News for nerds, stuff that matters

Drive-By Pharming Attack Could Hit Home Networks

Posted by Zonk on Fri Feb 16, 2007 10:03 AM
from the dive-behind-the-router dept.
Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known whether the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user who had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques, which security companies will have to keep in mind to guard against future attacks.
  • Simple solution for this (Score:3, Interesting)

    by suso (153703) * on Friday February 16 2007, @10:05AM (#18038224)
    (http://suso.suso.org/ | Last Journal: Tuesday March 09 2004, @12:03AM)
    1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
    2. Browsers are modified to look up these hashes in #1 to determine if the DNS servers it is talking to are OK.

    The net needs to be more secure and there need to be more checks in place through authoritative sources.

    This pharming attack reminds me of when I first installed the doorbell on my house: every once in a while it would go off and nobody was at our door. It turned out that the people across the street had the same doorbell, set to the default settings.
  • Last time I checked. . . (Score:5, Insightful)

    by Who235 (959706) <[who235] [at] [30gigs.com]> on Friday February 16 2007, @10:06AM (#18038238)
    Last time I checked, it's stupid to leave anything with a default password.

    If you had all your personal papers in a safe, would you leave it set to the factory combination?
  • Legal issues (Score:5, Informative)

    by Reverse Gear (891207) * on Friday February 16 2007, @10:07AM (#18038242)
    (http://bargheer.blogspot.com/)
    My sister is a lawyer, I imagine she is not the only one that has dealt with something related to this.

    Right now she has a client that is being sued for quite an amount of money by the music industry for downloading lots of music through P2P services. He claims he never did this, that he never listens to music on his computer.

    It turns out that he lives in an apartment block, knows very little about computers in general, but thought that this thing with wireless networks was really fancy. I think you can figure out the rest of that story. My sister has quite a bit of trouble convincing the music industry of what is obvious; I don't know what the outcome of this case is or if it has been taken to court yet.

    According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.

    I think there are many interesting legal issues in this.
  • not with my 2wire router (Score:5, Interesting)

    by fishyfool (854019) on Friday February 16 2007, @10:10AM (#18038282)
    (http://www.fishyfool.com/ | Last Journal: Wednesday July 11, @03:46PM)
    It came from the factory with a random 10-digit WEP password and with wireless disabled by default. If 2wire can do this, so can everyone else.
  • Comcast (Score:4, Insightful)

    by towsonu2003 (928663) on Friday February 16 2007, @10:12AM (#18038294)

    making your network completely invulnerable is a simple case of setting a strong router password
    try setting a strong password on a Comcast router...
    • Re:Comcast by value_added (Score:2) Friday February 16 2007, @10:31AM
      • Re:Comcast by SydBarrett (Score:2) Friday February 16 2007, @10:46AM
      • Re:Comcast by towsonu2003 (Score:2) Friday February 16 2007, @03:16PM
    • Re:Comcast by morgan_greywolf (Score:2) Friday February 16 2007, @10:48AM
      • Re:Comcast by Dreamstalker_wolf (Score:1) Friday February 16 2007, @12:01PM
      • Re:Comcast by towsonu2003 (Score:2) Friday February 16 2007, @03:23PM
    • Re:Comcast by Technician (Score:2) Friday February 16 2007, @12:36PM
    • Re:Comcast by rapidweather (Score:2) Friday February 16 2007, @08:58PM
  • by Anonymous Coward on Friday February 16 2007, @10:13AM (#18038304)
    This raises a question: if you are using your wireless card and notice that your neighbor has a wide-open access point, how do you educate them without being seen as a suspect or nosy? I have one such neighbor, and I have considered logging into their wide-open AP and rebooting it or setting WEP keys or some such, but such measures would of course fail, since they are clueless. I have also considered going full-stealth and printing up a quick wireless security tutorial on a printer not linkable to me, and taping the tutorial to their door. It's not worth the trouble to me, but it could be a big deal to them one day. In this litigious day, that's why I'm posting as AC.
    • Like this.... (Score:5, Insightful)

      by StressGuy (472374) on Friday February 16 2007, @10:20AM (#18038382)

      [YOU] "Do you have a [brand] router?"

      [NEIGHBOR] "Yes, I do."

      [YOU] "My computer keeps detecting it, thinking it can log on - did you set a password, WEP, etc.?"

      [NEIGHBOR] "What's that?"

      [YOU] "It's how you keep anyone other than yourself from being able to access your internet connection. If it's not secure, anyone within your router's range can log in....I can help you if you'd like."

      ...this shouldn't be that much different than telling someone they left their window open or their door unlocked.
      • The sequel (Score:5, Funny)

        by kahei (466208) on Friday February 16 2007, @11:16AM (#18039116)
        (http://www.hwacha.net/)

        (Later)

        [NEIGHBOR] ...and then suddenly I found out all these payments had been made on my PayPal account and a truckload of goat porn had been ordered on my credit card!

        [COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change.

        [NEIGHBOR] An idiot is me.

        [COP] Yes. Yes, an idiot is you.
      • Re:Like this.... by Grail (Score:1) Thursday February 22 2007, @06:08PM
    • Re:So, how do you tell your clueless neighbors? by ArsenneLupin (Score:2) Friday February 16 2007, @10:24AM
    • Re:So, how do you tell your clueless neighbors? by oni (Score:3) Friday February 16 2007, @11:15AM
    • Re:So, how do you tell your clueless neighbors? by TheChromaticOrb (Score:1) Friday February 16 2007, @11:17AM
    • Re:So, how do you tell your clueless neighbors? by ajs318 (Score:2) Friday February 16 2007, @11:49AM
    • Re:So, how do you tell your clueless neighbors? by Xenna (Score:2) Friday February 16 2007, @04:02PM
  • "You want to be a Pharmer? Here, I give you a couple of achers!"

    Ah, now if we could only invent a way of delivering a swift kick through the internet.
  • So let's set good passwords (Score:5, Funny)

    by physicsboy500 (645835) on Friday February 16 2007, @10:14AM (#18038310)
    We'll chase off the Pharmers with our phlaming torches and pitchphorks!
  • by StressGuy (472374) on Friday February 16 2007, @10:14AM (#18038316)
    I got a wireless router not too long ago for the first time. It came with an automated installer and, after reading the instructions and following the prompts, I was set up and "good-to-go".....or was I?

    I also needed to get this router configured on my Linux box...this required that I read some "outside documentation" - where I would learn of such things as passwords, WEP, etc.

    Anyway, it turns out the Windows auto-install script set this thing up with no protection whatsoever. It was only after I read the HOWTOs on the internet that I was able to go back and secure my router for both Linux and Windows.

    I have lived in a couple of neighborhoods since then and, when I fire up my laptop, there are usually one or two unsecured routers that get auto-detected.

    I can only assume there are scores of "average users" with no idea they are sharing their internet access with their neighbors or anyone who "drives by".

    Best security software in the world won't do much good if you don't tell the user what it is and how to use it.
  • by swschrad (312009) on Friday February 16 2007, @10:16AM (#18038342)
    (http://slashdot.org/ | Last Journal: Monday April 16 2007, @01:18PM)
    not, of course, that there is anything wrong with virus companies and universities developing hacks and cracks, but

    )80qws()8FAWEJ

    SPAM
    SPAM
    SPAM
    SPAM
    SPAM
  • by sid77 (984944) on Friday February 16 2007, @10:30AM (#18038498)
    (http://www.slackintosh.org/)
    click [indiana.edu]
    (NO, it's not one of those malicious URLs; it explains how they work, really!)
  • This isn't about wireless access! (Score:5, Informative)

    by JackHoffman (1033824) on Friday February 16 2007, @10:38AM (#18038590)
    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.
  • Still accepting candy from the strangers? [noscript.net]

    Default permit is the dumbest idea in security [ranum.com] (well, default passwords can't even qualify as "ideas" ;) )

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript [noscript.net].

  • DNS (Score:1)

    by endianx (1006895) on Friday February 16 2007, @10:45AM (#18038660)
    (http://www.ronpaul2008.com/)
    If you do not have your router set as your computer's DNS source, this would not affect you, would it?

    So like, if you had a Linksys, you'd have to have your computer set to use 192.168.1.1 (by default) as your DNS server right?
    • Re:DNS by JackHoffman (Score:1) Friday February 16 2007, @11:00AM
    • Re:DNS by ACMENEWSLLC (Score:1) Friday February 16 2007, @11:21AM
    • Re:DNS by Bacon Bits (Score:2) Friday February 16 2007, @12:44PM
    • Re:DNS by Technician (Score:2) Friday February 16 2007, @12:55PM
  • What the Phudge? (Score:2)

    by Bohnanza (523456) on Friday February 16 2007, @10:46AM (#18038678)
    Why do all these things need to start with "Ph" instead of "F"? Someone explain it to me.
  • defaults passwords (Score:1)

    by aod7br (573614) on Friday February 16 2007, @10:50AM (#18038712)
    I wonder why companies don't generate a random password and put a sticker with it in the manual of each electronic device that is connected to the internet. That's so easy and would solve a lot of problems. And it's not a big deal to support; they just need to store a serial number/password table in the support computers.
  • by duffbeer703 (177751) * on Friday February 16 2007, @10:51AM (#18038736)
    (http://www.dufftech.net/)
    I'm so sick of phishing, vishing, pharming, pheering, etc.

    The security community is completely pathetic; the #1 motivation of all of this crap is consultants who want to go around and say that they coined the phrase "pharming", or were able to drum up panic over every obscure flaw in PowerPoint 97.

  • Seen this and it's scary (Score:5, Insightful)

    by ajs318 (655362) <sd_resp2&earthshod,co,uk> on Friday February 16 2007, @11:07AM (#18038936)
    It's not for nothing that we have this old saying: He who controls DNS, controls the Internet. It's scary what you can do to someone if you can tell them, authoritatively, that (for instance) the IP address for "www.google.co.uk" is 66.230.165.157. And that's exactly the sort of thing you can do, if you have control of a machine running BIND. If you were very, very careful what you subverted, you could snarf a lot of information. I'm sure it's possible to reverse-profile people by the "targeted adverts" they get sent in return for supplying personal information (but see here [slashdot.org] for advice). If you're serving up the fake pages from your own machine (and you might as well, because Apache is as much part of every Linux distro as BIND) then you have all you need to be The Man In The Middle -- you can pass on a (munged) version of their request to the intended target server and offer up the reply. If you're within wireless range of their router, you can even do it via that. Change back the DNS settings afterward and nobody need ever be any the wiser.

    In my street, there are at least three wireless networks with default passwords. When my friends come around with their wireless laptops, they get a good connection. It most definitely isn't through mine, because my LAN is all wired (in fact, it's still got one length of co-ax in it!). On two of them, the network name was the model of the router. One quick Google later and I had the default password. And it worked -- I had the configuration page up! I almost changed their network name to "uRpWn3d" and set a new password, just for a laugh and maybe to teach them a lesson, but decided against it; there are ways of pointing out something loose that look less like vandalism than breaking it off.

    The real, long-term solution is for routers to be designed not to route packets as long as the password is set to the factory default -- if the password hasn't been changed, then the router should not allow you to connect to anything except its own configuration page. If you do a full factory reset and find yourself able to connect to web sites straight away without deliberately changing the password, then that must mean one of your machines has already been compromised. Then it's better that you stay off the Net until your computers are fixed.
  • Moo (Score:1)

    by Chacham (981) on Friday February 16 2007, @11:12AM (#18039046)
    (http://tkatch.com/ | Last Journal: Monday October 29, @02:09PM)
    Don't most routers--also by default--require a physical link from the inside to administer them?
    • Re:Moo (Score:4, Informative)

      by Radon360 (951529) on Friday February 16 2007, @11:28AM (#18039338)

      They can be configured that way, but usually by default, they are not. I know that Linksys has the option, but Wireless management of the router is not disabled by default.

      Beside that, the title was a bit misleading with the term "drive-by". This exploit has nothing at all to do with a wireless LAN.

      Basically:

      1. You get a person to browse to a web page with the malicious code
      2. The web browser downloads the malicious JavaScript and executes it.
      3. The JavaScript connects to the router from the user's computer and changes the settings.
      4. The router's DNS now points to the attacker's DNS.
      5. Attacker can now point the user's browser in whatever direction he chooses.
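      As an added example (not from this thread, the Symantec paper, or any vendor's firmware), here is a toy Python model of a router's web configuration handler applying the three checks the comments above call for: JackHoffman's point that the browser is used as a reflector for requests to the config page, and the step list just given, are answered by an Origin/Referer check and a one-time form token; ajs318's proposal is modelled by refusing to forward internet traffic while the factory password is still set. The LAN address, factory password, audit messages and request values are constructed for illustration.

```python
import base64
import secrets
from urllib.parse import parse_qs

FACTORY_PASSWORD = "admin"          # constructed factory default
ROUTER_URL = "http://192.168.1.1"   # assumed LAN address of the config page


def basic_auth(user, password):
    """Build the HTTP Basic Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class RouterAdmin:
    """Toy model of a home router's web configuration interface."""

    def __init__(self):
        self.password = FACTORY_PASSWORD
        self.dns_servers = ["192.168.1.1"]  # LAN clients resolve via the router
        self.csrf_tokens = set()            # one-time tokens handed to real visitors
        self.audit = []                     # what a defender would want logged

    def forwards_internet_traffic(self):
        # ajs318's proposal: while the factory password is still set, nothing
        # but the configuration page is reachable, so no page carrying the
        # attack can be browsed to in the first place.
        return self.password != FACTORY_PASSWORD

    def config_page(self):
        """GET /config: hand out a fresh one-time token for the settings form."""
        token = secrets.token_hex(16)
        self.csrf_tokens.add(token)
        return token

    def apply(self, headers, query):
        """Handle /apply?<query> as the router sees it. Returns (status, note)."""
        # 1. Credentials must be presented on every request (HTTP Basic).
        try:
            raw = base64.b64decode(headers.get("Authorization", "").split(" ", 1)[1])
            _user, pw = raw.decode().split(":", 1)
        except (IndexError, ValueError):
            return 401, "credentials required"
        if not secrets.compare_digest(pw.encode(), self.password.encode()):
            self.audit.append("bad password")
            return 401, "bad credentials"
        # 2. The request must originate from the router's own page, never from
        #    a page elsewhere embedding a "remote" element. The trailing "/"
        #    keeps http://192.168.1.10/ from matching as a prefix.
        source = headers.get("Origin") or headers.get("Referer", "")
        if not (source == ROUTER_URL or source.startswith(ROUTER_URL + "/")):
            self.audit.append(f"cross-site request from {source or '<no source>'}")
            return 403, "cross-site request rejected"
        # 3. A one-time token ties the form submission to a real visit to the
        #    config page, even when the browser adds credentials on its own.
        form = {k: v[0] for k, v in parse_qs(query).items()}
        token = form.get("csrf")
        if token not in self.csrf_tokens:
            self.audit.append("missing or stale csrf token")
            return 403, "csrf token rejected"
        self.csrf_tokens.discard(token)
        if "dns" in form:
            self.dns_servers = form["dns"].split(",")
        if "password" in form:
            self.password = form["password"]
        return 200, "settings applied"
```

      A request that carries neither Origin nor Referer is rejected at step 2; a real firmware would also have to decide whether to accept such requests from older browsers, which is exactly the gap the token at step 3 covers.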
      • Re:Moo by Chacham (Score:1) Friday February 16 2007, @11:43AM
    • Yes, but read closer by michaelwigle (Score:1) Friday February 16 2007, @11:51AM
    • Re:Moo by ajs318 (Score:2) Friday February 16 2007, @12:14PM
    • Re:Moo by AndreasJS (Score:1) Wednesday February 28 2007, @09:23AM
  • by davidwr (791652) on Friday February 16 2007, @11:24AM (#18039264)
    (http://slashdot.org/~davidwr/journal/ | Last Journal: Friday November 09, @09:19PM)
    Part 1 is using default passwords.

    Part 2 is installing a trojan that systematically tries passwords, starting with obvious ones like the current hostname, the current username, or the decrypted or keylogger-captured login passwords. Or just wait for the user to log into the router and capture the password at that time.

    Part 3 will be doing a firmware "update" so a back door will always be there and false entries don't show up in the configuration screen.

    I want a router that has a hardware security switch so I can enable or disable modifications. If it's in the "locked down" position then everything becomes read-only. I also want a second "reset" switch that reloads the factory firmware. This second switch will also be a de-bricking switch in case of a bad or interrupted firmware upgrade.

    BTW, the "factory firmware" the 2nd switch activates doesn't have to be the "original firmware" as seen by the customer; it can be a mini-firmware environment that does nothing but allow real firmware to be installed. Its whole purpose in life is to sterilize the machine of all non-factory-installed options.
  • I call Bull... (Score:2)

    by flyingfsck (986395) on Friday February 16 2007, @12:10PM (#18040044)
    Most WiFi home routers don't allow configuration over WiFi by default - only over a wire. This may work with a small number of very old routers, of which the PCs behind them are probably already totally full of crapware, so any more won't make the slightest difference.
  • not me (Score:2)

    by scharkalvin (72228) on Friday February 16 2007, @12:40PM (#18040608)
    (http://www.qsl.net/wa2mze)
    The first thing I did when setting up my NetGear router was to change the password.
    I don't know if I can change the login name (need to check that).
    I also added blocks to certain web sites to keep the kids out of trouble.

    Things like this make me want to build my own router with an old computer running Linux or
    'BSD. Only problem would be getting Roaring Penguin to work with Bellsouth (AT&T!) dsl.
    (G-D PPPoE!) Except that the Netgear box uses SO much less power than an old computer.
    Anybody know of a good and cheap low power platform to build a Linux router on?
    (no soldering required!)
    • Re:not me by mutterc (Score:2) Friday February 16 2007, @01:03PM
    • Re:not me by peekitty (Score:1) Friday February 16 2007, @01:19PM
  • by jan de bont (702726) on Friday February 16 2007, @02:14PM (#18042320)
    So, the attack is a snippet of Javascript that uses Linksys/D-Link, and so forth's default passwords. Let's use those defaults for "good" instead of "evil". How about a site that documents the problem and has a "Click here to fix the problem" link that tries those exact same defaults, but CHANGES THE PASSWORD (with the user's help) rather than changing the DNS?

    How about the big boys of Internet 2.0 each create a page (or series of pages) that non-nerds can visit that fix these kinds of things? Google's "Defend yourself" page sounds pretty good to me.
  • Sad But True (Score:1)

    by Hades1010 (1040252) on Friday February 16 2007, @03:00PM (#18043054)
    A good start for this attack would be to start with a simple JS port scanner and run the default password check on all web servers, routers, etc. connected to the LAN/WAN, and then control the network.
    A simple JavaScript port scanner is here :
    http://www.spidynamics.com/assets/documents/JSportscan.pdf [spidynamics.com]
    and default password list of most of the connected devices is here :
    http://www.phenoelit.de/dpl/dpl.html [phenoelit.de]
    Njoy
  • by merc (115854) <slashdot@upt.org> on Friday February 16 2007, @03:49PM (#18043876)
    (http://upt.org/lane)
    1) Drive by pharm,
    2) Stop. Park.
    3) Milk cows.
    4) Feed chickens.
    5) Slop pigs.
    6) Stack hay.
    7) Profit.
  • The router companies need to stop selling products with default passwords that don't prompt the user to set a password.
  • Oh noes (Score:2)

    by RomulusNR (29439) on Friday February 16 2007, @05:30PM (#18045300)
    (http://kradeleet.com/)
    So, I have to be sufficiently un-dumb enough to have changed from the default password on my home router/gateway. Ok, done.
    • Re:Oh noes by mshurpik (Score:2) Saturday February 17 2007, @01:18AM
  • a stupid question (Score:1)

    by ringm000 (878375) on Friday February 16 2007, @11:20PM (#18047914)
    Why wouldn't router manufacturers just use the serial number of the device as a default password??? Yeah, the one which is printed on the case of the device.
    Too complicated for the user? Too hard to implement? It's hard to believe that. Use larger font if you must.
    You could also use the same password as a WPA key...
  • So far, there are 66 "Sources" in news.google.com that have "reported" this story. However, none of them have claimed to have actually tried to reproduce the exploit, themselves.

    If someone had, they would have found that the Zone Elevation situation it creates (Internet -> Intranet) would be prohibited by most browsers, including IE since version 6.0. IE would have also balked at crafting a url with http://hostname/ [hostname] as suggested by the Symantec paper.

    Parroting a press release and calling it journalism is rather weak.
  • by AndreasJS (1068962) on Monday February 26 2007, @09:42PM (#18162418)
    In order to be safe: 1. you should log out after changing the password or (if no logout is possible, such as with simple HTTP authentication) restart your browser before visiting any webpage. 2. Do not tick the "memorize password" box. If you do, an intruder could manipulate the router without a password.