Cisco Warns That 77 Routers Are Vulnerable To New Drive-By Pharming Attack

Researchers at security company Symantec first warned users about the new type of attack last week, calling for all users -- both home and commercial -- to change the default user name and password on their routers if they hadn't already done so. Running the routers with the out-of-the-box password leaves users open to attack.

Symantec's Zulfikar Ramzan posted an online warning that hackers are lacing phony Web sites with malicious code that actually will log into and mess with broadband routers. He's coined a term for it: Drive-By Pharming.

"I believe this attack has serious widespread implications and affects many millions of users worldwide," wrote Ramzan, senior principal researcher in the Advanced Threat Research Group at Symantec, on the company's Security Response Weblog. "Fortunately, this attack is easy to defend against, as well."

The defense simply is to change the default password.

Cisco posted a Security Response on its Web site, outlining which routers are vulnerable to the attack and offering advice on changing the password.

Mike Caudill, incident manager at Cisco, says he doesn't have an estimate on how many users change the default user name and password, but adds that it's probably a significant number. He notes that drive-by pharming mostly affects smaller routers used in homes and small- and medium-sized businesses, because the larger enterprise-level routers come with a configuration tool that automatically calls for the default user name and password to be changed during set up.

Ramzan, and his fellow researchers, Sid Stamm and Markus Jakobsson of the Indiana University School of Informatics, say attackers build fraudulent Web pages that, simply when viewed, result in substantive configuration changes to unprotected broadband routers or wireless access points. Malicious JavaScript code on the page is downloaded to the computer.

"When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as 'Cross Site Request Forgery' and logs into your local home broadband router," says Ramzan. "Now, most such routers require a password for logging in. However, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router's settings. One simple, but devastating, change is to the user's DNS server settings."

Once the attackers get into the router, they have control over it, allowing them to direct users and their browser to whatever Web sites they choose. A user may want to visit www.informationweek.com, but instead will be directed to whatever site the attackers want to send him to.

Caudill explains that most router manufacturers use basic, and relatively unsecure, default user names and passwords to make the set-up process easier for the user. "It might be a simplified login mechanism with a known user name and password," he says. "If they put a different one on every single box, how would they possibly do technical support? If you have 100,000 boxes and have 100,000 user names and passwords, how would I ever be able to help people get set up?"