Quantcast
PC World: Technology Advice You Can Trust
Search
Browse by Topic
Subscribe to magazine

Magazine

Subscribe & Get
a Bonus CD

Customer Service

Find a Review
Dads & Grads Gift Guide Audio & Video Business Center Cameras Cell Phones & PDAs Communications Components & Upgrading Desktop PCs DVD & Hard Drives Gaming Hardware & Software HDTV Laptops Macs & iPods Monitors Printers Spyware & Security The PCW Test Center Windows Vista & XP
Resource Centers
Asus Notebook Center
CDW Solution Center
HP Ink Center
Intel Technology Center
Lenovo Laptop Showcase
Try It Free
White Paper Library
Webcast Library
Most Popular Search Terms
Most Popular Products
Most Popular Downloads
Free Newsletters
Receive the latest reviews, how-to's, news, and more.
Product Tips & Reviews
Security & Privacy
Daily Downloads
Go
WiFi Finder
Locate wireless services by a specific address, city, state, country, airport, or zip code.
RSS Feeds
Get our latest content via convenient RSS feeds.
Latest News
Today @ PC World
Become a PCW Member
Join the community and start enjoying the benefits:
  • Get tech advice from thousands of PC World Members
  • Rate and recommend the latest tech products
  • Share your thoughts in blog and article comments
  • Get free excerpts and exclusive discounts on Super Guides
Signing up is free and easy.
Read More About: Online SecuritySecurity

Flash Attack Could Take Over Your Router

Robert McMillan, IDG News Service

Tuesday, January 15, 2008 4:08 PM PST
Recommend this story?
Yes
No

Security researchers have released code showing how a pair of widely used technologies could be misused to take control of a victim's Web browsing experience.

The code, published over the weekend by researchers Adrian Pastor and Petko Petkov, exploits features in two technologies: The Universal Plug and Play (UPnP) protocol, which is used by many operating systems to make it easier for them to work with devices on a network; and Adobe Systems' Flash multimedia software.

By tricking a victim into viewing a malicious Flash file, an attacker could use UPnP to change the primary DNS (Domain Name System) server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker's Web server, even if he typed Citibank.com directly into the Web browser navigation bar.

"The most malicious of all malicious things is to change the primary DNS server," the researchers wrote. "That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it."

Because so many routers support UPnP, the researchers believe that "ninety nine percent of home routers are vulnerable to this attack."

In fact, many other types of UPnP devices, such as printers, digital entertainment systems and cameras are also potentially at risk, they added in a Frequently Asked Questions Web page explaining their research.

Cross-Platform Attack

The attack is particularly worrisome because it is cross-platform -- any operating system that supports Flash is susceptible -- and because it is based on features of UPnP and Flash, not bugs that could be easily fixed by Adobe or the router vendors.

Users could avoid this attack by turning UPnP off on their routers, where it is normally enabled by default, but this would cause a variety of popular applications, such as IM (instant-message) software, games and Skype, to break and require manual configuration on the router.

Adobe could make changes to Flash to mitigate the problem, but attackers could most likely also launch this attack using another technique, known as DNS pinning, said Aviv Raff, a researcher who has also blogged about the attack.

"This is a critical issue," he said in an IM interview. "People should turn off UPnP in their devices, and vendors should put UPnP disabled by default in the devices they deliver."

Although this could make life difficult for nontechnical users, Raff believes it would be worth the effort. "It's better than having your traffic owned by malicious people," he said.

However, another security expert said that turning off UPnP would be overkill, considering that online criminals have not even begun using this attack. "Look... if you get hit by a meteor, it's devastating," said Roger Thompson, chief research officer with Grisoft, via IM. "But no one goes around building meteor shelters."


Recommend this story?
Yes
No
Related Searches: flash router attack plug and play dns server

Comments
Related Content
Tags at a Glance
HP Ink Center
Bring improved color and brilliance to your printed material. Visit the Resource Center for more info...
CDW Solution Center
Deliver speed and scalability in your storage systems. Find out how at the CDW Solution Center.
Asus Notebook Center
Ultra-fashionable thin and light notebooks with SmartLogon Face Recognition. Find out more at the Asus Resource Center.
Intel Processor Technology
Which Intel Processor is Right for You?
Which Intel Processor is Right for You?Centrino, Core 2 Duo, Core 2 Quad, Core 2 Extreme? Check out the Intel Technology Center for more info...
Are you a gamer?
Are you a gamer?Visit the Intel's Gaming section for the latest downloads, hottest gaming events and to learn about Intel & Gaming.
See what Intel can do for Vista...
See what Intel can do for Vista...Discover how Windows Vista technology work in the benchmarks with Intel Centrino processor technology.
VoIP Web Demo
Join Altigen for a Live Web Demo and learn how VoIP technology can improve your business communications.
The Future Sales Force - A Consultative Approach
This white paper discusses the challenges of selling complex products and services, and the new skill sets sales professionals must employ.
Latest News
ATM Glitch Hits Systems Integration at Major Japanese Bank
A software glitch that crept into a massive system integration project at Japan's Bank of Tokyo Mitsubishi UFJ left thousands... 12-May-2008
Apple to Take IPhone Nonexclusive in Australia and India
Apple's iPhone will be available from more than one mobile operator in Australia and India later this year, further signs that... 12-May-2008
Biq Quake Takes out Mobile Network in Chengdu
An earthquake registering 7.8 on the Richter Scale knocked out mobile phone service in the western Chinese city of Chengdu... 12-May-2008
AMD Refreshes Low-power Quad-Core Opterons Lineup
Advanced Micro Devices is shipping B3 versions of its low-power Quad-Core Opteron processors. 12-May-2008
MSI's Upcoming Wind Laptop Priced From $560
Taiwanese hardware maker Micro-Star International's upcoming Wind laptop can be preordered starting from US$560. 12-May-2008
Vertica Moves BI Database to Amazon's Cloud
Database maker Vertica Systems is moving its technology to Amazon's Elastic Compute Cloud infrastructure (EC2), hoping to... 11-May-2008
Powerset Unveils Test Version of Google-killer
The public will get its first chance Monday to test a search engine from start-up Powerset that eschews conventional keyword... 11-May-2008
RIM's BlackBerry Bold Beats Apple to the 3G Punch
Research in Motion's sleek new BlackBerry Bold 9000 will support 3G networks worldwide, as well as Wi-Fi and GPS. Will it be able to withstand a 3G iPhone challenge? 11-May-2008
Egypt's PM Urges Industry to Tackle Food Crisis
The ICT (information and communications technology) industry needs to do its part to help alleviate the current food crisis... 11-May-2008
Make Your Own Phone-call Getaways
A crafty site allows you to schedule a call to your own phone and get you out of bad meetings. 11-May-2008

PC World's Marketplace

PC World's Free Whitepapers

Name City
Address 1 State Zip
Address 2 E-mail (optional)