I read today on a security website that it is possible for a malicious script on a website to attempt to log in to your router and make changes, i.e. to the DNS settings. (Changing the router login from the default to a strong password will of course block this attack.) I've thought previously that this could only be done by someone logged in to the network, or by a hacker who breaks in by scanning for vulnerable IP addresses, but I've never heard of it being possible from a script on a website. Any truth to this? Thanks.
I'm saying something to say something, but no, I've never heard of "just a script" doing it, but for some reason it doesn't seem impossible that it could. If you hit a malicious site and it manages to exploit your browser or plugins, then obviously it can download its payload and then do whatever the payload wants. It'd have to rely on some browser exploit though, I'd think.
Attacking home routers via JavaScript

Some suggestions:
1. Log out of your router's admin interface when done using it.
2. Use a good password for the admin interface.
3. Perhaps change the IP address for your router to a non-default address.
4. [NoScript's] ABE Patrols the Routes to Your Routers.
As far as I know, such an attack would involve two serious flaws/vulnerabilities, one in the way the router web interface is implemented and another in the way your browser (or NoScript in Firefox's case) filters cross scripting attacks. Highly unlikely. As MrBrian says, don't access the router with other tabs opened. For example, launch Chrome in Incognito mode just for that and close it when you are done.
Thanks to all for the info and tips. MrBrian's link pretty much shows that it can be done. Surprising you don't hear about it happening more.
From Real-World CSRF attack hijacks DNS Server configuration of TP-Link routers:
----------
@vincenzo: you're welcome.
The articles mention routers, but this also applies to modems and modem/router combination units, including those supplied by ISPs. These can be especially problematic when the user doesn't have the credentials or authority to change the settings.
The most common attack via CSRF and DNS rebinding is against routers, so NoScript's ABE blocks them by default, but the attacks are only possible when you open the web interface of the router (and stay logged in or use a default/weak password) while browsing, so never do it and use a strong password. I don't like the fact that many router interfaces use basic authentication, so if you can choose, use a stronger authentication scheme. Also, some routers had vulnerabilities which enable an attacker to e.g. overwrite firmware, change settings, and/or steal the password, so make sure your router is up-to-date and don't use a no-longer-supported router.
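Added example, not part of the thread and not any router's actual firmware: a sketch of the router-side checks that refuse the CSRF and DNS rebinding requests discussed above, using a Host allowlist plus an Origin/Referer check on settings changes. The addresses, hostnames and function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: names/addresses under which this router serves its admin UI.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}
# Assumption: settings are changed only through these methods, never GET.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _hostname(value):
    """Return the lowercase host part of a Host header or URL, or None."""
    if not value:
        return None
    if "//" not in value:
        value = "//" + value  # bare Host header such as "192.168.1.1:80"
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def check_admin_request(method, headers):
    """Return (allowed, reason) for a request; headers has lowercase keys."""
    # DNS rebinding: the browser still sends the foreign domain in Host,
    # even though that name now resolves to the router's LAN address.
    if _hostname(headers.get("host")) not in ALLOWED_HOSTS:
        return False, "host-not-allowed"
    if method.upper() in STATE_CHANGING:
        # CSRF: a cross-site form or script carries the foreign page's
        # Origin/Referer. The browser attaches cached Basic credentials
        # automatically, so a valid login alone proves nothing here.
        source = headers.get("origin") or headers.get("referer")
        if _hostname(source) not in ALLOWED_HOSTS:
            return False, "cross-site-or-missing-origin"
    return True, "ok"


# Constructed sample requests (not taken from the thread).
SAMPLES = [
    ("GET", {"host": "192.168.1.1"}),
    ("GET", {"host": "rebind.example"}),
    ("POST", {"host": "192.168.1.1", "origin": "http://news.example"}),
    ("POST", {"host": "router.lan", "origin": "http://router.lan"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, check_admin_request(method, headers))
```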
If I recall, it wasn't that long ago that routers were being exploited via UPnP using a Flash exploit. I also seem to recall the article mentioning that Flash wasn't necessary, that other vectors would work as well.
Yup, the first thing I do when I get a new router is disable UPnP, as it has plenty of vulns. Some are in the implementation but others are in the protocol itself.
IMO, UPnP is a security nightmare waiting to happen. I've stripped out its components from every PC I have. If I need a port forwarded, I'll do it manually.
I discovered that logging out of my router does nothing useful! See HTTP Basic authentication discussion thread for more information on why.
Basic auth is terrible. In my case, I use IE (always InPrivate by -private flag), which is usually for sensitive activity, to log in to the router, and I don't do anything other than changing router settings; I never go to any website, only change the settings and done. Still, a local sniffer will be able to see the transaction, but it's unavoidable for basic auth.