Saturday, March 3, 2007

Home routers can be dangerous. VERY dangerous.

Most home users with a broadband connection have a router that sits between the cable or DSL modem and their computer(s). If that is you, read this carefully.

On second thought (thanks Leo) everyone should read this posting because the simple question of whether there is a router in your home/office sitting between you and the Internet is not the trivial question it used to be. Way back, broadband modems (cable and DSL) were separate pieces of hardware from routers. No more. So even if there is a single box between your computer(s) and the outside world, it may very well be both the modem and the router.

NOTE: This problem does not affect you if you have a single computer directly connected to a broadband modem that is only a modem and not also a router. Good luck figuring this out. It also does not effect dial-up users. It is very likely to apply to small businesses (large businesses probably have qualified techies configuring their routers). Both wired and wireless WiFi connections are equally vulnerable.


Just by looking at a web page, you can lose your life savings.

Let me explain. A malicious computer program can live inside a web page and run automatically when the page is viewed. This new type of malicious software will modify configuration settings in your router such that when you type in the name of your bank to go to its website, you will instead end up at the website of a bad guy imitating your bank. You enter the userid/password for your bank and the next day there is no money in your accounts.

Nothing is more dangerous than this on the Internet.

Every router has a website built into it that is used for configuring the dozens of options. To make configuration changes you log into this website with a userid/password (the router also has a default IP address that can be used to access its internal website) . For the malicious program to make changes to your router, it needs to know the userid/password. This is only possible if the default password was not changed when the router was installed. That is, if a good computer nerd installed the router you are safe. If your router is still using the default password, change it now!

How can the malicious program know the default userid/password for your router? How can it even know which router you have? It doesn't need to know your exact router model. There are only a handful of companies making the most popular routers. The default userid and password used by these companies is well known. All the program has to do is try them all. It's not a long list.

If you don't know the userid/password to log into your router, I can't stress how important it is to find out. In addition, you also need to know the internal IP address of the router so that you can access it with a web browser.

Let me re-state the problem to hopefully scare you into action. If you enter "www.citibank.com" into your web browser (or use a Favorite/Bookmark) then everyone knows you will go to Citibank's website. But, if you are the victim of this attack, it will not be true. You may end up at a website that looks exactly like Citibank's but is designed for the sole purpose of stealing your userid/password. Even worse, you may end up at the real bank website, but the bad guys could have set themselves up in between you and your bank. Thus, they see everything you enter and all seems perfectly normal because you are, in fact, actually dealing with your bank's website. Just not directly.
Not to pick on Citibank, they are just used as an example.

Computers on the Internet have a unique number assigned to them. They talk to each other using these numbers (us nerds call them IP addresses). Words and letters and names such as google.com or michaelhorowitz.com exist solely for the convenience of human beings. There is a huge system on the Internet called DNS that translates domain names into their corresponding numbers. Every time you ask for a website by name, your computer first contacts a DNS server machine to translate the name to the unique number. This happens so fast that you don't notice it.

The way this attack works is by changing the DNS server computers you use for translating names to numbers. Thus if www.citibank.com should translate to 1.2.3.4, the DNS computers of the bad guys would instead translate it to 88.55.11.99 (the numbers are just for illustration) which just so happens to be their identity theft website. Think of it as having a total stranger translating spoken languages. You can never be sure if the translation is accurate or not.

Adding to the danger of this attack is that it's undetectable. That is, anti-virus and anti-spyware software will not protect you. No files are put on your computer. In fact, no changes are made to your computer at all! Still worse, to review the settings in your router to see if anything has been changed, takes a computer nerd. Its too techie for normal people. As I said, this is as dangerous as dangerous gets.

Technically, this type of attack is known as pharming. Phishing refers to tricking a human being to go to the wrong website. Pharming involves tricking your computer to go to the wrong website.

The malicious program is written in a programming language called JavaScript. JavaScript programs live inside web pages and are executed by your web browser when you view a page. They are not executed by your operating system. This is not a Windows problem, it affects Macs and Linux too (any OS in fact).

You can disable JavaScript in your web browser, but it's not practical as so many web sites require it. You might however, consider using two web browsers and having JavaScript turned off in one of them and use this browser when visiting iffy websites. The Firefox browser has an optional NoScript extension that turns off JavaScript by default and then easily lets you enable it on a site by site basis. It's a very popular extension.

The following is a bit techie.

You can, and should, also protect your router by changing its IP address. This doesn't offer perfect protection, but does make it harder for the malicious software to find your router.

Another way to protect yourself is modifying the TCP/IP settings on your computer so that you don't get DNS services from your router. Let me explain:

Typically when your computer needs to translate a domain name to a number (IP address) it asks the router to do this and the router, in turn, talks to a dedicated DNS computer run by your ISP. A large organization may run their own DNS computers. The whole point here is that the bad guys can modify the router to talk to their DNS server.

