My Router Was Hacked - what was at risk?


9 replies to this topic

#1 JimmyRiddle

JimmyRiddle

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:12:36 AM

Posted 17 May 2017 - 04:00 AM

I had some concerns regarding security, when a third party - who could be interested in me for the sake of malicious hacking / doxxing - got my IP address. I use a Mac and enabled the firewall, stealth mode, and all security measures on it. I then changed the router passwords from the generic one, and thought no more of it.

 

A month or so later I was awoken a few times by the Mac doing things in the night. When I checked the log I could see nothing - literally nothing - which made me nervous that someone may have got in, then deleted the logs as a way of 'cleaning house' after their action.

 

I checked in on the router to look for any other activity, only to find that the password had been altered and I could not get in. The password I had set was not guessable, so it seems someone had used some software to force entry and 'own' the router. I was leaving the location shortly, so at that point I just disconnected the cables, and never used that IP / router again. I then had my Mac wiped entirely and erased just to be sure.

 

I no longer live there or use this router, but I'm concerned what potentially I have left open. I changed all passwords, and cannot detect any activity on any accounts or tell-tale signs. I don't think these people are standard hackers interested in money, scams etc., more people who just want to embarrass or pursue me online for their fun.

 

I guess I am asking, what conceivably could they have got from the router? Is it possible they could have hacked into Skype, WhatsApp, Viber etc. and continue to have access to my communications? I also have an iPhone which was using the router, that I did not wipe - could they have hacked that and be using spyware? Could they have found my usernames/account details on other social media platforms / sites?

 

I realise this is all after the event, and spurious, and ultimately there are no specific answers. I suppose I am just trying to throw some potentialities around, so I have at least looked at all angles. I am just concerned and wish to know what was / is still at risk. I am not very well educated with IT and before this never really gave any thought to internet security. I have tried to educate myself somewhat, but am certainly not a tech-savvy person.

 

Thanks


Edited by JimmyRiddle, 17 May 2017 - 05:11 AM.




#2 dantose

dantose

  • Members
  • 15 posts
  • ONLINE
  •  
  • Local time:07:36 AM

Posted 17 May 2017 - 07:49 AM

Could be a WPS crack:

http://lifehacker.com/5873407/how-to-crack-a-wi-fi-networks-wpa-password-with-reaver



#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,475 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:36 AM

Posted 17 May 2017 - 12:16 PM

You could turn on 2 factor/step authentication for your online services that support it.

 

For example: https://www.google.com/landing/2step/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP


#4 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:12:36 AM

Posted 17 May 2017 - 05:04 PM

Thanks, will do. 

 

A question I'd like to ask is, if you, or a semi-skilled / skilled hacker, were to have 'owned' someone's router, what information and access could you get from it?



#5 JohnnyJammer

JohnnyJammer

  • Members
  • 1,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:36 AM

Posted 17 May 2017 - 07:11 PM

JimmyRiddle, on 17 May 2017 - 05:04 PM, said:

Thanks, will do.

A question I'd like to ask is, if you, or a semi-skilled / skilled hacker, were to have 'owned' someone's router, what information and access could you get from it?

I could get your ISP user account and password (if not encrypted) and then log in and get access to all your emails etc.

From there I would password reset all accounts linked to that ISP email account, like Facebook etc.

 

Turn off UPnP, ensure firmware is up to date and disable the remote access management interface.

 

Also note there have been some public exploits sending an HTTP request and obtaining the admin password in clear text etc.; even stealing the cookies and then re-sending a request would echo back the password hash, which you then add to the login string!


Edited by JohnnyJammer, 17 May 2017 - 07:13 PM.
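A way to check the UPnP exposure JohnnyJammer mentions, as an added example that is not code from any poster in this thread: the script below discovers the router's UPnP Internet Gateway Device on the LAN and walks its port-mapping table, which is where an attacker-added forward (or an application that quietly opened one) would show up. It assumes the standard IGD / WANIPConnection:1 profile that consumer routers implement; the addresses and URLs in the comments are made up, and the sensitive-port list is a heuristic of mine, not anything from a standard. Discovery and the SOAP calls need a live network; the parsers are the part that can be checked offline on constructed responses.

```python
"""Enumerate a router's UPnP IGD port mappings (added example, hypothetical
router; assumes the standard InternetGatewayDevice:1 / WANIPConnection:1
profile)."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Heuristic (my choice, not a standard): internal ports a forward should not
# normally point at on a home LAN - admin/remote-access services.
SENSITIVE_PORTS = {22, 23, 80, 443, 445, 3389, 5900, 7547, 8080}


def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH asking every IGD on the LAN to announce itself."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {st}\r\n\r\n").encode()


def parse_ssdp_response(data):
    """Headers of an SSDP reply, keys lower-cased; LOCATION is the one needed."""
    headers = {}
    for line in data.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Return (ip, description URL) for each IGD that answers the M-SEARCH."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if "location" in headers:
                found.append((addr[0], headers["location"]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def find_control_url(description_xml, base_url):
    """Control URL of the WANIPConnection service in a device description."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        if svc.findtext(f"{{{DEV_NS}}}serviceType") == WANIP_ST:
            return urljoin(base_url, svc.findtext(f"{{{DEV_NS}}}controlURL"))
    return None


def parse_mapping_response(soap_xml):
    """GetGenericPortMappingEntry reply -> {'NewExternalPort': '8080', ...};
    None for a SOAP Fault (UPnPError 713 once the index runs past the table)."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0 or body[0].tag.endswith("Fault"):
        return None
    return {child.tag: (child.text or "") for child in body[0]}


def get_mapping(control_url, index):
    """Fetch port mapping number `index` from the router; None when it ends."""
    envelope = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
                f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_ST}">'
                f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
                "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>")
    req = Request(control_url, data=envelope.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_ST}#GetGenericPortMappingEntry"'})
    try:
        with urlopen(req, timeout=5) as resp:
            return parse_mapping_response(resp.read().decode())
    except Exception:  # HTTP 500 carrying the UPnPError = end of table
        return None


def flag_mappings(mappings):
    """Mappings that forward onto one of the sensitive internal ports."""
    return [m for m in mappings
            if int(m.get("NewInternalPort", "0") or 0) in SENSITIVE_PORTS]


if __name__ == "__main__":
    for ip, location in discover():
        with urlopen(location, timeout=5) as resp:
            control = find_control_url(resp.read().decode(), location)
        mappings = []
        while control and (m := get_mapping(control, len(mappings))) is not None:
            mappings.append(m)
        print(f"IGD {ip}: {len(mappings)} mapping(s), "
              f"{len(flag_mappings(mappings))} onto sensitive ports")
        for m in mappings:
            print("  ", m.get("NewProtocol"), m.get("NewExternalPort"), "->",
                  m.get("NewInternalClient"), m.get("NewInternalPort"),
                  m.get("NewPortMappingDescription"))
```

If discovery returns nothing, UPnP is either off or the router does not answer SSDP on that interface, which is the state the post recommends. If it does answer, every mapping listed is reachable from the internet, so anything not put there deliberately deserves removal, followed by switching UPnP off in the router's admin page rather than just deleting the entry.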


#6 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:12:36 AM

Posted 19 May 2017 - 05:54 AM

I just want to put myself in the shoes of someone with access to a router in a similar set-up - Mac on stealth, with firewall and security on. Would that be open to an HTTP request as you describe, Jonny? Sorry I'm not too good with tech and don't really understand all the terms.

 

Could they get access to the sites I visit, and the usernames I use for them? Basically be able to find me online on other sites and so on?

 

This stems from someone from a forum I no longer use, making all sorts of claims. It turns out they are at least competent in their knowledge, so the potential for them doing this cannot be discounted.



#7 x64

x64

  • Members
  • 314 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:11:36 PM

Posted 19 May 2017 - 11:15 AM

You say the Mac was doing stuff by itself - what was it doing?

 

Do you have either of the "Power Nap" settings turned on under System Settings / Energy Saver? If so it can check email and run backups without you waking it from sleep. That might be disconcerting if you didn't expect it.

 

I'm fairly new to Mac but in addition to what others have said - you could check for remote access software installed, and run scans with Malwarebytes and other AV and AM tools - 'Sophos Home' for example or Kaspersky Internet Security. If you had TeamViewer installed, then there were questions over the security of that service a few months back, with computers being unexpectedly accessed.

 

Yes, if your router really was compromised then they could monitor any unencrypted communications (any HTTP:// sites) and swipe any unencrypted logins. That includes access to mail servers where you have not got SSL/TLS turned on. HTTPS websites would not be compromised as long as you did not override any security warnings. If they really did get onto your Mac then they could have stolen anything.

 

x64
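To make x64's point concrete, here is an added example that is not code from any poster in this thread: a small passive credential sniffer of the kind that could run on an owned router, fed with hand-constructed client-to-server bytes rather than a real capture. It pulls logins out of HTTP Basic auth, an HTTP form post and plaintext POP3/IMAP logins, and comes up empty on a TLS session, where the router only ever sees a handshake and ciphertext. The host names, user names and passwords are made up; the TLS bytes are a record header with filler, not a real ClientHello, because the extractor never looks past the header anyway.

```python
"""What a compromised router can read out of unencrypted sessions
(added example; all payloads below are constructed, not captured)."""
import base64
import re
from urllib.parse import parse_qs

# --- constructed sample payloads: one stream's client-to-server bytes each ---
HTTP_BASIC = (b"GET /admin/ HTTP/1.1\r\nHost: router.lan\r\n"
              b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n")  # admin:hunter2
_FORM_BODY = b"username=jimmy&password=s3cret"
HTTP_FORM = (b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: " + str(len(_FORM_BODY)).encode() + b"\r\n\r\n"
             + _FORM_BODY)
POP3_LOGIN = b"USER jimmy@example.net\r\nPASS s3cret\r\nSTAT\r\n"
IMAP_LOGIN = b"a001 LOGIN jimmy@example.net s3cret\r\n"
# TLS record header (type 0x16 handshake, version 3.1) plus filler bytes.
# Not a real ClientHello; the point is that nothing after the header is
# readable, so a sniffer has nothing to grep for.
TLS_HELLO = bytes.fromhex("160301") + b"\x00\x05" + b"\x01\x00\x00\x01\x00"

USER_FIELDS = ("username", "user", "login", "email")
CRED_FIELDS = ("password", "passwd", "pass", "pwd")


def is_tls_record(payload):
    """TLS record header: content type 20..23, major version 3."""
    return len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3


def from_http_basic(payload):
    """Authorization: Basic is just base64(user:password)."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload,
                  re.M | re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1)).decode(errors="replace")
    except ValueError:
        return None
    user, _, pw = decoded.partition(":")
    return ("http-basic", user, pw)


def from_http_form(payload):
    """Login form submitted over plain HTTP: the body is url-encoded text."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or b"application/x-www-form-urlencoded" not in head.lower():
        return None
    fields = parse_qs(body.decode(errors="replace"))
    user = next((fields[k][0] for k in USER_FIELDS if k in fields), "")
    pw = next((fields[k][0] for k in CRED_FIELDS if k in fields), None)
    return ("http-form", user, pw) if pw is not None else None


def from_pop3(payload):
    """POP3 without TLS sends USER and PASS as bare commands."""
    user = re.search(rb"^USER (\S+)", payload, re.M)
    pw = re.search(rb"^PASS (\S+)", payload, re.M)
    if user and pw:
        return ("pop3", user.group(1).decode(), pw.group(1).decode())
    return None


def from_imap(payload):
    """IMAP without TLS: '<tag> LOGIN user password'."""
    m = re.search(rb"^\S+ LOGIN (\S+) (\S+)", payload, re.M)
    return ("imap", m.group(1).decode(), m.group(2).decode()) if m else None


def extract_credentials(payload):
    """Every login readable from one stream; [] when the stream is TLS."""
    if is_tls_record(payload):
        return []  # encrypted: the router sees the handshake, then ciphertext
    hits = [f(payload) for f in (from_http_basic, from_http_form,
                                 from_pop3, from_imap)]
    return [h for h in hits if h]


if __name__ == "__main__":
    for name, pkt in (("HTTP Basic", HTTP_BASIC), ("HTTP form", HTTP_FORM),
                      ("POP3", POP3_LOGIN), ("IMAP", IMAP_LOGIN),
                      ("TLS", TLS_HELLO)):
        print(f"{name:10s} -> {extract_credentials(pkt)}")
```

The same logic applied to a real capture (for instance a pcap from the router's WAN side) is exactly what makes "did my mail client use TLS" the question to ask: a POP3 or IMAP session with STARTTLS or implicit TLS looks like the last case to the router, a session without it looks like the third and fourth.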



#8 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:12:36 AM

Posted 19 May 2017 - 03:57 PM

Hi X64,

 

It woke up a few times in the night, and was whirring. I realise this can be a number of innocent things, but it was then that I checked the router, and my old password did not work. At that point I checked the Mac log, and found that there were no wake reasons for the dates (or at least I couldn't see them), and thought maybe it'd been erased after entry, and it's better safe than sorry, so I unplugged all cables, wiped the Mac, and never used that router or net connection again. I changed all passwords and have not noted any presences that are out of the ordinary.

 

The guy in the Apple store was a bit dismissive and said 'with your settings (firewall, stealth mode, admin password etc.) it'd be very, very unlikely anyone could have done anything'. If anything, from the stuff I've read online, his attitude is naive. Would you agree? The way I see it, there's very little you can do if someone skilled has the will and the time, and the best thing is to minimise risk, but hey.

 

At this point I can't investigate it further, as the Mac's been wiped, and I don't use the net connection or router. I just want to see what potentially I've been exposed to. Like I say, I don't think the individual(s) would be interested in crime, theft as such. If anything it's a power trip or something. Pretty sad stuff that comes from taking forum trolls seriously, I guess. Maybe they are just bleep with me, I don't know. Either way life's too short for this nonsense and I just want to know what's been left open, and not engaging with them again, but that's life.



#9 x64

x64

  • Members
  • 314 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:11:36 PM

Posted 19 May 2017 - 04:39 PM

Hi,

 

That's a bit more convincing that at least your router was attacked. As to why they did it is another matter - it might have been to attempt to monitor you, but also it could have been to subvert the router to attack others, or just to steal its processing power. Binning the router was not a bad response, but patching it (if the manufacturer had admitted to and patched a vulnerability) could also be a valid response. Disabling remote admin and features such as TR-064, and ensuring that default passwords etc. are changed, are all valuable things to do.

 

As I said, I'm still very new to Mac so don't YET know all of the ins and outs - things like the scope of the guest account access (what could be done with unauthenticated access) etc... I can only leverage my general Windows and networking knowledge (I'm a very experienced 3rd line systems engineer on MS networks and specialise in security). 

 

I'd find it hard to believe that someone would go to the trouble of hacking your router and then hacking a Mac unless there was something very specific why they wanted to target YOU in particular. They'd go for a softer target. If I had to guess - I'd venture that the router was compromised by an automated attack to target a known vulnerability. As to the computer - again they'd go for a soft target - something with a known, easy to exploit vulnerability - either in a system service (unlikely in a Mac) or other software. That's why I mused about the TeamViewer uncertainty in my previous post. If they can easily get onto the desktop then it's worth the small effort to do so; if they have to fight their way in, they'd look at the next victim on their list.

 

You say that you have changed passwords - good. As I mentioned, I'd consider what you might have accessed on the net using unencrypted credentials. Unfortunately that can include email - and that is the key to accessing other services as well (password resets etc.) - check that all systems that used that net connection and accessed POP/IMAP email did so using TLS/SSL. You may be able to look back at some providers' portals and check connection attempts (outlook.com etc. can do that - I expect other providers can as well - either through portals or through support requests).

 

Anyway - that's enough for now.

x64


Edited by x64, 19 May 2017 - 04:46 PM.


#10 JohnnyJammer

JohnnyJammer

  • Members
  • 1,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:36 AM

Posted 21 May 2017 - 06:10 PM

As x64 has said, bots scrolling the internet looking for unpatched routers/modems has been going on for years, mate.

Normally they want to use the bandwidth that comes with a compromised device, whether it be bitcoin calcs or just using your modem/router as a DDoS tool.





