JavaScript Home Router Attacks Happening for Real
Filed Under Computers & Tech, Security on February 19, 2007 at 2:18 pm
In my rather long post on JavaScript security on the 15th I described a possible future scenario where JS could be used to attack home broadband routers. I was off sick last week so this morning I was catching up on some RSS feeds I subscribe to and was shocked to see the following advisory issued on the 16th by US CERT:
In an announcement made yesterday, security researchers at Symantec and Indiana University School of Informatics revealed that they had uncovered a serious new security threat targeting home broadband routers. The attack, dubbed Drive-By Pharming, allows an attacker to change the configuration of a home router when a user unknowingly visits a malicious website. The website employs malicious JavaScript code that allows an attacker to log into many types of home routers if the default password has not been changed. Once logged in, the attacker is able to change the configuration of the home router, including the Domain Name Server (DNS) server settings.
This type of attack is particularly concerning for a few reasons:
- Simply viewing the malicious webpage is all that is required for a user to fall victim to this attack.
- Many home users fail to change the default password on their broadband routers. The Symantec report indicates that 50% of all users could fall into this category.
- Changing the Domain Name Server (DNS) server settings allows an attacker to redirect the home user to a DNS server of their choice. This includes a malicious server set up by the attacker to direct users to other malicious websites, where information such as financial account numbers, passwords, and other sensitive data can be stolen.
Symantec notes that the best defense against this type of attack is for home users to change their default password. The following links provide support resources for three of the more common home router vendors:
US-CERT cautions users to avoid clicking on links sent in unsolicited emails. Users should also remain cautious when browsing the web and avoid visiting untrusted sites. More information can be found in Securing Your Web Browser document.
To learn more, or to view a flash-animation of the attack, visit Security Response Weblog.
This is pretty much exactly the scenario I warned about and it’s happening for real in the wild, NOW! If you have a broadband router make sure you change its password and give serious consideration to only enabling JS on sites that need it and not just surfing with JS on all the time. The threat is no longer hypothetical!
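The end result of the attack in the advisory is a changed DNS server setting, which can be partly checked from a client machine. As an added example (not code from this post, US-CERT or Symantec), the Python below audits resolv.conf-style text against an allowlist of expected resolvers; the sample file, its addresses and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918, loopback, link-local and ULA ranges: a resolver here is a LAN
# forwarder (usually the router), so its upstream DNS is not visible here.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample; documentation-range addresses stand in for real resolvers.
SAMPLE = """\
# generated by DHCP client
nameserver 192.168.1.1
nameserver 198.51.100.7   ; ISP resolver
nameserver 203.0.113.53
nameserver fe80::1%eth0
"""
TRUSTED = ["198.51.100.7"]  # assumed: the resolvers the owner expects to see

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1].split("%", 1)[0])  # drop IPv6 zone id
    return servers

def audit_resolvers(text, trusted):
    """Label each resolver trusted, lan-forwarder, unexpected or invalid."""
    trusted_addrs = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for raw in parse_nameservers(text):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append((raw, "invalid"))
            continue
        if addr in trusted_addrs:
            verdict = "trusted"
        elif any(addr.version == n.version and addr in n for n in LAN_NETS):
            verdict = "lan-forwarder"
        else:
            verdict = "unexpected"  # public resolver nobody configured
        findings.append((str(addr), verdict))
    return findings

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE, TRUSTED):
        print(f"{addr:<16} {verdict}")
```

A `lan-forwarder` verdict means the client only sees the router, so the DNS servers set on the router's own admin page still have to be checked by hand.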
Bart – this is so VERY depressing! I know you’ll think less of me, but I will keep Javascript on. I listen to people like Leo and Steve say things like “don’t open attachments in email. don’t click on links in email. don’t go to websites you don’t know” and now “don’t run with javascript on”. Ok, so that means I can’t see photos of my friends they send in email, I can’t even click on links to photos if they send them that way, I can’t click on links to cool new software apps people send me because I don’t know the site, and now I lose all the cool AJAX functionality that makes me SO SO SO happy.
why have a computer at all if I can’t have any fun?
sigh.
Allison, there is, thankfully, a half-way-house if you use Firefox, the NoScript plugin (https://addons.mozilla.org/firefox/722/). This lets you white-list the sites you want to get JS functionality on. So if you’re reviewing a tool just white-list it!
It really sucks that this level of security is now really needed to be safe, even on a Mac, but that’s the nature of our modern world 🙁
Allison, I wouldn’t get too carried away worrying about this kind of thing. I have Javascript switched on, always have, and never had a problem, on any OS. Long as you don’t surf dodgy sites very often (i.e. porn, warez, that kinda thing), chances of trouble are low enough.
For instance, from a user point of view, the issue posted above has a lot less to do with the dangers of Javascript than it does with the dangers of leaving a default password unchanged on a router. That’s a bad idea for a lot more reasons than JS vulnerabilities, and has been for a long time.
[…] Sure, this is a worst-case scenario, but far from an impossible one. The attacker may choose to simply install some key logging software on your computer instead, that way he can steal your bank details and other personal information. He may also decide to subscribe your computer to a botnet to have it send out spam or to launch DDOS attacks on other systems. What’s worse is that these JavaScript based attacks on broadband routers are not just theoretical, they are really happening. […]