngSOURCE

Grand Master

h3xis

Posted
Posted

People have known this for years and it's just now making headway. Go figure. I've been beta testing dd-wrt v24 firmware for the La Fonera router for a while now and everytime I receive one to test I have to use a form to inject a script action into the router to get it to enable ssh so that I can have full access to it, since this is disabled by the manufacturer.

Grand Master

+Tantawi Subscriber²

Posted
  • Subscriber²
Posted

I enjoy getting into routers with default passwords :D, and the beautiful thing is that most routers will show the model name in the login prompt, put that in Google and you get the default password :D I don't make any change though :)

Another good tip is to change the web interface of your router to any other port, if it supports that feature, to anything instead of the default 80 or 8080.

Mentor

+mrbester MVC

Posted
  • MVC
Posted
Is that not the first thing you do

Change the encryption to WPA2 and set the password too your own.

Leaving anything at default is bad.

No, the first thing you do is turn off the WLAN as you should be connecting using the supplied cable. Then you change the password and reenable WLAN (with elevated security) if needed.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted
No, the first thing you do is turn off the WLAN as you should be connecting using the supplied cable. Then you change the password and reenable WLAN (with elevated security) if needed.

first thing you do is disable wan and just connect via eithernet

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted
why would you have not changed your default user password

everyone is "admin"

now I can see why you would want to change the password, but some people might think just disable wireless or have wireless but disable being able to remote access the router over the wifi then they would think the admin password would just be used to access the router internally. Obviously this hack says otherwise. Or wait, what if you have remote access disabled, then it would be safe from this problem wouldn't it?

Collaborator

Rytis

Posted
Posted

I was once sitting with my laptop nearby out city council. I tried to find a hotspot to use the net, and well, there was only one, at was named "saviv" (which is short for "city council" in Lithuanian. It of course was unsecured, so I was able to get in right away. I didn't do any damage except that I changed the default password :)

Mentor

+mrbester MVC

Posted
  • MVC
Posted
now I can see why you would want to change the password, but some people might think just disable wireless or have wireless but disable being able to remote access the router over the wifi then they would think the admin password would just be used to access the router internally. Obviously this hack says otherwise. Or wait, what if you have remote access disabled, then it would be safe from this problem wouldn't it?

No, because the hack is run on a system inside the network. Remote access doesn't apply; in pretty much every config I've seen it is not on by default (as that's too insecure even for the router firmware suppliers to consider a Good Thing For Clueless Users To Have Automatically Enabled[tm]).

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • [NEWS] Over 105000 games are available to play on Linux.

      By Circaflex · Posted

      Or anything online that requires an anti-cheat
    • Here is the new Surface Laptop Ultra wallpaper in high resolution

      By FunkyMike · Posted

      Gf needed a new Surface and was looking at a Surface Laptop because of the Snapdragon. Seeing as it was a two year old chip she just decided to get a Lenovo Yoga 2 in 1 instead. Personally this Surface Ultra Cassis reminds me a bit of Razor. It would be interesting if it could handle proper gaming and be 17 inch.
    • [NEWS] Over 105000 games are available to play on Linux.

      By Case_f · Posted

      No idea, frankly, I'm not into minimum requirements gaming, but it would be an interesting test to find out. Also, I just have to point out that it wasn't my intention to downplay the performance of DXVK on Linux or Linux gaming in general (despite my own experience being a bit of a mixed bag). I just thought it would be good to point out that DXVK is not Linux exclusive and that you can benefit from using it even in Windows.
    • Fastfetch 2.64 released bringing new logos and other improvements

      By David Uzondu · Posted

      Fastfetch 2.64 released bringing new logos and other improvements by David Uzondu Fastfetch, the popular command-line system information tool that developers created as a fast alternative to the classic Neofetch utility, has updated its codebase to version 2.64, bringing experimental scripting power, streamlined compilation options, a smarter logo renderer, and Codec module support. As noted earlier, Fastfetch can now detect hardware-accelerated video codecs across Windows, macOS, Linux, and Android through this new Codec module. On Linux and BSD, the utility uses VA-API by default, with a fallback to VDPAU on Nvidia hardware if compiled with libva and libvdpau. Windows users get D3D12VA on Windows 11 or D3D11VA with Media Foundation Transforms on older systems, while macOS relies on VideoToolbox and Android utilizes AMediaCodec. You can manually toggle Vulkan Video via the config file, and the program will report both encoders and decoders unless configured otherwise. Logo support for Quasar, Origami, Origami_small, NixOS2, and BerserkArch also landed in this release. BerserkArch, if you have never heard of it, is a specialized Arch Linux derivative that targets security researchers and power users. This distro comes with an offensive security tool manager, simply called berserk, which allows users to install complex hacking toolkits with single terminal commands. Moving on, Fastfetch now has experimental scripting options for custom formats using Lua or QuickJS. The Lua integration supports versions 5.3 through 5.5, sharing a single interpreter instance across all modules so you can store variables globally. T Alternatively, if you prefer JavaScript, you can use QuickJS-ng version 0.15.0 or newer to evaluate your custom formats with the qjs: prefix. Other changes that version 2.64 brings include native CMake compilation flags to disable specific modules to shrink the final binary size. Users can delete unwanted ASCII logo files directly from the source directory before building to save additional space. The format engine now boasts ANSI-escape awareness, meaning you can center text with the new vertical bar specifier without breaking colored outputs. Haiku users receive preliminary support for boot manager, window manager theme, screen brightness, and other basic properties. Finally, the Linux edition now extracts desktop wallpaper and theme details from the modern COSMIC desktop environment.
    • [NEWS] Over 105000 games are available to play on Linux.

      By Xenon · Posted

      That's a good number until the game you want to play is not in that list. 

  • Recent Achievements

    • Apprentice
      fernan99 went up a rank
      Apprentice
    • One Month Later
      nothanks earned a badge
      One Month Later
    • One Month Later
      B2Proxy earned a badge
      One Month Later
    • One Year In
      MadMung0 earned a badge
      One Year In
    • Week One Done
      jefred earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      474
    2. 2
      PsYcHoKiLLa
      246
    3. 3
      Skyfrog
      79
    4. 4
      FloatingFatMan
      78
    5. 5
      Michael Scrip
      59
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!