Drive-by pharming is an attack in which the attacker takes advantage of an inadequately protected broadband router to gain access to user data. Symantec developed the technique, in conjunction with Indiana University, as a proof-of-concept exploit that could lead to identity theft or other unwanted outcomes, such as denial of service (DoS) or malware infection. Routers that are susceptible to a drive-by pharming attack include products from Cisco, D-Link, Linksys and Netgear. Cisco released an advisory stating that 77 percent of their routers were at risk.
The vulnerability stems from the fact that most routers ship with default passwords and internal IP address ranges and have Web-based interfaces for configuration. In a December 2006 paper, researchers Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson released "Technical Report TR641: Drive-By Pharming." Although there had been, at that point, no reports of drive-by pharming in the wild, the researchers illustrated how easy it would be to exploit the natural browsing habits of users who had not changed default passwords for their routers.
To guard against drive-by pharming, users should change the passwords for their routers at installation. According to the results of a study by Indiana University, 50 percent of users currently fail to do so. To create a safer online environment overall, router manufacturers should create set-up procedures that ensure default settings are changed during installation and configuration.
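The following is an added example, not code from the article, from Symantec or from any router vendor's firmware. It models, in Python, a router's web-based configuration handler that closes the two gaps the article describes: it refuses every configuration change until the shipped default password has been replaced, and it rejects requests that a page on some other site caused the user's browser to send (the "natural browsing habits" the attack relies on). The names `RouterState`, `Request`, `handle_config_request`, the default password `admin`, the address `192.168.1.1` and the sample requests are all constructed for illustration.

```python
"""Hardened router configuration endpoint (illustrative, constructed).

Two defenses against drive-by pharming are enforced:
  1. forced setup: no configuration change is accepted while the admin
     password still equals the shipped default;
  2. cross-site rejection: a change must originate from the router's own
     web page (Origin/Referer check) and carry a per-session CSRF token.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import hmac
import secrets

DEFAULT_PASSWORD = "admin"            # constructed stand-in for a vendor default
ROUTER_ORIGIN = "http://192.168.1.1"  # constructed: the router's own LAN address


@dataclass
class RouterState:
    admin_password: str = DEFAULT_PASSWORD
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    dns_servers: list = field(default_factory=lambda: ["192.168.1.1"])

    def password_is_default(self) -> bool:
        return hmac.compare_digest(self.admin_password, DEFAULT_PASSWORD)


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    auth_password: str = ""  # credential the browser attached (e.g. cached Basic auth)


def handle_config_request(state: RouterState, req: Request):
    """Return (status, message); mutate state only when every check passes."""
    # 1) The caller must authenticate at all.
    if not hmac.compare_digest(req.auth_password, state.admin_password):
        return 401, "authentication required"
    # 2) Forced setup: until the default password is gone, only the
    #    password-change form is reachable.
    if state.password_is_default() and req.path != "/setup/password":
        return 403, "default password must be changed before configuration is allowed"
    if req.method != "POST":
        return 405, "configuration changes must be POSTed"
    # 3) Cross-site check: the page that issued the request must be the router's.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None or urlparse(origin).netloc != urlparse(ROUTER_ORIGIN).netloc:
        return 403, "cross-site request rejected"
    # 4) Per-session CSRF token embedded in the router's own form.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), state.csrf_token):
        return 403, "missing or invalid CSRF token"

    if req.path == "/setup/password":
        new = req.form.get("new_password", "")
        if len(new) < 8 or hmac.compare_digest(new, DEFAULT_PASSWORD):
            return 400, "new password rejected"
        state.admin_password = new
        state.csrf_token = secrets.token_hex(16)  # rotate token after privilege change
        return 200, "password changed"
    if req.path == "/config/dns":
        state.dns_servers = [s.strip() for s in req.form.get("servers", "").split(",") if s.strip()]
        return 200, "dns servers updated"
    return 404, "unknown configuration path"


def run_demo():
    """Walk a fresh router through the scenario; return (status codes, final DNS list)."""
    state = RouterState()
    codes = []
    # Constructed: a DNS-change request the browser sent on behalf of a page on
    # another site, while the router still carries its default password.
    cross_site = Request("POST", "/config/dns", {"Origin": "http://attacker.example"},
                         {"servers": "203.0.113.5"}, auth_password=DEFAULT_PASSWORD)
    codes.append(handle_config_request(state, cross_site)[0])  # 403: setup not done
    # The owner completes forced setup from the router's own page.
    setup = Request("POST", "/setup/password", {"Origin": ROUTER_ORIGIN},
                    {"csrf_token": state.csrf_token, "new_password": "correct horse battery"},
                    auth_password=DEFAULT_PASSWORD)
    codes.append(handle_config_request(state, setup)[0])       # 200
    codes.append(handle_config_request(state, cross_site)[0])  # 401: default no longer valid
    # Even with the right password attached, a cross-site request is refused.
    cross_site_authed = Request("POST", "/config/dns", {"Origin": "http://attacker.example"},
                                {"servers": "203.0.113.5"}, auth_password=state.admin_password)
    codes.append(handle_config_request(state, cross_site_authed)[0])  # 403: origin check
    # A same-origin change with the current token succeeds.
    legit = Request("POST", "/config/dns", {"Origin": ROUTER_ORIGIN},
                    {"csrf_token": state.csrf_token, "servers": "192.168.1.1"},
                    auth_password=state.admin_password)
    codes.append(handle_config_request(state, legit)[0])       # 200
    return codes, state.dns_servers


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks matters: authentication comes first so that an unauthenticated request learns nothing about setup state, and the forced-setup gate comes before any path handling so that a router still on its default password cannot have its DNS servers changed by anything other than the password-change form. The origin and token checks are the manufacturer-side complement to the user advice above; they protect a user who has changed the password but whose browser still holds a valid session while visiting other sites.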