Most home routers 'vulnerable to remote take-over'
By Dan Goodin in San Francisco →
15 Jan 2008 04:13
Universal plug and prey

Security mavens have uncovered a design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website.

The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce companies or health care organizations. The exploit works even if a user has changed the default password of the router. And it works regardless the operating system or browser the computer connected to the device is running, as long as it has a recent version of Adobe Flash installed.

"This is a huge problem," Adrian Pastor, of the prolific hacking organization GNUCitizen, said in an instant message.

The problem resides in Universal Plug and Play, a feature built in to most routers used for home networks so machines running games, instant messaging programs and other applications will work seamlessly with the devices. By exposing an end user to a malicious Flash file lurking on a website, attackers can use UPnP, as the technology is usually called, to make significant modifications to the router.

The most serious change that's possible is changing the the server PCs connected to the router use to access websites. That might cause a victim trying to access eBay or Bank of America to see spoofed pages that steal their login credentials.

The hack could also allow attackers to open ports on a victim's router. That would be useful in turning a router into what would amount to a zombie machine by forwarding ports to an external server.

The weakness, which works using the navigatetoURL function and URLRequest object specified in Flash, isn't a security flaw within Flash, the researches say. Rather they are design flaws in UPnP, which doesn't use authentication. PCs using virtually any platform and browser will change router settings, as long as they run version 8 or higher of Flash.

Routers made by Linksys, Dlink and SpeedTouch have been confirmed to be vulnerable, and other manufacturers' products are also likely susceptible to attack, the researchers said. Most routers have UPnP turned on by default. The only way to prevent the attack is to turn the feature off, something that is possible with some, but not all, devices.

The vulnerability, which was also discovered by Petko D. Petkov, is explained further here. A FAQ is here. ®