What can an intruder 'do' if he breaks into your router?

[Arklin K.]

A few articles ago there was a thread on how easy it was for an intruder
to obtain the password of your router, even if you're using WPA2/PSK.

Assuming the intruder 'does' obtain the password, what 'can' they do
besides the obvious which is to log all the web sites you go to?

For example, can they get your bank password & login?
Can they put a rogue program on your computer?
Can they log your keystrokes?

Or can they only just see all the web sites you go to?

[Chris Davies]

Arklin K. <ark...@notmyemail.com> wrote:
> Assuming the intruder 'does' obtain the password, what 'can' they do
> besides the obvious which is to log all the web sites you go to?

At a trivial level, yes, it's possible to see not only the websites you
go to but in any situation where the connection is not protected by https
it's possible to see all the content, too (including anything you send
in a form or a login).

At a more sophisticated level, it becomes possible to start spoofing
DNS responses, so that when you think you're going to (say) your bank's
website you're actually going somewhere else. Your bank's website will
be protected by SSL, sure, but would you *actually* action a "uh oh, this
certificate isn't recognised by your webbrowser" warning when you "know"
you've got to your bank? Would you even realise that the connection was
being made with http instead of https? (No errors, so it must be ok, yes?)

Now, while you personally might be sure you'd never fall foul of these
scenarios, consider whether that level of assurance can be applied to
everyone who has a wireless router.

Chris

[Jeff Liebermann]

On Mon, 21 May 2012 01:45:54 +0000 (UTC), "Arklin K."
<ark...@notmyemail.com> wrote:

I hate security questions, but there's nothing better available today.

>Assuming the intruder 'does' obtain the password, what 'can' they do
>besides the obvious which is to log all the web sites you go to?
>
>For example, can they get your bank password & login?

No. It's encrypted with SSL between the your computah and the bank
computah. Sniffing does not work.

>Can they put a rogue program on your computer?

Maybe. If you have no security or firewall running on your computah,
it might be possible to drop a trojan horse program in an open share
and wait for you to run it. If you do something dumb, like share the
entire hard disk drive, then yes, all manner of evilware can be
installed.

>Can they log your keystrokes?

No. They can only see the results of those key strokes that make it
to the internet. For example, if I login to my bookkeeping system
(Quickbooks) on my PC, my login and password are not sent over the
network and therefore cannot be sniffed. However, if someone is able
to install a key logger, it will be logged.

>Or can they only just see all the web sites you go to?

That is possible depending on the logging and debugging features of
the router. If it's fairly crude, not much can be seen. If it's
detailed logging, then sniffing will bury the attacker in too much
info. In general, if the router has a "block this web site" feature,
it also has a parser built in that will make URL logging easier.

I had a customer that had their router hijacked from the internet. I'm
not sure exactly how it happened, but I have some guesses.
1. The router config had the default password.
2. The users computer was compromised by malware which then attacked
the router.
3. The router had remote management (port 8080) enabled with the
default password.
4. The router firmware was out of date and might have had a problem.
I'm not sure what was used to attack the router, but the results were
interesting. The attack changed the DNS servers configured in the
router to something apparently in Korea. The corresponding malware
setup a proxy server for internet access. I don't know if these two
attacks were related. It's highly likely that the passwords saved in
the registry, address book, saved passwords, bookmarks, etc were
probably sent somewhere for analysis. Again, note that this was
possible by a successful attack on the computer, not the router.

Bottom line... if an attacker wants to collect user files and
keystrokes, they need to attack the users computer, not the router.

--
Jeff Liebermann je...@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

[Arklin K.]

On Mon, 21 May 2012 08:01:30 -0700, Jeff Liebermann wrote:

>>For example, can they get your bank password & login?
> No. It's encrypted with SSL between the your computah and the bank
> computah. Sniffing does not work.

Good!

>>Can they put a rogue program on your computer?
> Maybe. If you have no security or firewall running on your computah, it
> might be possible to drop a trojan horse program in an open share and
> wait for you to run it.

I think this is good since I don't expressly share anything so the only
things shared would be whatever is shared by default (CentOS, Windoze XP
Home).

>>Can they log your keystrokes?
> No. They can only see the results of those key strokes that make it to
> the internet.

Whew!

> However, if someone is able to
> install a key logger, it will be logged.

I guess they would break into the router, and then somehow install the
keylogger on an open share and THEN I'd still have to click on the
offending executable, right?

