Researcher: Web page can take over your router

By Robert McMillan, IDG News Service

On Tuesday, researcher Dan Kaminsky will show how a Web-based attack could
be used to seize control of certain routers.

Kaminsky has spent the past year studying how design flaws in the way that
browsers work with the Internet's Domain Name System (DNS) can be abused in
order to get attackers behind the firewall. But at the RSA Conference in San
Francisco, he will demonstrate how this attack would work on widely used
routers, including those made by Cisco's Linksys division and D-Link.

The technique, called a DNS rebinding attack, would work on virtually any device,
including printers, that uses a default password and a Web-based administration
interface, said Kaminsky, who is director of penetration testing with IOActive.

Here's how it would work. The victim would visit a malicious Web page that
would use JavaScript code to trick the browser into making changes on the Web-based
router configuration page. The JavaScript could tell the router to let the bad
guys remotely administer the device, or it could force the router to download
new firmware, again putting the router under the hacker's control.

Either way, the attacker would be able to control his victim's Internet communications.

The technical details of a DNS rebinding attack are complex, but essentially
the attacker is taking advantage of the way the browser uses the DNS system
to decide what parts of the network it can reach.
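
As an added illustration (not part of the original article): rebinding in general depends on a hostname that first resolves to an external server and shortly afterwards to an address inside the victim's network, so a resolver log can be checked for that flip. The log format, hostnames, addresses and the 60-second window below are constructed for the example.

```python
import ipaddress

# Constructed resolver log lines: "<epoch> <client> <qname> <answer-ip> <ttl>"
SAMPLE_LOG = """\
1000 192.168.1.20 www.example.org 93.184.216.34 3600
1001 192.168.1.20 a1.rebind.example 203.0.113.7 1
1003 192.168.1.20 a1.rebind.example 192.168.1.1 1
1010 192.168.1.21 nas.home.lan 192.168.1.50 300
1020 192.168.1.22 cdn.example.net 198.51.100.9 60
1500 192.168.1.22 cdn.example.net 198.51.100.10 60
"""

# Address ranges treated as "behind the firewall" (private, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log_text, window=60):
    """Return (client, qname, external_ip, internal_ip) for every name whose
    answer flips from an external to an internal address within `window` s."""
    last_external = {}  # (client, qname) -> (timestamp, external ip)
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, qname, answer, _ttl = fields
        ts = int(ts)
        key = (client, qname.lower().rstrip("."))
        if is_internal(answer):
            prev = last_external.get(key)
            # A name that was external moments ago now points inside the LAN.
            if prev and ts - prev[0] <= window:
                alerts.append((client, key[1], prev[1], answer))
        else:
            last_external[key] = (ts, answer)
    return alerts


if __name__ == "__main__":
    for alert in find_rebinding(SAMPLE_LOG):
        print("possible DNS rebinding:", alert)
```

Names that only ever resolve to internal addresses, such as a local NAS, are not flagged; only the external-to-internal flip is.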

Although security researchers had known that this type of hack was theoretically
possible, Kaminsky's demo will show that it can work in the real world, said
David Ulevitch, CEO of DNS service provider OpenDNS. "I'm always a fan
of when something that's theoretical gets made real, because it makes people
act," he said.

On Tuesday, OpenDNS will offer users of its free service a way to prevent this
type of attack, and the company will also set up a Web site that will use
Kaminsky's techniques to give users a way to change the passwords of
vulnerable routers.

The attack "underscores the need for people to be able to have more intelligence
on the DNS," Ulevitch said.

Although this particular attack takes advantage of the fact that routers often
use default passwords that can be easily guessed by the hacker, there is no
bug in the routers themselves, Kaminsky said. Rather, the issue is a "core
browser bug," he said.

Router makers have known for some time how their default passwords can be misused
by attackers. Three months ago, hackers showed how a similar attack could be
launched, exploiting a flaw in the way Universal Plug-and-Play works on PCs.

Cisco tries hard to discourage Linksys customers from using routers with
default passwords, said Trevor Bratton, a company spokesman. "One of the first
things that our setup software does is change that default name," he said.
"So anyone who does as we ask with the initial setup will be prompted to
change that."

The problem is that home users rarely follow this advice, Kaminsky said. "The
vast majority of home users have a device with a default password," he
said.
