My ISP issues 2Wire modem/router/WAP boxes now. I found it very
interesting to explore what (few) changes require a password and what
ones do not.
In particular, packet filter and port forwarding changes require no
password at all - so changing your password on the router wouldn't do
you any good against drive-by changes to those settings. I'll have to
look when I get home whether DNS server changes would.
A bit OT, but there's also the fact that since these devices are
considered ISP equipment - they include the modem that connects to
telco lines - the ISP has one, global, password for all home routers
on their network, and can admin them from the 'outside' of your home
network. Given big telco security standards, not a very reassuring
thought.
Regards
Mark
On 2/15/07, Zulfikar Ramzan wrote:
> We discovered a new potential threat that we term "Drive-by
> Pharming". An attacker can create a web page containing a simple piece of
> malicious JavaScript code. When the page is viewed, the code makes a login
> attempt into the user's home broadband router and attempts to change its DNS
> server settings (e.g., to point the user to an attacker-controlled DNS server).
> Once the user's machine receives the updated DNS settings from the router
> (e.g., after the machine is rebooted) future DNS requests are made to and
> resolved by the attacker's DNS server.
>
> The main condition for the attack to be successful is that the attacker
> can guess the router password (which can be very easy to do since these home
> routers come with a default password that is uniform, well known, and often
> never changed). Note that the attack does not require the user to download any
> malicious software - simply viewing a web page with the malicious JavaScript
> code is enough.
>
> We've written proof of concept code that can successfully carry out the
> steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users
> change their home broadband router passwords to something difficult for an
> attacker to guess, they are safe from this threat.
>
> Additional details on the attack can be found at: http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
>
> Thanks,
>
> Zulfikar Ramzan
>
>
> ________________________________________
>
> Zulfikar Ramzan
> Sr. Principal Security Researcher
> Advanced Threat Research
> Symantec Corporation
> www.symantec.com
Still using the default password that came with that nice broadband router
you installed at home? Time to get off your butt and change it: visiting the
wrong website is enough to have key settings changed on the most popular
models.
That could unleash all kinds of new phishing expeditions, Symantec says. For
example, the new DNS could route a request for bankofamerica.com or Microsoft's
update site to fraudulent sites that steal login details or install back doors.
A proof of concept works with popular models made by Linksys, D-Link and
Netgear, but only if they use the default password. Hence, the attack can be
thwarted by setting a new password that's not easy to guess.
As with many of the recently discovered browser-related vulnerabilities,
attacks also require JavaScript to be enabled. Running a program such as the
NoScript extension to Firefox is also a safeguard in these cases.
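To make the two weaknesses in the thread concrete (Ramzan's point that a correct-but-default password is all the router asks for, and Mark's point that some settings ask for no password at all), here is an added example of how a router's admin endpoint should gate setting changes. It is a constructed model, not code from 2Wire, Symantec or any router vendor; the router address, action names and token handling are assumptions.

```python
# Constructed model of a home-router admin endpoint. A browser-originated
# request from another site must be refused even when it carries the right
# password, because the attacker's page can supply the (default) password
# but cannot read a token bound to the victim's admin session.
from dataclasses import dataclass, field
from typing import Optional
import hmac

ROUTER_ORIGIN = "http://192.168.1.1"          # assumed LAN address of the router
SENSITIVE_ACTIONS = {"set_dns", "set_port_forward", "set_packet_filter"}


@dataclass
class Request:
    action: str
    origin: Optional[str]          # Origin header sent by the browser, if any
    auth_password: Optional[str]   # credential supplied with the request, if any
    csrf_token: Optional[str]      # per-session token echoed from the admin form
    params: dict = field(default_factory=dict)


def decide(req: Request, router_password: str, session_token: str) -> str:
    """Return 'allow' or a refusal reason. Every setting-changing action is
    gated by all three checks, in the order the attack chain would hit them."""
    if req.action not in SENSITIVE_ACTIONS:
        return "allow"
    # 1. No password at all must never be enough (the packet-filter case).
    if not req.auth_password or not hmac.compare_digest(req.auth_password, router_password):
        return "deny: bad or missing credentials"
    # 2. A request from any site other than the router's own admin pages is
    #    cross-site; the password check alone does not distinguish it.
    if req.origin != ROUTER_ORIGIN:
        return "deny: cross-site origin"
    # 3. A token tied to the admin session, which a third-party page cannot obtain.
    if not req.csrf_token or not hmac.compare_digest(req.csrf_token, session_token):
        return "deny: missing or wrong csrf token"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a page on another site posting the default password.
    cross_site = Request("set_dns", "http://other.example", "admin", None,
                         {"dns": "192.0.2.53"})
    print(decide(cross_site, "admin", "s3ss10n-t0k3n"))   # deny: cross-site origin
```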