What happens when an attacker’s target isn’t a PC but rather the router protecting it? In such a case, the attacker would take control of the router and could possibly trick any connected device into doing a number of things. After spending the last year studying the Web’s Domain Name System, researcher Dan Kaminsky claims this is possible in a real-world environment and will publicly demonstrate the hack on Tuesday.
A major component in the attack is the special Web-based configuration page that many home routers and other devices — such as printers — use to provide a pleasant GUI for managing the network. It’s this configuration page the malicious site would attack, giving the attacker control of your network’s security — scary. Kaminsky will demonstrate the attack during an RSA Conference on April 8, 2008.
He points out that there is no "bug" in routers that allows this attack. Instead, the major problem rests in the way browsers work and in the fact that many default (and bad non-default) passwords for these configuration pages can be guessed.
Perhaps what’s scariest is that many users rely on the software installed on their machines to protect them. In the case of Mac users, OS X feels as safe as it’s going to feel, and Windows users tend to put a decent effort into keeping their machines clean and safe, but none of that matters for an attack like this.