In my rather long post on JavaScript security on the 15th I described a possible future scenario where JS could be used to attack home broadband routers. I was off sick last week so this morning I was catching up on some RSS feeds I subscribe to and was shocked to see the follow advisory issued on the 16th by US CERT:

In an announcement made yesterday, security researchers at
Symantec and Indiana University School of Informatics revealed
that they had uncovered a serious new security threat targeting
home broadband routers. The attack, dubbed Drive-By Pharming,
allows an attacker to change the configuration of a home router
when a user unknowingly visits a malicious website. The website
employs malicious JavaScript code that allows an attacker to log
into many types of home routers if the default password has not
been changed. Once logged in, the attacker is able to change the
configuration of the home router, including the Domain Name
Server (DNS) server settings.

This type of attack is particularly concerning for a few reasons:

  • Simply viewing the malicious webpage is all that is required
    for a user to fall victim to this attack.
  • Many home users fail to change the default password on their
    broadband routers. The Symantec report indicates that 50% of
    all users could fall into this category.
  • Changing the Domain Name Server (DNS) server settings allow
    an attacker to redirect the home user to a DNS server of
    their choice. This includes a malicious server set up by the
    attacker to direct users to other malicious websites, where
    information such as financial account numbers, passwords,
    and other sensitive data can be stolen.

Symantec notes that the best defense against this type of attack
is for home users to change their default password. The
following links provide support resources for three of the more
common home router vendors:

US-CERT cautions users to avoid clicking on links sent in
unsolicited emails. Users should also remain cautious when
browsing the web and avoid visiting untrusted sites. More
information can be found in Securing Your Web Browser document.

To learn more, or to view a flash-animation of the attack, visit
Security Response Weblog.

This is pretty much exactly the scenario I warned about and it’s happening for real in the wild, NOW! If you have a broadband router make sure you change it’s password and give serious consideration to only enabling JS on sites that need it and not just surfing with JS on all the time. The threat is no longer hypothetical!