By Walaika Haskins TechNewsWorld
02/16/07 2:23 PM PT
Symantec and Indiana University have warned of a security weakness that could leave users open to attack through their routers if the devices are left on their default settings. Router manufacturers regularly include with their products materials informing buyers about the need to change their default passwords. How many consumers, though, are tech-savvy enough to heed the warnings?
Home network users could be vulnerable to attacks from hackers who can alter the configuration of a broadband router or wireless access point. Symantec (Nasdaq: SYMC) released its "Drive-By Pharming" attacks report Thursday, roughly two months after security researchers at Symantec and Indiana University first published their conclusions in a white paper last December.
"I believe this attack has serious widespread implications and affects many millions of users worldwide," Zulfikar Ramzan, a senior principal researcher at Symantec, wrote on the company's Security Response blog. "Fortunately, this attack is easy to defend against as well."
Attack Strategy
The problem stems from inexpensive plug-and-play broadband routers, according to the researchers' proof-of-concept. These devices are shipped from the factory with a default password that most home users would never think to change. Hackers, however, are aware of the risk these unchanged passwords pose when combined with a Web site that includes malicious JavaScript code.
The attack is twofold. First, the hacker creates a phony Web page that includes the malignant JavaScript code. When a home user views the page, the code, running in the context of a Web browser, uses a technique known as Cross-Site Request Forgery and logs into the user's home broadband router, Ramzan explained. In general, these routers require a password to log in.
However, as most people do not change the default password, and detailed information on the factory-set passwords is readily available online, criminals can successfully log into the router. Then, it is just a matter of allowing the JavaScript to go to work changing the router's settings.
Details in the DNS
"One simple, but devastating, change is to the user's DNS (Domain Name System) server settings," Ramzan said.
Every computer that is directly accessible to the Internet is identified by a unique combination of numbers such as "129.79.78.8," known as an Internet Protocol (IP) address.
To keep the Internet easy to use, however, surfers enter a Web address associated with the IP address rather than the numbers themselves. To access the site, the request is sent through a DNS server, typically designated by the user's Internet Service Provider (ISP), which looks up the numbers that belong to the name.
The security researchers found that an attacker can modify the settings on a home wireless router to "dictate which DNS server" it uses. Even worse, Ramzan said, hackers can designate a server they have created that could contain fraudulent records that will direct a computer to go to a fraudulent Web site that looks legitimate, such as a bank's Web site. Users would never know the difference and would have given the criminals access to their bank account information, said Ramzan.
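A defender-side check for the tampering described above, as an added example that is not part of the original article or the researchers' work: it flags resolvers the owner never configured and lookups for a sensitive hostname that land outside the address ranges pinned for it. The hostnames, addresses, resolver list and function names are assumptions built from reserved documentation ranges.

```python
import ipaddress
import socket

# Constructed sample data: example hostnames and documentation address ranges.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}
PINNED_NETWORKS = {"bank.example": ["203.0.113.0/24"]}

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers in use that are not on the owner's expected list."""
    return [s for s in servers if s not in expected]

def misdirected_hosts(answers, pinned=PINNED_NETWORKS):
    """Return (host, address) pairs where a resolved address falls outside
    every network pinned for that host."""
    findings = []
    for host, addresses in answers.items():
        networks = [ipaddress.ip_network(n) for n in pinned.get(host, [])]
        if not networks:
            continue  # nothing pinned for this host, nothing to compare
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in networks):
                findings.append((host, addr))
    return findings

def resolve_with_system_resolver(hosts):
    """Live lookup through whatever resolver the router handed out."""
    answers = {}
    for host in hosts:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        answers[host] = sorted({info[4][0] for info in infos})
    return answers

if __name__ == "__main__":
    sample_conf = "# constructed sample\nnameserver 192.168.1.1\nnameserver 192.0.2.66\n"
    print(unexpected_resolvers(parse_nameservers(sample_conf)))
    print(misdirected_hosts({"bank.example": ["203.0.113.10", "192.0.2.80"]}))
```

A client that points at the router itself will not show a changed upstream server in its own configuration, which is why the answer check matters alongside the resolver list; the pinned ranges have to be refreshed when a site moves hosting.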
Simple Fix
This type of attack poses a potentially serious threat because millions of consumers and small businesses use broadband routers, Victoria Fodale, an analyst at In-Stat, told TechNewsWorld. "According to In-Stat Broadband CPE market tracking research, in 2005 just over 24 million broadband routers shipped worldwide," she said. "In 2006, this number could top 28 million."
Correcting the problem is relatively simple. It all comes down to educating end users about the need to change their router passwords, Rob Ayoub, a security analyst at Frost & Sullivan, told TechNewsWorld.
"I don't really find the attack all that ingenious," he said. "It simply takes advantage of a typically insecure area of the home user's network."
The JavaScript component of the attack can only work if the router's password has not been changed. However, Fodale estimates that some 50 percent of consumers and small businesses currently use the default password setting.
Dirty Little Secret
Router manufacturers such as Linksys, D-Link and Netgear are aware that this problem exists. Netgear, in its "Guide to Internet Security," urges its customers to "never leave a password at its default value." In the Linksys Web site's Learning Center, changing the default password is No. 1 on its list detailing "How to Secure Your Network."
The problem, however, is that most users are not even aware that their router has a password, Avivah Litan, an analyst at IDC, told TechNewsWorld. "The risk is very serious," she asserted. "No one knows what is in their router or how to log in and change the password. Most people have no idea what you're talking about," claimed Litan.
"And the best way to fight this is on the back end from the banks, credit cards and other companies that protect your money," she added. "They are the ones that really need to worry about this because you can't expect consumers to become technical gurus overnight. It is beyond their control to fix this and it's up to the infrastructure companies like the browser companies and DNS and certificate authorities."
Andrew Jaquith, security research program manager at Yankee Group, agreed that the solution needs to come from the router industry. The research shines a light on one of the consumer electronics industry's dirty little secrets -- poor default settings for home routers and wireless access points, he told TechNewsWorld.
"You would think that Cisco (Nasdaq: CSCO), a company with significant security assets, might do a better job helping consumers get and stay secure out of the box," he said.
Manufacturers could easily alleviate the problem, according to Jaquith. "There are very simple things that manufacturers could do, like personalizing the manufacturing process so that a unique factory password is generated and printed and put into the box," he suggested. "They do this with serial numbers, so why wouldn't creating a unique password be any different?"
Consumers should get used to hearing of these sorts of potential attacks, Jaquith predicted. "Unless and until manufacturers like Linksys, D-Link, and Netgear get serious about giving consumers a secure out-of-the-box experience, these kinds of attack possibilities -- and at the moment that is all they are -- will keep popping up," he concluded.