#1 2007-02-16 21:09:44

Robert
Member
Registered: 2007-02-05
Posts: 72

Router Hack Attack Could Expose Home Network Users

Symantec and Indiana University have warned of a security weakness that could leave users open to attack through their routers if the devices are left on their default settings. Router manufacturers regularly include with their products materials informing buyers about the need to change their default passwords. How many consumers, though, are tech-savvy enough to heed the warnings?

Home network users could be vulnerable to attacks from hackers who can alter the configuration of a broadband router or wireless access point. Symantec (Nasdaq: SYMC) released its "Drive-By Pharming" attacks report Thursday, roughly two months after security researchers at Symantec and Indiana University first published their conclusions in a white paper last December.

"I believe this attack has serious widespread implications and affects many millions of users worldwide," Zulfikar Ramzan, a senior principal researcher at Symantec, wrote on the company's Security Response blog. "Fortunately, this attack is easy to defend against as well."

Attack Strategy
The problem stems from inexpensive plug-and-play broadband routers, according to the researchers' proof-of-concept. These devices are shipped from the factory with a default password that most home users would never think to change. Hackers, however, are aware of the risk these unchanged passwords pose when combined with a Web site that includes malicious JavaScript code.

The attack is twofold. First, the hacker creates a phony Web page that includes the malignant JavaScript code. When a home user views the page, the code, running in the context of a Web browser, uses a technique known as Cross Site Request Forgery and logs into the user's home broadband router, Ramzan explained. In general, these routers require a password to log into.

However, as most people do not change the default password, and detailed information on the factory set passwords is readily available online, criminals can successfully log into the router. Then, it is just a matter of allowing the JavaScript to go to work changing the router's settings.

Details in the DNS
"One simple, but devastating, change is to the user's DNS (Domain Name System) server settings," Ramzan said.

DNS is a combination of numbers such as "129.79.78.8." Known as an Internet Protocol (IP) address, the DNS is unique and identifies every computer that is directly accessible to the Internet.

To keep the Internet easy to use, however, surfers enter a Web address associated with the DNS rather than the numbers themselves. To access the site, the request is sent through a DNS server typically designated by the user's Internet Service Provider (ISP).

The security researchers found that an attacker can modify the settings on a home wireless router to "dictate which DNS server" it uses. Even worse, Ramzan said, hackers can designate a server they have created that could contain fraudulent records that will direct a computer to go to a fraudulent Web site that looks legitimate, such as a bank's Web site. Users would never know the difference and would have given the criminals access to their bank account information, said Ramzan.

Simple Fix
This type of attack poses a potentially serious threat because millions of consumers and small businesses use broadband routers, Victoria Fodale, an analyst at In-Stat, told TechNewsWorld. "According to In-Stat Broadband CPE market tracking research, in 2005 just over 24 million broadband routers shipped worldwide," she said. "In 2006, this number could top 28 million."

Correcting the problem is relatively simple. It all comes down to educating end users about the need to change their router passwords, Rob Ayoub, a security analyst at Frost & Sullivan, told TechNewsWorld.

"I don't really find the attack all that ingenious," he said. "It simply takes advantage of a typically insecure area of the home user's network."

The JavaScript component of the attack can only work if the router's password has not been changed. However, Fodale estimates that some 50 percent of consumers and small businesses currently use the default password setting.
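An added example, not part of the original article or the researchers' report: a small audit that compares the DNS resolvers a machine is configured to use against the ones the user expects, to catch the changed-DNS outcome described above. It assumes the router hands its configured DNS servers to clients via DHCP; the sample file contents, the expected-resolver list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolver config a client might hold after the router's
# DNS setting was changed (203.0.113.53 is a documentation-range address).
SAMPLE_RESOLV_CONF = """\
# written by DHCP client (constructed sample)
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver not-an-ip
"""

# Assumption: the resolvers the user expects (router plus the ISP's servers).
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}


def parse_nameservers(text):
    """Return (valid_addresses, malformed_entries) from resolv.conf-style text."""
    valid, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            valid.append(ipaddress.ip_address(fields[1]))
        except ValueError:
            malformed.append(fields[1])      # keep it visible, do not drop it
    return valid, malformed


def audit_resolvers(text, expected):
    """Report configured resolvers that are not on the expected list."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    valid, malformed = parse_nameservers(text)
    unexpected = [str(a) for a in valid if a not in allowed]
    return {
        "configured": [str(a) for a in valid],
        "unexpected": unexpected,
        "malformed": malformed,
        "ok": not unexpected and not malformed,
    }


if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
```

An unexpected resolver is a prompt to check the router's DNS setting and admin password, not proof of compromise, since resolvers also change for legitimate reasons such as switching ISPs.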
