{"id":380,"date":"2007-02-19T14:18:11","date_gmt":"2007-02-19T14:18:11","guid":{"rendered":"http:\/\/www.bartbusschots.ie\/blog\/?p=380"},"modified":"2014-08-04T15:44:45","modified_gmt":"2014-08-04T15:44:45","slug":"javascript-home-router-attacks-happening-for-real","status":"publish","type":"post","link":"https:\/\/www.bartbusschots.ie\/s\/2007\/02\/19\/javascript-home-router-attacks-happening-for-real\/","title":{"rendered":"JavaScript Home Router Attacks Happening for Real"},"content":{"rendered":"<p>In my rather long post on <a href=\"http:\/\/www.bartbusschots.ie\/blog\/?p=324\" target=\"_blank\">JavaScript security<\/a> on the 15th I described a possible future scenario where JS could be used to attack home broadband routers. I was off sick last week so this morning I was catching up on some RSS feeds I subscribe to and was shocked to see the following advisory issued on the 16th by <a href=\"http:\/\/www.us-cert.gov\/\" target=\"_blank\">US CERT<\/a>:<\/p>\n<blockquote>\n<p>In an <a href=\"http:\/\/www.symantec.com\/enterprise\/security_response\/weblog\/2007\/02\/driveby_pharming_how_clicking_1.html\" >announcement<\/a> made yesterday, security researchers at<br \/>\n\t\t\t\tSymantec and Indiana University School of Informatics revealed<br \/>\n\t\t\t\tthat they had uncovered a serious new security threat targeting<br \/>\n\t\t\t\thome broadband routers. The attack, dubbed Drive-By Pharming,<br \/>\n\t\t\t\tallows an attacker to change the configuration of a home router<br \/>\n\t\t\t\twhen a user unknowingly visits a malicious website. The website<br \/>\n\t\t\t\temploys malicious JavaScript code that allows an attacker to log<br \/>\n\t\t\t\tinto many types of home routers if the default password has not<br \/>\n\t\t\t\tbeen changed. Once logged in, the attacker is able to change the<br \/>\n\t\t\t\tconfiguration of the home router, including the Domain Name<br \/>\n\t\t\t\tServer (DNS) server settings. 
<\/p>\n<p>This type of attack is particularly concerning for a few reasons:<\/p>\n<ul>\n<li>Simply viewing the malicious webpage is all that is required<br \/>\n\t\t\t\t\tfor a user to fall victim to this attack.<\/li>\n<li>Many home users fail to change the default password on their<br \/>\n\t\t\t\t\tbroadband routers. The Symantec report indicates that 50% of<br \/>\n\t\t\t\t\tall users could fall into this category. <\/li>\n<li>Changing the Domain Name Server (DNS) server settings allows<br \/>\n\t\t\t\t\tan attacker to redirect the home user to a DNS server of<br \/>\n\t\t\t\t\ttheir choice. This includes a malicious server set up by the<br \/>\n\t\t\t\t\tattacker to direct users to other malicious websites, where<br \/>\n\t\t\t\t\tinformation such as financial account numbers, passwords,<br \/>\n\t\t\t\t\tand other sensitive data can be stolen. <\/li>\n<\/ul>\n<p>Symantec notes that the best defense against this type of attack<br \/>\n\t\t\t\tis for home users to change their default password. The<br \/>\n\t\t\t\tfollowing links provide support resources for three of the more<br \/>\n\t\t\t\tcommon home router vendors:<\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"http:\/\/support.dlink.com\/faq\/view.asp?prod_id=1997&amp;question=password+change\" >D-Link<\/a>\n\t\t\t\t<\/li>\n<li>\n\t\t\t\t\t<a href=\"http:\/\/linksys.custhelp.com\/cgi-bin\/linksys.cfg\/php\/enduser\/std_adp.php?p_faqid=3976\" >Linksys<\/a>\n\t\t\t\t<\/li>\n<li>\n\t\t\t\t\t<a href=\"http:\/\/kbserver.netgear.com\/inquira\/default.asp?ui_mode=answer&amp;prior_transaction_id=2584754&amp;action_code=5&amp;highlight_info=16777268,114,118&amp;turl=http:\/\/kbserver.netgear.com\/kb_web_files\/N101475.asp&amp;answer_id=65745448#__highlight\" >NETGEAR<\/a>\n\t\t\t\t<\/li>\n<\/ul>\n<p>US-CERT cautions users to avoid clicking on links sent in<br \/>\n\t\t\t\tunsolicited emails. Users should also remain cautious when<br \/>\n\t\t\t\tbrowsing the web and avoid visiting untrusted sites. 
More<br \/>\n\t\t\t\tinformation can be found in <a href=\"http:\/\/www.cert.org\/tech_tips\/securing_browser\/#Mozilla_Firefox\" >Securing Your Web Browser<\/a> document.<\/p>\n<p>To learn more, or to view a flash-animation of the attack, visit<br \/>\n\t\t\t\t\t<a href=\"http:\/\/www.symantec.com\/enterprise\/security_response\/weblog\/2007\/02\/driveby_pharming_how_clicking_1.html\" >Security Response Weblog<\/a>.<\/p>\n<\/blockquote>\n<p>This is pretty much exactly the scenario I warned about and it&#8217;s happening for real in the wild, NOW! If you have a broadband router make sure you change its password and give serious consideration to only enabling JS on sites that need it and not just surfing with JS on all the time. The threat is no longer hypothetical!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my rather long post on JavaScript security on the 15th I described a possible future scenario where JS could be used to attack home broadband routers. I was off sick last week so this morning I was catching up on some RSS feeds I subscribe to and was shocked to see the following advisory 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[12,17],"tags":[447,420,437],"series":[],"class_list":["post-380","post","type-post","status-publish","format-standard","hentry","category-computers-tech","category-security","tag-home-routers","tag-javascript","tag-vulnerability"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p7t9xK-68","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts\/380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/comments?post=380"}],"version-history":[{"count":1,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts\/380\/revisions"}],"predecessor-version":[{"id":7458,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts\/380\/revisions\/7458"}],"wp:attachment":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/media?parent=380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.b
artbusschots.ie\/s\/wp-json\/wp\/v2\/categories?post=380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/tags?post=380"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/series?post=380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}