All the code exploits rely on human error, though

Apr 8, 2008 12:06 GMT

A group of researchers will demonstrate, later today, a method of hijacking an average home router using a plain web page infected with an undetectable object. Dan Kaminsky is a security specialist who researched the browser-specific flaws that allow attackers to get behind users' firewalls.

According to the security group, the browsers' interaction with the Domain Name System (DNS) affects a range of common routers, such as the units manufactured by Cisco's Linksys division and D-Link. The hijacking technique is called a DNS rebinding attack, and it affects a wide range of consumer electronics, including printers, that work with a default administrator password.

Kaminsky, director of penetration testing with IOActive, claims that the attack can be performed when the victim visits a malicious Web page running malicious JavaScript code.

The tiny script embedded in the web page forces the browser to make changes through the router's web-based interface. The changes include altering the remote administration policies, or even re-flashing the router's firmware to send it back into the default state.

DNS rebinding attacks are extremely complex, which may be why few attackers have the skill to use them to take over users' networks. However, the main flaw is in the way the browser handles the DNS protocol.
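A defensive illustration of the DNS behavior behind the attack, added here and not part of the original article: in a rebinding attack a hostname that first resolves to a public address is re-resolved to an address inside the victim's network, so a resolver log can be checked for that flip. The log format, hostnames, addresses and the 60-second window are constructed assumptions for the example.

```python
import ipaddress

# Address ranges treated as "inside" the home network (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed resolver log: (seconds, client, queried name, answer IP).
SAMPLE_LOG = [
    (0,  "192.168.1.20", "news.example.org",   "198.51.100.9"),
    (5,  "192.168.1.20", "rebind.example.net", "203.0.113.7"),
    (9,  "192.168.1.20", "Rebind.example.net.", "192.168.1.1"),
    (12, "192.168.1.21", "nas.home.example",   "192.168.1.50"),
    (40, "192.168.1.21", "news.example.org",   "198.51.100.9"),
]


def is_internal(ip):
    """True if the answer points at a private, loopback or link-local address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log, window=60):
    """Return (client, name, public_ip, internal_ip) for every name whose answer
    flips from a public to an internal address within `window` seconds."""
    last_public = {}  # (client, normalized name) -> (time, public ip)
    hits = []
    for ts, client, name, ip in sorted(log):
        key = (client, name.lower().rstrip("."))
        if is_internal(ip):
            seen = last_public.get(key)
            # Names that only ever resolve internally (a local NAS) are not flagged.
            if seen and ts - seen[0] <= window:
                hits.append((client, key[1], seen[1], ip))
        else:
            last_public[key] = (ts, ip)
    return hits


if __name__ == "__main__":
    for hit in find_rebinding(SAMPLE_LOG):
        print("possible DNS rebinding:", hit)
```

The same rule, refusing or flagging answers for public names that point into private address space, is what a resolver-side rebinding filter enforces before the browser ever sees the answer.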

The attack is not new at all, but today's demonstration is intended to prove that it can be reproduced in a real-world environment. Moreover, Kaminsky wants to draw users' attention to the fact that a lack of caution can lead to unfortunate side effects. "I'm always a fan of when something that's theoretical gets made real, because it makes people act," said David Ulevitch, CEO of DNS service provider OpenDNS.

Beyond hardware and software flaws, the key factor in a successful attack is users' lack of concern for security. Many of the currently deployed routers are still "protected" with the default admin password, despite manufacturers advising users to change it immediately.

For instance, Linksys routers force users to change the password as part of the initial setup. "One of the first things that our setup software does is change that default name," said Trevor Bratton, a spokesman for Linksys. "So anyone who does as we ask with the initial setup will be prompted to change that."