A presentation due to be shown at the Black Hat security conference at the end of the month will show that many of the routers used for residential internet connections are vulnerable to attack by hackers. The attacks would allow traffic to be redirected and intercepted, in addition to giving hackers access to victims' local networks.

The title of the presentation, "How to Hack Millions of Routers," gives a clear indication of the scale of the potential issues. Popular router models from Netgear, Linksys, and Belkin were found to be vulnerable, including models used for Verizon's FIOS and DSL services, as were widely-used third-party firmwares such as DD-WRT and OpenWrt. About half the routers tested did not appear to be vulnerable.

A list of tested routers can be found here; every router with a "YES" in the last column was successfully attacked.

The research was done by Maryland-based security consultancy Seismic. Craig Heffner, a researcher with the company, will both present the research at Black Hat and release a proof-of-concept tool to demonstrate the problem in practice. Heffner believes this is the best way to get router manufacturers to release firmware updates to fix the issue.

The attack uses a technique called DNS rebinding to subvert protections built into web browsers that are intended to restrict what scripts and HTML can do. DNS is the system that maps from human-friendly names—such as "www.arstechnica.com"—to computer-friendly IP addresses. DNS allows one name to be mapped to multiple IP addresses, which is an important technique to provide load balancing and fault tolerance, as it allows the load to be spread among several different machines. In a DNS rebinding attack, the attacker controls both a website and the DNS server used to send traffic to the site. Each time a victim visits the website, the DNS server is updated to include the visitor's IP address as one of the IP addresses used for the site.

This is useful because it allows a browser protection called the "same origin policy" to be undermined. Normally, a web browser restricts JavaScript access such that a script can only manipulate pages that originate from the same domain. This means that, for example, a page from foo.example.com cannot manipulate a page from bar.example.com—the two have a different domain and, hence, a different origin. 

With DNS rebinding, however, the attacker can make the browser think that any computer he chooses has the same origin as his own malicious page—he just has to create a DNS entry pointing to that computer that matches the DNS name for his malicious site. So, by creating DNS entries for computers in the victim's LAN, the attacker can trick the victim's web browser into accessing machines on the victim's own network.

Most computers on a home LAN won't be running a web server, so on the face of it, this might not seem especially useful. However, one kind of machine typically does run a web server: the router. SOHO routers generally have administrative front-ends for configuration and monitoring. Though these front-ends are normally password-protected, most people don't bother changing the default passwords. And, even when they do change the password, security flaws within the front-end may allow the password to be bypassed anyway. With access to the router, the attacker could reconfigure it to (for example) route all DNS lookups through a malicious server, which would allow traffic to be monitored and intercepted.

DNS rebinding attacks are not new; in one form or another they have been around for nearly 15 years. Some environments such as Java and Flash have taken measures to reduce the possibility of exploitation—they cache DNS lookups to ensure that traffic destined for the same name always targets the same IP address. This prevents access to the local network.

Browsers, too, attempt to protect against such attacks. However, Heffner says that his variation of the attack bypasses the browser-based protection, allowing DNS rebinding to occur successfully. He also says that the bypasses have been known of for a long time; his attack is more the bringing together a set of known techniques rather than something novel per se. 

This is, in part, his motivation for releasing a tool to perform such attacks—he says that browser writers and router vendors have had "ample time" to fix the problem, but haven't done so. Demonstrating and distributing an effective exploit is, he believes, the best way to prod them into action.

In the meantime, the best defense is probably to ensure that your router does not use the default password. Though this can't guard against exploitation of actual flaws in the router's software, it will at least prevent trivial attacks from being made. Changing the router's IP address away from its typical default might also serve as some protection; though the attack could be used to target any IP address on a local network, a little obscurity tends to work well against widely targeted attacks.