Following up on my recent post about computer security (and my comment about phishing scams being cross-platform), Bruce Schneier has posted an entry about “Drive-By Pharming”. It has a stupid name, and it’s nothing to do with wireless access; there is also some doubt about how feasible the attack vector actually is. Still, it’s worth reading about, because the general principle is important.
Basically, if you leave your router configured with a default username/password, it is then possible for someone to connect to your router and reconfigure it. You normally can’t connect to a router from across the internet, so the person would have to be on your local network. In particular, if you run a program on your machine, you are connected to your network, so you could be fooled into reconfiguring your own router by accident! The example that Schneier gives (via Symantec) is that you could have malicious Javascript on a website; this would then (theoretically) apply to various platforms (e.g. Windows/Mac/Linux), unless you’ve got Javascript turned off (which most people don’t). While I recommend running as a limited user (rather than having full admin privileges over your local machine), that wouldn’t help here, since you’re connecting to a different machine and making changes on that.
As I say, this issue isn’t directly related to wireless networks, but something similar could apply there: if you don’t have a password on the network (preferably WPA/WPA2 rather than WEP), someone else could then get into your router without actually being in your house/office.
The risk here is that lots of routers act as DHCP servers, particularly on small networks. So, you plug your computer in, and it will get all the info that it needs to use the internet. This is basically a good thing, because it makes it easy to carry a laptop around to various different locations without having to manually reconfigure it every time. However, suppose that the router can be persuaded to give out the address of a rogue DNS server?
Sidebar for non-techies: When you go to a website, the website’s name (e.g. www.golgotha.org.uk) gets converted into an IP address (e.g. 217.10.142.172) behind the scenes. You then get sent to the website at that IP address. This translation of names to numbers gets handled by DNS servers, which are all supposed to work together, but it is possible to set up a rogue server that doesn’t play by the rules. If you ask that rogue server for the IP address of a website, it will give you the wrong information.
Anyway, the implication of this is that you decide to do some online banking, and type in your bank’s website address, e.g. “www.lloydstsb.com”. You then get sent to a website that looks exactly like the Lloyds TSB one, and it has the address you typed at the top of the screen, but it’s actually a fake “phishing” site; if you type in your real login details, that website will record them, and then use them to impersonate you at the real bank website, at which point they can steal all of your money.
Just to re-iterate this point: if you give your details to a fake website, it doesn’t matter what operating system you’re using; Macs/PCs/whatever are all equally at risk. Also, there’s an indirect vulnerability here; even if the Javascript attack doesn’t work, this same functionality could be built into a Windows virus. That means that if someone else uses an infected Windows laptop on your Mac network, they could mangle your router and leave you at risk. (And as I said above, if you don’t have proper security for a wireless network, you may not even know who’s connecting to your router.)
SSL certificates (with a padlock icon) can help here, but you need to understand how they work; I’ll cover them in more detail in a future post.
(Personally, the DNS issue doesn’t affect me, because I’m running my own local DNS servers at home/work, and they’re configured with their own forwarders, i.e. it doesn’t matter if the router gets the wrong info. I’ve also made sure that my routers have non-default passwords.)
One interesting aspect of this is that I’ve recently bought a SpeedTouch 536 router. I’ve been using a SpeedTouch 510 at home for the last few years, and I’m quite happy with it; the main difference is that the 536 supports ADSL2+ (i.e. higher speeds). Anyway, the 536 comes with a default user set up (username=”Administrator”, password=”blank”, auto login when you go to the configuration webpage). You can assign a password, but if you do then you can no longer connect to it via IE7. The proposed workaround is to disable digest authentication, but that has to be repeated each time you reboot the router; my advice is to use Firefox instead. (I run IE7 and Firefox 2 on my home/work PCs, and alternate between them as appropriate for different websites.) Curiously, the 510 is fine with IE7, so it’s only the newer models that have trouble.
I mention that here because I can imagine some people assigning a password, then finding that they can’t get back into the configuration website, and just giving up (hard reset to factory values) and leaving a blank password to avoid the problem. This would be bad!
So, to conclude: if you buy a new router, or if already have one at home, make sure that you change the password. I know it’s a hassle, but it really is worthwhile.