RealTime IT News

Symantec Sounds Warning on Router Passwords

Security vendor Symantec  is warning broadband users of a potentially new threat able to reroute Internet traffic to fake Web sites. The hack could rewrite the internal address book of many home users' routers, which, for example, are used for setting up wireless networks.

"This attack has serious implications and affects many millions of users worldwide," claimed Zulfikar Ramzan, a Symantec researcher and one of the authors of proof-of-concept code about the vulnerability.

The threat, dubbed "Drive-by Pharming," relies on consumers to not change the default password once they set up their router with their broadband connection. Symantec said the practice could leave up to 50 percent of some 80 million broadband homes in the U.S. vulnerable.

Ramzan, a senior researcher with Symantec's Security Response group, told internetnews.com the vulnerability would take only one line of JavaScript code and works on every router. "The very infrastructure of the Internet is under threat."

The warning comes about two months after Ramzan, along with Indiana University researchers began researching details of the proof-of-concept.

Although pharming is old hat, this new version attacks the DNS server settings of all consumer routers, including D-Link, Cisco's Linksys and Netgear . Hackers create a web page including malicious JavaScript code able to log into your router using the device's default password.

Unlike previous pharming attempts, no links need be clicked or software downloaded. Victims need only visit a specially-designed Web site.

Once inside, hackers could effectively change the router's DNS settings, redirecting your bank's address to an identical site maintained by attackers. "However, you'll never realize that you were at a fake bank since you trusted the address," Ramzan wrote in a blog posting explaining a potential attack.

Consumers might think they are at their banking site, but they are actually at www.stealmyidentity.com, Gartner security analyst John Pescatore told internetnews.com.

Pescatore said consumer router manufacturers favor ease of use over security. Router makers offer consumers instructions on how to change the default passwords. Linksys, for example, warns consumers to change their passwords.

D-Link said it was aware of the threat. "We have redoubled our efforts to educate our customers on the importance of security in general, as well as the importance of changing the wireless router's default SSID and password, and enabling strong encryption," D-Link spokesman George Cravens told internetnews.com.

Netgear was not immediately available for comments on the router threat.

The lesson for router vendors: "Make security a standard part of the setup wizard, not a step at the end that says 'you should turn security on, and change defaults later, if you dare,'" advised Pescatore.