Routers, switches, printers, firewalls, and other network-attached hardware can be automatically targeted via the Internet and brought under attackers' control, with no user interaction.
That was the takeaway from the "Blended Threats and JavaScript: A Plan For Permanent Network Compromise" session Thursday at the Black Hat conference in Las Vegas. Such an attack hinges on modern browsers' support for
HTML5, which allows developers to create complex JavaScript applications that run in the browser. How could an attacker "own" a router? First, the victim would have to be lured into visiting a malicious website, which would then push JavaScript with instructions to the browser to tell it about all locally connected devices. Second, after learning about the network and finding a device to target, the malicious website would need to launch a brute-force attack and divine login credentials for the device.
Read full story on InformationWeek
