[clug] Drive-By Pharming Attack Could Hit Home Networks

[Alex Satrapa]

On 22/02/2007, at 23:43 , David Collett wrote:

> I think many routers already do this (no admin on wireless interface
> and/or wireless disabled out of the box). It doesn't stop *this*  
> attack
> though, thats the whole reason this one is more interesting, it works
> from *your* computer over your *wired* connection.

For those who didn't read TFA, here is how the attack works:
1) Victim visits website that contains malicous Javascript
2) Malicious Javascript causes browser to redirect to the admin page  
on the router which sets up malicious DNS addresses
3) Further web browsing will cause DNS lookups to go through  
malicious DNS, which will probably redirect all web requests through  
the attacker's proxy/man-in-the-middle server

If you set an administrative password that is not the default for the  
device, this attack will not work. We've derailed the discussion with  
talk about wireless routers (probably because a lot of us associate  
"drive by" with "war driving", when this version of "drive by" really  
means "click through"). I don't think David's assertion that the idea  
of disabling the primary feature of a router product until an  
administrative password is entered will fail to address the  
vulnerability.

The same configuration requirement could apply to wired-only routers  
or any other network connected device: don't allow (activation of  
primary feature of network connected product) until a password has  
been set for the (sensitive functions on the network connected  
product). Don't want drive-by activation of your network-connected  
espresso machine? Then set the password to something other than  
default settings.

Have a look at the way an Apple AirPort is set up: the very first  
thing it asks you for is an administrative password. Yes yes, it's a  
wireless router too so I'm further contributing to the  
misrepresentation of the vulnerability as affecting wireless routers  
only…

Alex