Friday, February 16, 2007

The router/javascript bug - this feels big

This feels pretty serious to me. In retrospect, of course, the attack is obvious. I suspect many security people have known about this vulnerability.
Symantec Security Response Weblog: Drive-By Pharming: How Clicking on a Link Can Cost You Dearly

...The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as ‘Cross Site Request Forgery’ and logs into your local home broadband router. Now, most such routers require a password for logging in. However, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router’s settings. One simple, but devastating, change is to the user’s DNS server settings...
Since I'm a geek I have two inline routers from different vendors with different admin passwords (the password you use to connect to an encrypted WLAN is not relevant here) and, I think, usernames. There are probably two other people I know who do this. I'm not even sure I changed the un/pw on my mother's router -- nor would I necessarily know how! Her primary router, which is where her DNS information comes from, was installed by her cable company.

In the near term, browser vendors will be scrambling to see if they can hack in some fix that breaks JavaScript for this purpose, while not disabling it for every purpose. I'm interested in what Schneier will say.

I don't believe my Airport Router has a web interface, so it's probably immune. Even if it weren't, Apple has a distribution mechanism that allows effective updating of their routers. There's something to be said for that ...

Most browsers, btw, will 'memorize' passwords. I presume that's not exploitable here.

PS. I assume it's obvious to my handful of geeky readers, but a robust WLAN password is of no help here. This is all about the router's admin pw.

Update 2/16/07: I underestimated myself. I did change my mother's router's admin pw.

Update 2/24/07: Schneier has an article. He agrees, it's impressive.
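
The attack quoted above works because the router's admin page accepts a settings change from any page the browser has open. The following is an added example, not code from this post, from Symantec or from any router vendor: a sketch of the checks a router's settings-change handler could apply to refuse such a cross-site request. The host names, request shape and token value are assumptions.

```javascript
// Added example: gate for the settings-change endpoint of a hypothetical
// router admin UI. ADMIN_HOSTS and the request shape are assumptions.
const ADMIN_HOSTS = new Set(['192.168.1.1', 'router.lan']);

function hostOf(url) {
  try { return new URL(url).host; } catch (e) { return null; }
}

// Length-checked comparison that does not exit early on the first mismatch.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers (lower-case keys), body, session }
function checkSettingsChange(req) {
  const h = req.headers || {};
  // Settings must never change on GET: an <img> or <script> tag can issue one.
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  // The request must be addressed to the router under a name it knows.
  if (!ADMIN_HOSTS.has(h.host)) return { ok: false, reason: 'host' };
  // It must come from the router's own pages, not from another site.
  const source = h.origin || h.referer;
  if (!source || !ADMIN_HOSTS.has(hostOf(source))) return { ok: false, reason: 'origin' };
  // It must carry the per-session token embedded in the router's own form.
  const sent = req.body && req.body.csrf;
  const expected = req.session && req.session.csrfToken;
  if (!tokensMatch(sent, expected)) return { ok: false, reason: 'token' };
  return { ok: true, reason: null };
}

// Constructed sample requests (not captured traffic).
const session = { csrfToken: 'c0ffee-constructed-token' };
const fromRouterUi = { method: 'POST',
  headers: { host: '192.168.1.1', origin: 'http://192.168.1.1' },
  body: { dns1: '192.168.1.1', csrf: 'c0ffee-constructed-token' }, session };
const fromOtherSite = { method: 'POST',
  headers: { host: '192.168.1.1', origin: 'http://example.test' },
  body: { dns1: '203.0.113.53' }, session };
const viaImageTag = { method: 'GET',
  headers: { host: '192.168.1.1', referer: 'http://example.test/page' },
  body: {}, session };

for (const [name, r] of Object.entries({ fromRouterUi, fromOtherSite, viaImageTag })) {
  console.log(name, checkSettingsChange(r));
}
```

None of these checks depend on the admin password, so they hold even on a router still using its factory default.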
