Security mavens have uncovered a design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website.

The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce companies or health care organizations. The exploit works even if a user has changed the default password of the router. And it works regardless the operating system or browser the computer connected to the device is running, as long as it has a recent version of Adobe Flash installed.

"This is a huge problem," Adrian Pastor, of the prolific hacking organization GNUCitizen, said in an instant message.

The problem resides in Universal Plug and Play, a feature built in to most routers used for home networks so machines running games, instant messaging programs and other applications will work seamlessly with the devices. By exposing an end user to a malicious Flash file lurking on a website, attackers can use UPnP, as the technology is usually called, to make significant modifications to the router.

The most serious change that's possible is changing the the server PCs connected to the router use to access websites. That might cause a victim trying to access eBay or Bank of America to see spoofed pages that steal their login credentials.

The hack could also allow attackers to open ports on a victim's router. That would be useful in turning a router into what would amount to a zombie machine by forwarding ports to an external server.

The weakness, which works using the navigatetoURL function and URLRequest object specified in Flash, isn't a security flaw within Flash, the researches say. Rather they are design flaws in UPnP, which doesn't use authentication. PCs using virtually any platform and browser will change router settings, as long as they run version 8 or higher of Flash.

Routers made by Linksys, Dlink and SpeedTouch have been confirmed to be vulnerable, and other manufacturers' products are also likely susceptible to attack, the researchers said. Most routers have UPnP turned on by default. The only way to prevent the attack is to turn the feature off, something that is possible with some, but not all, devices.

The vulnerability, which was also discovered by Petko D. Petkov, is explained further here (http://www.gnucitizen.org/blog/hacking-the-interwebs). A FAQ is here (http://www.gnucitizen.org/blog/flash-upnp-attack-faq). ®

Related stories

Attack code in the wild targets new (sort of) Adobe Flash vuln (27 May 2008)
http://www.channelregister.co.uk/2008/05/27/new_adobe_flash_vuln/
Networks left open to SNMP scans (5 March 2008)
http://www.channelregister.co.uk/2008/03/05/snmp_vuln_scan/
Drive-by download menace spreading fast (23 January 2008)
http://www.channelregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/
Spotted in the wild: Home router attack serves up counterfeit pages (23 January 2008)
http://www.channelregister.co.uk/2008/01/23/pharming_attack_in_the_wild/
BEA portal product springs a leak (29 November 2007)
http://www.channelregister.co.uk/2007/11/29/bea_portal_vuln/
Miscreants subvert search results to punt malware (28 November 2007)
http://www.channelregister.co.uk/2007/11/28/botnets_use_search_to_build_zombies/
Firefox broken Jar vuln. menaces Gmail (12 November 2007)
http://www.channelregister.co.uk/2007/11/12/jar_vuln/
BT launches Home Hub backdoor investigation (9 October 2007)
http://www.theregister.co.uk/2007/10/09/bt_home_hub_hole_response/
BT home router wide open to hijackers (9 October 2007)
http://www.channelregister.co.uk/2007/10/09/bt_home_hub_vuln/
New cracks in Google mail (26 September 2007)
http://www.channelregister.co.uk/2007/09/26/gmail_backdoor_vulnerability/
Security maven: QuickTime flaw threatens PCs, Macs (12 September 2007)
http://www.theregister.co.uk/2007/09/12/quicktime_vulnerability_attacks_firefox/