My ISP issues 2Wire modem/router/WAP boxes now. I found it very
interesting to explore what (few) changes require a password and what
ones do not.
In particular, packet filter and port forwarding changes require no
password at all - so changing your password on the router wouldn't do
you any good against driveby changes to those settings. I'll have to
look when I get home whether DNS server changes would.
A bit OT, but there's also the fact that since these devices are
considered ISP equipment - they include the modem that connects to
telco lines - the ISP has one, global, password for all home routers
on their network, and can admin them from the 'outside' of your home
network. Given big telco security standards, not a very reassuring
thought.
Regards
Mark
On 2/15/07, Zulfikar Ramzan wrote:
> We discovered a new potential threat that we term "Drive-by Pharming". An
attacker can create a web page containing a simple piece of malicious JavaScript code. When
the page is viewed, the code makes a login attempt into the user's home broadband router and
attempts to change its DNS server settings (e.g., to point the user to an
attacker-controlled DNS server). Once the user's machine receives the updated DNS settings
from the router (e.g., after the machine is rebooted) future DNS request are made to and
resolved by the attacker's DNS server.
>
> The main condition for the attack to be successful is that the attacker can
guess the router password (which can be very easy to do since these home routers
come with a default password that is uniform, well known, and often never
changed). Note that the attack does not require the user to download any
malicious software - simply viewing a web page with the malicious JavaScript code
is enough.
>
> We've written proof of concept code that can successfully carry out the steps
of the attack on Linksys, D-Link, and NETGEAR home routers. If users change their
home broadband router passwords to something difficult for an attacker to guess,
they are safe from this threat.
>
> Additional details on the attack can be found at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
>
> Thanks,
>
> Zulfikar Ramzan
>
>
> ________________________________________
>
> Zulfikar Ramzan
> Sr. Principal Security Researcher
> Advanced Threat Research
> Symantec Corporation
> www.symantec.com
> -----------------------------------------------------
> -----------------------------------------------------
> This message (including any attachments) is intended only for the use of the
individual or entity to which it is addressed and may contain information that is
non-public, proprietary, privileged, confidential, and exempt from disclosure
under applicable law or may constitute as attorney work product. If you are not
the intended recipient, you are hereby notified that any use, dissemination,
distribution, or copying of this communication is strictly prohibited. If you have
received this communication in error, notify us immediately by telephone and (i)
destroy this message if a facsimile or (ii) delete this message immediately if
this is an electronic communication. Thank you.
>
>
>