Original URL: http://www.channelregister.co.uk/2007/02/15/router_vuln/
Broadband routers welcome drive-by hackers
JavaScript-enabled DNS chicanery
Posted in Software & Security, 15th February 2007 20:27 GMT
Free whitepaper – Straight Talk with Dell: Sending out an SaaS
Still using the default password that came with that nice broadband router you installed at home? Time to get off your butt and change it: visiting the wrong website is enough to have key settings changed on the most popular models.
Symantec warns (http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html) attackers can employ a simple piece of JavaScript to modify a router's domain name server settings. Once the router is rebooted, a rogue DNS will send the victim to spoofed websites with malicious intent.
That could unleash all kinds of new phishing expeditions, Symantec says. For example, the new DNS could route a request for bankofamerica.com or Microsoft's update site to fraudulent sites that steal login details or install back doors.
A proof of concept works with popular models made by Linksys, D-Link and Netgear, but only if they use the default password. Hence, the attack can be thwarted by setting a new password that's not easy to guess.
As with many (http://www.theregister.com/2007/02/15/firefox_vuln/) of the recently discovered (http://www.theregister.com/2007/02/13/browser_vulns/) browser-related vulnerabilities, attacks also require JavaScript to be enabled. Running a program such as the NoScript (http://noscript.net/) extension to Firefox is also a safeguard in these cases. ®