Router Security: What can go wrong
Every bad thing you can imagine happening to a computing device can happen to one that sits behind a hacked router. The only limit is the imagination of the bad guys.
A router sits between the Internet and all the computing devices on a LAN. To illustrate what can go wrong, consider two people who speak different languages communicating through an interpreter. If the interpreter is malicious, they can manipulate either person into thinking anything.
- Spying on your activities (goes without saying).
- A victim on the LAN can think they are at website A, when they are really seeing a malicious copy of it. Kiss that password good-bye.
- If a computer is downloading software, the router can trick it into downloading a malicious copy of the software.
- An infected router may do nothing to its owner other than slow down the Internet connection. A big reason for taking over routers (and IoT devices too) is to use them in distributed denial of service attacks.
- If the router is sharing files, those files can be visible to an attacker.
In August 2015, Jeff Atwood blogged about how two people he knew fell victim to compromised routers (see Welcome to The Internet of Compromised Things). In one case, the infected router inserted ads onto all HTTP web pages. Quoting:
It's becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level ... I write about this because it recently happened to two people I know ... This is way more evil genius than infecting a mere computer. If you can manage to systematically infect common home and business routers, you can potentially compromise every computer connected to them. Router malware is the ultimate man-in-the-middle attack ... [bad guys] can direct you to phishing websites at will - if you think you're on the "real" login page for the banking site you use, think again.
In May 2015, Scott Hanselman wrote about an infected router at his local sandwich shop that "... started to redirect me to a fake 'update your flash' and download a 'Install flashplayer_10924_i13445851_il345.exe' malware file..... This affects their PoS (Point of Sale) system, tablets, iPhones ... It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns its own HTML."
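The intermittent pattern in that account (most requests are served normally, then one in a few hundred comes back as the router's own page) is exactly what makes such injection hard to notice by eye, but easy to catch by comparison. The following is an added example, not code from this site or from the people quoted above: it fetches nothing, but shows the detection logic run over a constructed set of HTTP response bodies, flagging the ones that disagree with the majority or with a known-good digest.

```python
import hashlib
from collections import Counter

# Constructed sample data: what a client might record across repeated
# requests for the same static page on plain HTTP. Most responses are
# the genuine page; a few are the injector's own HTML.
GENUINE = b"<html><body><h1>Menu</h1><p>Today's special: pastrami</p></body></html>"
INJECTED = (b"<html><body><h1>Update required</h1>"
            b"<p>Your Flash player is out of date. Download now.</p></body></html>")
SAMPLE_RESPONSES = [GENUINE] * 7 + [INJECTED] + [GENUINE] * 4 + [INJECTED]


def response_digest(body: bytes) -> str:
    """SHA-256 of a response body; used as a compact identity for comparison."""
    return hashlib.sha256(body).hexdigest()


def find_outliers(responses, expected_digest=None):
    """Return (reference_digest, indices of responses that differ from it).

    A static resource fetched repeatedly from one origin should not change.
    With no expected_digest the majority body is taken as the reference,
    which catches an injector that only tampers with a minority of responses.
    Pass expected_digest (recorded earlier on a trusted network) to also
    catch an injector that rewrites every response.
    """
    if not responses:
        raise ValueError("no responses to compare")
    digests = [response_digest(r) for r in responses]
    reference = expected_digest or Counter(digests).most_common(1)[0][0]
    return reference, [i for i, d in enumerate(digests) if d != reference]


def injection_rate(responses, expected_digest=None):
    """Fraction of responses that disagree with the reference body."""
    _, outliers = find_outliers(responses, expected_digest)
    return len(outliers) / len(responses)


if __name__ == "__main__":
    ref, odd = find_outliers(SAMPLE_RESPONSES)
    print(f"reference digest {ref[:12]}..., suspicious responses at {odd}")
    print(f"injection rate: {injection_rate(SAMPLE_RESPONSES):.1%}")
    for i in odd:
        print(f"  #{i}: {SAMPLE_RESPONSES[i][:60]!r}")
```

The majority vote is only a heuristic; the `expected_digest` path is the robust form of the check, since a digest recorded once over a trusted connection stays valid for as long as the resource is unchanged. Serving the page over HTTPS removes the injection opportunity altogether, which is why this kind of monitoring mostly matters for legacy plain-HTTP endpoints.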
In October 2016, Brian Krebs wrote about malware that targeted Asus and Linksys routers. The software turned the routers into SOCKS proxies, which help bad guys hide their location, much like Tor. Bad guys were using these hacked routers "for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites." Plus, access to these hacked routers was being sold in exchange for Bitcoin.
Or, when visiting popular websites, the router can install malware by prompting users to install a plug-in. Here is a screen shot of this from 2012 in Brazil. See also Info Stealer Poses as Google Chrome Installer from Trend Micro.
Victims don't have to do anything to have their computing devices infected with malware. A hacked router can corrupt the self-update mechanism of either the operating system or a specific application. In June 2015 a case like this got a lot of publicity: the pre-installed Swift keyboard on Samsung smartphones self-updated in an insecure way that could be corrupted by anyone able to modify network traffic. A hacked router is one such source; so too is a malicious ISP, a bad guy on the LAN, or malware running on another LAN-resident device. Because the keyboard software ran with very high system privileges, there was almost no limit to what the malware it was tricked into installing could do.
An infected router can set up a bad guy as a Man-In-The-Middle. Here is a funny story of what one person did when a neighbor used their Wi-Fi network without permission: Upside-Down-Ternet. In this case, the person whose Wi-Fi was being stolen was the Man-In-The-Middle and he was playing a joke on the thief: every image the Wi-Fi thief saw was upside-down. Pretty funny.
TARGET TAILS LINUX
If I ran a spy agency, one group of people that I would most want to spy on would be those downloading the Tails version of Linux, which is used to access TOR. In fact, Tails is the best way to access the TOR network. Tails lives at https://tails.boum.org which (as of June 2015) resolves to IP address 220.127.116.11. The Internet thinks this IP address is in the United States, specifically in Seattle, Washington.
A malicious router could easily rewrite every outgoing packet destined for 18.104.22.168, replacing the legitimate IP address with that of a malicious copy of the tails.boum.org website. A victim would never know they were looking at a scam website, complete with scam checksums for the modified ISO served there.
Then again, if I ran a spy agency, I would have the ISP do this for me. Much less work than hacking a router and it lets me corrupt far more copies of Tails Linux.
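The weak link in the scenario above is that the checksum and the ISO travel over the same path, so whoever controls the path (router or ISP) controls both. The following is an added example, not code from this site or from the Tails project: it parses a SHA256SUMS-style file and verifies a download against it, but gives a verdict of "ok" only when the file also matches a hash obtained independently (for example written down from a different network or device). The ISO contents, the file name `tails-amd64.iso` and the checksum files are constructed sample data.

```python
import hashlib
import re

# Constructed sample data: a stand-in for the genuine image, a stand-in for
# a modified one, and the checksum files each site would publish beside it.
GENUINE_ISO = b"constructed stand-in for the genuine Tails image bytes"
TAMPERED_ISO = b"constructed stand-in for a modified Tails image bytes"
FILENAME = "tails-amd64.iso"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The hash a careful user recorded earlier, over a path the attacker does
# not control. Here it is simply computed from the genuine bytes.
PINNED_SHA256 = sha256_hex(GENUINE_ISO)
LEGIT_SUMS = f"{sha256_hex(GENUINE_ISO)}  {FILENAME}\n"
# The scam site serves the modified ISO together with a checksum that
# matches it, so an in-band check alone passes.
SCAM_SUMS = f"{sha256_hex(TAMPERED_ISO)}  {FILENAME}\n"


def parse_sha256sums(text: str) -> dict:
    """Parse '<64 hex chars>  <filename>' lines (GNU sha256sum format).

    Accepts the '*' binary-mode marker, skips blank and '#' comment lines,
    and normalises hashes to lowercase.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+)$", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(filename, data, in_band_sums_text, pinned_sha256=None):
    """Compare a download with the checksum served beside it and, if given,
    with an independently obtained (pinned) hash.

    Verdicts: 'ok' (matches the pinned hash), 'tampered' (disagrees with the
    pinned hash), 'unverified' (matches only the in-band checksum, which an
    attacker on the path can forge), 'mismatch' (matches nothing; a corrupt
    or wrong file).
    """
    actual = sha256_hex(data)
    in_band = parse_sha256sums(in_band_sums_text).get(filename)
    pinned_ok = None if pinned_sha256 is None else pinned_sha256.lower() == actual
    result = {
        "actual": actual,
        "in_band_matches": in_band is not None and in_band == actual,
        "pinned_matches": pinned_ok,
    }
    if pinned_ok is True:
        result["verdict"] = "ok"
    elif pinned_ok is False:
        result["verdict"] = "tampered"
    elif result["in_band_matches"]:
        result["verdict"] = "unverified"
    else:
        result["verdict"] = "mismatch"
    return result


if __name__ == "__main__":
    print("scam site, in-band only :", verify_download(FILENAME, TAMPERED_ISO, SCAM_SUMS)["verdict"])
    print("scam site, pinned hash  :", verify_download(FILENAME, TAMPERED_ISO, SCAM_SUMS, PINNED_SHA256)["verdict"])
    print("real site, pinned hash  :", verify_download(FILENAME, GENUINE_ISO, LEGIT_SUMS, PINNED_SHA256)["verdict"])
```

The "unverified" verdict is the important one: the download is internally consistent, yet nothing has been proven, because the checksum came over the same connection as the file. A detached OpenPGP signature verified against a key obtained on a separate occasion is the stronger form of the same idea, and is what Tails actually publishes; this example uses a pinned hash only to keep the logic visible.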