Your router can be hijacked. Easily

How many of us connect to the Internet through a router? Dial-up is disappearing year by year; most people now use cable, DSL or another broadband connection, and most of those go through a router. Wireless traffic goes through it as well.

Today routers are cheap and capable: a desktop, a laptop and even an Xbox can all share one. They also add a layer of security. Nearly all of them do network address translation, and some include a packet filter or firewall, so unsolicited connections from the Internet never reach your machines; that is why many people run no software firewall at all behind a router. Note what that protection does not cover: connections your own computers open outwards, including the ones your browser makes.

But does this mean routers are unbreakable? Of course not. Worse, informal surveys suggest that about half of all home routers are never reconfigured after purchase.

When you buy a router, every setting is a factory default. That usually means no wireless encryption, reduced security settings and, always, a weak default password for the web-based control interface. On D-Link routers, for instance, there is no password at all: type "admin" as the user name, press Enter and you are in. On Linksys routers the default password is "admin". Other popular brands are similar.

Needless to say, leaving the defaults in place is bad practice. Anyone with access to your network can reconfigure the connection. Even if you trust your family, your neighbors and complete strangers can join your network over wireless, which is sometimes switched on by default.

Sounds scary? It gets worse when an attacker from outside reconfigures your router. That may sound impossible, but recent attack techniques make it easy.

Security experts call it drive-by pharming. You unknowingly visit a malicious web page that hosts an exploit in the form of JavaScript. If JavaScript is enabled in your browser (in most browsers it is), the code runs automatically and you notice nothing. The code uses a technique known as Cross-Site Request Forgery (CSRF): the page makes your own browser send requests to the router's private address on your network, the same requests the router's administration pages would send, and the router cannot tell the difference. The login is protected by a password, but the exploit carries a list of default passwords and tries them in turn. If your router was never reconfigured, it is hijacked.
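To make the mechanism concrete, here is an added example that is not code from the original article: a simulated router administration endpoint that changes the DNS servers, in the vulnerable shape drive-by pharming relies on, beside a hardened version, and a simulated drive-by page that forges the request with each factory default in turn. Nothing touches the network; the router address 192.168.1.1, the credential list and the addresses (RFC 5737 documentation ranges) are assumptions for the illustration.

```javascript
// Added example, not from the original article. In-memory model of a router
// admin endpoint and of the forged requests a malicious page causes the
// victim's browser to send. 192.168.1.1, the credentials and all addresses
// are constructed for the illustration.

const ROUTER_HOST = "192.168.1.1";
const ISP_DNS = "203.0.113.53";

// Constructed list of factory defaults a drive-by page might try in turn.
const DEFAULT_CREDS = [["admin", ""], ["admin", "admin"], ["admin", "password"]];

function basic(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
}

// Vulnerable handler: any request carrying the right credentials is honoured,
// regardless of HTTP method, of the page that triggered it, or of any token.
// A GET with the settings in the query string is enough to apply them.
function makeVulnerableRouter(adminPass) {
  const state = { dns: [ISP_DNS] };
  return {
    state,
    handle(req) {
      if (req.headers.authorization !== basic("admin", adminPass)) return 401;
      const url = new URL(req.url, `http://${ROUTER_HOST}`);
      if (url.pathname === "/apply") {
        state.dns = [url.searchParams.get("dns1")];
        return 200;
      }
      return 404;
    },
  };
}

// Hardened handler: settings change only via POST, only when the browser says
// the request came from the router's own pages (Origin header), and only with
// a per-session anti-CSRF token that a foreign page cannot read. Knowing the
// password is no longer sufficient on its own.
function makeHardenedRouter(adminPass, sessionToken) {
  const state = { dns: [ISP_DNS] };
  return {
    state,
    handle(req) {
      if (req.headers.authorization !== basic("admin", adminPass)) return 401;
      if (req.method !== "POST") return 405;
      if (req.headers.origin !== `http://${ROUTER_HOST}`) return 403;
      if (req.body.csrf !== sessionToken) return 403;
      state.dns = [req.body.dns1];
      return 200;
    },
  };
}

// What the victim's browser sends on behalf of the malicious page: the target
// is the LAN address, the credential is a guess from the default list, the
// Origin is the attacker's site, and there is no session token.
function forgedRequest(user, pass, rogueDns) {
  return {
    method: "GET",
    url: `/apply?dns1=${rogueDns}`,
    headers: { authorization: basic(user, pass), origin: "http://attacker.example" },
    body: {},
  };
}

// Simulated drive-by: try each factory default until the router accepts one.
// Returns the credential that worked, or null if none did.
function driveBy(router, rogueDns) {
  for (const [user, pass] of DEFAULT_CREDS) {
    if (router.handle(forgedRequest(user, pass, rogueDns)) === 200) {
      return `${user}:${pass}`;
    }
  }
  return null;
}

const demoRouter = makeVulnerableRouter("admin");
console.log("default-password router fell to:", driveBy(demoRouter, "198.51.100.9"),
  "DNS now", demoRouter.state.dns);
const demoHardened = makeHardenedRouter("admin", "s3ss10n");
console.log("hardened router fell to:", driveBy(demoHardened, "198.51.100.9"),
  "DNS still", demoHardened.state.dns);
```

Two things to note. Changing the password alone already defeats the simulated drive-by, which is exactly the article's advice; the hardened handler shows what the router firmware itself should do. The Origin check assumes a browser that sends that header on cross-site requests, which older browsers did not; the session token check is the one that holds regardless of browser.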

What can an attacker do with your router? Cut you off from the Internet, or break into one of your computers? Forget it: they have no use for your files and they are not kids playing pranks. What the code does is replace the addresses of the DNS servers your ISP assigned with the addresses of servers the attacker runs.

The benefits to the criminal are plenty. A DNS server under their control can redirect your router, and so every computer behind it, to phishing or malware sites. Suppose your bank's domain name is associated with the IP address xx.xx.xx.xx. The malicious DNS server holds a modified record for that name, associating the same domain with yy.yy.yy.yy. When you type the bank's address on any computer on your network, you land on the fake site, not the legitimate one.
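The record substitution described above, shown at the level of the DNS packets involved, as an added example that is not part of the original article. The name bank.example, the addresses (RFC 5737 documentation ranges) and the two resolver functions are constructed for the illustration; nothing is sent on the network. It also shows the check a user can make: ask the router's resolver and an independent resolver for the same name and compare the answers.

```javascript
// Added example, not from the original article. A legitimate and a rogue
// resolver answer the same A query for a constructed name; the only thing the
// rogue one changes is the address in the record. All names and addresses are
// constructed for the illustration.

function encodeName(name) {
  const parts = [];
  for (const label of name.split(".")) {
    parts.push(Buffer.from([label.length]), Buffer.from(label, "ascii"));
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Minimal A query: 12-byte header (ID, RD flag, QDCOUNT=1) plus one question.
function buildQuery(id, name) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2);   // flags: recursion desired
  header.writeUInt16BE(1, 4);        // QDCOUNT
  const question = Buffer.concat([encodeName(name), Buffer.from([0, 1, 0, 1])]); // QTYPE A, QCLASS IN
  return Buffer.concat([header, question]);
}

// A resolver answering the query with a single A record of its choosing. The
// legitimate resolver puts the real address here; a pharming resolver puts the
// attacker's. Everything else in the packet is identical.
function answer(query, ip) {
  const qnameLen = query.indexOf(0, 12) - 12 + 1;
  const question = query.subarray(12, 12 + qnameLen + 4);
  const header = Buffer.alloc(12);
  header.writeUInt16BE(query.readUInt16BE(0), 0);   // echo the query ID
  header.writeUInt16BE(0x8180, 2);                  // QR, RD, RA, NOERROR
  header.writeUInt16BE(1, 4);                       // QDCOUNT
  header.writeUInt16BE(1, 6);                       // ANCOUNT
  const rr = Buffer.alloc(16);
  rr.writeUInt16BE(0xc00c, 0);       // NAME: compression pointer to the question name
  rr.writeUInt16BE(1, 2);            // TYPE A
  rr.writeUInt16BE(1, 4);            // CLASS IN
  rr.writeUInt32BE(300, 6);          // TTL
  rr.writeUInt16BE(4, 10);           // RDLENGTH
  Buffer.from(ip.split(".").map(Number)).copy(rr, 12);
  return Buffer.concat([header, question, rr]);
}

// Client side: extract the first A record from a response built as above.
function parseFirstA(resp) {
  if ((resp.readUInt16BE(2) & 0x8000) === 0) throw new Error("not a response");
  let off = 12;
  while (resp[off] !== 0) off += resp[off] + 1;  // skip QNAME labels
  off += 1 + 4;                                   // terminator, QTYPE, QCLASS
  if ((resp[off] & 0xc0) !== 0xc0) throw new Error("expected a compression pointer");
  off += 2;                                       // now at TYPE of the first RR
  const type = resp.readUInt16BE(off);
  const rdlen = resp.readUInt16BE(off + 8);
  if (type !== 1 || rdlen !== 4) throw new Error("not an A record");
  return Array.from(resp.subarray(off + 10, off + 14)).join(".");
}

// The user's check: resolve the same name through the router-assigned resolver
// and through an independent one, and flag a mismatch.
function pharmingSuspected(name, routerResolver, independentResolver) {
  const q = buildQuery(0x1234, name);
  return parseFirstA(routerResolver(q)) !== parseFirstA(independentResolver(q));
}

const REAL_BANK_IP = "192.0.2.10";      // the xx.xx.xx.xx of the article
const ROGUE_BANK_IP = "198.51.100.10";  // the yy.yy.yy.yy of the article
const legitimateResolver = (q) => answer(q, REAL_BANK_IP);
const rogueResolver = (q) => answer(q, ROGUE_BANK_IP);

const q = buildQuery(1, "bank.example");
console.log("legitimate resolver says", parseFirstA(legitimateResolver(q)));
console.log("rogue resolver says     ", parseFirstA(rogueResolver(q)));
console.log("pharming suspected:", pharmingSuspected("bank.example", rogueResolver, legitimateResolver));
```

In practice the same comparison is made with a tool such as dig or nslookup, once against the router's address and once against a resolver you trust. A mismatch is a cue to look at the router's DNS settings rather than proof on its own, since large sites legitimately return different addresses depending on where the query comes from.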

In other words, drive-by pharming lets attackers steal your bank account details, credit card numbers and any number of logins and passwords, in short your money and identity, without installing any malware on your system. Your computer stays clean and you remain unaware while your sensitive information is taken. One caveat: if the bank uses HTTPS, a fake site at a different address cannot present a valid certificate for the bank's name, so the browser will warn; the attack then depends on the user clicking through that warning, or on sites that are still served over plain HTTP.

The same technique can deliver any parasite to the victim's computers. The malicious DNS server can carry modified records for popular security-related sites, news portals, software download pages and so on, so that a download you start from a familiar page actually comes from the attacker's server. You never know until it is too late.

Drive-by pharming is an emerging threat. Security experts have not seen many attacks yet, but because it is highly effective and relatively easy to carry out, we may well see a lot of it in the near future.

Unfortunately, no product protects you from a new class of attack out of the box. Security software does not help much, and the victim's platform (Microsoft Windows, Linux, Apple Mac OS) no longer matters, because the attacker installs nothing on your system and a hijacked router can go unnoticed.

Nevertheless, protecting yourself from drive-by pharming is easy. Log in to your router and reconfigure it: change the administrator password to a strong one of your own, turn off wireless if you do not use it (and enable encryption if you do), and turn on the advanced security features your router offers. Afterwards, compare the DNS server addresses shown on the router's status page with the ones your ISP actually gave you; if they differ, the router has been tampered with.

You can go further and disable JavaScript in your browser, but it is not recommended. It would stop this exploit from running, but it would also break many popular web sites, and attackers can find other ways to run the code. CSRF does not strictly depend on JavaScript in the first place: an ordinary HTML form or image tag can make the browser send the same request.

For further reading:
Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson. “Drive-By Pharming”

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as its Editor-in-chief.
