=Paper=
{{Paper
|id=Vol-190/paper-11
|storemode=property
|title=Phishing with Consumer Electronics - Malicious Home Routers
|pdfUrl=https://ceur-ws.org/Vol-190/paper11.pdf
|volume=Vol-190
|authors=Alex Tsow
}}
==Phishing with Consumer Electronics - Malicious Home Routers==
Phishing with Consumer Electronics – Malicious Home Routers
Alex Tsow
School of Informatics
Indiana University
atsow@indiana.edu
ABSTRACT

This short paper describes an attack that exploits the online marketplace’s susceptibility to covert fraud, opaqueness of embedded software, and social engineering to hijack account access and ultimately steal money. The attacker introduces a fatal security flaw into a trusted embedded system (e.g. computer motherboard, network interface card, network router, cell phone), distributes it through the online marketplace at a plausible bargain, and then exploits the security flaw to steal information. Unlike conventional fraud, consumer risk far exceeds the price of the good.

As proof of concept, the firmware on a wireless home router is replaced by an open source embedded operating system. Once installed, its DNS server is reconfigured to selectively spoof domain resolution. This instance of malicious embedded software is discussed in depth, including implementation details, attack extensions, and countermeasures.

1. INTRODUCTION

Phishing attacks combine technology and social engineering to gain access to restricted information. The most common phishing attacks today send mass email directing the victim to a web site of some perceived authority. These web sites typically spoof online banks, government agencies, electronic payment firms, and virtual marketplaces. The fraudulent web page collects information from the victim under the guise of “authentication,” “security,” or “account update.” Some of these compromised hosts simply download malware onto clients rather than collect information directly.

In the generalized view of phishing, the delivery mechanism need not be email, the veil of legitimacy need not come from an online host, and the bait need not be credential confirmation. This paper identifies a phishing variant that distributes attractively priced “fake” hardware through the online marketplace. The “fake” hardware is a communications device in which its embedded software has been maliciously modified; e.g. a cell phone that discloses its current GPS coordinates at the behest of the attacker.

Demand for security has led to the integration of cryptography in many communications systems. The resulting systems are based on powerful microcomputers that, when co-opted, can execute sophisticated resource-expensive attacks. The embedded software, or firmware, that controls these systems eludes scan by malware detectors, and remains unrecognized by the consumer public as a potential host for malicious behavior.

Bugs due to time-to-market pressure, evolving data standards, and security fixes demand field upgradability for embedded software. Moreover, there are several consumer embedded systems for which there are open source firmware distributions: home network appliances (routers, storage, print servers), cell phones (Motorola), computer motherboards (the Linux BIOS project, slimline Open Firmware), and digital music players (iPodLinux, RockBox). Admittedly some of these projects lag behind the current market, but several new cell phones and network appliances are presently supported. While open source firmware is not a requirement for compromising embedded systems, it confers the attacker with an expedient platform for experimentation and development.

Eliminating open source projects does not eliminate the attack. Insiders can collude with an attacker, providing access to technical blueprints, passwords, signing keys, and proprietary interfaces. In some ways this makes the attack more effective, because the technical secrecy will be promoted as grounds for trust.

This paper demonstrates an instance of hardware “spoofing” by maliciously reconfiguring a wireless home router. The router implements a pharming attack in which DNS lookups are selectively misdirected to malicious web sites. Opportune targets for pharming attacks include the usual phishing subjects: online banks, software update services, electronic payment services, etc.

Besides stealing online authentication credentials, a spoofed server has access to data stored as cookies for a particular domain. Cookies regularly contain innocuous data; however, a visit to one poorly coded (yet legitimate) web site could store clear text personal information in cookies. Less sensitive private information like internet searches, names, email and IP addresses commonly shows up in cookie repositories.

Target web sites use SSL (via https) in conjunction with certified public keys to authenticate themselves to their clients. In principle this should prevent successful pharming attacks; however, the requisite human computer interaction technology for effective use of this cryptographic protocol is not well understood, let alone widely deployed. Users frequently overlook browser frame padlocks indicating an https session [7, 16]. Other times a padlock in the browser display area suffices to convince users of a secure connection. In some contexts people “click through” warning after warning to proceed with a browsing session.

Copyright is held by the author/owner(s).
WWW2006, May 22–26, 2006, Edinburgh, UK.
Furthermore, many trustworthy web sites (news organizations, search engines) do not use SSL since they do not collect personal data. Semantic attacks, a more subtle manipulation, employ disinformation through reputable channels. For example, one attack uses multiple trusted news sources to report “election postponed” based on the client’s browsing habits.

A router serving the home, small office, or local hotspot environment mediates all communications between its clients and the internet. Anyone connecting to the internet through this router is a potential victim, regardless of platform. In home and small office settings, victims are limited in number; however, the storefront hotspot presents a gold mine of activity – potentially yielding hundreds of victims per week.

2. RELATED WORKS

One of the first mass attacks on embedded software was performed by the Chernobyl virus in 1999 [5]. The goal of this malware is purely destruction. It attempts to erase the hard disk and overwrite the BIOS at specified dates. Cell phones have also become targets for worms [4], with the first reports in the wild in 2004. The same author in 2003 predicted infectious malware for the Linksys line of home routers, switches and wireless access points [3].

Arbaugh, Farber, and Smith [2] implement a cryptographic access control system, AEGIS, to ensure that only sanctioned bootstrapping firmware can be installed on the host platform.

This paper explores a variant of email based phishing [9], where distribution occurs through online marketplaces and hardware is “spoofed” by maliciously compromising its embedded software. While much work has been done to detect web site spoofing and to create secure authentication protocols, their effective interaction with human agents is a subject of ongoing research:

Wu, Miller, and Garfinkel [16] present a user study showing that people regularly disregard toolbar warnings when the content of the page is good enough. Another user study by Dhamija, Tygar, and Hearst [7] shows that https and browser frame padlock icons (among other indicators) frequently escape consideration in user assessments of web page authenticity. In other work, they propose and implement dynamic security skins [6], which use a combination of visual hashing and photographic images to create an evident and trusted path between the user and login window.

Stamm and Jakobsson [14] conduct an experiment that distributes a link to a clever video clip through a social network. The link requires users to accept a self signed Java policy certificate¹ for the full viewing experience; 50% of those visiting the site accepted it. Browser warnings do not indicate the resulting scope of access and mislead users about the authenticity of the certificate.

Cookie theft is one of the more worrisome results of pharming. Attackers can spoof users by presenting stolen cookies to a server; even worse, cookies sometimes directly store personal information. Attempts to provide user authentication, data integrity, and confidentiality within the existing cookie paradigm are discussed in [13]. Unfortunately, the strong authentication methods depend on prior server knowledge of a user’s public key.

¹ This allows embedded Java applets a level of access on par with the user’s, including writing and executing programs.

3. PHISHING WITH MALICIOUS HARDWARE

3.1 Adversarial Model

We make four assumptions about an attacker, A, who compromises firmware in an embedded system: A has unrestricted physical access to the target device for a short period of time. A can control all messages that the device receives and intercept all messages that the device sends. A has in-depth knowledge of the device’s hardware/software architecture. A knows access passcodes necessary to change the device’s firmware.

This model gives rise to multiple contexts along each of the four attack requirements. Each property could be generally attainable or available to insiders only. The following table classifies example scenarios according to this decomposition:

                       Insider access                 General access
Physical               Device at work                 Device at home
I/O                    Proprietary interfaces         Ethernet/USB
Technical Blueprints   closed source                  open source
Passcodes              requires OEM signed firmware   arbitrary firmware

For instance, A may have insider access to cell phones through a coatchecking job. The target cell phones run on open source firmware, but require a proprietary wire to upload software. In this instance, the phone’s owner has not locked the phone with a password. This illustrates an insider / insider / public / public case of the firmware attack.

3.2 Spoofing honest electronics

Embedded software is an effective place to hide malicious behavior. It is outside the domain of conventional malware detection. Spyware, virus, and worm detection typically take place on client file systems and RAM. New malware detection efforts analyze internet traffic to stop its spread. Neither of these methods detects malicious embedded software. The first model simply doesn’t (or can’t) scan the EEPROM of a cell phone, a network router, or other embedded systems. The second model reduces the spread of infectious malware, but does not diagnose infected systems.

Many embedded systems targeted at the consumer market have an appliance-like status. They are expected to function correctly out of the box with a minimum of setup. Firmware may be upgraded at service centers or by savvy owners; however, consumer products must be able to work well enough for the technically disinterested user. Because of these prevailing consumer attitudes, malicious appliances are beyond the scope of conceivability for many, and therefore endowed with a level of trust absent from personal computers.

Field upgradeable embedded systems generally exhibit no physical evidence of modification after a firmware upgrade. There is no red light indicating that non OEM software controls the system. By all physical examination the compromised hardware appears in new condition.

3.3 Distribution

The online marketplace provides a powerful distribution medium for maliciously compromised hardware. While more expensive than email distribution, it is arguably more effective. High percentages of phishing related email are effectively marked as spam due to header analysis, destroying their credibility. However, online advertisements are available to millions. Only interested users look at the posting. It is unnecessary to coerce attention since the victim approaches the seller.

Online marketplaces connect buyers with sellers. They do not authenticate either party’s identity, product warranty or quality. Consequently, the vast majority of auctions carry a caveat emptor policy. Merchandise frequently sells “as is” with minimal disclosure about its true condition. One could improve trust by offering a shill return policy: returns accepted within 14 days for a 15% restocking fee ($10 minimum, shipping non-refundable). If the victim uses the product, the attacker potentially benefits from the stolen information, and gets to redeploy the system on another victim.

Reputation systems in the online marketplace help buyers and sellers gauge the trustworthiness in the caveat emptor context. These systems principally measure transaction satisfaction: Did the buyer pay in a timely manner? Did the seller deliver in a timely manner? Was the item fundamentally misrepresented? Phishing with malicious embedded systems clearly violates this last criterion; however, stealthy malware may never be known to the victim. Coupled with pressure to reciprocate positive feedback, the victim will very likely rate the transaction positively. Unlike other fraudulent online sales, this attack’s stealthiness will ensure high trust ratings for the seller. Also unlike conventional fraud, the buyer’s risk far exceeds the purchase price and delivery fees. The attacker recoups his loss on the “good deal” when exploiting the security hole to access private information.

4. A HOME PHARMING APPLIANCE

This paper’s central example of hardware spoofing is a wireless home network router. Our prototype implements a basic pharming attack to selectively misresolve the client domain name requests. It is an example where the four adversarial requirements are all publicly attainable. Physical access is achieved through purchase. All communications to this device go through open standards: ethernet, WiFi, serial port, and JTAG (a factory diagnostic port). Technical details are well documented through open source firmware projects. Firmware upgrades are neither limited to company drivers, nor password protected when new.

4.1 The system context

In general, we assume that the attacker, A, has complete control over the router’s incoming and outgoing network traffic, but cannot decrypt encrypted data. While the router can control the communications flow as A desires, it is computationally bound. Computationally intensive extensions to the pharming attack need to carefully schedule processing to avoid implausible timing delays. A controls the appearance and actions of the web administration interface. Administrator access to the firmware update feature would simulate user feedback for the upgrade process and then claim failure for some made up reason. Other functionality, such as WEP/WPA and firewalling, is left intact in both function and appearance.

As a proof of principle, we replace the firmware on a Linksys WRT54GS version 4. The Linksys runs a 200 MHz Broadcom 5352 SoC that includes a MIPS instruction set core processor, 16 MB of RAM, 4 MB of flash memory, an 802.11g network interface, and a 4 port fast ethernet switch. The factory embedded software is a version of Linux. Independent review of the corresponding source code has spawned the OpenWRT project [12], an enthusiast developed Linux distribution for the Linksys WRT54G(S) series of routers.

4.2 Basic Pharming attack

Once installed, OpenWRT supports login via ssh. This shell provides a standard UNIX interface with file editing through vi. DNS spoofing is one of the most expedient attacks to configure. OpenWRT uses the dnsmasq server to manage domain name resolution and DHCP leases. The malicious configuration sets the

address=/victimdomain.com/X.X.X.X

option to resolve victimdomain.com to the dotted quad X.X.X.X. All subsequent requests for victimdomain.com resolve to X.X.X.X. In addition to address, the option

alias=,[,]

rewrites downstream DNS replies matching modulo the mask as (replacing numbers for mask bits only); this enables the router to hijack entire subnets.

Anti-phishing tools have limited utility in the presence of phoney domain name resolution. The three prevailing approaches to detecting phoney web sites are server stored reputation databases, locally constructed white lists, and information oriented detection. The first two methods depend exclusively on domain name resolution for database lookup and white/black list lookup. Pharming renders these methods entirely ineffective because the pre-resolution links are correct. The information or content based analysis also depends heavily on link analysis, but may recognize phishing attacks in which login fields are presented in a non SSL connection. However, document obfuscation could reduce the effectiveness of automatic recognition of password requests.

The system runs a crond background daemon to process scheduled tasks at particular times of day. For instance, DNS spoofing could be scheduled to begin at 5pm and end at 9am to avoid detection during normal business hours.

4.3 Attack extensions

Self signed certificates

One variant is to get the victim to accept a self-signed certificate. The router may offer a self signed SSL certificate to anyone attempting to access its administrative pages. This certificate would later be used to start https sessions with the login pages for the spoofed domains. Since web sites change their security policies frequently, spoofed hosts could make entry contingent on acceptance of SSL or even Java policy certificates. Once the victim accepts a Java policy certificate, an embedded Javascript or Java applet may place malware directly onto the victim’s file system. Router based pharming greatly aids this kind of attack because it can misdirect any request to a malicious web site. Unlike standard phishing attacks that bait the victim into clicking on a link, the attacker exerts no influence on the victim’s desire to request the legitimate URL. We hypothesize that this psychological difference results in a higher self-signed certificate acceptance rate.
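The two dnsmasq directives in section 4.2 are the whole of the demonstration's malicious configuration, so a defender reviewing a router's configuration (or the filesystem of a firmware image) can look for exactly them. The following Go program is an added example, not part of the paper or of the OpenWRT project: it audits dnsmasq configuration text for address= and alias= overrides, and separately compares the answers a client received from the router against answers for the same names obtained from an independent resolver over another path, which catches the misdirection regardless of how the router was configured. The sample configuration and both answer sets are constructed; the IP addresses are documentation ranges.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one dnsmasq directive that overrides normal name resolution.
type Finding struct {
	Line   int    // 1-based line in the configuration text
	Kind   string // "address" or "alias"
	Detail string // what the directive rewrites
}

// AuditDnsmasqConfig scans dnsmasq configuration text for the two
// directives the paper's pharming router relies on:
//   address=/domain/ip    answers every query under domain with ip
//   alias=old,new[,mask]  rewrites upstream answers matching old as new
// Both are legitimate dnsmasq options (local overrides, NAT rewriting),
// so a hit is a lead for review, not proof of compromise.
func AuditDnsmasqConfig(conf string) []Finding {
	var findings []Finding
	for i, raw := range strings.Split(conf, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		switch strings.TrimSpace(key) {
		case "address":
			// Form is /dom1/dom2/.../ip; an empty ip means NXDOMAIN.
			parts := strings.Split(strings.TrimPrefix(val, "/"), "/")
			ip := parts[len(parts)-1]
			if ip == "" {
				ip = "NXDOMAIN"
			}
			domains := strings.Join(parts[:len(parts)-1], ",")
			findings = append(findings, Finding{i + 1, "address", domains + " -> " + ip})
		case "alias":
			findings = append(findings, Finding{i + 1, "alias", val})
		}
	}
	return findings
}

// DivergentNames compares the answers a client got from the router with
// answers for the same names from an independent resolver reached over
// another path (an out-of-band check a defender can run). Names whose
// answer sets differ are returned sorted; a name missing on either side
// also counts as divergence.
func DivergentNames(router, reference map[string][]string) []string {
	seen := map[string]bool{}
	for name := range router {
		seen[name] = true
	}
	for name := range reference {
		seen[name] = true
	}
	var out []string
	for name := range seen {
		if !sameSet(router[name], reference[name]) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// sameSet compares two answer lists ignoring order.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	x := append([]string(nil), a...)
	y := append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed configuration in the style of the paper's example.
	conf := `# constructed sample, not a real router configuration
address=/victimdomain.com/10.0.0.5
alias=192.0.2.0,10.0.0.0,255.255.255.0
dhcp-range=192.168.1.100,192.168.1.200,12h
`
	for _, f := range AuditDnsmasqConfig(conf) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.Detail)
	}
	router := map[string][]string{"victimdomain.com": {"10.0.0.5"}, "news.example": {"198.51.100.7"}}
	reference := map[string][]string{"victimdomain.com": {"203.0.113.9"}, "news.example": {"198.51.100.7"}}
	fmt.Println("names resolving differently:", DivergentNames(router, reference))
}
```

The answer comparison is the more robust of the two checks: the configuration audit only sees what is written in the file the reviewer was given, while a client that resolves the same names through a second, independently reached resolver observes the router's actual behaviour, including a crond-scheduled window like the 5pm to 9am one described above if the comparison is repeated at different times of day.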
Spying

An easy malicious behavior to configure in the default OpenWRT installation is DNS query logging; it is a simple configuration flag in the dnsmasq server. SIGUSR1 signals cause dnsmasq to dump its cache to the system log, while SIGINT signals cause the DNS cache to clear. This information approximates the aggregate browsing habits of network clients. The crond process could coordinate periodic DNS cache dumps to the system log. The router then posts this data to the attacker during subsequent misdirection.

Cookies can be stolen either through pharming or packet sniffing. Clients fulfill cookie requests when the origin server’s hostname matches the cookie’s Domain attribute and the cookie’s Secure attribute is clear. In this case, the browser responds to the cookie request, sending values in clear text. These cookies are vulnerable to packet sniffing, and need not utilize pharming for theft.

If the Secure attribute is set, then the connection must meet a standard of trust as determined by the client. For Mozilla Firefox, this standard is connection via https. The combination of pushing self signed SSL certificates (to satisfy the “secure connection” requirement) and pharming (to satisfy the domain name requirement) results in cookie theft through a man in the middle attack.

Other data is also vulnerable to packet sniffing. POP and IMAP email clients frequently send passwords in the clear. Search queries and link request logging (from the packet sniffing level instead of the DNS lookup level) can help to build a contextual dossier for subsequent social engineering.

Delaying detection of fraudulent transactions

The 2006 Identity Theft Survey Consumer Report [10] shows that fraudulent transaction detection strongly influences consumer cost. When the victim monitors account activity through electronic records, the survey found that fraudulent activity was detected in an average of 10 days – 12 days earlier than when account activity is monitored through paper records. Moreover, fraud amounts were 42% higher for those who monitored their transactions by paper instead of electronically.

The malicious router in the home or small office setting (as opposed to the hotspot setting) provides the primary internet access for some set of clients. When such a client monitors account activity, either the network router or the spoofed pharming server can delete fraudulent transactions from electronic records, forestalling detection. The result is a more profitable attack.

4.4 Sustainability

Cost to Attacker

The startup costs for malicious hardware phishing through the online marketplace are high compared to conventional email phishing. The retail price of the router used in this paper is $99; however, it is commonly discounted 20-30%. Assume that bulk purchases can be made for a price of $75 per unit.

A quick scan of completed auctions at one popular venue between the dates 2/2/2006 and 2/9/06 shows 145 wireless routers matching the search phrase “linksys 802.11g router.” Of these, all but 14 sold. Thus there is a sufficiently large market for wireless routers to make the logistics of selling them a full time job.

Listing fees are insignificant. For the sake of computation, let $5 be a gross upper bound on per router selling costs through online marketplaces. To compute a pessimistic lower bound on the cost of reselling the malicious routers, assume that routers sell for an average of $30. Then it costs $50 ($75 new acquisition, plus $5 listing, less $30 selling price) per router to put into circulation. While this method is expensive, the online marketplace disseminates a reliably high number of routers over a wide area.

Hit rate

A gross estimate of phishing success rate is derived from the finding that 3% of the 8.9 million identity theft victims attribute the information loss to phishing [10]. This puts the total phishing victims in 2005 at 267,000, or roughly a 5135 people per week hit rate for the combined efforts of all phishers. Fraud victims per week triples when expanding the cause from phishing to computer-related disclosures (viruses, hacking, spyware, and phishing). This gives a plausible upper bound on phishing’s effectiveness, since people cannot reliably distinguish the cause of information loss given the lack of transparency in computer technology.

As noted above, 131 of the wireless routers closely matching the description of this paper’s demonstration sold in a week. Other brands use a similarly exploitable architecture (although this is far from universal). Over the same period of time there were 872 auctions for routers matching the query “802.11g router.” This indicates high potential for circulating compromised routers in volume. While far more expensive pricewise, cost in time should be compared to spam based phishing and context aware phishing, since one hit (about $2,100 for account misuse) could cover the cost of circulating a week’s worth of routers.

Assume that each compromised router produces an average of 3 identity theft victims (the occasional hotspot, multiple user households and small offices), and an individual sells 15 routers a week. Then the number of harvested victims is 45, around .88% of the total number of victims attributed to phishing. Of course these are made up numbers, but they illustrate the potential impact due to a single attacker.

Financial Gain to Attacker

Assume that the attacker is able to acquire 45 new victims a week as stipulated above. In 2005, the average amount per identity fraud instance was $6,383. This suggests a yearly gross of

45 × 52 × $6,383 = $14,936,220

for a modestly sized operation. At 15 routers a week, the yearly expenditure for circulating the routers is $39,000, based on the cost of $50 above.

Identity theft survey data [15] shows that on average the fraud amount due to new account & other fraud ($10,200) is roughly five times higher than the fraud amount due to misuse of existing accounts ($2,100). A malicious router potentially collects far more personal information than email based phishing due to its omnipresent eavesdropping. This extra information makes it easier to pursue the new account & other fraud category than one bite phishing (e.g. email), thereby increasing the expected fraud amount per victim. Moreover, multiple accounts are subject to hijacking, and the router may elude blame for the information disclosure for quite some time given the opaqueness of computer technology, opening the victim to multiple frauds a year.
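The cookie rule stated under Spying above (the origin hostname matches the cookie's Domain attribute and the Secure attribute is clear) is what decides which cookies an on-path router can read in clear text. The following Go program is an added example, not taken from the paper: it parses Set-Cookie headers, applies the domain-matching and Secure rules, and lists the hosts to which a given cookie would be sent over plain http. It goes one step beyond the paper's description by also handling the host-only case, a cookie set without any Domain attribute, which browsers return only to the exact host that set it. All headers and hostnames are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Cookie holds the Set-Cookie attributes that decide whether a browser
// sends the cookie back on a given request.
type Cookie struct {
	Name, Value string
	Domain      string // lower-case, without a leading dot
	HostOnly    bool   // true when Set-Cookie carried no Domain attribute
	Secure      bool
}

// ParseSetCookie parses a Set-Cookie header received from originHost.
// Hand-written so the rules of interest stay visible; attributes that do
// not affect the point being shown (Path, Expires, ...) are ignored.
func ParseSetCookie(header, originHost string) Cookie {
	c := Cookie{Domain: strings.ToLower(originHost), HostOnly: true}
	for i, part := range strings.Split(header, ";") {
		part = strings.TrimSpace(part)
		if i == 0 {
			c.Name, c.Value, _ = strings.Cut(part, "=")
			continue
		}
		key, val, _ := strings.Cut(part, "=")
		switch strings.ToLower(strings.TrimSpace(key)) {
		case "domain":
			if d := strings.ToLower(strings.TrimPrefix(strings.TrimSpace(val), ".")); d != "" {
				c.Domain, c.HostOnly = d, false
			}
		case "secure":
			c.Secure = true
		}
	}
	return c
}

// WouldSend reports whether a browser attaches c to a request for
// scheme://host. A host-only cookie goes back only to the exact host; a
// cookie with a Domain attribute goes to that domain and its subdomains;
// a Secure cookie goes only over https. Without Secure, the value travels
// in clear text over http, where an on-path device such as the paper's
// router can read it.
func WouldSend(c Cookie, scheme, host string) bool {
	host = strings.ToLower(host)
	if c.HostOnly {
		if host != c.Domain {
			return false
		}
	} else if host != c.Domain && !strings.HasSuffix(host, "."+c.Domain) {
		return false
	}
	if c.Secure && scheme != "https" {
		return false
	}
	return true
}

// ClearTextExposure lists, for one Set-Cookie header, the hosts among
// candidates to which the cookie would be sent over plain http. An empty
// result means the cookie never leaves the client unencrypted.
func ClearTextExposure(header, originHost string, candidates []string) []string {
	c := ParseSetCookie(header, originHost)
	var exposed []string
	for _, h := range candidates {
		if WouldSend(c, "http", h) {
			exposed = append(exposed, h)
		}
	}
	return exposed
}

func main() {
	// Constructed headers and hostnames, not captured from any real site.
	hosts := []string{"www.bank.example", "bank.example", "mail.bank.example", "evil.example"}
	for _, hdr := range []string{
		"session=abc123; Domain=.bank.example; Path=/",
		"session=abc123; Domain=bank.example; Path=/; Secure",
		"pref=1",
	} {
		fmt.Printf("%-52s sent over http to: %v\n", hdr, ClearTextExposure(hdr, "www.bank.example", hosts))
	}
}
```

Read together with section 4.3, the program shows why the paper pairs pharming with a pushed self-signed certificate: a Secure cookie is withheld from the http request that a sniffing router could read, so the attacker needs the browser to believe it has an https session with the matching domain before WouldSend returns true.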
Consider a worst case estimate where: no victim is robbed more than once, the fraud amount is due to account misuse ($2,100), and the distribution costs are high ($120 per router, i.e. free to the victim). The yearly gross is still $4,914,000, with a distribution cost of $81,000.

In summary, the startup costs are high for this attack; however, the stream of regular victims and the magnitude of corresponding fraud dwarf the distribution costs.

Management of non-monetary risks

The attacker may incur substantial non-monetary risks when implementing this scheme. The primary concern is exposure. Purchasing routers in bulk could raise suspicion. The plan above entails a relatively modest number (15) of router purchases per week. A computer criminal need not sell the routers through a single personal account. The diligent attacker will control many accounts, possibly reusing the accounts of her victims to buy and sell small numbers of routers.

Another concern is the relatively long attack lifetime. Phishing servers remain online for about 5 to 6 days before vanishing [1], yet the malicious firmware resides on the router indefinitely. This does not imply that the malicious hosts referenced by the router’s pharming attack also stay online indefinitely. Although the pharming attack implemented in the demonstration is static, compromised routers can communicate with agents of the attacker through ssh connections for dynamic updates to compromised host listings. The fraudulent hosts retain their short online lifetimes under this scheme.

If the attacker has a large network of compromised routers, then her apprehension by law enforcement should begin the reversion of compromised routers without revealing their IP addresses. She can use a botnet to implement a dead (wo)man’s switch. In normal circumstances the botnet receives periodic “safety” messages. In the absence of these messages, the botnet spams appropriately disguised “revert” commands to the IPv4 address space. The reversion to factory firmware need not be complete though. While manufacturer firmware often has sufficient vulnerabilities, the reversion could configure the manufacturer firmware for straightforward reinfection (e.g., set firewall policy to accept remote administration through an unusual port). This has the advantage of not disclosing the nature of the malware to investigators. It will simply appear vulnerable.

The biggest concern is actually executing the identity fraud. Cash transfers out of existing accounts are quick, but tend to be for lower dollar values than new account fraud, as noted earlier. New account fraud seems more promising for actually purchasing goods since the attacker will be able to control the registered mailing address and avoid detection for a longer period of time. For maximal impact, the fraudster should empty the existing accounts last using cash transfers.

5. COUNTERMEASURES

Malicious firmware poses some serious threats; however, we are not helpless to prevent them. This section examines some methods to counter the general problem, and then some methods that mitigate the malicious network router.

5.1 General countermeasures

Accessibility to firmware is obscure, but not secure. These properties discourage trust. The firmware upgradability channels should be evident to the consumer, and moreover should implement effective access control. These processors have sufficient power to check digital signatures. One solution uses a hard-wired bootstrapping process to check digitally signed firmware against an onboard manufacturer public key, just as in [2]. This addition limits firmware changes to those sanctioned by the manufacturer.

In the absence of tamper proof or tamper evident hardware, a knowledgeable and determined attacker could replace the chips holding either the bootstrapping program or the manufacturer’s public key (assuming that these are not integrated into the SoC silicon). Moreover, part of the appeal for many technologically savvy consumers is the ability to control the hardware in novel ways. One solution makes the digital signature check bypassable using a circuit board jumper, while using a tamper evident exterior. Third party firmware is still installable, yet the hardware can no longer be represented as within factory specification. This solution also appeals to a meticulous customer who sees third party firmware as more trustworthy.

5.2 Pharming countermeasures

In the context of identity theft, the principal threat is accepting a self-signed SSL certificate. Once accepted, the spoofed host’s login page can be an exact copy of the authentic page over an SSL connection. The semi-wary user, while fooled by the certificate, observes the https link in the address bar and the padlock icon in the browser frame and believes that the transaction is legitimate. An immediate practical solution is to set the default policy on self signed certificates to reject. A finer grained approach limits self signed certificate rejection to a client side list of critical web sites.

Many phishing toolbars check for an https session when a login page is detected. This detection is not straightforward. HTML obfuscation techniques can hide the intended use of web pages by using graphics in place of text, changing the names of the form fields, and choosing perverse style sheets. This includes many of the same techniques that phishers use to subvert content analysis filters on mass phishing email.

The DNS protocol is very efficient at the cost of high vulnerability. Every machine in the DNS hierarchy is trusted to return correct results. Erroneous or malicious results are forwarded without scrutiny. Secure DNS, or DNSSEC [8, 11], is a proposal where each level of reference and lookup is digitally signed by trusted servers. The client starts out with the public key of a DNS server it trusts. Server traversal proceeds as usual, but with the addition of digital signatures for each delegation of name lookup. The lookup policy forces servers to only report on names for which they have authority, eliminating cache poisoning. This method returns a client checkable certificate of name resolution. If implemented as stated, the system will be very difficult to subvert. However, there is substantial overhead in all the signature checking. A real implementation will need to implement caching at some level for efficiency. What servers are trustable for lookups outside their authority? One should not trust public or open wireless access points since they are controlled by unknown agents. Home routers which are under the physical control of the user should be trusted. Their compromise exposes clients to worse vulnerabilities than just pharming (e.g. packet sniffing, mutation, rerouting, eavesdropping). While widespread DNSSEC deployment coupled with the correct trust policies (i.e. no errant or malicious servers are trusted) will eliminate pharming, the compromised router achieves the same effect by rerouting unencrypted http traffic to a man-in-the-middle host.

6. CONCLUSION

This paper serves as a call to action. Maliciously compromised embedded systems are implementable today (e.g. our demonstration). They are dangerous because of the damage they can inflict and because of misplaced consumer trust. Their distribution through online auctions is a plausibly sustainable enterprise.

7. ACKNOWLEDGEMENTS

I would like to thank Markus Jakobsson for recommending a project on malicious embedded firmware. My conversations with Bhanu Nagendra Pisupati resulted in choosing wireless routers as a promising target. I have Jean Camp’s influence to thank for framing the feasibility in economic terms.

8. REFERENCES

[1] APWG. Phishing activity trends report. Technical report, Anti-Phishing Working Group, December 2005.
[2] W. A. Arbaugh, D. J. Farber, and J. M. Smith. A secure and reliable bootstrap architecture. In SP ’97: Proceedings of the 1997 IEEE Symposium on Security and Privacy, pages 65–71, Washington, DC, USA, 1997. IEEE Computer Society.
[3] Ivan Arce. The rise of the gadgets. IEEE Security & Privacy, September/October 2003.
[4] Ivan Arce. The shellcode generation. IEEE Security & Privacy, September/October 2004.
[5] CERT. Incident note IN-99-03. http://www.cert.org/incident notes/IN-99-03.html, April 1999.
[6] Rachna Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. In SOUPS ’05: Proceedings of the 2005 symposium on Usable privacy and security, pages 77–88, New York, NY, USA, 2005. ACM Press.
[7] Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works. http://www.sims.berkeley.edu/~rachna/papers/why phishing works.pdf.
[8] D. Eastlake. Domain name security extensions. RFC 2535, March 1999.
[9] Markus Jakobsson and Steve Myers. Phishing and Counter-measures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley, 2006.
[10] Javelin Strategy & Research. Identity theft survey report (consumer version), 2006.
[11] Trevor Jim. SD3: A trust management system with certified evaluation. In IEEE Symposium on Security and Privacy, pages 106–115, 2001.
[12] OpenWrt. http://www.openwrt.org.
[13] Joon S. Park and Ravi Sandhu. Secure cookies on the web. IEEE Internet Computing, 4(4):36–44, 2000.
[14] Sid Stamm and Markus Jakobsson. Case study: Signed applets. In Phishing and ... [9].
[15] Synovate. Federal trade commission identity theft survey report, 2003.
[16] Min Wu, Robert Miller, and Simson Garfinkel. Do security toolbars actually prevent phishing attacks? In CHI, 2006.
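The hard-wired bootstrap of section 5.1, together with its jumper-bypassable variant, can be made concrete. The following Go program is an added example, not from the paper or from any router manufacturer: it pins a manufacturer Ed25519 public key as the device's ROM key, verifies a signature over the image's version number and payload before accepting it, and admits an unsigned image only when the physical jumper is set, in which case the device is recorded as running third-party rather than factory firmware. The image container format, the key pair and the payload are all constructed for the example; a real bootloader would read the key from ROM or on-SoC fuses rather than generate it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a constructed firmware container: a version number, the
// payload, and an Ed25519 signature over (version || payload).
type Image struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedBytes is the exact byte string the manufacturer signs. Covering
// the version as well as the payload stops a valid signature from being
// re-attached to the same payload under a different version.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignImage is the manufacturer-side step, included so the example is
// self-contained; the private key never exists on the device.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload))}
}

// BootStatus is the bootstrap's decision about an image.
type BootStatus int

const (
	Rejected   BootStatus = iota // signature does not verify: refuse to boot or flash
	Factory                      // manufacturer-signed: within factory specification
	ThirdParty                   // jumper set: unsigned image allowed, device flagged
)

// BootCheck models the hard-wired bootstrap of section 5.1: romKey is the
// manufacturer public key pinned in the device, and the only way an
// unsigned image runs is the physical jumper, which marks the device as
// no longer within factory specification (the tamper-evident variant).
func BootCheck(romKey ed25519.PublicKey, img Image, jumperSet bool) (BootStatus, error) {
	if ed25519.Verify(romKey, signedBytes(img.Version, img.Payload), img.Signature) {
		return Factory, nil
	}
	if jumperSet {
		return ThirdParty, nil
	}
	return Rejected, errors.New("firmware signature does not verify against manufacturer key")
}

func main() {
	// Fresh manufacturer key pair for the demonstration (constructed).
	romKey, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := SignImage(priv, 4, []byte("constructed firmware payload"))
	st, err := BootCheck(romKey, img, false)
	fmt.Println("genuine image:", st, err)

	// One flipped byte, as any reflash of modified firmware would cause.
	tampered := img
	tampered.Payload = append([]byte(nil), img.Payload...)
	tampered.Payload[0] ^= 0xff
	st, err = BootCheck(romKey, tampered, false)
	fmt.Println("tampered image, jumper off:", st, err)
	st, err = BootCheck(romKey, tampered, true)
	fmt.Println("tampered image, jumper on:", st, err)
}
```

The ThirdParty outcome is what gives the jumper variant its value to the buyer the paper describes: a device that booted unsigned firmware has a recorded, physically evident state, so the "appears in new condition" property of section 3.2 no longer holds for it.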