
Not to downplay a rather interesting vulnerability, but why does it matter if someone figures out where you are?

As much as I love my own real (not internet) privacy, I don't depend on people not knowing where I am. The success of sites such as Foursquare leads me to believe a large amount of people feel the same way.



Furthermore, if you've got control of the router (and thus DNS server settings...) the user has much bigger problems: http://www.schneier.com/blog/archives/2007/02/driveby_pharmi...


I don't think that he obtained control of the router; the article only states that he managed to get the router's MAC address and then cross-referenced this with Google's wifi database (I assume). He can't modify the router, just get a routing table from the computer somehow. At least that's what I understand from this extremely sparse-in-detail article.


He does have control of the router's settings (possibly even the ability to update the firmware with a malicious replacement?). Most routers let you set the DNS server addresses to be provided via DHCP. If you control DNS, you control which addresses domains resolve to. No need to control the routing table.

SSL helps mitigate the damage to some extent, but only if the site uses SSL.


Wait, where does it state he gained access to the router? You can get the MAC address of your router by sending an HTTP request to it. Mine states it on the homepage. Doesn't mean you can change anything on there. What I'd like to know is how he manages to send this request; the JavaScript origination policy should be blocking this.

EDIT: I was referring to the original article. Schneier has a point: if the user has the default password set then yes, he can log in, but how is that even possible on most browsers today, which prevent you from sending AJAX requests to anything but the original server?

EDIT2: Just tried it and got an error from Chrome: 400 Bad Request Cross Site Action detected!


You need to watch the video again. Starting at 1:20 he mentions logging in using the default admin credentials.

He's using an XSS vulnerability in the router admin interface to execute JavaScript on the router's pages, so he can use JavaScript to do pretty much anything the user can do.

But even without an XSS exploit you can make cross-domain POSTs using forms, and GETs using IMG or SCRIPT tags. You just can't get the response, so it's not suitable for this attack where you need to get the MAC address out.

The "Drive-by Pharming" mentioned in the link I posted used the latter technique, because all it needs to do is POST some form that tells the router to update the DNS settings, it doesn't need the response.

He actually mentioned that technique in the video, but sort of glossed over it (right before "now, this isn't necessary in our geolocation XXXSS attack")


Thanks for the clarifications. I'm now turning off my router's web interface ;p ssh is all that's needed anyway.


I'm also curious as to how he's managing to call to the router via javascript. Anyone have more details on the hack?

edit: Here's more info...

http://samy.pl/mapxss/

The hack relies on a specific XSS vulnerability in the Verizon FiOS router. It requires that you're already logged into your router or that you're using default username/password.


The page linked is a proof of concept -- a minimal demonstration. The same process can be applied to any XSS vulnerable router.

That said, I've upvoted you for the link.


Yes, when the attacker has control of the router, the user is a helpless victim. The next step will probably be a man-in-the-middle attack for online banking.

Also, even if the user changed the default password, he probably stored the new credentials in the browser.


> why does it matter if someone figures out where you are?

If this allows one to know where you are not (e.g. you're not at home), this can be useful to a couple of people.



