According to this MIT Technology Review article there is a 1 in 2 chance you or someone you know has not changed the default configuration password on their home router. Most OEMs don't require users to establish new passwords. Fix this today - bad buys have developed new website exploits that could harvest your IP, probe the router for manufacturer info, then remap DNS to point to bogus webpages that most users won't be able to tell from the real thing. This would mean 

"an unknowing victim who types in the domain name of his or her bank might be greeted by a page that looks legitimate. But any log-in and password information that is entered on that page would go straight to the scammer."

"This particular attack is very powerful in that regard. The attacker doesn't have to be that technically sophisticated to mount it."

Fortunately, fixing the problem is also simple. "The easiest way to defend against this kind of attack is to change your [router's configuration] password," 

The original researchers quoted in the article claim they haven't yet this attack YET, but why wait?  Friends don't let friends surf unprotected.