Routers supplied to customers by ISPs around the world include serious defects that allow remote hackers to take control of them.

Most of the routers have a “directory traversal” defect in a firmware part called webproc.cgi that enables hackers to extract sensitive configuration information, including administrative qualifications. The defect isn’t old and has been reported by multiple researchers since 2011 in various router versions.

Security researcher Kyle Lovett came in some ADSL routers he was examining in his free time several months past across the defect. He unearthed hundreds of a large number of vulnerable devices from different manufacturers that was distributed by ISPs to Internet subscribers in a dozen states and inquired further.

According to Lovett, the hashing algorithm is weak so the password hashes can readily be decoded. Attackers could then log in as administrator and alter the DNS settings of a router.

Large scale DNS hijacking attacks against routers, called router pharming, have become common in the last two years.