RSA Session Features Live Linksys Router Hack

SAN FRANCISCO -- RSA 2008 Conference -- Researcher Dan Kaminsky here today will demonstrate a live hack of a Linksys home router to illustrate how easy it is to exploit an old browser and browser plug-in vulnerability he’s been researching and warning the security community about since last year. (See Old Flaw Threatens Web 2.0 and Hack Sneaks Past Firewall to Intranet.)

Kaminsky, who is also director of penetration testing for IOActive, says he decided to make the so-called DNS rebinding vulnerability more visual to get browser vendors to fix the flaw, which is not actually in DNS but in browsers and browser plug-in programs such as Java, Flash, and Adobe. He says although DNS rebinding is a difficult problem to correct, he hopes his demo during his “Black Ops of Web. 2.0: DNS Rebinding Attacks” session will get the attention of browser vendors.

“I’m a bit bothered that nobody realized that full router compromise is pretty much done and over with until the browsers get fixed. So I'm making it all visual,” Kaminsky says.

He says he will provide plenty of “prescriptive” guidance to device manufacturers as well as mitigation techniques and workarounds. DNS rebinding has worried researchers with the advent of Web 2.0-based sites because the more code and action occurring on the client, the more at risk it is to a DNS rebinding attack.

Kaminsky demonstrated a DNS binding attack at Black Hat USA last summer that made a victim’s browser a proxy server for an external attack to infiltrate the victim’s intranet.

DNS rebinding lets an attacker use DNS tricks to reach a different IP address than the one the browser is connected to -- the browser theoretically should block this by binding the host name to a particular IP address, but a flaw in many browsers and plug-ins lets an attacker interrupt that.

Meanwhile, OpenDNS today released a free tool called fixmylinksys.com that lets Linksys users easily change their default password to protect themselves from the type of hack Kaminsky will demo. “This will stop all the automated attacks that Dan is showing at the RSA conference today. It's easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. "In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.