Hackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered.

The researchers first published their work in December, but Symantec made public the findings recently.

It was found that it is possible to change the DNS settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This changed DNS lets the attacker divert all the traffic going through the router. For example, if the victim types in "www.mynews.com," the request could be sent to a similar-looking fake page that can steal sensitive data.

"I have been able to get this to work on Linksys, D-Link and Netgear routers," Symantec researcher Zulfikar Ramzan said.
"You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this."

After a router's DNS setting is changed, all computers connected to the device will use the DNS server set up by the attacker to find their way on the Internet.

Hackers can attack any type of home router, but only if the default router password hasn't been changed, Ramzan said.
"One of the issues is that the set-up steps in the router don't prompt you to change the password.”

Router makers already know the problem with default passwords. Linksys, for example, recommends that customers change the default password during the installation procedure.

Although the recommendations, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. Netgear and D-Link also recommend password changes.

written by Cristian L.