The number of computing devices around us keeps growing as technology marches forward. Where once a household had a sole PC, today we find ourselves with multiple laptops, desktops, smartphones, and tablets. There is one other computing device in our home that is easy to forget about: the small office/home office (SOHO) router.
These devices have been growing more capable over time. Enthusiasts tend to buy their own routers, but most end users simply lease a unit from their ISP. A successful ISP can have thousands or more of identical routers distributed across a region or even a nation. Uniformity and mass market penetration are the hallmarks an attacker looks for to increase their chances of success.
Our story takes us to Brazil, where routers from UTStarcom and TP-Link were attacked as part of a pharming campaign. The attackers e-mailed their victims with messages whose sender name and layout imitated Oi, the largest telecommunications company in Brazil. Oi distributes the aforementioned UTStarcom and TP-Link routers to its customers, so a message that looked like it came from the ISP reached exactly the people who had those routers on their LAN.
The malicious HTML in those messages made the victim's own browser send requests to the router's administrative interface, authenticating with the models' factory-default usernames and passwords, and changed the primary DNS entry to the address of a server the attackers controlled. Because the browser sits inside the LAN, the router could not tell these requests from the owner's. The secondary DNS server was set to Google's public resolver (8.8.8.8). Pointing the secondary DNS at Google ensured that, when the attackers pulled down their own malicious DNS server, the end users would still be able to resolve addresses. The users would have no red flag to signal any problem.
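The mechanism above, modelled as an added example (not the routers' actual firmware code): a router whose DNS-change endpoint honours any request that carries valid credentials, which is all a page in a phishing e-mail needs when the credentials are the factory defaults, next to a hardened version of the same endpoint. The host, the `/setdns` path, the parameter names, the default credential list and the addresses are assumptions chosen for illustration.

```python
"""Illustrative model of the router admin request abused in the campaign.

Added example, not the firmware of the routers named above. The host,
endpoint path, parameter names and default credentials are assumptions.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed factory credentials; a real list would come from the vendor manual.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}


@dataclass
class Router:
    host: str = "192.168.1.1"
    username: str = "admin"
    password: str = "admin"
    dns_primary: str = "203.0.113.53"      # constructed ISP resolver
    dns_secondary: str = "8.8.8.8"
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token


@dataclass
class Request:
    method: str
    path: str
    params: dict
    auth: Optional[Tuple[str, str]] = None   # credentials from the URL or a header
    origin: Optional[str] = None             # Origin header set by the browser
    session: Optional[str] = None            # session cookie, if any


def vulnerable_set_dns(router: Router, req: Request) -> int:
    """The weakness the attackers relied on: any request carrying valid
    credentials rewrites the DNS settings, no matter which page caused the
    browser to send it. A tag such as
    <img src="http://admin:admin@192.168.1.1/setdns?dns1=...&dns2=8.8.8.8">
    in the phishing page makes the victim's browser deliver it from inside
    the LAN."""
    if req.path != "/setdns":
        return 404
    if req.auth != (router.username, router.password):
        return 401
    router.dns_primary = req.params["dns1"]
    router.dns_secondary = req.params["dns2"]
    return 200


def login(router: Router, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Hardened login: refuse factory credentials so the router is never
    usable with the password printed in the manual; otherwise issue a
    session id and a per-session CSRF token."""
    if (username, password) != (router.username, router.password):
        return None
    if (username, password) in DEFAULT_CREDENTIALS:
        return None   # operator must set a new password first
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    router.sessions[sid] = token
    return sid, token


def hardened_set_dns(router: Router, req: Request) -> int:
    """Same change, guarded so a browser-driven request from another site
    cannot satisfy it: state changes only on POST, with a live session
    (no credentials in the URL), an Origin matching the router itself, a
    CSRF token the attacker's page cannot read, and valid addresses."""
    if req.path != "/setdns":
        return 404
    if req.method != "POST":
        return 405
    if req.session is None or req.session not in router.sessions:
        return 401
    if req.origin != f"http://{router.host}":
        return 403
    token = req.params.get("csrf", "")
    if not secrets.compare_digest(token, router.sessions[req.session]):
        return 403
    try:
        dns1 = str(ipaddress.ip_address(req.params["dns1"]))
        dns2 = str(ipaddress.ip_address(req.params["dns2"]))
    except (KeyError, ValueError):
        return 400
    router.dns_primary, router.dns_secondary = dns1, dns2
    return 200
```

The two versions differ in what they trust: the vulnerable one trusts credentials, which the attacker has from the manual, while the hardened one trusts a session token and an Origin that only a page served by the router itself can present. Refusing to log in with default credentials is what makes the first point in the advice at the end of this post enforceable rather than optional.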
The malicious DNS server had false records for major banking sites, and those records pointed the victims to web servers controlled by the attackers. The victims arrived at banking websites that looked much like their own, and the attackers then harvested their personal information via a series of questions on the malicious sites. Nothing on the victim's PC had been changed, so desktop anti-malware had nothing to find; the only altered setting lived in the router.
Attacks on SOHO routers are becoming more common. The Misfortune Cookie vulnerability is believed to have affected as many as 12 million devices. The DDoS that hit PSN and Xbox Live during Christmas last year was carried out by an army of compromised routers. How about 250,000 routers in Spain with SSH enabled and identical public keys? All of these Internet-connected devices are readily discoverable via the search engine SHODAN. So what can you do?
1. Change the default password, and disable administration from the WAN side if your router allows it.
2. Ideally, generate that password with a password manager such as KeePass or Dashlane.
3. Stay on top of firmware updates. A strong password does nothing against a bug like Misfortune Cookie, which bypassed authentication entirely; only a firmware fix closes that kind of hole.
4. Consider an open source router firmware, as those projects tend to receive better support.
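A client-side check for the kind of DNS rewrite described in this post, as an added example that is not code from the original post. It audits every resolver a machine has been handed (the campaign deliberately kept Google as the secondary resolver, so a check that stops at "one of my resolvers is Google" would pass) and compares answers for a few bank hostnames against a reference resolver. The resolv.conf text, the trusted ranges and the DNS answers are constructed sample data; in practice the reference answers should come from a resolver reached over a path the router does not control, such as DNS over HTTPS or a different network.

```python
"""Client-side audit for the DNS rewrite used in the campaign.

Added example, not code from the original post. The resolv.conf text, the
trusted ranges and the DNS answers below are constructed sample data.
"""
import ipaddress
from typing import Dict, List

# Resolvers a client on this ISP is expected to be handed (constructed):
# an assumed ISP resolver range plus Google's public resolvers.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
]


def parse_resolvers(resolv_conf: str) -> List[str]:
    """Extract the nameserver entries from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def untrusted_resolvers(resolvers: List[str]) -> List[str]:
    """Every resolver outside the trusted ranges. Each entry is vetted on
    its own: a trusted secondary does not excuse a rogue primary."""
    bad = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            bad.append(r)          # not even an address: flag it
            continue
        if not any(addr in net for net in TRUSTED_RESOLVERS):
            bad.append(r)
    return bad


def pharmed_domains(configured: Dict[str, str], reference: Dict[str, str]) -> List[str]:
    """Hostnames whose A record from the configured resolver differs from
    the reference resolver's answer. CDNs can legitimately differ too, so a
    hit is a reason to investigate, not proof on its own."""
    return sorted(d for d in configured if configured[d] != reference.get(d))


# Constructed sample: what a compromised router handed out over DHCP ...
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from 192.168.1.1
nameserver 198.51.100.9
nameserver 8.8.8.8
"""

# ... and what each resolver answered for two hostnames (constructed).
ANSWERS_VIA_ROUTER = {"bank.example": "198.51.100.77", "www.example": "192.0.2.8"}
ANSWERS_VIA_REFERENCE = {"bank.example": "203.0.113.10", "www.example": "192.0.2.8"}


def audit() -> dict:
    """Run both checks over the constructed sample and return the findings."""
    resolvers = parse_resolvers(SAMPLE_RESOLV_CONF)
    return {
        "resolvers": resolvers,
        "untrusted": untrusted_resolvers(resolvers),
        "mismatched": pharmed_domains(ANSWERS_VIA_ROUTER, ANSWERS_VIA_REFERENCE),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the sample data the audit flags 198.51.100.9 as an untrusted primary and bank.example as resolving differently through the router than through the reference, which is exactly the footprint of the campaign: one rogue resolver, one trusted fallback, and false records only for the sites worth stealing credentials from.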