Friday, February 16, 2007

drive-by pharming

If you have not set a hard-to-guess password on your broadband router, do it now. There's a way attackers can compromise your router from the inside using simple JavaScript.

The basic idea is this: you visit a malicious website and it distracts you. While you're distracted (playing a game, reading news, etc.), it runs JavaScript code to scan your internal network and identify the IP address of your router. Once the router is found, the malicious script sends "reconfiguration requests" to it, attempting to change the DNS server your network uses. If that succeeds, every DNS query from your network can be directed to an attacker's server, thus pharming you. For technical details, please see our tech report, but in brief this attack is not complex.

The solution: make your router's admin password hard to guess.
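As an added example (not from the original post or the tech report), a small Python check for the symptom the attack leaves behind: it reads the resolvers a machine was handed by DHCP and flags any that are neither a LAN (RFC 1918) address, i.e. the router forwarding DNS, nor a resolver you knowingly configured. The sample resolv.conf contents and the "expected" resolver addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of what a DHCP client on a pharmed LAN might write to
# /etc/resolv.conf: an outside resolver has been pushed in ahead of the
# router's own LAN address. 203.0.113.7 is a documentation-range placeholder.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 203.0.113.7
nameserver 192.168.1.1
search home.lan
"""

# Public resolvers we deliberately configured (assumed placeholder values).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# RFC 1918 ranges: a resolver here is the router (or another LAN host).
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(text):
    """Extract the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:                     # skip malformed entries
                continue
    return servers


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return (address, verdict) per resolver.
    'ok'      -> LAN address (router forwarding DNS) or a known resolver
    'SUSPECT' -> a public address never configured: the signature of a
                 router whose DNS setting was changed behind your back."""
    expected_ips = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for addr in parse_nameservers(text):
        on_lan = any(addr in net for net in LAN_NETWORKS)
        verdict = "ok" if (on_lan or addr in expected_ips) else "SUSPECT"
        findings.append((str(addr), verdict))
    return findings


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{addr:16} {verdict}")
```

A SUSPECT entry is a prompt to log into the router and compare its DNS setting against what your ISP or you actually assigned.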

I recently developed this with Zulfikar Ramzan from Symantec, who forwarded an interesting Black Hat talk by Jeremiah Grossman to my advisor (Markus). Markus in turn forwarded it to me, and that's when it struck me that we could similarly mount a pharming attack without playing man-in-the-middle - all it takes is a tweak of the router's DNS server setting, and a whole home network is pharmed. Coupled with the idea that roughly 50% of broadband routers still use the default password, this attack affects a whole lot of people.

Symantec PR picked up on what we did, and issued a press release today:
(Symantec Press Release)

Read More:
(Zully's Blog Post)
(Tech Report)

Select Media Coverage:
(Google aggregate)
(Info World -- IDG article)
( -- amusing comments thread)
(Washington Post Blog)
(Red Herring)
(Computer World)

Update (16-Feb-07 9:30am ET): The story got picked up by Forbes and the Washington Post, and the Google News index on "Drive-by Pharming" is roughly fifty-something.

My Favorite Headlines:
Researchers highlight a router route to pharming
New Drive-By Attack Taking Over Home Routers
Broadband routers welcome drive-by hackers
Change Your Router Password NOW!

Update (16-Feb-07 10:30am ET): Slashdot picked it up.

Anonymous said...

Hey, congrats, that's pretty cool. I was just about to send you the /. link. Also sent your posting around to some network geeks I know. ;)

On that note, on my home network, I have a relatively obscure password and the router is on a non-standard IP, so it's a bit safer...

Anonymous said...

Congratulations! Bruce Schneier picked up your paper on his blog, too... I saw a presentation by Jeremiah Grossman of WhiteHat at RSA regarding browser zombies - we're probably gonna use BeEF for our social engineering tests at work. Good paper, loved seeing your name. :-)

- Mike Henderson (RHIT, 2002)

Anonymous said...

Ha... I work in the IS dept of a local hospital and I find it funny (not really) how often I may need someone's password and I spend less than 2 minutes and find it somewhere within reach of their desk. Now this is their login password and not their patient data passwords, so no worries there, but I think if it's a password, it shouldn't be written down and placed around your computer.