Can You Trust a Wireless Router?

Do you use a wireless network at home? How about at public hotspots, such as cafes, bookstores, and shopping malls? When using the internet through these wireless networks, you trust that they honestly direct your web browsing. It seems to work. Email, instant messaging, and web browsing all return plausible results. Yet how could you tell if you are talking to your real online bank? You typed it into the address bar yourself and the browser displays a familiar login screen. Visiting Associate Researcher Alex Tsow, from Indiana University's School of Informatics, shows how easily a wireless router like the ones found at home or at a local WiFi hotspot can be "doctored" to misdirect legitimate browser links to phoney and often harmful websites.

From www.mybank.com to routable address

Computers on the internet reference each other with a four-number address. When you type www.mybank.com into your browser's address bar and press "go", your computer asks another computer, called a domain name server or DNS, "What is the address of www.mybank.com?" The DNS responds with a number, say 192.168.2.68, and your web browser begins a session using this address. The current infrastructure does not have safeguards to prevent incorrect or malicious responses from the DNS.

Pharming, or DNS spoofing, exploits this weakness. Your computer asks the DNS for www.mybank.com's address. The DNS returns the address of a spoofed www.mybank.com, where you eventually enter your username and password. You place trust in a DNS every time your computer accepts its lookup results. In the absence of manual intervention, your computer uses the DNS specified by the wireless access point -- commonly run by the wireless router itself.

Attack Diagram

The red arrows in the diagram above show how a wireless router misdirects a request for www.mybank.com. The router directs you to a spoofed host that looks like www.mybank.com but is actually controlled by a malicious agent. The attacker forwards all information between you and www.mybank.com to simulate correct feedback, while gaining access to your secret information in the process. The misdirection to the spoofed host is a result of pharming by the wireless router, while the spoofed host's eavesdropping method, which forwards communications between you and the bank host, is called a man-in-the-middle attack.

My anti-phishing toolbars should catch this, right?

Although host spoofing sounds like a phishing scam, there is one critical difference: the link text in a pharming attack is 100% correct. Most anti-phishing toolbars trust the correctness of domain-to-address resolution and depend on it when evaluating website legitimacy. As a result, website spoofing paired with pharming evades most anti-phishing countermeasures.

The image below shows the browser window results of an incorrect lookup on the domain ebay.com; in this case, the DNS returns the address for the Anti-Phishing Working Group. While this illustration shows an obviously incorrect name resolution, a real attack would direct the computer to a website that looks exactly like the genuine ebay.com in the hope of intercepting login credentials. Note that this attack is the work of neither eBay nor the Anti-Phishing Working Group, but rather of the local DNS server, which is beyond the control of either institution.

Browser pharming screenshot

Wireless home routers use software, too

The DNS on a wireless router is controlled by a small internal computer, called an embedded system, running specialized software or firmware. On some routers, it is possible to replace this software and to program arbitrary behavior. Misrouting DNS lookups is among the easiest ways to defy trust in a router. Worse, there is no physical evidence of these changes, and virus scanners cannot detect them.

The prototype uses a Linksys WRT54GS wireless broadband router. The OpenWRT project is an open source firmware replacement for many routers built around similar cores. The standard distribution ships with a lightweight DNS server, dnsmasq. DNS aliasing and logging are built-in options. Executing a pharming attack is a simple matter of configuration.
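The lookup described above and the router-controlled DNS of this section come down to one fact: a plain DNS reply carries nothing that proves its answer is genuine, so the client trusts whatever resolver the router hands it. The following added example (not code from the article or from OpenWRT/dnsmasq) parses a constructed DNS reply for www.mybank.com and shows the defender-side check that would expose a doctored resolver: comparing the router's answer against an independent resolver. The addresses 198.51.100.10 and 203.0.113.5 are constructed documentation addresses, not real hosts.

```python
import ipaddress
import struct

# Constructed (not captured) DNS reply a doctored router might return for
# www.mybank.com: A 198.51.100.10 (a documentation address standing in for the
# spoofed host). Header: id 0x1234, flags 0x8180, 1 question, 1 answer.
RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03www\x06mybank\x03com\x00\x00\x01\x00\x01"      # question: A, IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # name ptr, A, IN, TTL 3600, len 4
    b"\xc6\x33\x64\x0a"                                  # 198.51.100.10
)

def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer: record end, then follow it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_a_records(msg):
    """Return {name: [ipv4, ...]} from the answer section of a DNS reply."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, answers = 12, {}
    for _ in range(qd):                            # skip the question entries
        off = read_name(msg, off)[1] + 4           # + qtype, qclass
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            answers.setdefault(name, []).append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return answers

def check_answers(local, reference):
    """Nothing in the reply above proves the address is genuine, so cross-check the
    router's resolver against an independent one and report every disagreement."""
    return [f"{name}: router resolver says {a}, reference says {reference[name]}"
            for name, addrs in local.items() if name in reference
            for a in addrs if a not in reference[name]]
```

In practice the reference answers would come from a resolver reached outside the router's control (or from DNSSEC-validated data); a disagreement for a bank or mail domain is the signal to stop and investigate before logging in.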

Will people really do this? Sounds like a lot of trouble.

Compromising a vulnerable router only takes a few minutes. There are a number of strategies for distributing these routers. Online auctions are an effective and reasonably anonymous way to sell routers, providing the seller with a choice of jurisdictions. Routers could also be given away for free, say at a trade show or through a bogus promotion. This might cost about $100 per router. An attacker can reasonably count on at least 2-3 victims per router, given that more than one client generally connects to a wireless network (e.g. small office use, home use, the occasional public hotspot).

Suppose a scammer, Bob, has $50,000 startup money. Bob can buy 500 routers and compromise them all over a weekend. The 2006 Identity Fraud Survey Report by Javelin Strategy and Research shows that the average identity fraud amount is about $6300 per instance. Assuming Bob can commit identity fraud against 3 people per router at the average amount, his gross income from this seed money is about $9,450,000. At this rate, there is plenty of incentive to distribute maliciously configured routers that steal private information.

Additional Information