Indiana University with Symantec have issued a security warning for users of broadband routers and wireless access points. Out of the box, most routers have default usernames and passwords that could allow a hacker, using a webpage and some malicious JavaScript, to access the router and change its settings.

To gain entry into your wireless access point, the hackers would set up a website that would run a certain JavaScript code. The users who visit the page would then be at risk of the code, using a technique known as Cross Site Request Forger, to gain entry into your router’s hardware-based settings.

The JavaScript uses this technique, through your Internet browser, to gain access to the router using the default username and password that was shipped with the wireless access point.

“I believe this attack has serious widespread implications and affects many millions of users worldwide,” Zulfikar Ramzan, a senior principal researcher at Symantec, “Fortunately, this attack is easy to defend against as well.”

Some router manufacturers will include information on how and why you should change your default username and password; however, mine did not. I use the widely accepted Linksys WRT54G router by Linksys/Cisco.

A few things concern me with this router; First, There was no part in the setup that allowed me, or even told me to change my router’s default password. To change the password, I had to go into the router’s web-based setup utility; this was accessible via the IP address 192.168.1.1 in my Internet browser. The default username and password was admin. The hack is easy, and only requires one website to talk to another through JavaScript.

“One of the issues is that the set-up steps in the router don’t prompt you to change the password,” Ramzan said, “as a result, many people never properly configure their networking gear.”

Many users who still use the default setting simply don’t know because they haven’t been told; and the manufacturers are doing little to nothing to improve this situation. Default usernames and passwords are easily obtainable; one could find a comprehensive list at www.phenoelit.de. My advice is to change this immediately, for it may save you some trouble down the road.

“I have been able to get this to work on Linksys, D-Link and Netgear routers,” said Ramzan, “You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this.”

Aside from these being accessed via the web, we’ve seen first hand that your router’s settings can be changed from outside your home.  If someone was able to compromise the security on your network, they could easily change your username and password, and lock you out of your own network. Sure, you could perform a hard reset on the router, but you’d have little luck without the Internet or any documentation to help.

Related:

Entry was posted on Saturday, February 17th, 2007 at 5:41 am under Security.

Read more entries by George Gardner.
Stumble It!