Drive-By Pharming Attack Could Hit Home Networks

Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks.
  • by suso ( 153703 ) * on Friday February 16, 2007 @10:05AM (#18038224) Journal
    1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
    2. Browsers are modified to look up these hashes in #1 to determine if the DNS servers it is talking to are ok.

    The net needs to be more secure and there need to be more checks in place through authoritative sources.

    This pharming attack reminds me of when I first installed the doorbell on my house. Every once in a while it would go off and nobody was at our door; it turned out that the people across the street had the same doorbell set to the default settings.
    • I'm sorry, I was thinking about it the wrong way. That wouldn't work. But perhaps something along those lines could be implemented.
      • by Anonymous Coward
        There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to
    • by mpe ( 36238 ) on Friday February 16, 2007 @10:15AM (#18038324)
      1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
      2. Browsers are modified to look up these hashes in #1 to determine if the DNS servers it is talking to are ok.


      A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings. I.e., with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.
      • Re: (Score:3, Insightful)

        If you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"

        I know, I know. The people who write the manuals don't actually use the products they talk about* so the manufacturer will have to make
        • If you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"

          Aha, aha, ahahaha. If you DO put it in the documentation, on the top of every page, in red 24 point bold all caps, you will get hundreds of calls from irate users. If you DON'T, the number will be approximately 99% of whatever your userbase actually is. The other 1% will, as usual, stick their tongue in the wall socket to see if it's live before plugging in the device, somehow poke both their own eyes out with the ethernet cable, or eat the packet that says "DO NOT EAT."
        • by MECC ( 8478 ) *
          Software is an amazing thing, really. These routers could just be programmed to, in the presence of default settings, not route to the outside world and only pop up a web page that tells users that they have to set up a userid and password in order to use the router.

          Then all people need is a 3.5 postcard(s) in the box telling them to plug their computer into the router and go to http://192.168.1.1/ [192.168.1.1] and follow the instructions.

          I know, it's not perfect, but it's better - way better - than what's there
          • If that was set up they wouldn't even need the postcards. Any free wireless hot spot at hotels or your local Starbucks has it set up to route any request to a sign on/EULA/etc. page before you can do anything. All it would take is setting this same thing up on the router and you are good to go. The trick there would be phishing tricks that might copy that page layout to get a username/password for the router, but there isn't a whole lot that can be done to stop that (as evidenced by the incessant barrage of
          • The latest Linksys routers come with a CD with a configuration program on it. You insert the CD, run the program (or it autoruns) and it goes through a setup dialog which forces you to set the various settings. Then it finds your router and uploads the settings and such.

            Of course, you can still use the router without the installation, and it still has the web interface, so users who know what they're doing toss the CD and just configure it themselves, but I thought it was an interesting solution.

            Non-knowled
      • Re: (Score:3, Funny)

        by paeanblack ( 191171 )
        A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings. I.e., with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.

        Dude, ATM machines don't even have futuristic features like that. Come back to reality.

        http://it.slashdot.org/article.pl?sid=06/09/21/1819242 [slashdot.org]
      • A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings. I.e., with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.

        Cars ship with seatbelts and big fat warning signs in the glove box and the top side of the sun visors that tell you to use them, but an alarming number of people don't.

        Yet, if your car failed to start if you weren't buckled up, p

        • by paeanblack ( 191171 ) on Friday February 16, 2007 @02:15PM (#18042334)
          Yet, if your car failed to start if you weren't buckled up, people would go ballistic.

          If they aren't buckled up, they are going ballistic anyways...it's just a matter of time.
      • Simpler solution: Only allow admin access with the default password for 1 minute after powerup.
    • Re: (Score:1, Funny)

      by Anonymous Coward
      I don't know which I'm more appalled at:

      A. You bought a *wireless* doorbell.

      B. You refer to double-stick taping it to your wall as "installing".

      C. You left it at the default settings...

  • by Who235 ( 959706 ) on Friday February 16, 2007 @10:06AM (#18038238)
    Last time I checked, it's stupid to leave anything with a default password.

    If you had all your personal papers in a safe, would you leave it set to the factory combination?
    • Re: (Score:2, Funny)

      Exactly. The first thing I did on my router was change the password. A few months later, my forgotten password now locks me out. Does anyone have a safety pin?

      • Re: (Score:2, Interesting)

        If you really can't remember, there is nothing wrong with taping the password to the bottom of your router. If the attacker can gain physical access to your router you have a much bigger problem than wireless security.

        You shouldn't do this at your workplace, but at home it is acceptable...

        I don't do this, I know the (strong) password of my Access Point

    • Re: (Score:3, Insightful)

      by gstoddart ( 321705 )

      Last time I checked, it's stupid to leave anything with a default password.

      If you had all your personal papers in a safe, would you leave it set to the factory combination?

      You're right of course. But, part of the problem is simply consumer education.

      It used to be that only people who knew a fair amount about computers used them. They were a self educating populace. The adoption of computers and home networks by a lot of people has actually happened faster than the corresponding education of people about

      • Re: (Score:3, Informative)

        by ptbarnett ( 159784 )
        Unfortunately, I don't see an easy solution/resolution to this problem -- if manufacturers changed their defaults to make the routers more locked down, the average consumer is going to completely fail to use the product. They won't know how to configure their networking settings manually. It will be some strange voodoo they need to hire Nerds on Site or something.

        When I switched from DSL to Verizon's FIOS, I got an Actiontec MI424WR [actiontec.com] router. By default, it was configured with a randomly generated SSID and

      • by ajs318 ( 655362 )

        It used to be that only people who knew a fair amount about computers used them. They were a self educating populace. The adoption of computers and home networks by a lot of people has actually happened faster than the corresponding education of people about these things. They can walk into a box store, buy a wireless router, plug it in and go. They simply don't have a clue about securing their machines.

        Give that person a cigar!

        The moment ease-of-use trumped security was the moment the rot set in. Some t

      • by kabocox ( 199019 )
        It's a commodity mindset -- "I go, I buy the product, I plug it in like a TV, and I never think about how it operates". Consumers haven't yet fully understood that they might need to take steps to secure such things, or that it poses a risk. All they know is they click the right button and they download the internet. :-P

        Um, why should they? Um, they don't worry about securing their TV, radio, cable box, cell phone, oven, toaster, land line phone, or lamps. Why should they have to actually think and do e
        • by pnutjam ( 523990 )
          There are actually ways to take over people's phones and place long distance calls on their dime. Usually these are associated with PBX type systems.
      • by VENONA ( 902751 )
        I've only seen education be even somewhat effective a few times. And that was in corporate settings. I don't see things as any better in government settings. For general consumers I've no hope at all. I see little or no evidence that most consumers *want* to be educated. Though they might, after the first time they're phished. :) They want to Do Stuff, not Learn Stuff.

        The consumer solution probably lies with the manufacturer, possibly via generating a random password as the last step before packaging the de
    • Re: (Score:3, Insightful)

      by 955301 ( 209856 )
      Wouldn't it be great if the router hijacked the few http requests passing through it and gave the user a dynamically created password with instructions to print it and tape it to the router? There could be a snazzy checkbox letting them skip future redirects after they have the password.

      Then hitting the reset on the router just caused this to happen again with a newly created password.

      Voilà, no more default passwords.

      • Or more simply, these devices could have a button on the router in lieu of a default password. You would connect to the router and the web page would say "Press the big red button".

        Whenever pressed, the button would allow the MAC Addr that had most recently displayed the web page to set a new password (Possibly could allow full access with just the button, forgoing passwords altogether, but that has some security holes if an attacker happened to be on your wireless at the same time--so does the password th
    • Last time I checked, it's stupid to leave anything with a default password.

      If you had all your personal papers in a safe, would you leave it set to the factory combination?

      Yes, people do. Ever read Feynman's memoirs? He got a reputation in Los Alamos for being a master safecracker simply because he knew the default combinations the safes used there shipped with...and nobody ever changed them. In the middle of the Manhattan Project, nobody ever changed the combinations on their safes.

      Chris Mattern

  • Legal issues (Score:5, Informative)

    by Reverse Gear ( 891207 ) * on Friday February 16, 2007 @10:07AM (#18038242) Homepage
    My sister is a lawyer, I imagine she is not the only one that has dealt with something related to this.

    Right now she has a client that is being sued for quite an amount of money by the music industry for downloading lots of music through P2P services. He claims he never did this, that he never listens to music on his computer.

    It turns out that he lives in an apartment block, knows very little about computers in general, but thought that this wireless network thing was really fancy. I think you can figure out the rest of that story. My sister has quite a bit of trouble convincing the music industry of what is obvious; I don't know what the outcome of this case is or if it has been taken to court yet.

    According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.

    I think there are many interesting legal issues in this.
    • Re: (Score:2, Informative)

      I know a guy that does this (unfortunately). He had downloaded whole movies sitting in an apartment complex parking lot. Network Stumbler and idiots = free bandwidth. Definitely need to change that factory password.
    • According to Danish law he probably has some responsibility and will, even if my sister successfully proves that he did not do the illegal downloading, still somehow get punished for this.
      Presumption of innocence, anyone?
    • Why is your sister sharing information regarding an on-going case with you? Surely the client has some right to privacy in not having his case discussed with people outside of legal counsel.
      • by Wudbaer ( 48473 )
        Welcome to the real world. Besides that, it is neither a problem nor illegal if it is told in a fashion that no one can figure out who the client is. Where do you think case studies both in law and medicine come from? IANAL but I am an MD by training. Docs talk among each other, the nursing staff and their families and friends all the time about the amazing, troubling and bizarre things happening to them each day; I can imagine it's the same for a lawyer. You need to talk about things to stay sane. As long as
      • True. She is allowed to share general information that is available to anyone on this; she told me nothing more than what I could have learned from studying different kinds of publicly available information. Also I have no clue who her client is.
        The reason I don't know about the outcome of this case could be because it is somehow not public information, perhaps it will be at some point, I don't know.
    • by oni ( 41625 ) on Friday February 16, 2007 @11:17AM (#18039138) Homepage
      RIAA Will Drop Cases If You Point Out That An IP Address Isn't A Person [techdirt.com]

      Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do.
      • Thank you for this, I have forwarded the link to my sister.

        In Denmark we have something called anti-piratgruppen instead of RIAA, but they do the same thing as far as I know. This could very well prove useful if my sister has not already found it, even if US and Danish law is probably pretty different.
    • Being Danish, I'd love to hear more about this case.

      I have law-student friends who claim that there are no provisions in the law that can make someone responsible for what other people do with their (legal) stuff, no matter how it's done.

      Compare a passer-by grabbing a shovel from my driveway and smashing a kid's face in with it. Am I responsible? Hardly.
  • by fishyfool ( 854019 ) on Friday February 16, 2007 @10:10AM (#18038282) Homepage Journal
    It came from the factory with a random 10 digit WEP password and with wireless disabled by default. If 2wire can do this, so can everyone else.
    • Re: (Score:1, Informative)

      by Anonymous Coward
      Read the article. This attack is not about wireless access. The attack uses a web browser that is already (and legitimately) on the internal network to reflect HTTP requests towards the router configuration interface. A simplified example: make a webpage with an image src=http://root:default@192.168.178.1/dnsconfig?dns1=10.0.0.1&dns2=10.0.0.2&commit. Then make the webpage popular (put some silly video on it, post to digg), and watch as users with default-configured routers have their dns servers cha
    • Are you trying to kill linksys, the only international wireless ISP out there?

  • Comcast (Score:4, Insightful)

    by towsonu2003 ( 928663 ) on Friday February 16, 2007 @10:12AM (#18038294)

    making your network completely invulnerable is a simple case of setting a strong router password
    try setting a strong password on a Comcast router...
    • try setting a strong password on a Comcast router...

      Could some elaborate on this? My understanding was always that cable and DSL providers provide modems to their customers. Do cable ISPs now manufacture, sell, rebrand or distribute "routers", or is the poster talking about Linksys, Netgear et al. consumer NAT boxes purchased by the user?
      • Yup, Comcast rents out a router for the same price as a modem ($2). They also toss in a crappy USB wireless thing for free. The router is just 4 feet from my computer so I just took off the antenna rather than messing with wireless. I don't think there is an option for disabling wireless anyway on their branded routers.
      • Comcast rebrands a router+modem thingy with crippled features (such as being able to set only a 6-character-or-so password, not being able to shut down wireless for good etc)... they charge you about $5 a month for those things and to be able to keep charging you, they make it hard for you to set up your own (how: well, you can guess how a company can force their ways onto you... lack of support if using other hardware etc)...
    • And what's to stop you from putting another router/firewall behind the Comcrap router? (Hint: nothing)

      • And what's to stop you from putting another router/firewall behind the Comcrap router?

        Good point. The answer is: if my connection starts to not work anymore, they will not be able to tell me "hey, we don't support the OS you're using PLUS the router+modem you're using"... Another aspect is: router+cablemodems are not cheap and not guaranteed to work with "your ISP" (again, no support)... and, of course, Comcast has to do something so your new router+modem works (ie they should change the HW address) and I'm

    • try setting a strong password on a Comcast router...

      I knew better. When I finally moved from dial-up to broadband, I specified modem only, no router. On dial-up, I already had a LAN and router including wireless. I was using an Actiontec Dual PC Modem as a narrowband modem. I asked for self install, but since I didn't subscribe to TV already, they insisted they send out a guy to set it up. When he showed up, I simply said replace the narrowband modem with the cable modem. He mentioned he needed to set up
    • Well, I'm using a D-Link WBR-2310 router, and I did have a new password for the admin account. Now, according to the article, I need to also change the "login name" for the Administrator account to something other than the default "admin".
      I've done that now, and also changed the password to the maximum allowed by the router.
      I am using Comcast, but the router is not their equipment. No problem with Comcast, really, and I am satisfied with their service.
      Once, during high winds (Katrina) my cable line was brou
  • by Anonymous Coward on Friday February 16, 2007 @10:13AM (#18038304)
    This raises a question: if you are using your wireless card and notice that your neighbor has a wide-open access point, how do you educate them without being seen as a suspect or nosy? I have one such neighbor, and I have considered logging into their wide-open AP and rebooting it or setting WEP keys or some such, but such measures would of course fail, since they are clueless. I have also considered going full-stealth and printing up a quick wireless security tutorial on a printer not linkable to me, and taping the tutorial to their door. But, it's not worth the trouble to me, but it could be a big deal to them one day. In this litigious day, that's why I'm posting as AC.
    • Like this.... (Score:5, Insightful)

      by StressGuy ( 472374 ) on Friday February 16, 2007 @10:20AM (#18038382)

      [YOU] "Do you have a [brand] router?"

      [NEIGHBOR] "Yes, I do."

      [YOU] "My computer keeps detecting it, thinking it can log on - did you set a password, WEP etc.?"

      [NEIGHBOR] "What's that?"

      [YOU] "It's how you keep anyone other than yourself from being able to access your internet connection; if it's not secure, anyone within your router's range can log in....I can help you if you'd like"

      ...this shouldn't be that much different than telling someone they left their window open or their door unlocked.
      • The sequel (Score:5, Funny)

        by kahei ( 466208 ) on Friday February 16, 2007 @11:16AM (#18039116) Homepage

        (Later)

        [NEIGHBOR] ...and then suddenly I found out all these payments had been made on my paypal account and a truckload of goat porn had been ordered on my credit card!

        [COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change.

        [NEIGHBOR] An idiot is me.

        [COP] Yes. Yes, an idiot is you.
        • [COP] Did anyone other than you have access to your computer?

          [NEIGHBOR] Only the guy next door, and *he* says that he didn't see anyone tamper with it...I guess it's a mystery

          {COP immediately goes next door}

          I don't know about you, but I make an effort to get to know my neighbors, thus, the notion that I would actually suggest helping them with something is not automatically deemed a scam.

        • (Later)

          [NEIGHBOR] ...and then suddenly I found out all these payments had been made on my paypal account and a truckload of goat porn had been ordered on my credit card!

          [COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentia
    • I have one such neighbor, and I have considered logging into their wide-open AP and rebooting it or setting WEP keys or some such, but such measures would of course fail, since they are clueless.

      ... or put the MAC addresses of his own computers on his AP's blacklist.

      Well, being clueless, they will ask their most computer-savvy neighbor for advice. That would be you. You come over and "fix" their AP, and in the course of fixing it "discover" that it is also insecure. Then you advise them on how to properly secure it.

    • Re: (Score:3, Insightful)

      by oni ( 41625 )
      printing up a quick wireless security tutorial on a printer not linkable to me

      you mean like for example *their* printer?

      I did that to some AF guys once. I printed a page with orders to call me in giant letters. They were pretty good natured about it and actually appreciated that I was helping them.
    • by ajs318 ( 655362 )
      One way is to ignore it, because it's not your problem.

      Another way is to point out gently that it's a problem. Except then, you have made it your problem; and you can expect to be treated like a free 24/7/52 helpdesk forever from then on. Or treated as though it was your fault that it wasn't secure.

      Yet another way is to set up a router of your own, with broadly the same settings as theirs, but with a proxy configured to do something like this [ex-parrot.com]. But don't switch it on just yet. Then, while their
    • by Xenna ( 37238 )
      You don't. You use his connection when your ISP happens to be down and when your new laptop comes in you use it to ssh to your server so you can copy & paste your own 63 char WPA key so you don't have to type it all. It's really handy having such neighbours.

      Actually I have 6 access points in my range (apart from my own 2) and all but one have encryption enabled, most of them WEP. The 'open' one's SSID is 'default', that was a bit of a giveaway. I guess I'm probably in a relatively smart neighbourhood.

      X.
  • "You want to be a Pharmer? Here, I give you a couple of achers!"

    Ah, now if we could only invent a way of delivering a swift kick through the internet.
  • by physicsboy500 ( 645835 ) on Friday February 16, 2007 @10:14AM (#18038310)
    We'll chase off the Pharmers with our phlaming torches and pitchphorks!
  • by StressGuy ( 472374 ) on Friday February 16, 2007 @10:14AM (#18038316)
    I got a wireless router not too long ago for the first time. It came with an automated installer and, after reading the instructions and following the prompts, I was set up and "good-to-go".....or was I?

    I also needed to get this router configured on my Linux box...this required that I read some "outside documentation" - where I would learn of such things as passwords, WEP, etc.

    Anyway, it turns out the Windows auto-install script set this thing up with no protection what-so-ever. It was only after I read the HOWTO's on the internet that I was able to go back and secure my router for both Linux and Windows.

    I lived in a couple of neighborhoods since then and, when I fire up my laptop, there are usually one or two unsecured routers that get auto-detected.

    I can only assume there are scores of "average users" with no idea they are sharing their internet access with their neighbors or anyone who "drives by".

    Best security software in the world won't do much good if you don't tell the user what it is and how to use it.
    • Re: (Score:2, Informative)

      Anyway, it turns out the Windows auto-install script set this thing up with no protection what-so-ever. It was only after I read the HOWTO's on the internet that I was able to go back and secure my router for both Linux and Windows.

      I know it's always hip to bash Windows on slashdot, but to be fair: in Windows XP the applet that handles wireless connections says "unsecured wireless connection" right there in the dialog. The problem here is the software that comes with these access points: they are b

    • Re: (Score:3, Informative)

      by bcattwoo ( 737354 )
      As an AC points out further up, this vulnerability is not limited to open wireless routers. The exploit is accomplished when the victim visits a website containing some malicious code. The code causes the browser to make a HTTP request to a common default router IP using the default username and password to change the DNS server entries. I would guess that there are a number of people out there that are a lot less security conscious about their non-wireless routers.
    • Re: (Score:3, Interesting)

      by Lumpy ( 12016 )
      The fun part is when you set up your router with the newest DD-WRT beta release. I have it broadcasting about 30 SSIDs, all of them with default router names and no WEP. Then you set the nocatauth to redirect all traffic to a splash page that simply says "YOU ARE A MORON". Then I leave it disconnected except for power in my attic with the power turned up and some nice high gain antennas.

      After 30 days the number of default configuration routers in my neighborhood dropped significantly. I forced them all t
    • Forget documentation. Nobody reads it. They think of the computer -- and the router -- as an appliance that's simply switched on and that's the end of it.

      What home networking routers should do is, right out of the box, (a) have wireless off by default, and (b) when they plug their Ethernet cable in, all outgoing port 80 requests get redirected to an internal web server:

      Welcome to the RouteCo Pornblaster 2000 wireless router!
      Next >>

      then (c) gets them to set a password and finally (d) asks them if they want to activate the wireless. Oh, and throw in some legal d

    • "Anyway, it turns out the Windows auto-install script set this thing up with no protection what-so-ever."

      This sounds familiar. I just set up a "wireless gaming router" on my DSL router (outside the firewall and with appropriate filters to keep the wireless router from accessing the internal network) so that my neighbor would be able to check his email without going to the library, and during the installation process I found out that it can be configured over the wireless link, as I had forgotten to hook up
  • not, of course, that there is anything wrong with virus companies and universities developing hacks and cracks, but

    )80qws()8FAWEJ

    SPAM
    SPAM
    SPAM
    SPAM
    SPAM
    • by Marcion ( 876801 )
      It is like a Batman comic. Dr Evil unleashes a plague of killer wombats, while Dr Evil also has another life as the chief scientist of a drug company whose latest product is wombat prevention cream.
  • click [indiana.edu]
    (NO, it's not one of those malicious URLs, it explains how they work, really!)
  • by JackHoffman ( 1033824 ) on Friday February 16, 2007 @10:38AM (#18038590)
    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.
  • Why do all these things need to start with "Ph" instead of "F"? Someone explain it to me.
    • by oni ( 41625 )
      because of the cult of the dead cow, loftcrack, back orifice, port 31337, etc. etc.

      It's part of a culture that goes back to The Beginning.

      What's the saying from roots? If you don't know where you came from you won't know where you're going.
    • Back in the early days, using "ph" meant you were doing things to the telephone system. Like that scene in Hackers (yah yah, I know) where the kid used a tape recording of the tones a phone makes when you insert coins to fool the phone company into thinking that he'd inserted coins. Would have been "phreaking".

      These days, it's just idiot reporters who don't bother to actually do their research, coupled with idiot kids who think that misspelling words makes them sound cool. A Hacker is somebody who takes thi
  • by duffbeer703 ( 177751 ) * on Friday February 16, 2007 @10:51AM (#18038736)
    I'm so sick of phishing, vishing, pharming, pheering, etc.

    The security community is completely pathetic; the #1 motivation of all of this crap is consultants who want to go around and say that they coined the phrase "pharming", or were able to drum up panic over every obscure flaw in Powerpoint 97.

    • Someone agrees with you about oh-so-precious neologisms like "pharming" being considered harmful [emergentchaos.com]. "Pharming", besides being cutesy, is uncommunicative: it doesn't convey any more about the nature of the attack than "blepping" would, and with more risk of confusion as everyone tries to figure out how DNS spoofing relates to agriculture.
      • by BluBrick ( 1924 )
        Funny, I saw it quite differently. My first thought was that it had something to do with drugs. Probably because I read it before I heard it.

        Hmmm, considering that these compromised routers will almost certainly end up somehow involved in promoting Ci/-\lis, v1@gRa, and so on, maybe I was right!

  • by ajs318 ( 655362 ) <{sd_resp2} {at} {earthshod.co.uk}> on Friday February 16, 2007 @11:07AM (#18038936)
    It's not for nothing that we have this old saying: He who controls DNS, controls the Internet. It's scary what you can do to someone if you can tell them, authoritatively, that (for instance) the IP address for "www.google.co.uk" is 66.230.165.157. And that's exactly the sort of thing you can do, if you have control of a machine running BIND. If you were very, very careful what you subverted, you could snarf a lot of information. I'm sure it's possible to reverse-profile people by the "targeted adverts" they get sent in return for supplying personal information (but see here [slashdot.org] for advice). If you're serving up the fake pages from your own machine (and you might as well, because Apache is as much part of every Linux distro as BIND) then you have all you need to be The Man In The Middle -- you can pass on a (munged) version of their request to the intended target server and offer up the reply. If you're within wireless range of their router, you can even do it via that. Change back the DNS settings afterward and nobody need ever be any the wiser.

    In my street, there are at least three wireless networks with default passwords. When my friends come around with their wireless laptops, they get a good connection. It most definitely isn't through mine, because my LAN is all wired (in fact, it's still got one length of co-ax in it!) On two of them, the network name was the model of the router. One quick Google later and I had the default password. And it worked -- I had the configuration page up! I almost changed their network name to "uRpWn3d" and set a new password, just for a laugh and maybe to teach them a lesson, but decided against it; there are ways of pointing out something loose that look less like vandalism than breaking it off.

    The real, long-term solution is for routers to be designed not to route packets as long as the password is set to the factory default -- if the password hasn't been changed, then the router should not allow you to connect to anything except its own configuration page. If you do a full factory reset and find yourself able to connect to web sites straight away without deliberately changing the password, then that must mean one of your machines has already been compromised. Then it's better that you stay off the Net until your computers are fixed.
    • All good points, but it's kind of futile with most people. My friend has used wireless internet access for over a year, shared by one of his neighbours. I had a 30 minute conversation with him that ended in no resolution. His question: How do you know that you (meaning me) or me (meaning him) are not running an open wireless AP?

      Imagine trying to convince someone that 1) to run wireless you have to BUY a router 2) even if I had a wireless router I would secure it properly 3) I know what I have in my own house.
    • Having control of DNS also allows you to introduce exploits in places that trust things they shouldn't. For example, software that autoupdates without good keychecking -- You subvert that request and send it whatever it wants.

      Plenty of other ways to inject exploits like that once you can hijack DNS, none of them remotely traceable if done right.
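  • Two defences raised in this thread, as an added example that is not code from the article or from any router vendor: JackHoffman's point that the attack is a request reflected through the victim's own browser to the router's configuration interface, and ajs318's proposal that a router still on its factory password should serve nothing but its own configuration page. The host names, paths, token scheme and factory password are constructed for the example.

```python
"""Request gate for a router's web configuration page (added example, not vendor
code). Combines the default-password lockout proposed in the thread with a
same-origin and anti-CSRF-token check. All names and values are constructed."""
from dataclasses import dataclass, field
import secrets

ROUTER_HOSTS = {"192.168.1.1", "router.local"}  # constructed LAN addresses
FACTORY_PASSWORD = "admin"                      # constructed factory default
CONFIG_PATHS = {"/config/dns", "/setup/password"}


@dataclass
class RouterState:
    admin_password: str = FACTORY_PASSWORD
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    dns_servers: list = field(default_factory=lambda: ["auto"])

    def password_is_default(self) -> bool:
        return self.admin_password == FACTORY_PASSWORD


def origin_host(headers):
    """Host part of the Origin header (falling back to Referer), or ''."""
    url = headers.get("Origin") or headers.get("Referer") or ""
    return url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0]


def evaluate_request(state, method, path, headers, form):
    """Return (allowed, reason) for a request the server has already authenticated.

    Until the factory password is changed only the password page is served.
    Configuration changes must be POSTs from the router's own origin that carry
    the per-session anti-CSRF token; a crafted URL or cross-site form fails."""
    if state.password_is_default() and path != "/setup/password":
        return False, "factory password still set; only /setup/password is served"
    if path not in CONFIG_PATHS:
        return True, "non-configuration page"
    if method != "POST":
        return False, "configuration changes require POST, not a crafted URL"
    if origin_host(headers) not in ROUTER_HOSTS:
        return False, "cross-site request from %r" % headers.get("Origin", "")
    if form.get("csrf_token") != state.csrf_token:
        return False, "missing or stale anti-CSRF token"
    return True, "ok"


def apply_dns_change(state, method, headers, form):
    """Change the DNS servers only when evaluate_request allows it."""
    allowed, reason = evaluate_request(state, method, "/config/dns", headers, form)
    if allowed:
        state.dns_servers = form["dns"].split(",")
    return allowed, reason
```

    A reflected `<img>` or script request arrives as a GET with a foreign Origin and no token, so it fails three of the checks even when the browser supplies the default credentials.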
  • Most WiFi home routers don't allow configuration over WiFi by default - only over a wire. This may work with a small number of very old routers, of which the PCs behind them are probably already totally full of crapware, so any more won't make the slightest difference.
    • by really? ( 199452 )
      Actually, I have yet to find a router that won't let me admin it once I am connected to it; wireless or not. There could well be some/many, but all the ones I connected to wanted just the name/password to let me admin them.
  • The First thing I did when setting up my NetGear router was to change the password.
    I don't know if I can change the login name (need to check that).
    I also added blocks to certain web sites to keep the kids out of trouble.

    Things like this make me want to build my own router with an old computer running Linux or
    'BSD. Only problem would be getting Roaring Penguin to work with Bellsouth (AT&T!) dsl.
    (G-D PPPOE)!) Except that the Netgear box uses SO much less power than an old computer.
    Anybody know of a goo
    • by mutterc ( 828335 )

      Anybody know of a good and cheap low power platform to build a Linux router on?

      A Linksys WRT54GL, running OpenWRT [openwrt.org]. I'm in the midst of replacing my 486-based firewall and cheap 802.11 access point with it.

  • 1) Drive by pharm,
    2) Stop. Park.
    3) Milk cows.
    4) Feed chickens.
    5) Slop pigs.
    6) Stack hay.
    7) Profit.
  • So, I have to be sufficiently un-dumb enough to have changed from the default password on my home router/gateway. Ok, done.
    • My dad actually mentioned this story to me today. And I *don't* think he reads Slashdot.

      Meanwhile, I finally told him the router's password, which has been the same for the past 5 years. Suffice it to say, any household without a tech-viable consultant is potentially vulnerable.
