In association with heise online

18 February 2007, 14:59

Home routers in danger


In a blog entry, security specialist Symantec has issued a warning about attacks on routers with default passwords. Attackers may be able to reconfigure the DNS server entry to reroute a victim's Internet traffic over a malicious server. In this procedure, called "pharming", attackers might be able to get access to the user's sensitive data or inject malicious software onto home PCs. The antivirus vendor bases its conclusions on a scientific study entitled "Drive-by Pharming" and published last December by Sid Stamm and Markus Jakobsson from the University of Indiana and Symantec's Zulfikar Ramzan.

The researchers describe how a malicious website can use a combination of Java applets and JavaScript to find a home network's internal router and possibly even identify the model. A number of routers can be reconfigured easily, for example by means of default passwords and plain HTTP access to the web interface. For instance, for a D-Link router the website could embed the following code:

<script src="http://192.168.0.1/h_wan_dhcp.cgi?dns1=69.6.6.6"></script>

This enters the IP address 69.6.6.6 as the DNS server, and the router in turn hands that address out via DHCP to all clients in the local network. The clients then ask the DNS server 69.6.6.6 for the IP address of, for example, www.heise-security.co.uk, and might receive an answer such as 217.111.81.80, controlled by the attacker.

In addition to the obvious remedy of changing the router's default password, the researchers also recommend some general steps that can be taken to protect yourself against browser attacks from the internal network and against pharming. First, they recommend switching to digitally signed Java applets whenever possible and imposing strict restrictions on unsigned, "untrusted" applets for access to the network. In addition, they say that Internet providers can also help prevent pharming attacks by permitting DNS traffic only to their own name servers.
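A defender-side check that follows from the DHCP step described above and from the advice to keep DNS traffic on known resolvers, added here as an example; it is not code from the original article or from the "Drive-by Pharming" study. It parses a dhclient-style lease, lists the resolvers the router handed out, and flags any that are neither the router itself nor the ISP's published resolvers. The lease text is constructed, and the ISP resolver range 203.0.113.0/24 is a placeholder.

```python
import ipaddress
import re

# Constructed sample dhclient lease, as a home PC might record it after the
# router's DHCP server was reconfigured to hand out the article's rogue
# resolver (69.6.6.6) next to the router itself. Not real captured data.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 69.6.6.6, 192.168.0.1;
}
"""

# Resolvers this network is expected to use: the router (assumed LAN gateway
# and forwarding resolver) plus the ISP's published resolvers. The ISP range
# is a PLACEHOLDER; substitute the addresses your provider actually lists.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.168.0.1/32"),
    ipaddress.ip_network("203.0.113.0/24"),  # PLACEHOLDER ISP resolver range
]

_DHCP_DNS = re.compile(r"option\s+domain-name-servers\s+([^;]+);")

def dns_servers_from_lease(lease_text):
    """Resolver addresses advertised in a dhclient-style lease file."""
    servers = []
    for match in _DHCP_DNS.finditer(lease_text):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers

def rogue_resolvers(servers, trusted_nets=TRUSTED_RESOLVER_NETS):
    """Resolvers outside every trusted network; unparseable entries count too."""
    rogue = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            rogue.append(server)  # not even a valid address: flag it
            continue
        if not any(addr in net for net in trusted_nets):
            rogue.append(server)
    return rogue

if __name__ == "__main__":
    found = dns_servers_from_lease(SAMPLE_LEASE)
    print("unexpected resolvers:", rogue_resolvers(found))  # ['69.6.6.6']
```

On a real host, feed it the contents of the dhclient lease file (or the equivalent from your DHCP client) and run it from a periodic job so a changed resolver is noticed before the next login form is served from the wrong address.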

(ehe)

Permalink: http://h-online.com/-732317