>>Or can they only just see all the web sites you go to?
> That is possible depending on the logging and debugging features of the
> router. If it's fairly crude, not much can be seen.

At one point I enabled logging on my WRT-54G and it was pretty boring
stuff in the log file.

> I had a customer that had their router hijacked from the internet.

> The attack changed the DNS servers configured in the
> router to something apparently in Korea. The corresponding malware
> setup a proxy server for internet access.

Interesting.

> Bottom line... if an attacker wants to collect user files and
> keystrokes, they need to attack the users computer, not the router.

I guess what you're saying is that it's much worse when the computer is
attacked than when the router is attacked (which makes sense).

The router, it seems, will only give them information, and maybe set up a
rogue DNS server - while the computer can do anything.

Thanks!

[Jeff Liebermann]

On Mon, 21 May 2012 16:42:41 +0000 (UTC), "Arklin K."
<ark...@notmyemail.com> wrote:

>I guess they would break into the router, and then somehow install the
>keylogger on an open share and THEN I'd still have to click on the
>offending executable, right?

Basically correct. However, if your computer isn't properly
configured, protected, and updated, there are other ways of installing
malware.

Look at it this way. If you plugged your computer directly into the
DSL or cable modem, with no router in between, how safe would you
expect to be? In the past, it was fairly easy to attack a machine
through open ports and unpatched exploits. That's not the case so
much these days. It's an easy test to try. Make an *IMAGE* backup of
your computah (I use Acronis True Image). Then, put it directly onto
the internet and see what happens. If it gets compromised, then patch
the hole or restore the image backup. If not, you're safe.

>I guess what you're saying is that it's much worse when the computer is
>attacked than when the router is attacked (which makes sense).

Yep.

>The router, it seems, will only give them information, and maybe set up a
>rogue DNS server - while the computer can do anything.

The rogue DNS server was apparently to deliver advertisements while
browsing web pages. However, the bad guys could sniff everything you
do on the internet with the proxy server setup. All your outgoing
traffic would go through the proxy. Of couse, that would take far too
much bandwidth to be worthwhile, so it's not commonly done. However,
the proxy server setup is done on the computah, not in the router.

[Char Jackson]

On Mon, 21 May 2012 16:42:41 +0000 (UTC), "Arklin K."
<ark...@notmyemail.com> wrote:

>I guess what you're saying is that it's much worse when the computer is
>attacked than when the router is attacked (which makes sense).
>
>The router, it seems, will only give them information, and maybe set up a
>rogue DNS server - while the computer can do anything.

Also keep in mind that the Internet connection itself may be what
someone is after.

[Arklin K.]

On Mon, 21 May 2012 10:37:54 -0700, Jeff Liebermann wrote:

> Make an *IMAGE* backup of your computah (I use Acronis True Image).
> Then, put it directly onto the internet and see what happens.

That would be an interesting case study!

Maybe I should post my IP address here too!

(just kidding)

[Ant]

On 5/21/2012 1:48 PM PT, Arklin K. typed:

> Maybe I should post my IP address here too!
>
> (just kidding)

It's 127.0.0.1. ;)
--
"I got worms! That's what we're going to call it. We're going to
specialize in selling worm farms. You know like ant farms. What's the
matter, a little tense about the flight?" --Lloyd Christmas (Dumb and
Dumber movie)
/\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / If crediting, then use Ant nickname and AQFL URL/link.
( ) If e-mailing, then axe ANT from its address if needed.
Ant is currently not listening to any songs on this computer.

[Chris Davies]

Jeff Liebermann <je...@cruzio.com> wrote:
> put it [the computer] directly onto the internet and see what happens.

> If it gets compromised, then patch the hole or restore the image backup.
> If not, you're safe.

Actually, no. If it doesn't get compromised during the test it just means
that it wasn't compromised during the test. It does not mean it's safe.

Chris

[Jeff Liebermann]

I knew there was a reason that I don't get involved in security
discussions. Sigh...

There's a small logic problem. While it's quite easy to demonstrate
that the computer is unsafe by showing that it's vulnerable to some
manner of exploit, it's completely impossible to demonstrate that the
computer is completely safe, invulnerable, and free of security holes.
Even the best secured servers have been successfully attacked. My
crude test does not demonstrate that it's safe. It demonstrates that
it might be safe to use without an external firewall, relying on
whatever incoming firewall comes with the operating system.

