Title :
Practice & prevention of home-router mid-stream injection attacks
Author :
Myers, Steven ; Stamm, Sid
Author_Institution :
Sch. of Inf., Indiana Univ., Bloomington, IN
Abstract :
The vulnerability of home routers has been widely discussed, but there has been significant skepticism in many quarters about the viability of using them to perform damaging attacks. Others have argued that traditional malware prevention technologies will function for routers. In this paper we show how easily and effectively a home router can be repurposed to perform a mid-stream script injection attack. This attack transparently and indiscriminately siphons off many cases of user entered form-data from arbitrary (non-encrypted) Web-sites, including usernames and passwords. Additionally, the attack can take place over a long period of time affecting the user at a large number of sites allowing a user's information to be easily correlated by one attacker. The script injection attack is performed through malware placed on an insecure home router, between the client and server. We implemented the attack on a commonly deployed home router to demonstrate its realizability and potential. Next, we propose and implement efficient countermeasures to discourage or prevent both our attack and other Web targeted script injection attacks. The countermeasures are a form of short-term tamper-prevention based on obfuscation and cryptographic hashing. It takes advantage of the fact that Web scripts are both delivered and interpreted on demand. Rather than preventing the possibility of attack altogether, they simply raise the cost of the attack to make it non-profitable thus removing the incentive to attack in the first place. These countermeasures are robust and practically deployable: they permit caching, are deployed server-side, but push most of the computational effort to the client. Further, the countermeasures do not require the modification of browsers or Internet standards. Further, they do not require cryptographic certificates or frequent expensive cryptographic operations, a stumbling block for the proper deployment of SSL on many Web-servers run by small to medium-sized businesses.
Keywords :
Internet; client-server systems; cryptography; home computing; invasive software; telecommunication network routing; telecommunication security; Internet standard; SSL; Web server; client-server system; cryptographic hashing; home router; malware prevention; medium-sized business; mid-stream injection attack prevention; short-term tamper-prevention; Costs; Cryptography; Home computing; Informatics; Internet; Java; Robustness; Security; Table lookup; Web pages;
Conference_Title :
eCrime Researchers Summit, 2008
Conference_Location :
Atlanta, GA
Print_ISBN :
978-1-4244-2969-1
DOI :
10.1109/ECRIME.2008.4696969