February 15, 2007 3:33 PM PST

Hack lets intruders sneak into home routers

If you haven't changed the default password on your home router, let this recent threat serve as a reminder.

Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

"I have been able to get this to work on Linksys, D-Link and Netgear routers," Symantec researcher Zulfikar Ramzan said. "You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this."

After a router's DNS setting is changed, all computers connected to the device will use the DNS server set up by the attacker to find their way on the Internet. DNS functions like the phonebook of the Internet, mapping text-based addresses such as www.news.com to actual numeric Internet Protocol addresses of a Web site.

The attack works on any type of home router, but only if the default router password hasn't been changed, Ramzan said. The malicious JavaScript code embedded on the attacker's Web page logs into the router using the default credentials--often as simple as "admin" and "password"--and changes the settings.

"One of the issues is that the set-up steps in the router don't prompt you to change the password," Ramzan said. As a result, many people never properly configure their networking gear, he said.

In crafting their proof-of-concept attack code, Ramzan and researchers at Indiana University built upon earlier research that showed how JavaScript could be used for malicious purposes. Jeremiah Grossman, chief technology officer at WhiteHat Security, demonstrated how JavaScript let outside attackers target internal corporate networks.

Grossman is impressed by the Symantec and Indiana University work. "This is very dangerous stuff and could be highly effective if used in the wild," he said.

Router makers already know of the problems with default passwords as well as other security concerns, they said. Linksys, for example, recommends that customers change the default password during the installation procedure, said Karen Sohl, a representative for the company, a division of Cisco Systems. "We are aware of this," she said.

On its Web site, Linksys warns users that miscreants are taking advantage of the default passwords. "Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device's password so it will be hard to guess," the company states.

Still, although Linksys' software recommends the password change, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. The company offers detailed information on how to change the router password on its Web site. Netgear and D-Link also recommend password changes.


37 comments

This is caused by two problems.
First off, companies are marketing tech but skipping a step. It seems to go direct from engineering to market.

They should know that people are not engineers, and need a more friendly interface. Many more things should be automatic, rather than counting on manually configuring. Ever try to get NAT or VPN to work on a router? Almost have to be an engineer just to understand the settings. It's no wonder people have such a hard time.
Same goes for the password. The ability to leave it as default should not exist. During the installation process, the consumer should be prompted to enter a password. No ability to skip this step should be provided. Furthermore, if the consumer tried to use the product without entering a new password, the product should simply not work. Of course, this would lead to tech support phone calls, which cost money. Personally, I'd rather be known as the company whose instructions for using their product must be followed than as the company whose product is dangerous to use. (even worse, the company whose product helped thieves clean out someone's bank account).
The other problem is people who are just too damn lazy to read the instructions. I work in the electronic service field, and it's amazing how many people I deal with just because they couldn't be bothered to read the instructions. One customer who pulled up in a Limo, brought in an item he said was defective, and upon being informed there was nothing wrong with it and reading the owner's manual would have solved his problem promptly replied "I don't read owners manuals".
If people start getting ripped off by this method, the only ones I'll feel sorry for are the ones that couldn't figure out how to change the password.
Those that skipped the step, or simply couldn't be bothered will get what they deserve. Financial evolution in action.
Posted by Mergatroid Mania (8395 comments )
Turn Java Off By Default
It is a bad idea in general to have Java enabled by default in your browser. I use the Noscript add-on for Firefox. Sites that I visit are only given script access if I expressly grant it. I can grant either on a temporary or permanent basis.
Posted by Stating (869 comments )
That's nice.
At least you know that you need to take precautions. Unfortunately, most computer users are absolutely clueless about setting passwords.

I service home computers regularly, and have yet to encounter any passwords being used on any software or device I have encountered. The first thing I do is set up "user" accounts to be used instead of the default "Administrator" accounts and teach people how to set passwords. It's amazing how most people don't even have a clue as how to set their password in Windows.

Consumer products cannot assume the user will configure anything. Most people will buy a router and plug it in using the pretty pictures as a reference and expect everything to work. In the case of most routers, they WILL work out of the box. The exception being those that need PPPoE, but PPPoE seems to be on the decline with ISPs in this region. SBC now ships DSL modems that do PPPoE for the client and any DHCP device will work behind them.

What router manufacturers really should be doing is intercepting the first HTTP access and forcing a setup wizard when they are first installed.

Mergatroid Mania is correct, the software engineers should not be designing the interface for consumer routers. Want to see a software engineer twitch, let them see how their software is actually being used by Joe Consumer.
Posted by lschweiss (9 comments )
I dunno.
I wouldn't have too much faith in NoScript if I were you. I used to use it until one day I noticed a flash object started playing for a few seconds until NoScript disabled it. If it had been a malicious script it would be too late.
Posted by drivel (2 comments )
note
Java is not and does not equal JavaScript.

Just thought I'd point that out, the two often get confused. The
issue here (as I've read it) is with JavaScript. Turning off Java will do
*NOTHING* to protect you from this!
Posted by Dalkorian (3000 comments )
turning JavaSCRIPT off turns off web apps
Another poster has already kindly pointed out the difference between Java and JavaScript.

The downside of turning off JavaScript is that virtually any interactive web application depends on JavaScript for all of its niftiness, and they will either not work, or will fall back to being sluggish and forcing you to post a page back to do anything at all.

Want to use GMail the way it's meant to be used? The spiffy new beta of Yahoo Mail? Google Docs & Spreadsheets? Google Maps? Kiss all that goodbye if you turn off JavaScript.
Posted by wanorris (226 comments )
Very easy
In one reference design, which could be used by those companies, the router settings are changed by HTTP GET request. This means any website could change the settings, if the default password is used. Java Script is not even required.
Posted by alegr (1590 comments )
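
Added example, not part of the comment thread and not code from the article, the researchers or any router vendor: a sketch of the router-side checks raised above, namely refusing to operate on the factory password, refusing settings changes sent by GET, and (an added, commonly used defense) refusing requests that did not come from the router's own pages. The function, endpoint paths and sample values are hypothetical.

```javascript
// Admission check for a home router's admin web interface (illustrative sketch).
// FACTORY_PASSWORD, ROUTER_ORIGIN, the paths and checkAdminRequest are hypothetical.
const FACTORY_PASSWORD = "password";          // constructed sample default
const ROUTER_ORIGIN = "http://192.168.1.1";   // router address quoted in the thread

// Return "scheme://host[:port]" for a URL, or null when it cannot be parsed.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// req:   { method, path, headers } with lower-cased header names
// state: { adminPassword } as currently stored on the device
// Authentication is assumed to happen elsewhere; it does not stop this attack,
// because the victim's browser is the one presenting the credentials.
function checkAdminRequest(req, state) {
  // 1. Until the factory password is replaced, only the setup wizard is served.
  if (state.adminPassword === FACTORY_PASSWORD && req.path !== "/setup") {
    return { status: 302, reason: "factory password still set, go to /setup" };
  }

  // 2. GET may only read pages; a GET to the settings endpoint is refused,
  //    so an <img> or link on a third-party page cannot change the configuration.
  const isSettings = req.path.startsWith("/apply");
  if (req.method === "GET" && !isSettings) {
    return { status: 200, reason: "read-only page" };
  }
  if (req.method !== "POST") {
    return { status: 405, reason: "state changes require POST" };
  }

  // 3. Every POST (settings and the setup wizard alike) must come from the
  //    router's own pages: check Origin, falling back to Referer.
  const source = req.headers["origin"] || originOf(req.headers["referer"] || "");
  if (source !== ROUTER_ORIGIN) {
    return { status: 403, reason: "request did not come from the router's pages" };
  }
  return { status: 200, reason: "accepted" };
}

// Constructed sample: a cross-site GET that tries to rewrite the DNS server.
const sample = { method: "GET", path: "/apply?dns1=203.0.113.5", headers: {} };
console.log(checkAdminRequest(sample, { adminPassword: FACTORY_PASSWORD }));
```

The setup wizard is covered by the same origin check, since a wizard that accepts a cross-site POST would let a hostile page choose the new password.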
Symantec has a lot of potential.
This shows the potential Symantec has. They are often at the forefront of security issues. Alas if only they used their power for good and created worthy software.
Posted by Renegade Knight (13748 comments )
Not really
This was first mentioned at BlackHat 2006 by Jeremiah Grossman and RSnake:

http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf

There has been a lot of research lately into what can be done with Javascript. The results are astounding.

Also discussed here: http://ha.ckers.org/blog/20070215/router-reconfiguration-xss/
Posted by kgrutz (2 comments )
is it really possible? don't you have to type IP address of your router
It's not some website on the web. You have to type your own IP router to get to the webpage that served up by the router. It's in the hardware. How can you do cross-site scripting with that?
Posted by tphm (17 comments )
Let's see...
192.168.0.1 -or- 192.168.1.1. How hard was that?
Posted by mrjam32 (8 comments )
Use a Mac or Linux. Won't have this problem!
Microsoft's defaults and no security caused this to occur. When will people learn? How many hacks onto NON-Microsoft hardware will people allow before they finally realize it's their operating system causing all of it?
Posted by Anon-Y-mous (124 comments )
Good Point
You're right. If you just use a Mac Airport Base Station or Mac Airport Express for your router you won't have this problem.
Posted by umcrouc0 (53 comments )
Not so sure..
I don't know about Macs but not so sure about Linux!! JavaScript is a scripting language just like HTML. It executes from the web browser so as long as the browser is able to run JavaScript the hacker code should run no matter you are running on Linux or Windows. Unless you are using FireFox which you can disable JavaScript to run.
Posted by yeungj (26 comments )
Sorry, but no.
This hack uses Javascript, which, as far as I know, is cross-platform. Just because one uses Linux or Mac, one should not assume that this could not happen. I would advise that the default password on any wireless router be changed as soon as it is powered on the first time.
Posted by eBob1 (188 comments )
This hack has NOTHING to do with the OS
Congrats, you win the prize for dumbest post of the thread so far! Now, please go back and read again. Hopefully you'll understand that this hack works EXACTLY the same if you're using Windows, Mac, Linux or any other OS. As long as you have one of the routers in question and standard JavaScript installed, you're vulnerable.

Actually even JavaScript is not 100% necessary, it just makes things easier. Plain old HTML could probably be used to accomplish the exact same thing.
Posted by Hoser McMoose (182 comments )
I don't think you read the article.
How on Earth is this Microsoft's fault? Are they even mentioned in the article? The problem lies in the interface to the routers themselves. To my knowledge, Javascript is platform independent meaning it does not care if you are using Windows, Mac, or Linux. The code is the same, only the Java clients are different. Though, when this story is boiled down to its essence, this is an id10t error of users not taking the time to RTFM.
Posted by jcollett69 (6 comments )
Wrong, Wrong, Wrong.
If:

1. You have a computer (Linux, Mac or PC - doesn't matter)...

2. ...with JavaScript enabled on your browser (Opera, FireFox or IE - doesn't matter).

3. Your computer talks through a router with the default password and username (Linksys, DLink or NetGear - doesn't matter).

4. You browse to a webpage with the evil Javascript in it, and the JavaScript reconfigures your router to load different web pages without you knowing.

5. You're hosed.
Posted by scottSEA (1 comment )
clueless
*** are you babbling about? not even a clue. not even a clue.
Posted by gggg sssss (2285 comments )
You haven't a clue!
That is total rubbish! Mac and Linux both use java in the same way and the password is a property of the router not the operating system!
Stop posting the same crap to every story you bigot!
Posted by allis0 (9 comments )
Read the story, Mac ignoramus
The article specifically addresses routers, and their manufacturers. But you seem to have a typically ignorant reaction, hence your comment, which shows that you have not read the article. It refers to router security, and Macs attached to them as well as Windows machines!!!
Posted by v_noronha (18 comments )
Telecommuting and Wireless
The factor that is probably the worst is people telecommuting from businesses and have unprotected home networks. The potential losses from these types of situations have the greatest impact on businesses.

Telecommuting is responsible for a growing part of the business world. I was reading an article from ezine http://ezinearticles.com/?Telecommuting-Safely-for-Better-Business&id=377038
Just going over how accidental loss affects companies. If people begin to do the "Drive by Pharming" then it can be terrible for business professionals who may not even be aware of their poor behavior online.
Posted by MD525 (22 comments )
Agree
I like the article that you have posted. This is so true but a lot of people do not realize. But I think this more or less affects small to medium businesses. Larger businesses usually set up VPN for their employees. BUT only if the employees use it. For me, I sort of don't use it at home mainly because my company blocks MSN, Youtube, audio streaming, etc.
Posted by yeungj (26 comments )
Surprised this hasn't happened sooner!
Honestly I'm rather shocked that this hasn't happened sooner. Actually, scratch that, it HAS happened before, I'm fairly certain of it, it probably just hasn't been all that widely publicized. Other similar attacks could enable unencrypted wireless, enable port-forwarding to access potentially vulnerable ports or, in an extreme situation, even upload a new and compromised version of the router firmware.

This is really a trivial hack. Actually I wouldn't even really call it a "hack" since that implies that there was some real thought and trickery involved here. Really it's just simply automating a procedure and making use of the fact that most users don't change default passwords.

It is somewhat ingenious in its simplicity though. This should work on any OS that the routers are connected to and there would be no obvious sign. I take a much more paranoid approach to security than the average home user, but honestly I think it's been months since I last checked the DNS settings on my router (though I most certainly did change the default password!). And even if someone DID check their DNS address, would they recognize the IP address for the hacker's site vs. their own ISP's DNS server IP address?

Honestly if this were to happen to me, probably the only thing I would notice is that the malicious hacker's DNS server would probably be faster and more reliable than that of my ISP's! :)
Posted by Hoser McMoose (182 comments )
Me too, we used to do this years ago
Before the days of Gotomypc and other variants to connect to home PCs from the office, we used to do this exact same thing. 8 years or so ago we used to connect in the morning through dialup, open the javascript page which then reconfigures another webpage with the home pc address (which changed each day of course). Then later from the office you have the address of the home machine and can ssh to home and sync files etc. Not as complex as figuring out the brand of router and appropriately logging in and changing settings but same principle, and nearly a decade old.
Posted by lynxss (39 comments )
Read the article, Mac-ignoramus!!!
The article specifically addresses routers, and their manufacturers. But you seem to have a typically ignorant reaction, hence your comment, which shows that you have not read the article. It refers to router security, and Macs attached to them as well as Windows machines!!!
Posted by v_noronha (18 comments )
 