I'm also assuming that most attacks are scripted and automated. I
haven't turned on detailed logging on my firewall in a while, but back
about a year ago, I found that about 5-10% of my incoming traffic came
from probes, port scans, and exploit attempts. It's probably about
the same today. If someone manually targets a specific machine, it's
highly likely that they'll eventually be successful at taking over the
machine.

Crudely, there's little on a home users machine worth stealing. The
amount of effort needed to steal credit card numbers and passwords to
accounts is somewhat higher than the potential reward. It's much more
profitable to target a web servers that stupidly saves credit card
numbers on the web server, or a service provider that leaves user
account information accessible from the internet. At best, what an
attacker wants is a spam relay or a new addition to their botnet.

Machines directly on the internet is going to become a real problem as
IPv6 is deployed. IPv6 does not allow for NAT, which is the main form
of workstation protection these daze. You can either put the machine
directly on the internet, or buy a SPF (stateful packet inspection)
firewall. Either way, it's one routeable and targetable IP address
per machine.

First IPv6 Distributed Denial of Service Internet attacks seen.
<http://www.zdnet.com/blog/networking/first-ipv6-distributed-denial-of-service-internet-attacks-seen/2039>

Internet attacks target small cities, small biz in India
25% of bot- infections reported from small cities, targeted attacks up
from 77 a day to 82.
<http://business-standard.com/india/news/internet-attacks-target-small-cities-small-biz-in-india/165620/on>

Those who would give up essential security to purchase a little
temporary convenience, deserve neither security nor convenience.
(Appologies to Ben Franklin).

[alexd]

Jeff Liebermann (for it is he) wrote:

> Machines directly on the internet is going to become a real problem as
> IPv6 is deployed.

I don't think it is - so long as the vendors of consumer-grade gear do
everybody a favour and make the stateful inspection approach the default.
IOW, it'll be just like it is now with an IPv4 NAT router, except there
won't be NAT. Only people who get onto their routers and have a tinker will
end up vulnerable.

> IPv6 does not allow for NAT, which is the main form of workstation
> protection these daze.

This is something I hear oft-repeated about IPv6. It's not the NAT that's
the protection - it's fact that you need the stateful inspection to make the
NAT work that makes it look like it's the NAT doing security, and if you
somehow manage to turn off the stateful inspection with IPv4, your internet
will stop working, which won't be the case with IPv6.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEs...@ale.cx)
21:13:00 up 132 days, 23:45, 5 users, load average: 0.10, 0.43, 0.37
Qua illic est reprehendit, illic est a vindicatum

[Jeff Liebermann]

On Wed, 23 May 2012 21:19:11 +0100, alexd <trof...@hotmail.com>
wrote:

>Jeff Liebermann (for it is he) wrote:
>
>> Machines directly on the internet is going to become a real problem as
>> IPv6 is deployed.
>
>I don't think it is - so long as the vendors of consumer-grade gear do
>everybody a favour and make the stateful inspection approach the default.
>IOW, it'll be just like it is now with an IPv4 NAT router, except there
>won't be NAT. Only people who get onto their routers and have a tinker will
>end up vulnerable.

Ummm... that's what I said. Quoting myself:

You can either put the machine directly on the internet,

or buy a SPI (stateful packet inspection) firewall.

Either way, it's one routeable and targetable IP address
per machine.

The only problem with this is that there's no way for Joe Sixpack to
know that the SPI firewall is actually working. I could turn it off
and most people would not know that anything has changed.

>> IPv6 does not allow for NAT, which is the main form of workstation
>> protection these daze.
>
>This is something I hear oft-repeated about IPv6. It's not the NAT that's
>the protection - it's fact that you need the stateful inspection to make the
>NAT work that makes it look like it's the NAT doing security, and if you
>somehow manage to turn off the stateful inspection with IPv4, your internet
>will stop working, which won't be the case with IPv6.

<http://en.wikipedia.org/wiki/Stateful_firewall>
Many older models do not do SPI. However, with forged and custom
crafted packets floating around everywhere, relying on just NAT for
external security is not a good idea. However, please note that there
are some routers (i.e. most Linksys) where SPI can be disabled. For
example, the shiny new Linksys E4200:
<http://ui.linksys.com/files/E4200/2.0.25/firewall.html>
There are some good reasons for disabling SPI, but I don't want to
discuss it without doing some reading first.




--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com je...@cruzio.com
# http://www.LearnByDestroying.com AE6KS