Router Security What can go wrong if a router gets hacked Website by     
Michael Horowitz 
Home | Site Index | Bugs | News | Security Checklist | Tests | Resources | Stats | About | Search |
See my Oct 11th blog: Using a router to defend against Xiongmai video devices
 

In a word, Everything.

Every bad thing you can imagine happening to a computing device, can happen to one that sits behind a hacked router. The only limit is the imagination of the bad guys.

A router sits between the Internet and all the computing devices on a LAN. To illustrate what can go wrong, consider two people who speak different languages communicating through an interpreter. If the interpreter is malicious, they can manipulate either person into thinking anything.

POTENTIAL PROBLEMS

Spying on your activities (goes without saying). We saw a public example of this in September 2018 with an attack on MikroTik routers. The attackers spied on the routers by forwarding a copy of network traffic to the spies. This was done using the built-in packet-sniffing capabilities of MikroTik routers. The sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system using Wireshark or other packet capture tools. For more see 7,500+ MikroTik Routers Are Forwarding Owners' Traffic to the Attackers, How is Yours? by Netlab 360.

DNS Hijacking (changing the DNS servers that the router gives out to attached devices). A victim using malicious DNS servers can think they are at website A, when they are really seeing a scam copy of it. Kiss that password good-bye.

If a computer is downloading software, the router can trick it into downloading a malicious copy of the software.

An infected router may do nothing to its owner other than slow down the Internet connection. A big reason for taking over routers (and IoT devices too) is to use them in distributed denial of service attacks.

If the router is sharing files, those files can be visible to an attacker.

In August 2018, Micah Lee of The Intercept wrote that the NSA would use hacked routers to copy VPN traffic so they could decrypt the VPN. Quoting from the article: "In 2014, The Intercept reported on the NSA's plans ... to use an automated system called TURBINE to covertly infect millions of computers with malware. The revelations described a piece of NSA malware called HAMMERSTEIN, installed on routers that VPN traffic traverses. The malware was able to forward VPN traffic that uses the IPSec protocol back to the NSA to decrypt."

In July 2018 we heard of two cases where a compromised router was used to access computers on the LAN behind the router. In one case, a bank in Russia lost about $920,000. In another case sensitive US military documents were stolen and found for sale on the dark web.

In May 2018 we learned of a new problem that malware on a router can create - bricking the box. This was seen (as far as I know for the first time) in the VPNFilter malware first reported on by the Talos division of Cisco. Many of the 500,000 infected routers were in the Ukraine, so speculation was that Russia was out to permanently disable routers to disrupt the entire country.

The VPNFilter malware would also change outgoing HTTPS requests to HTTP thus making it easier for an infected router to both spy on the transmitted data and also to change it. Another interesting trick used by VPNFilter was to listen for a special incoming trigger packet, without opening any ports.

In June 2018 we first heard of a hacked router serving as the Command and Control of a botnet.. Bad guys hacked a data center belonging to a Central Asian country and embedded malicious JavaScript code on government websites. The code re-directed victims to malicious websites hosting exploitation tools that attempt to infect victims with a remote access trojan (RAT). The attackers hacked a MikroTik router to host the command and control server of the RAT. The hacked router controlled and retrieved data from victims, providing an additional layer of anonymity between the bad guys, victims, and forensic investigators.

A very common router attack is changing the DNS servers. In late April 2018, an ISP was hacked to use malicious DNS servers. The hack pointed users of MyEtherWallet.com to a phishing site at a Russian IP address. Anyone who logged into their account would have had their passwords stolen. Likewise, browsers already signed in, would have transmitted cookies which bad guys could have used to log on to the site. The malicious DNS servers were active for only two hours, but users of MyEtherWallet.com lost around $150,000. Victims should have received a warning that the scam site was using a self-signed digital certificate. They ignored it, perhaps because they did not understand what the warning meant. While this was not a router hack (technically it was a BGP leak), it illustrates what can happen when using malicious DNS servers. The Test Your Router page lists websites that display your current DNS servers.

April 16, 2018: The New York Times, reporting on Russian hacking (U.S.-U.K. Warning on Cyberattacks Includes Private Homes) quotes Howard Marshall, the deputy assistant director of the cyber division at the FBI: "Once you own the router, you own all the traffic, to include the chance to harvest credentials and passwords ... It is a tremendous weapon in the hands of an adversary."

April 16, 2018: A joint Technical Alert was issued by the Department of Homeland Security, the FBI and the British National Cyber Security Centre - Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. It had a section called, Own the Router, Own the Traffic, which details what can go wrong: "Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization's gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization's internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts ... An actor controlling a router between ICS-SCADA sensors and controllers in a critical infrastructure - such as the Energy Sector - can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network."

Federal networks susceptible to router hacks, DHS says by Derek B. Johnson of FCW March 6, 2018. The Department of Homeland Security just released a report from 2016 on network infrastructure security. The report (see bellow) says that "as security practices for individual computers and devices have hardened, nation-state hackers have adapted by focusing on weaker network infrastructure devices, like routers, that 'are often working in the background with little oversight -- until network connectivity is broken or diminished'." A letter, released along with the report, quoted the agency head: "for several years, network infrastructure devices have been the attack-vector of choice" for advanced persistent threat hacking groups to conduct denial of service attacks, data theft and alteration of data moving across federal networks.

The report referred to above is The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. One section details what can happen after a router is hacked: "If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data. Intruders with infrastructure privilege and access can impede productivity and severely hinder reestablishing network connectivity ... Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts."

In May 2017, Trend Micro wrote "A compromised home router can open up the user to significant consequences: information or even identity theft, malicious sites and advertisements, VoIP fraud, and more. Cybercriminals can also profit by using compromised home routers in for-profit distributed denial-of-service attacks (DDoS) or as part of a rented botnet. Botnets have become quite profitable ... "

In March 2013, Leon Juranic of Defense Code documented flaws with UPnP. His document started with this: Hacking network devices is a sort of the Holy Grail for hackers, because once we're in a network device like a router or switch, we can (more-or-less) overtake all machines behind it. Network traffic sniffing, man-in-the-middle attacks, binary infection on-the-fly, further network penetration, so on, and so on... His document included a huge list of routers vulnerable to particular UPnP bug. No Peplink routers were on the list.

DOCUMENTED EXAMPLES OF ROUTER HACKS

See the Routers in the news page.

An infected router can setup a bad guy as a Man-In-The-Middle. Here is a funny story of what one person did when a neighbor used their Wi-Fi network without permission: Upside-Down-Ternet. In this case, the person whose Wi-Fi was being stolen, was the Man-In-The-Middle, and he was playing a joke on the thief - every image the Wi-Fi thief saw, was upside-down. Pretty darn funny.

TARGET TAILS LINUX

If I ran a spy agency, one group of people that I would most want to spy one would be those downloading the Tails version of Linux which is used to access TOR. In fact, Tails is the best way to access the TOR network. Tails lives at https://tails.boum.org which (as of June 2015) resolves to IP address 204.13.164.188. The Internet thinks this IP address is in the United States, specifically in Seattle, Washington.

A malicious router could easily change every outgoing packet destined to 204.13.164.188 and replace the legitimate IP address with one for a malicious copy of the tails.boum.org website. A victim would never know they were looking at a scam website with scam checksums for the modified hacked ISO at the scam site.

Then again, if I ran a spy agency, I would have the ISP do this for me. Much less work than hacking a router and it lets me corrupt far more copies of Tails Linux.



Top 
This page was last updated: September 7, 2018 11PM CT     
Created: June 18, 2015
Viewed 24,115 times since June 18, 2015
(20/day over 1,221 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2018