An engineer from security firm Seismic claims he will soon release instructions on how to hack millions of wireless routers commonly used in residential Internet connections. The how-to-hack instructions are part of what has become an annual chest-beating by speakers at the Black Hat security conference, who hype their keynotes with end-of-PC-security-as-we-know-it promises.
Black Hat USA 2010 starts July 28 in Las Vegas, Nevada.
Ars Technica reports that the presentation, entitled "How to Hack Millions of Routers" (not mincing any words there, are they?), will be given at Black Hat by Craig Heffner, Senior Security Engineer for Seismic. Heffner's presentation will include a live demonstration of how to "pop a remote root shell on Verizon FIOS routers" as well as the release of a tool that automates the described attack.
Seismic has tested around 30 routers so far, and has found that approximately half of them are vulnerable to this attack. The list of vulnerable routers includes routers from Linksys, Belkin, ActionTec, ASUS, Thompson, and Dell.
The attack uses an old technique--"DNS rebinding"--in new packaging. DNS rebinding "subverts protections built into web browsers that are intended to restrict what scripts and HTML can do" and allows attackers to harness victims' browsers and make requests through them. The hack is executed when the user accesses a web page controlled by the hacker. The web page uses code (Java) to trick the browser into thinking that the page has the same origin as the user's computer. The hacker can then control the router and access the machines on the user's network.
According to the Black Hat website, this particular DNS rebinding attack can bypass existing DNS rebinding protections because it does not require the attacker to know the router's configuration settings (make, model, internal IP address, host name) and it does not rely on any anti-DNS pinning techniques.
At the moment, according to Heffner, the best way to combat this potential attack is to--surprise, surprise--change your router's default password. Until the router manufacturers step up and update the firmware, that's about all you can do (short of getting a new router). Heffner believes that the companies have had plenty of time to fix this hole (and they haven't), and so the only way to nudge them into action is to give a presentation on how to hack a million routers.