Any wireless Access Point (AP) that uses a default password is vulnerable to manipulation by anyone that can gain some form of connectivity to it. If the wireless AP's management interface is Web-based, it can be mimicked, and therein resides a problem waiting to happen.
If an intruder can craft a special Web page that mimics the functionality of an AP management interface, that Web page could take any action against an AP that's allowed by the management interface. So what's to stop an attacker from developing a Web page that, when viewed, changes any of the available AP settings? Not much, apparently.
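A defender with forward-proxy or browser request logs can look for the pattern this attack leaves: a page served from an outside site causing a request to a device on an internal address. The following is an added example, not code from Symantec or from this article; the record layout, host names, addresses, and paths are constructed, and it assumes the AP is reached by a literal internal IP address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample records (client_ip, method, requested_url, referer).
# The layout is an assumption; adapt it to what your proxy actually logs.
SAMPLE_LOG = [
    ("192.168.1.20", "GET", "http://192.168.1.1/status", "http://192.168.1.1/index"),
    ("192.168.1.20", "GET", "http://192.168.1.1/admin/settings", "http://news.example/article"),
    ("192.168.1.21", "POST", "http://192.168.1.1/admin/settings", ""),
    ("192.168.1.22", "GET", "http://www.example.org/", "http://search.example/"),
    ("192.168.1.23", "POST", "http://10.0.0.1/admin/settings", "https://ads.example/banner"),
]

def is_internal(host):
    """True if host is a literal private, loopback or link-local IP address."""
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        # A host name, not a literal IP. Treated as external here; names that
        # resolve to internal addresses would need a resolver lookup to catch.
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local

def flag_cross_site_admin_requests(records):
    """Return requests to an internal IP whose Referer is an external site."""
    flagged = []
    for client, method, url, referer in records:
        target = urlsplit(url).hostname
        if not is_internal(target):
            continue  # request did not go to an internal device
        ref_host = urlsplit(referer).hostname
        # No Referer: origin unknown, so not attributable to an outside page.
        # Internal Referer: ordinary use of the management interface.
        if not ref_host or is_internal(ref_host):
            continue
        flagged.append((client, method, url, ref_host))
    return flagged

if __name__ == "__main__":
    for client, method, url, ref_host in flag_cross_site_admin_requests(SAMPLE_LOG):
        print(f"{client}: {method} {url} triggered by page on {ref_host}")
```

A hit is a reason to check the AP's DNS settings and to confirm the default password has been changed; requests without a Referer are not flagged, so this check complements those steps and does not replace them.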
Symantec chose to call this attack "drive-by pharming," and that bothers me. I saw several headlines about this attack type on the Internet before I read the Symantec blog, and I thought, "Oh great, another way to get in your car, drive around, find unprotected APs, and steal people's information." But this attack has absolutely nothing in common with war-driving. So Symantec introduced confusion with the attack name, and some media reports spread the confusion further.
Symantec would do well to stop confusing us about security problems with its use of misleading attack-type names. In the case of "drive-by pharming," the attack has nothing to do with being in close proximity to an AP (as is the case with war-driving) and is related to "pharming" only in that attackers could use the management interface vector to manipulate DNS to point to the DNS servers of their choice, which in turn could resolve certain host names to IPs that point to pharming sites.
The ability to attack someone's DNS settings could be exploited in a variety of ways, none of which Symantec bothered to mention. For example, an attack could install botnet software or other malware, spy on Web usage habits, intercept email, or intercept sensitive files for corporate espionage; the list goes on and on. It seems to me that misnaming attacks is itself a security problem because it misinforms people who might not have the time to delve deeper into the nuts and bolts behind a given title. I think Symantec should consider patching its naming methods. What do you think? Send me an email with your thoughts on this issue.
If you're interested in the Symantec report, you can read it at: