Security vendor Symantec is warning broadband users of a potentially new threat able to reroute Internet traffic to fake Web sites. The hack could rewrite the internal address book of many home users’ routers, which, for example, are used for setting up wireless networks.
“This attack has serious implications and affects many millions of users worldwide,” claimed Zulfikar Ramzan, a Symantec researcher and one of the authors of proof-of-concept code about the vulnerability.
The threat, dubbed “Drive-by Pharming,” relies on consumers not changing the default password when they set up their router with their broadband connection. Symantec said the practice could leave up to 50 percent of some 80 million broadband homes in the U.S. vulnerable.
Ramzan, a senior researcher with Symantec’s Security Response group, told internetnews.com the vulnerability would take only one line of JavaScript code and works on every router. “The very infrastructure of the Internet is under threat.”
The warning comes about two months after Ramzan, along with Indiana University researchers, began researching details of the proof-of-concept.
Although pharming is old hat, this new version attacks the DNS server settings of all consumer routers, including D-Link, Cisco’s Linksys and Netgear. Hackers create a web page including malicious JavaScript code able to log into your router using the device’s default password.
Unlike previous pharming attempts, no links need be clicked or software downloaded. Victims need only visit a specially-designed Web site.
Once inside, hackers could effectively change the router’s DNS settings, redirecting your bank’s address to an identical site maintained by attackers. “However, you’ll never realize that you were at a fake bank since you trusted the address,” Ramzan wrote in a blog posting explaining a potential attack.
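The two conditions the article describes, an unchanged default admin password and DNS settings that no longer point at the ISP's resolvers, are exactly what a home-network health check should look for. The audit below is an added example, not Symantec's proof-of-concept; the router state dicts, the default-credential table and the trusted resolver ranges are all constructed for illustration.

```python
"""Audit a consumer router's state for the conditions Drive-by Pharming relies on.

Added example (not Symantec's code). All credential and address values are
constructed placeholders; replace them with your ISP's resolver range and the
vendor's documented defaults.
"""
import ipaddress

# Constructed table of factory logins a vendor might ship (placeholders).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
}

# Constructed allow-list: a stand-in ISP resolver range (TEST-NET-3) plus
# two well-known public resolvers. Anything outside these is suspicious.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("1.1.1.1/32"),
]


def audit_router(state):
    """Return a list of human-readable findings for one router state dict.

    Expected keys: 'admin_user', 'admin_password', 'dns_servers' (list of
    dotted-quad strings). An empty list means nothing looked wrong.
    """
    findings = []
    if (state["admin_user"], state["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials still in use")
    for entry in state["dns_servers"]:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # A garbled entry is itself worth a look: it may be a hostname
            # pushed in by an attacker or a sign of a corrupted config page.
            findings.append(f"unparseable DNS server entry {entry!r}")
            continue
        if not any(addr in net for net in TRUSTED_RESOLVERS):
            findings.append(f"untrusted DNS server {addr}")
    return findings


# Constructed sample states: one untouched router, one that has been pharmed.
CLEAN_ROUTER = {"admin_user": "admin", "admin_password": "7Lq!v9xRt2",
                "dns_servers": ["203.0.113.53", "203.0.113.54"]}
PHARMED_ROUTER = {"admin_user": "admin", "admin_password": "admin",
                  "dns_servers": ["198.51.100.7", "203.0.113.53"]}
```

Run `audit_router()` against the state scraped from the router's admin page on a schedule; a new finding on a previously clean device is the signal the article's victims never get.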
Consumers might think they are at their banking site, but they are actually at www.stealmyidentity.com, Gartner security analyst John Pescatore told internetnews.com.
Pescatore said consumer router manufacturers favor ease of use over security. Router makers offer consumers instructions on how to change the default passwords. Linksys, for example, warns consumers to change their passwords.
D-Link said it was aware of the threat. “We have redoubled our efforts to educate our customers on the importance of security in general, as well as the importance of changing the wireless router’s default SSID and password, and enabling strong encryption,” D-Link spokesman George Cravens told internetnews.com.
Netgear was not immediately available for comment on the router threat.
The lesson for router vendors: “Make security a standard part of the setup wizard, not a step at the end that says ‘you should turn security on, and change defaults later, if you dare,’” advised Pescatore.