In my recent article on securing your home broadband connection I mentioned the importance of setting a password on your router. In that article I described hypothetical web-based attacks on your router; now we have a real-world example to really drive the point home. The attack happened in Mexico and involved users visiting a web page containing some very simple HTML code which reprogrammed their broadband routers behind their backs, changing the DNS settings. The effect of that change was that DNS still returned correct IP addresses for every domain on the internet except one: that of a major Mexican bank (more details on that specific attack in this NetworkWorld article).


This is quite devious because it means people won’t suspect that anything is up. If you reprogram the DNS so that all requests go to spam or phishing sites, people soon realise something is very wrong; but if you let every request through normally apart from one carefully chosen target, people won’t be suspicious and your chances of success go up.

To give you an idea of how this attack works and how easy it is to fall victim to it, I’ll walk you through it. It starts when you receive an email with a web link in it. It’s just an ordinary link, perhaps disguised as a link to an interesting article or something. It’s not an attachment and it’s not a spam email trying to sell you something, so you’re not suspicious and you click on the link. It opens in your browser, you read the article and carry on with whatever you were doing. You have no idea that something very nasty just happened. That web page just reprogrammed your router because you hadn’t set a password on it. You have a fully up-to-date virus scanner and a fully up-to-date firewall and neither batted an eyelid. After all, the web page just made your browser call a few URLs, a totally normal thing for a web page to do, and your browser will happily request any address it is told to, including addresses on your own home network. The thing is, the URLs it called were to the web interface on your router, and their effect was to change your DNS settings so that all DNS requests from all machines on your home network now go to the attacker’s own DNS server. (Tricking a logged-in or unprotected device into carrying out a request it never intended is known as cross-site request forgery, and no amount of scanning the email or the page for viruses will catch it, because there is no virus: just a link to your router.)

You are totally unaware that anything has gone wrong. You surf away happily for a few days and everything appears perfectly normal. Then you remember that you need to pay the electricity bill and you decide to do it through your internet banking service. You punch in the URL and get presented with a page that looks exactly like your bank’s site. The URL is correct and the page looks right; the URL is correct because it is DNS, not the URL, that decides which server your browser actually connects to. You enter your details. The site responds as normal, you log in and do your work. You do this a few more times over the next few days and weeks and are totally unaware that you weren’t communicating directly with your bank. Because your DNS settings have been compromised you have actually been talking to the attacker’s server, which has been acting as a middleman in your conversations with the bank and has been recording all your passwords and PINs as well as the answers to your security questions.

A few days later you go shopping and try to pay with your debit card. The card is refused. You get very embarrassed and get the clerk to try again. “I’m sorry but your card has been declined”. You ring your bank, you’re quite angry. You ask them why your card is being refused and they inform you that your account is empty. This is the first indication you get that the attacker has just run off with all your money.

This is not make-believe. This kind of thing is now happening for real. That’s why it’s vital that you set a password on your router, so that no web page or other program can reprogram it without that password. Two details matter: choose a password of your own rather than leaving the factory default, because a page can just as easily include the default password in the URLs it calls, and don’t leave your browser logged in to the router’s admin pages while you browse elsewhere, because a browser that is still holding your router credentials will send them along with the attacker’s requests.
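To make the mechanism concrete, here is a small added simulation, written for this article and not code from the original post or from any router vendor. It runs a pretend router admin interface on the loopback address (a real one lives on a LAN address such as 192.168.1.1), builds the kind of “interesting article” page described above with a hidden image pointing at that interface, fetches the page’s images the way a browser would, and runs the same attack twice: once against a router with no admin password and once against one that requires a password. The URL path /setdns, the query parameter name, the address 203.0.113.53 standing in for the attacker’s resolver, and the password are all made up for the example.

```python
"""Simulated home router admin interface, attacked by a web page, with and without a password."""
import base64
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen


class RouterState:
    """Configuration of one simulated router. Only the DNS setting matters here."""

    def __init__(self):
        self.dns_servers = ["192.168.1.1"]  # constructed default: the router resolves names itself


def _make_handler(state, password):
    class AdminHandler(BaseHTTPRequestHandler):
        def log_message(self, *_args):  # keep the demo quiet
            pass

        def _authorised(self):
            if password is None:  # no admin password set: anyone on the LAN may reconfigure
                return True
            expected = "Basic " + base64.b64encode(f"admin:{password}".encode()).decode()
            return self.headers.get("Authorization") == expected

        def _reply(self, code, body):
            data = body.encode()
            self.send_response(code)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            if code == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()
            self.wfile.write(data)

        def do_GET(self):
            url = urlparse(self.path)
            if url.path == "/status":      # read-only status page
                self._reply(200, ",".join(state.dns_servers))
            elif url.path == "/setdns":    # state-changing page; this is what the attack hits
                if not self._authorised():
                    self._reply(401, "password required")
                    return
                state.dns_servers = parse_qs(url.query).get("server", state.dns_servers)
                self._reply(200, "ok")
            else:
                self._reply(404, "not found")

    return AdminHandler


def start_router(password=None):
    """Start a simulated router admin interface on 127.0.0.1 and an ephemeral port."""
    state = RouterState()
    server = HTTPServer(("127.0.0.1", 0), _make_handler(state, password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, state


def malicious_page(router_port, attacker_dns="203.0.113.53"):
    """HTML an attacker might host: a hidden image whose src points at the router.

    attacker_dns is a constructed TEST-NET address standing in for the attacker's resolver.
    """
    return (
        "<html><body><h1>An interesting article</h1>"
        f'<img src="http://127.0.0.1:{router_port}/setdns?server={attacker_dns}" '
        'width="1" height="1"></body></html>'
    )


def browser_loads(html):
    """Stand-in for a browser: fetch every <img src> on the page, as a real browser would.

    Returns the HTTP status of each fetch so the caller can see how the router answered.
    """
    statuses = []
    for src in re.findall(r'<img src="([^"]+)"', html):
        try:
            with urlopen(src, timeout=5) as resp:
                statuses.append(resp.status)
        except HTTPError as err:  # a 401 from the password-protected router lands here
            statuses.append(err.code)
    return statuses


def demo(password=None):
    """Run the attack against one router; return (dns_before, statuses, dns_after)."""
    server, state = start_router(password)
    try:
        before = list(state.dns_servers)
        statuses = browser_loads(malicious_page(server.server_port))
        return before, statuses, list(state.dns_servers)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("no password:  ", demo())
    print("with password:", demo("made-up-password"))
```

With no password the single hidden image is enough to swap the router’s DNS servers for the attacker’s; with a password the router answers 401 and the setting is untouched. Note what the protected variant relies on: the simulated browser sends no credentials. A real browser that had recently authenticated to the router with HTTP Basic auth would attach them automatically, which is why logging out of the admin interface matters as well as setting the password.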

Could this happen here in Ireland? Absolutely. In fact, we are wide open to attack because of the continued lack of security savvy on the part of our largest home ISP, Eircom. The router administration page of a standard Eircom router installed following Eircom’s instructions is wide open: no password is needed to reconfigure it. There are literally thousands of identical Eircom-branded Netopia routers out there without administrator passwords set on them, and each and every one of them is open to this form of attack. Of course, it’s not just Eircom customers who need to check their settings today; everyone who has a broadband router of any kind needs to ensure that it can’t be administered without entering a password.