Router passwords - John C. Kirk
Feb. 27th, 2007
06:09 pm - Router passwords
Following up on my recent post about computer security (and my comment about phishing scams being cross-platform), Bruce Schneier has posted an entry about "Drive-By Pharming". It has a stupid name, and it's nothing to do with wireless access; there is also some doubt about how feasible the attack vector actually is. Still, it's worth reading about, because the general principle is important.
As I say, this issue isn't directly related to wireless networks, but something similar could apply there: if you don't have a password on the network (preferably WPA/WPA2 rather than WEP), someone else could then get into your router without actually being in your house/office.
The risk here is that lots of routers act as DHCP servers, particularly on small networks. So, you plug your computer in, and it will get all the info that it needs to use the internet. This is basically a good thing, because it makes it easy to carry a laptop around to various different locations without having to manually reconfigure it every time. However, suppose that the router can be persuaded to give out the address of a rogue DNS server?
Sidebar for non-techies: When you go to a website, the website's name (e.g. www.golgotha.org.uk) gets converted into an IP address (e.g. 184.108.40.206) behind the scenes. You then get sent to the website at that IP address. This translation of names to numbers gets handled by DNS servers, which are all supposed to work together, but it is possible to set up a rogue server that doesn't play by the rules. If you ask that rogue server for the IP address of a website, it will give you the wrong information.
Anyway, the implication of this is that you decide to do some online banking, and type in your bank's website address, e.g. "www.lloydstsb.com". You then get sent to a website that looks exactly like the Lloyds TSB one, and it has the address you typed at the top of the screen, but it's actually a fake "phishing" site; if you type in your real login details, that website will record them, and then use them to impersonate you at the real bank website, at which point they can steal all of your money.
SSL certificates (with a padlock icon) can help here, but you need to understand how they work; I'll cover them in more detail in a future post.
(Personally, the DNS issue doesn't affect me, because I'm running my own local DNS servers at home/work, and they're configured with their own forwarders, i.e. it doesn't matter if the router gets the wrong info. I've also made sure that my routers have non-default passwords.)
One interesting aspect of this is that I've recently bought a SpeedTouch 536 router. I've been using a SpeedTouch 510 at home for the last few years, and I'm quite happy with it; the main difference is that the 536 supports ADSL2+ (i.e. higher speeds). Anyway, the 536 comes with a default user set up (username="Administrator", password="blank", auto login when you go to the configuration webpage). You can assign a password, but if you do then you can no longer connect to it via IE7, as described here. The proposed workaround is to disable digest authentication, but that has to be repeated each time you reboot the router; my advice is to use Firefox instead. (I run IE7 and Firefox 2 on my home/work PCs, and alternate between them as appropriate for different websites.) Curiously, the 510 is fine with IE7, so it's only the newer models that have trouble.
I mention that here because I can imagine some people assigning a password, then finding that they can't get back into the configuration website, and just giving up (hard reset to factory values) and leaving a blank password to avoid the problem. This would be bad!
So, to conclude: if you buy a new router, or if already have one at home, make sure that you change the password. I know it's a hassle, but it really is worthwhile.