Most routers /do not/ come with remote access enabled. Wardriving gives an attacker access to the router from /inside/, not from outside. As such, the remote access setting is irrelevant in that case anyway.

WPA2 and disabling UPnP are probably the only useful “protections” that you have given yourself. Better than changing your SSID is turning off SSID broadcasting. A non-default SSID is about as useful as painting your front door a different color: it does not improve the lock on the door.

This hack is just a proof-of-concept at this point. AFAICK, nobody is actually /doing/ this, although I’m sure an attack will be out there any day, now. Given that it’s just a proof-of-concept, the existing hack isn’t very interesting.

As soon as someone wants to make a concerted effort to get this thing out into the wild and do some damage, I’m sure they’ll add brute-force password access into the javascript code. Or, even a simplistic dictionary attack. Simply changing your password from the default might not be enough… you’ll have to make it something that can’t be “easily” broken”.

The real problem is that most users out there are idiots. The means to protect against this type of attack exist, it’s just that nobody bothers to understand enough about security to even care. If everyone used a non-privileged Microsoft Windows login most of the time, many attacks would be stopped in their tracks. It’s just easier to /not/ do that. Likewise, it’s easier not to change your router password.

Sneaky exploit, to be sure; but the solution is simple (and should be rule-of-thumb): change the default password on the router. The script (at least this version of it) can’t detect or hack the password; it simply attempts to login using the known-default password for each manufacturer’s router.

Anyone who doesn’t change the default password on their router is just asking for trouble – and not just from this script (especially since, IIRC with my Linksys router, remote access is enabled by default, leaving the router subject to warjacking attack).

For instance, I’ve got WPA2 enabled with a full-length PSK, remote access disabled, MAC address filtering, non-default SSID, UPnP disabled, and, of course, local router access password changed. I know MAC addresses can be cloned, but it’s one more layer. Also, I am broadcasting my SSID; finding it out is trivial for anyone trying to do so, so why make my own networking more difficult?

Anyway, doubtful anybody in my lifetime is going to get into my network (or router) without my permission – and everything that I’ve done is actually pretty easy to do with any modern router (mine is only an 802.11g, not even draft-n), and will prevent this type of javascript attack.