Every ISP runs at least two dedicated DNS computers and they will be glad to provide their IP addresses (it's probably listed on the website of your ISP, this isn't a secret). My point here is to configure TCP/IP on your computer to talk directly to the DNS server of your ISP and avoid having the router acting as a middleman. Thus, even if the router is talking to a bad/compromised DNS server computer, you are not asking the router to do the DNS name-to-number translation.

11 comments:

Unknown said...

Michael, thanks for a timely notice with a lucid explanation that even I could understand. Nice to have you out there!

Ben

Anonymous said...

Hi Michael,
I have a router, but I am not yet banking online. HMMMMM.
Bernie Lipin

Prik said...

You make a point, Michael, but i have some remarks:

First: if you change your router's IP, that will not affect anything. The router's ip will be derived through the default gateway your machine is using. So this offers zero security. The default gateway (usually like 192.168.2.1 or something) will direct you to the router logon page.

Second: i think you alarm people a little too much in my opinion. Most banks require, next to a password and a username, something like a pin-code which changes regularily, or a registry key and maybe even finger prints. If a bank does not provide this kind of security, then change because then this bank doesn't care about your security! This kind of security will protect you (i can provide you with technical details: i'm writing a paper about that matter).

Don't forget, most internet frauds are people with low programming skills. They usually get caught even before they can even try to rob someone's money. The smart asses know how easily they can get caught and don't do it :D

Thanks for the advice, cheers

Michael Horowitz said...

Hello Pietje,

As for changing the routers default IP address, I said its not perfect protection but another hurdle to overcome.

The exploit in question was coded in JavaScript and I don't think that JavaScript has access to the TCP/IP configuration and thus can't determine the default gateway's IP address. So changing the default IP address of the router should protect you from JavaScript based malware. If the malware was Java or ActiveX then I would think it could determine the default gateway and thus changing the IP address would not offer protection.

As for alarming people too much, this is a matter of opinion and one where reasonable people can disagree. But no one can disagree with the fact that changing the router password makes you safer.

The standard userid and password offer no protection from a pharming attack like this. I'm not sure what you mean by a pin-code or a registry key.

Finger print security for a website is new to me. Do you know of any site using it?

david said...

Unfortunately, some ISPs (Charter, for example) have bad DNS practices such as IP hijacking.

I.e. if you query an IP or domain that is non-existant (like ajsiehjksodj.com), the DNS server will return a search result or some other material instead of the proper response.

I had to change the DNS servers I used once I noticed my ISP doing this. :(

Anonymous said...

Important post. There are some helpful precautions: one, use Mozilla Firefox (with NoScript, Cookie Safe, Web Developer. and KeyScrambler extensions. This last very important; it encrypts from keystrokes to webform.); two, password your router; and, three use Sandboxie and run your browsers sandboxed. Then use a good firewall, antivirus, and antispyware on your computer because if they cannot intervene between you and the banking site, they may decide simply to invade. I recommend Eset Smart Security, Sandboxie, and SpywareBlaster, along with ondemand apps like Trojan Remover, Panda AntiRootkit, ewido antispyware microscanner, and IceSword. The last has a steeper learning curve, but I, a poet, learned, so can almost anyone. The weakest app in any security array is the human, as leaving the router with default password indicates. As I type this I can see the text encrypted at the top of my browser. A hacker would have to put a keylogger in my brain or in the bank's computer to intercept this. "security through obscurity is just an illusion." -anonymous. But we can try, not just leave it to when because we don't lock the door.

Anonymous said...

Thanks saint saint saint, never heard of some of those apps but am downloading IceSword now to see what it does!

Michael Horowitz said...

to: saint satin stain
Thanks for your helpful posting. All in all, it's a pretty depressing state of affairs. In the long run, this may lead people to Linux or Macs.

Anonymous said...

Not to nickpick so much, but didn't you say "This is not a Windows problem, it affects Macs and Linux too (any OS in fact)."

So how would people switching to Linux or Mac solve some of the underlying problems?

One of the major problems I saw was that ISPs would hand out router boxes and make them user installable (including a "five steps to install" pamphlet). These boxes would be using default login, no security keys for anything and often with things like wireless networking turned on. So a user who just plugged this thing inbetween their computer and internet would be woefully unprotected.

They've gotten better with setting a WEP wireless key by default and putting it somewhere on the router's case (whether this was done by the ISPs or hardware manufacturers, I don't know). So now at least when they plug it in they don't have an unsecured wireless network turned on by default. Maybe eventually these boxes will not have the default login/password but like the WEP key be preset and shown on a label on the router (not a perfect solution if the bad guys have physical access to the router).

Michael Horowitz said...

EricS,

Yes, the problem exists for an desktop OS that the issue is the router not the OS. For solving it see my CNET blog posting

Defending your router, and your identity, with a password change
http://www.cnet.com/8301-13554_1-9889160-33.html

Anonymous said...
This comment has been removed by a blog administrator.