Technology Review - Published By MIT

Rerouting the Router

Continued from page 1

By Rachel Ross

Monday, February 26, 2007


With the configuration password and IP address, the attacker can easily change which domain-name server the victim uses as an Internet directory. "It's like the attacker has replaced your phone book with a new one," Ramzan says. "So now you're getting addresses from the attacker's phone book."

The next time the victim goes to his or her bank's website, for example, the Web browser might be redirected to an imitation site. This fake site, run by the attacker, is used to capture the victim's log-in and password information.

Ramzan insists that this wouldn't take a lot of skill. "This particular attack is very powerful in that regard. The attacker doesn't have to be that technically sophisticated to mount it."

Fortunately, fixing the problem is also simple. "The easiest way to defend against this kind of attack is to change your [router's configuration] password," says Ramzan. Unfortunately, router manufacturers don't require users to establish new passwords because they want their software to be easy to use.

"They wanted to simplify the process, so they made it so that people weren't really prompted or encouraged to change the password," Ramzan says. "My feeling is that it's a pretty easy change [for the router companies] to make."

Another easy fix: make the default password unique. The password could, for example, be set initially to the product's serial number. While the attacker could still attempt to guess at the serial number, each failed log-in attempt would alert the user with an error message.

But Ramzan says the root of the problem isn't the configuration password. The real issue is that a Web page can be used to reconfigure a router's settings at all. That, he says, is what security experts will need to address going forward.

The router researchers say that they haven't yet seen anyone actually launch such an attack, and they hope their work will raise awareness so that people change their passwords before it becomes a real issue.

"It's an interesting discovery," says Jeff Gennari, an Internet security analyst with CERT, a computer-security coordination center established by various U.S. federal agencies, including the U.S. Department of Defense, and run by Carnegie Mellon University's Software Engineering Institute. "Uncovering these types of configuration problems brings to light how complicated security can be."
