In my rather long post on JavaScript security on the 15th I described a possible future scenario where JS could be used to attack home broadband routers. I was off sick last week so this morning I was catching up on some RSS feeds I subscribe to and was shocked to see the following advisory issued on the 16th by US CERT:

In an announcement made yesterday, security researchers at Symantec and Indiana University School of Informatics revealed that they had uncovered a serious new security threat targeting home broadband routers. The attack, dubbed Drive-By Pharming, allows an attacker to change the configuration of a home router when a user unknowingly visits a malicious website. The website employs malicious JavaScript code that allows an attacker to log into many types of home routers if the default password has not been changed. Once logged in, the attacker is able to change the configuration of the home router, including the Domain Name Server (DNS) server settings.

This type of attack is particularly concerning for a few reasons:

  • Simply viewing the malicious webpage is all that is required for a user to fall victim to this attack.
  • Many home users fail to change the default password on their broadband routers. The Symantec report indicates that 50% of all users could fall into this category.
  • Changing the Domain Name Server (DNS) server settings allow an attacker to redirect the home user to a DNS server of their choice. This includes a malicious server set up by the attacker to direct users to other malicious websites, where information such as financial account numbers, passwords, and other sensitive data can be stolen.

Symantec notes that the best defense against this type of attack is for home users to change their default password. The following links provide support resources for three of the more common home router vendors:

US-CERT cautions users to avoid clicking on links sent in unsolicited emails. Users should also remain cautious when browsing the web and avoid visiting untrusted sites. More information can be found in the Securing Your Web Browser document.

To learn more, or to view a flash-animation of the attack, visit Security Response Weblog.

This is pretty much exactly the scenario I warned about and it’s happening for real in the wild, NOW! If you have a broadband router make sure you change its password and give serious consideration to only enabling JS on sites that need it and not just surfing with JS on all the time. The threat is no longer hypothetical!
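To make the mechanism in the advisory concrete, here is an added, constructed model of it; this is not code from the original post, from US-CERT or from the Symantec/Indiana University research. It models a home router's admin interface as an in-memory function guarded by HTTP Basic auth, and the drive-by page's script as a function that tries a hypothetical vendor default login and rewrites the DNS servers. The user name, password, admin path and IP addresses are all assumptions (the addresses are RFC 5737 TEST-NET ranges).

```javascript
// Added, constructed example of the drive-by pharming logic the advisory
// describes. Router behaviour, credentials, paths and addresses are hypothetical.

const DEFAULT_USER = 'admin';        // hypothetical vendor default
const DEFAULT_PASSWORD = 'admin';    // hypothetical vendor default
const ISP_DNS = '192.0.2.53';        // TEST-NET-1: stands in for the ISP resolver
const ATTACKER_DNS = '198.51.100.7'; // TEST-NET-2: stands in for the attacker's resolver

// Decode an "Authorization: Basic base64(user:pass)" header.
function parseBasicAuth(header) {
  if (typeof header !== 'string' || !header.startsWith('Basic ')) return null;
  const decoded = Buffer.from(header.slice('Basic '.length), 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// A toy home router: Basic auth guards a single settings endpoint that
// rewrites the DNS servers the router hands out to the LAN.
function makeRouter(password = DEFAULT_PASSWORD) {
  const state = { password, dns: [ISP_DNS] };
  return {
    state,
    handle(req) {
      const creds = parseBasicAuth(req.headers.authorization);
      if (!creds || creds.user !== DEFAULT_USER || creds.pass !== state.password) {
        return { status: 401 }; // wrong or missing credentials: nothing changes
      }
      if (req.method === 'POST' && req.path === '/dns') {
        if (!Array.isArray(req.body.dns) || req.body.dns.length === 0) return { status: 400 };
        state.dns = req.body.dns.slice();
        return { status: 200 };
      }
      return { status: 404 };
    },
  };
}

// What the malicious page's script does: it cannot see the victim's LAN, so it
// simply sends the vendor default login with a new DNS list and hopes the
// password was never changed. Returns true when the router accepted the change.
function driveByPharm(router, attackerDns) {
  const auth = 'Basic ' + Buffer.from(`${DEFAULT_USER}:${DEFAULT_PASSWORD}`).toString('base64');
  const res = router.handle({
    method: 'POST',
    path: '/dns',
    headers: { authorization: auth },
    body: { dns: [attackerDns] },
  });
  return res.status === 200;
}

// Two visits to the same malicious page: one from behind a router still on
// the default password, one from behind a router whose owner changed it.
function runScenario() {
  const untouched = makeRouter();                               // default password kept
  const hardened = makeRouter('correct horse battery staple');  // password changed
  return {
    defaultRouterPharmed: driveByPharm(untouched, ATTACKER_DNS),
    defaultRouterDns: untouched.state.dns,
    hardenedRouterPharmed: driveByPharm(hardened, ATTACKER_DNS),
    hardenedRouterDns: hardened.state.dns,
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The model deliberately leaves out how the page gets its request across to the router; it only shows the control flow once the request arrives. With the default password in place the page's single request lands in the router's DNS settings, and every lookup from the LAN then goes to the attacker's resolver, which is the "pharming" the advisory warns about. With the password changed the same request stops at the 401 and the DNS list is untouched, which is why the advisory's one-line defence is the right first step.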