Slashdot
Drive-By Pharming Attack Could Hit Home Networks
Posted by Zonk on Fri Feb 16, 2007 10:03 AM
from the dive-behind-the-router dept.
Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user who has not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related, more advanced techniques, which security companies will have to keep in mind to guard against future attacks.
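The mechanism in the summary is a cross-site request: the victim's browser, not the attacker, sends an HTTP request carrying the factory credentials to the router's LAN address, so a firewall on the WAN side never sees it. The following is an added example, not code from the article, the researchers or any vendor: a constructed Python model of a router admin interface in its vulnerable form and a hardened form. The `/setdns` and `/setpassword` paths, the `admin`/`admin` default, the 192.168.1.1 address and the TEST-NET resolver addresses are all assumptions for illustration. The hardened variant combines three independent checks, any one of which defeats the drive-by: nothing but a password change is accepted while the factory password is in place (the "don't route until configured" idea raised in the comments), state changes require a POST with a per-session CSRF token, and the request's Origin/Referer must be the router's own LAN address.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed factory defaults and addresses (constructed for this example;
# no particular vendor's interface is modelled).
DEFAULT_USER = "admin"
DEFAULT_PASS = "admin"
LAN_IP = "192.168.1.1"
ISP_DNS = "198.51.100.53"       # TEST-NET-2 placeholder: the ISP's resolver
ATTACKER_DNS = "203.0.113.66"   # TEST-NET-3 placeholder: the pharmer's resolver


@dataclass
class Request:
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class VulnerableRouter:
    """Web UI as the article describes it: factory password still set, any
    authenticated GET changes state, no check on where the request came from."""

    def __init__(self):
        self.password = DEFAULT_PASS
        self.dns = [ISP_DNS]

    def _authed(self, req: Request) -> bool:
        expected = basic_auth(DEFAULT_USER, self.password)
        return hmac.compare_digest(req.headers.get("Authorization", ""), expected)

    def handle(self, req: Request) -> int:
        if not self._authed(req):
            return 401
        if req.path == "/setpassword":
            self.password = req.params["new"]
            return 200
        if req.path == "/setdns":
            self.dns = [req.params["dns1"]]
            return 200
        return 404


def drive_by_request(attacker_dns: str) -> Request:
    """What the victim's browser emits when a malicious page embeds
    http://admin:admin@192.168.1.1/setdns?dns1=... in an <img> or one line of
    script. The browser supplies the URL credentials; the attacker never has
    to reach the router directly, so WAN-side firewalling does not help."""
    return Request("GET", "/setdns", {"dns1": attacker_dns}, {
        "Authorization": basic_auth(DEFAULT_USER, DEFAULT_PASS),
        "Referer": "http://evil.example/",   # constructed attacker origin
    })


class HardenedRouter(VulnerableRouter):
    """Same UI with three independent defences (see lead-in)."""

    def __init__(self):
        super().__init__()
        self.csrf_token = secrets.token_hex(16)   # per session, unreadable cross-site

    def _same_origin(self, req: Request) -> bool:
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        return origin == f"http://{LAN_IP}" or origin.startswith(f"http://{LAN_IP}/")

    def handle(self, req: Request) -> int:
        if not self._authed(req):
            return 401
        if self.password == DEFAULT_PASS and req.path != "/setpassword":
            return 403   # factory password: only a password change is allowed
        if req.method != "POST":
            return 405   # no state change on GET (defeats <img>/script URLs)
        if not self._same_origin(req):
            return 403   # request did not originate from the router's own pages
        if not hmac.compare_digest(req.params.get("csrf", ""), self.csrf_token):
            return 403   # missing or wrong anti-CSRF token
        return super().handle(req)


def admin_session(router: VulnerableRouter, new_password: str, dns: str) -> tuple:
    """A legitimate LAN user changing the password and then the DNS from the
    router's own pages. Returns the two HTTP status codes."""
    token = getattr(router, "csrf_token", "")

    def post(path, **params):
        return router.handle(Request("POST", path, dict(params, csrf=token), {
            "Authorization": basic_auth(DEFAULT_USER, router.password),
            "Origin": f"http://{LAN_IP}",
        }))

    return post("/setpassword", new=new_password), post("/setdns", dns1=dns)


if __name__ == "__main__":
    for cls in (VulnerableRouter, HardenedRouter):
        router = cls()
        status = router.handle(drive_by_request(ATTACKER_DNS))
        print(f"{cls.__name__}: drive-by status {status}, DNS now {router.dns}")
```

Against `VulnerableRouter` the drive-by returns 200 and the resolver is swapped; against `HardenedRouter` it is refused before any state is touched, and once the legitimate session has replaced the factory password the same request fails authentication outright.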
Simple solution for this (Score:3, Interesting)
2. Browsers are modified to lookup these hashes in #1 to determine if the DNS servers it is talking to are ok.
The net needs to be more secure and there need to be more checks in place through authoritative sources.
This pharming attack reminds me of when I first installed the doorbell on my house: every once in a while it would go off and nobody was at our door. It turned out that the people across the street had the same doorbell set to the default settings.
Made a mistake, please don't publicly flog me. (Score:3, Insightful)
Re:Simple solution for this (Score:5, Insightful)
2. Browsers are modified to lookup these hashes in #1 to determine if the DNS servers it is talking to are ok.
A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.
Re: (Score:3, Insightful)
I know, I know. The people who write the manuals don't actually use the products they talk about* so the manufacturer will have to make
You haven't dealt with end-users much, have you? (Score:5, Funny)
Aha, aha, ahahaha. If you DO put it in the documentation, on the top of every page, in red 24 point bold all caps, you will get hundreds of calls from irate users. If you DON'T, the number will be approximately 99% of whatever your userbase actually is. The other 1% will, as usual, stick their tongue in the wall socket to see if it's live before plugging in the device, somehow poke both their own eyes out with the ethernet cable, or eat the packet that says "DO NOT EAT."
Re: (Score:2)
Then all people need is a 3.5 postcard(s) in the box telling them to plug their computer into the router and go to http://192.168.1.1/ and follow the instructions.
I know, it's not perfect, but it's better - way better - than what's there
Re: (Score:3, Funny)
Dude, ATM machines don't even have futuristic features like that. Come back to reality.
http://it.slashdot.org/article.pl?sid=06/09/21/1819242
Re: (Score:2)
Cars ship with seatbelts and big fat warning signs in the glove box and the top side of the sun visors that tell you to use them, but an alarming number of people don't.
Yet, if your car failed to start if you weren't buckled up, p
Re:Simple solution for this (Score:5, Funny)
If they aren't buckled up, they are going ballistic anyways...it's just a matter of time.
Re: (Score:2, Funny)
Last time I checked. . . (Score:5, Insightful)
If you had all your personal papers in a safe, would you leave it set to the factory combination?
Re: (Score:2, Funny)
Exactly. The first thing I did on my router was change the password. A few months later, my forgotten password now locks me out. Does anyone have a safety pin?
Re: (Score:2, Interesting)
If you really can't remember, there is nothing wrong with taping the password to the bottom of your router. If the attacker can gain physical access to your router you have a much bigger problem than wireless security.
You shouldn't do this at your workplace, but at home it is acceptable...
I don't do this, I know the (strong) password of my Access Point
Re: (Score:3, Insightful)
You're right of course. But, part of the problem is simply consumer education.
It used to be that only people who knew a fair amount about computers used them. They were a self educating populace. The adoption of computers and home networks by a lot of people has actually happened faster than the corresponding education of people about
Re: (Score:3, Informative)
When I switched from DSL to Verizon's FIOS, I got an Actiontec MI424WR router. By default, it was configured with a randomly generated SSID and
Re: (Score:3, Insightful)
Then hitting the reset on the router just caused this to happen again with a newly created password.
Voilà, no more default passwords.
Re: (Score:3, Funny)
President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?
Dark Helmet: 1 2 3 4 5.
President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
Dark Helmet: Yes, sir!
President Skroob: And change
Legal issues (Score:5, Informative)
Right now she has a client that is being sued for quite an amount of money by the music industry for downloading lots of music through P2P services. He claims he never did this, that he never listens to music on his computer.
It turns out that he lives in an apartment block, knows very little about computers in general, but thought that this thing with wireless networks was really fancy. I think you can figure out the rest of that story. My sister is having quite a bit of trouble convincing the music industry of what is obvious; I don't know what the outcome of this case is or if it has been taken to court yet.
According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.
I think there are many interesting legal issues in this.
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:3, Insightful)
I'm not sure that's relevant. I can't speak for Danish law, but there are a lot of laws in Britain you can break with no ill intent or action on your part. As a general rule, you are responsible for your Internet connection there and the laws are worded such that you're responsible on the basis of the end result and chain of responsibility, not bad-faith actions on your part.
I've heard of people (as in my mother is a lawyer and has assisted them, this is not friend-of-a-friend stuff) being arrested after
Show your sister this article! (Score:4, Interesting)
Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do.
Re: (Score:2)
Re: (Score:2)
The reason I don't know about the outcome of this case could be because it is somehow not public information, perhaps it will be at some point, I don't know.
not with my 2wire router (Score:5, Interesting)
Comcast (Score:4, Insightful)
Re: (Score:2)
Could some elaborate on this? My understanding was always that cable and DSL providers provide modems to their customers. Do cable ISPs now manufacture, sell, rebrand or distribute "routers", or is the poster talking about Linksys, Netgear et al. consumer NAT boxes purchased by the user?
Re: (Score:2)
Re: (Score:2)
So, how do you tell your clueless neighbors? (Score:3, Interesting)
Like this.... (Score:5, Insightful)
[YOU] "Do you have a [brand] router?"
[NEIGHBOR] "Yes, I do."
[YOU] "My computer keeps detecting it, thinking it can log on - did you set a password, WEP etc.?"
[NEIGHBOR] "What's that?"
[YOU] "It's how you keep anyone other than yourself from being able to access your internet connection,
if it's not secure, anyone within your router's range can log in....I can help you if you'd like"
The sequel (Score:5, Funny)
(Later)
[NEIGHBOR]
[COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change.
[NEIGHBOR] An idiot is me.
[COP] Yes. Yes, an idiot is you.
Re: (Score:2)
I have one such neighbor, and I have considered logging into their wide-open AP and rebooting it or setting WEP keys or some such, but such measures would of course fail, since they are clueless.
Well, being clueless, they will ask their most computer-savvy neighbor for advice. That would be you. You come over and "fix" their AP, and in the course of fixing it "discover" that it is also insecure. Then you advise them on how to properly secure it.
Re: (Score:3, Insightful)
you mean like for example *their* printer?
I did that to some AF guys once. I printed a page with orders to call me in giant letters. They were pretty good natured about it and actually appreciated that I was helping them.
The Ah-nold response (Score:2)
Ah, now if we could only invent a way of delivering a swift kick through the internet.
So let's set good passwords (Score:5, Funny)
A big part of the problem is poor documentation (Score:5, Informative)
I also needed to get this router configured on my Linux box...this required that I read some "outside documentation" - where I would learn of such things as passwords, WEP, etc.
Anyway, it turns out the Windows auto-install script set this thing up with no protection whatsoever. It was only after I read the HOWTOs on the internet that I was able to go back and secure my router for both Linux and Windows.
I lived in a couple of neighborhoods since then and, when I fire up my laptop, there are usually one or two unsecured routers that get auto-detected.
I can only assume there are scores of "average users" with no idea they are sharing their internet access with their neighbors or anyone who "drives by".
Best security software in the world won't do much good if you don't tell the user what it is and how to use it.
Re: (Score:2, Informative)
Anyway, it turns out the Windows auto-install script set this thing up with no protection whatsoever. It was only after I read the HOWTOs on the internet that I was able to go back and secure my router for both Linux and Windows.
I know it's always hip to bash Windows on slashdot, but to be fair: in Windows XP the applet that handles wireless connections says "unsecured wireless connection" right there in the dialog. The problem here is the software that comes with these access points: they are b
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
After 30 days the number of default configuration routers in my neighborhood dropped significantly. I forced them all t
how nice of Symantec to develop this (Score:2)
Re: (Score:2)
This isn't about wireless access! (Score:5, Informative)
This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.
What the Phudge? (Score:2)
Re: (Score:2)
It's part of a culture that goes back to The Beginning.
What's the saying from roots? If you don't know where you came from you wont know where you're going.
Re: (Score:2)
These days, it's just idiot reporters who don't bother to actually do their research, coupled with idiot kids who think that misspelling words makes them sound cool. A Hacker is somebody who takes thi
Enough with the goofy terms for this crap (Score:4, Insightful)
The security community is completely pathetic, the #1 motivation of all of this crap are consultants who want to go around and say that they coined the phrase "pharming", or were able to drum up panic over every obscure flaw in Powerpoint 97.
Seen this and it's scary (Score:5, Insightful)
In my street, there are at least three wireless networks with default passwords. When my friends come around with their wireless laptops, they get a good connection. It most definitely isn't through mine, because my LAN is all wired (in fact, it's still got one length of co-ax in it!) On two of them, the network name was the model of the router. One quick Google later and I had the default password. And it worked -- I had the configuration page up! I almost changed their network name to "uRpWn3d" and set a new password, just for a laugh and maybe to teach them a lesson, but decided against it; there are ways of pointing out something loose that look less like vandalism than breaking it off.
The real, long-term solution is for routers to be designed not to route packets as long as the password is set to the factory default -- if the password hasn't been changed, then the router should not allow you to connect to anything except its own configuration page. If you do a full factory reset and find yourself able to connect to web sites straight away without deliberately changing the password, then that must mean one of your machines has already been compromised. Then it's better that you stay off the Net until your computers are fixed.
Re:Moo (Score:4, Informative)
They can be configured that way, but usually by default, they are not. I know that Linksys has the option, but Wireless management of the router is not disabled by default.
Beside that, the title was a bit misleading with the term "drive-by". This exploit has nothing at all to do with a wireless LAN.
Basically:
Re: (Score:3, Interesting)