Symantec reports first active attack on a DSL router
Symantec has reported in its blog on successful attacks against the routers of Mexican internet users. The routers had their DNS settings altered by a simple link embedded in an e-mail posing as an e-card; when the mail client loads the link, it issues an HTTP GET request to the router. The attackers thus used the victim's own mail client, which sits inside the home network, as a springboard to reconfigure the router.
Once the changes have been made, the router resolves the name of a well-known Mexican bank to the IP address of a phishing site. Apparently the phishers took advantage of the fact that there was no password required to reconfigure the router. It is not known how many users fell victim to the phishers.
Reports of security issues with routers are on the rise. Last week it was reported that certain routers, mainly in use in the UK, contain vulnerabilities. In that case, a cross-site scripting hole in the login dialogue can be used to reconfigure the router via its UPnP interface, and UPnP requires no authentication at all. According to the reports, UPnP attacks can even be launched against routers that do not contain XSS holes: specially crafted Flash applets written in ActionScript are reportedly capable of reconfiguring any router on which UPnP is active.
Previously, a vulnerability came to light in Linksys' WRT54GL router that underscored the session riding or cross-site request forgery (CSRF) problem, which was first described three years ago. In that case, however, the owner of the router has to be logged in to the web interface while visiting a manipulated web site. Besides switching off the firewall, it is also conceivable that an attacker could deactivate the WiFi encryption. According to a Bugtraq posting, the following URL works on the Alice Gate 2 Plus WiFi model with no authentication required at all:
Such a link can be hidden in an e-mail (as in the Mexican case described above), in a chat message or on a web site.
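To make the three situations described in this report concrete, here is a small simulation, written as an added example for this article and not taken from Symantec, heise or any router vendor's firmware. It models a configuration handler that accepts any GET without a password (the Mexican DSL routers and, reportedly, the Alice Gate), one that is protected by a login session but can still be ridden by a request embedded in a third-party page (the WRT54GL case), and a hardened handler that only accepts a POST from the router's own origin carrying a token bound to the session. The router address, the `/setdns` endpoint, the parameter and cookie names and the resolver addresses are all assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the router
ISP_DNS = "10.0.0.53"                  # constructed: resolver handed out by the ISP
PHISHER_DNS = "198.51.100.7"           # constructed: attacker-controlled resolver


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching the router's web UI."""
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def path(self):
        return urlsplit(self.url).path

    def query(self):
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


@dataclass
class Router:
    dns: str = ISP_DNS
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token

    def login(self):
        """Owner logs in: issue a session id and a token bound to that session."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token


def set_dns_unauthenticated(router, req):
    """Case 1: any GET to /setdns changes the resolver; no password is asked for."""
    if req.path() == "/setdns" and "dns" in req.query():
        router.dns = req.query()["dns"]
        return True
    return False


def set_dns_session_only(router, req):
    """Case 2: a login is required, but the browser attaches the session cookie
    to every request to the router, including one embedded in a third-party
    page, so the check does nothing against session riding."""
    if req.cookies.get("sid") not in router.sessions:
        return False
    return set_dns_unauthenticated(router, req)


def set_dns_hardened(router, req):
    """Case 3: POST only, from the router's own origin, with a CSRF token that
    matches the one bound to the session (constant-time comparison)."""
    sid = req.cookies.get("sid")
    if req.method != "POST" or req.path() != "/setdns" or sid not in router.sessions:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return False
    if not hmac.compare_digest(router.sessions[sid], req.form.get("csrf", "")):
        return False
    if "dns" not in req.form:
        return False
    router.dns = req.form["dns"]
    return True


def drive_by_request(sid=None):
    """What a mail client or browser sends when it loads an image tag pointing
    at the router, as the e-card did; the session cookie, if the owner happens
    to be logged in, is added by the browser itself, not by the attacker."""
    cookies = {"sid": sid} if sid else {}
    return Request("GET", f"{ROUTER_ORIGIN}/setdns?dns={PHISHER_DNS}", cookies=cookies,
                   headers={"Referer": "http://ecard.example/card.html"})


def run_scenarios():
    """Fire the drive-by request at each handler; return the resolver each router ends up with."""
    results = {}
    r = Router()                                  # case 1: no login at all
    set_dns_unauthenticated(r, drive_by_request())
    results["unauthenticated"] = r.dns

    r = Router()                                  # case 2: owner is logged in
    sid, _ = r.login()
    set_dns_session_only(r, drive_by_request(sid))
    results["session_only"] = r.dns

    r = Router()                                  # case 3: hardened, same attack, then a real change
    sid, token = r.login()
    set_dns_hardened(r, drive_by_request(sid))
    results["hardened_attack"] = r.dns
    set_dns_hardened(r, Request("POST", f"{ROUTER_ORIGIN}/setdns", cookies={"sid": sid},
                                headers={"Origin": ROUTER_ORIGIN},
                                form={"csrf": token, "dns": "10.0.0.54"}))
    results["hardened_legit"] = r.dns
    return results


if __name__ == "__main__":
    for name, dns in run_scenarios().items():
        print(f"{name:18s} resolver is now {dns}")
```

Running the script shows the first two routers ending up with the phisher's resolver and the hardened one keeping the ISP's, while a genuine change submitted from the router's own form still goes through. The token bound to the session is what actually defeats session riding; the Origin/Referer comparison is defence in depth and, as written, fails closed when neither header is sent (Referer is frequently stripped by privacy tools), which is why it must not be the only check.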
Users whose router offers UPnP are advised to deactivate it unless it is genuinely needed, and to change the default LAN subnet (usually 192.168.1.0) to a different one (e.g. 192.168.23.0), so that attacks hard-coded to the usual router address miss their target.
- Drive-by Pharming in the Wild!, Symantec blog entry
- Unwanted remote configuration for home routers, heise Security news report
- Crafted web site switches off router firewall , heise Security news report