
My Router Was Hacked - what was at risk?


20 replies to this topic

#1 JimmyRiddle

JimmyRiddle

  • Members
  • 19 posts
  • Gender:Male
  • Location:British Columbia

Posted 17 May 2017 - 04:00 AM

I had some concerns re security, when a third party - who could be interested in me for the sake of malicious hacking / doxxing - got my IP address. I use a Mac and enabled firewall, stealth mode, and all security measures on it. I then changed the router passwords from the generic one, and thought no more of it.

 

A month or so later I was awoken a few times by the Mac doing things in the night. When I checked the log I could see nothing - literally nothing - which made me nervous that someone may have got in, then deleted the logs as a way of 'cleaning house' after their action.

 

I checked in on the router to look for any other activity, only to find that the password had been altered and I could not get in. The password I had set was not guessable, so it seems someone had used some software to force entry and 'own' the router. I was leaving the location shortly, so at that point I just disconnected the cables, and never used that IP / router again. I then had my Mac wiped entirely and erased just to be sure.

 

I no longer live there or use this router, but I'm concerned about what I have potentially left open. I changed all passwords, and cannot detect any activity on any accounts or tell-tale signs. I don't think these people are standard hackers interested in money, scams etc., more people who just want to embarrass or pursue me online for their fun.

 

I guess I am asking, what conceivably could they have got from the router? Is it possible they could have hacked into Skype, WhatsApp, Viber etc. and continue to have access to my communications? I also have an iPhone which was using the router, that I did not wipe - could they have hacked that and be using spyware? Could they have found my usernames/account details on other social media platforms / sites?

 

I realise this is all after the event, and spurious, and ultimately there are no specific answers. I suppose I am just trying to throw some potentialities around, so I have at least looked at all angles. I am just concerned and wish to know what was / is still at risk. I am not very well educated with IT and before this never really gave any thought to internet security. I have tried to educate myself somewhat, but am certainly not a tech-savvy person.

 

Thanks


Edited by JimmyRiddle, 17 May 2017 - 05:11 AM.




#2 dantose

dantose

  • Members
  • 34 posts

Posted 17 May 2017 - 07:49 AM

Could be a WPS crack:

http://lifehacker.com/5873407/how-to-crack-a-wi-fi-networks-wpa-password-with-reaver



#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,498 posts
  • Gender:Male

Posted 17 May 2017 - 12:16 PM

You could turn on 2 factor/step authentication for your online services that support it.

 

For example: https://www.google.com/landing/2step/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:British Columbia

Posted 17 May 2017 - 05:04 PM

Thanks, will do. 

 

A question I'd like to ask is, if you, or a semi-skilled / skilled hacker, were to have 'owned' someone's router, what information and access could you get from it?



#5 JohnnyJammer

JohnnyJammer

  • Members
  • 1,078 posts
  • Gender:Male
  • Location:QLD Australia

Posted 17 May 2017 - 07:11 PM

> Thanks, will do.
>
> A question I'd like to ask is, if you, or a semi-skilled / skilled hacker, were to have 'owned' someone's router, what information and access could you get from it?

I could get your ISP user account and password (if not encrypted) and then log in and get access to all your emails etc.

From there I would password reset all accounts linked to that ISP email account, like Facebook etc.

 

Turn off UPnP, ensure firmware is up to date and disable the remote access management interface.

 

Also note there have been some public exploits sending an HTTP request and obtaining the admin password etc. in clear text; even stealing the cookies and then re-sending a request would echo back the password hash, which you then add to the login string!


Edited by JohnnyJammer, 17 May 2017 - 07:13 PM.


#6 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:British Columbia

Posted 19 May 2017 - 05:54 AM

I just want to put myself in the shoes of someone with access to a router in a similar set-up - Mac on stealth, with firewall and security on. Would that be open to an HTTP request as you describe, Johnny? Sorry, I'm not too good with tech and don't really understand all the terms.

 

Could they get access to the sites I visit, and the usernames I use for them? Basically be able to find me online on other sites and so on?

 

This stems from someone from a forum I no longer use, making all sorts of claims. It turns out they are at least competent in their knowledge, so the potential for them doing this cannot be discounted.



#7 x64

x64

  • Members
  • 329 posts
  • Gender:Male
  • Location:London UK

Posted 19 May 2017 - 11:15 AM

You say the Mac was doing stuff by itself - what was it doing?

 

Do you have either of the "Power Nap" settings turned on under System Settings / Energy Saver? If so, it can check email and run backups without you waking it from sleep. That might be disconcerting if you didn't expect it.

 

I'm fairly new to Mac, but in addition to what others have said - you could check for remote access software installed, and run scans with Malwarebytes and other AV and AM tools - 'Sophos Home' for example, or Kaspersky Internet Security. If you had TeamViewer installed, then there were questions over the security of that service a few months back, with computers being unexpectedly accessed.

 

Yes, if your router really was compromised then they could monitor any unencrypted communications (any HTTP:// sites) and swipe any unencrypted logins. That includes access to mail servers where you have not got SSL/TLS turned on. HTTPS websites would not be compromised as long as you did not override any security warnings. If they really did get onto your Mac then they could have stolen anything.

 

x64



#8 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:British Columbia

Posted 19 May 2017 - 03:57 PM

Hi X64,

 

It woke up a few times in the night, and was whirring. I realise this can be a number of innocent things, but it was then that I checked the router, and my old password did not work. At that point I checked the Mac log, and found that there were no wake reasons for the dates (or at least I couldn't see them), and thought maybe it'd been erased after entry, and as it's better safe than sorry, unplugged all cables, wiped the Mac, and never used that router or net connection again. I changed all passwords and have not noted any presences that are out of the ordinary.

 

The guy in the Apple store was a bit dismissive and said 'with your settings (firewall, stealth mode, admin password etc.) it'd be very, very unlikely anyone could have done anything.' If anything, from the stuff I've read online, his attitude is naive. Would you agree? The way I see it, there's very little you can do if someone skilled has the will and the time, and the best thing is to minimise risk, but hey.

 

At this point I can't investigate it further, as the Mac's been wiped, and I don't use the net connection or router. I just want to see what I've potentially been exposed to. Like I say, I don't think the individual(s) would be interested in crime, theft as such. If anything it's a power trip or something. Pretty sad stuff that comes from taking forum trolls seriously, I guess. Maybe they are just bleep with me, I don't know. Either way, life's too short for this nonsense and I just want to know what's been left open, and I'm not engaging with them again, but that's life.



#9 x64

x64

  • Members
  • 329 posts
  • Gender:Male
  • Location:London UK

Posted 19 May 2017 - 04:39 PM

Hi,

 

That's a bit more convincing that at least your router was attacked. As to why they did it is another matter - it might have been to attempt to monitor you, but it could also have been to subvert the router to attack others, or just to steal its processing power. Binning the router was not a bad response, but patching it (if the manufacturer had admitted to and patched a vulnerability) could also be a valid response. Disabling remote admin and features such as TR-064, and ensuring that default passwords etc. are changed, are all valuable things to do.

 

As I said, I'm still very new to Mac so don't YET know all of the ins and outs - things like the scope of the guest account access (what could be done with unauthenticated access) etc... I can only leverage my general Windows and networking knowledge (I'm a very experienced 3rd line systems engineer on MS networks and specialise in security). 

 

I'd find it hard to believe that someone would go to the trouble of hacking your router and then hacking a Mac unless there was something very specific about why they wanted to target YOU in particular. They'd go for a softer target. If I had to guess - I'd venture that the router was compromised by an automated attack targeting a known vulnerability. As to the computer - again they'd go for a soft target - something with a known, easy-to-exploit vulnerability - either in a system service (unlikely on a Mac) or other software. That's why I mused about the TeamViewer uncertainty in my previous post. If they can easily get onto the desktop then it's worth the small effort to do so; if they have to fight their way in, they'd look at the next victim on their list.

 

You say that you have changed passwords - good. As I mentioned, I'd consider what you might have accessed on the net using unencrypted credentials. Unfortunately that can include email - and that is the key to accessing other services as well (password resets etc.) - check that all systems that used that net connection and accessed POP/IMAP email did so using TLS/SSL. You may be able to look back at some providers' portals and check connection attempts (outlook.com etc. can do that - I expect other providers can as well - either through portals or through support requests).

 

Anyway - that's enough for now.

x64


Edited by x64, 19 May 2017 - 04:46 PM.
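An added example, not code from anyone in this thread, that turns the triage JohnnyJammer and x64 describe into a check: record which logins went over plaintext protocols through the suspect router and which accounts reset their password through which mailbox, then list what an on-path attacker could reach directly or by chaining resets. The account names, URLs and .invalid hostnames are constructed, and the protocol table is a modelling assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Protocols an attacker on a compromised home router could read in the clear,
# versus ones that protect the credential in transit (assumed, not exhaustive).
PLAINTEXT_SCHEMES = {"http", "pop3", "imap", "smtp", "ftp", "telnet"}
ENCRYPTED_SCHEMES = {"https", "pop3s", "imaps", "smtps", "ssh"}


@dataclass
class Account:
    name: str
    login_url: str                         # where the credential was sent
    recovery_email: Optional[str] = None   # account used for password resets
    starttls: bool = False                 # plaintext port upgraded to TLS


def credentials_observable(acct: Account) -> bool:
    """True if the login channel was readable by someone sitting on the router."""
    scheme = urlsplit(acct.login_url).scheme.lower()
    if scheme in ENCRYPTED_SCHEMES:
        return False
    if scheme in PLAINTEXT_SCHEMES:
        return not acct.starttls
    raise ValueError(f"unknown scheme {scheme!r} in {acct.login_url}")


def exposed_accounts(accounts: List[Account]) -> Dict[str, str]:
    """Map each at-risk account to the reason: a credential sent in the clear,
    or a password reset reachable through an already-exposed mailbox."""
    exposed = {a.name: "credentials sent in the clear"
               for a in accounts if credentials_observable(a)}
    # Propagate until stable: control of a mailbox yields its dependent accounts.
    changed = True
    while changed:
        changed = False
        for a in accounts:
            if a.name in exposed or a.recovery_email not in exposed:
                continue
            exposed[a.name] = f"password reset via exposed mailbox {a.recovery_email}"
            changed = True
    return exposed


# Constructed sample: the ISP mailbox was fetched over plain IMAP and is the
# recovery address for a social account, which in turn recovers a shop login.
SAMPLE = [
    Account("isp-mail", "imap://mail.example-isp.invalid/"),
    Account("gmail", "https://mail.google.com/"),
    Account("forum", "http://forum.example.invalid/login"),
    Account("facebook", "https://www.facebook.com/", recovery_email="isp-mail"),
    Account("bank", "https://bank.example.invalid/", recovery_email="gmail"),
    Account("shop", "https://shop.example.invalid/", recovery_email="facebook"),
]

if __name__ == "__main__":
    for name, reason in sorted(exposed_accounts(SAMPLE).items()):
        print(f"{name:10s} {reason}")
```

Run against the sample it flags isp-mail and forum directly and facebook and shop through the reset chain, while gmail and bank (HTTPS login, HTTPS recovery mailbox) stay off the list.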


#10 JohnnyJammer

JohnnyJammer

  • Members
  • 1,078 posts
  • Gender:Male
  • Location:QLD Australia

Posted 21 May 2017 - 06:10 PM

As x64 has said, bots scanning the internet looking for unpatched routers/modems has been going on for years, mate.

Normally they want to use the bandwidth that comes with a compromised device, whether it be Bitcoin calcs or just using your modem/router as a DDoS tool.



#11 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:British Columbia

Posted 29 May 2017 - 03:05 PM

 

> > Thanks, will do.
> >
> > A question I'd like to ask is, if you, or a semi-skilled / skilled hacker, were to have 'owned' someone's router, what information and access could you get from it?
>
> I could get your ISP user account and password (if not encrypted) and then log in and get access to all your emails etc.
>
> From there I would password reset all accounts linked to that ISP email account, like Facebook etc.
>
> Turn off UPnP, ensure firmware is up to date and disable the remote access management interface.
>
> Also note there have been some public exploits sending an HTTP request and obtaining the admin password etc. in clear text; even stealing the cookies and then re-sending a request would echo back the password hash, which you then add to the login string!

Would this work if I used a site like Gmail? How would my ISP have access to that?



#12 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:British Columbia

Posted 29 May 2017 - 11:42 PM

 

> Yes, if your router really was compromised then they could monitor any unencrypted communications (any HTTP:// sites) and swipe any unencrypted logins. That includes access to mail servers where you have not got SSL/TLS turned on. HTTPS websites would not be compromised as long as you did not override any security warnings. If they really did get onto your Mac then they could have stolen anything.
>
> x64

So what could they get from that? A list of all the pages of HTTP sites I visited, and my username and potentially p/words for them? I don't really use the net that much beyond standard email, YouTube, newspapers and occasionally a few forums. As far as I'm aware only the latter would be on an HTTP site.

 

This whole episode stems from a douche on an Internet forum claiming he could find and locate me. I assumed it was just some tool in his mom's basement trying to act tough. So there is a motive. Seems bizarre to me that people would waste their time on stuff like this, but then I guess on some level it's a power trip for them.

 

Anyway, so it is conceivable that if they did take control of my router, that they now have located me on other sites, have access to my usernames, identities elsewhere? I have since changed passwords, and did not notice any log-ins or changes.



#13 x64

x64

  • Members
  • 329 posts
  • Gender:Male
  • Location:London UK

Posted 30 May 2017 - 01:02 AM

A few brief answers - only got a few minutes to reply:

 

Locate you? Depends on a lot of things. If the router was compromised and they managed to get access to the old admin password, would that have allowed them onto an ISP portal that had your personal info on it?

 

Additionally, if (and I'm still very doubtful that this happened), they got on your Mac, then obviously anything on there was up for grabs. Realistically that would only happen if you installed something that allowed them in (remote access software, PUP, software containing malware etc.).

 

My feeling is still that the issue is 'only' a router compromise, aimed at the attacker stealing your router's processing power and your internet connection.

 

But yes, anything unencrypted could have been monitored. Unlikely though.

 

Defense - strong passwords, update software/firmware, disable remote management, do not override OS security settings, avoid consumer devices that connect to the internet (internet of things, I'm also wary of smart TVs..), take regular backups. Use two factor auth where important websites offer it. The usual stuff.....

 

Oh, and Gmail/Hotmail etc. via webmail - yes, that would be secure, as it is HTTPS.

 

x64



#14 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:British Columbia

Posted 30 May 2017 - 02:21 AM

Thanks X64, that's my instinct too.

 

Sadly, I think it's very likely that they did 'own' my router, as there was a previous password that I'd set, which appeared to have been altered (not by me or anyone else I know). They do have a motive outside of the usual phishing/hacking/scammers, in that it stemmed directly from a douche from a forum stating they could 'find me online', by which I think he means doxx and/or gain access to my social media, pics, or other personal details, rather than a physical location as such - though I'm aware an approximate one is given with an IP.

 

My feeling is, if someone goes to the bother of gaining access through a cracked router password, then they are likely to get up to stuff once in. Why bother doing the former without a wish for the latter. There must be countless un-passworded routers out there to use as proxies or gain processor power. Plus the fact the guy basically threatened this in the first place.  

 

As I say, I've not noticed any undue log-ins, p/word changes or anything particularly out of the ordinary since then. If all he had was access to the router and unencrypted sites, then I can't see much there to be concerned about. Why people would bother for the sake of pointless forum arguments is beyond me; I suppose it's some sort of power play for these people. Sad stuff.

 

 

ps - to answer your question directly -

 

"If router was compromised and the managed to get access to the old admin password, would that have allowed them onto an ISP portal that had your personal info on it?"

 

I have no idea. I never used the ISP portal that I'm aware of (it was a rented apartment, and that was all set up by the owner), so I certainly never consciously put any information on there, if that is what you mean?


Edited by JimmyRiddle, 30 May 2017 - 03:06 AM.


#15 x64

x64

  • Members
  • 329 posts
  • Gender:Male
  • Location:London UK

Posted 30 May 2017 - 11:50 AM

Unless you have reason (other than just someone saying 'they can'), they could still be just causing trouble rather than actually having that ability (think of the time we're spending talking about it). Just accessing a router can, for instance, allow them to use your router as one of thousands co-opted to participate in a DoS attack on someone else's web site. Depending on [router/patch level/router config/ISP remote management provision (sometimes poorly implemented)] that may not have required cracking the router's password. Other reasons may be just stealing processor power to mine Bitcoin. People really do set automated attacks on routers just to do this and never leverage that access in other ways. Of course, if they threatened and then came through with the threat, then that's different (is that what you meant?). Of course, router vulnerability scans are common on the internet - that could just be coincidental with the troll's threat.

 

If more than a router compromise did happen, I suppose then it all comes down to the sequence of events, and vulnerabilities/poor practices. If the router was compromised then unencrypted comms through the router and poorly protected resources on your home LAN are vulnerable. Poorly protected could mean 'unpatched'/'weak or no password' etc. Other poor practices could be reusing passwords, using 'dodgy' software, reducing OS security settings in favour of convenience, or storing personal details on non-HTTPS websites.

 

In any case, your physical address has changed, passwords have changed (did you change security questions as well?), router/internet contract have changed. As long as you now have good security practices the door is closed. Just anything stolen at the time is still out there. All you can do is assess what that might be - questions to ask yourself are: were you reusing passwords on multiple sites? Could they have got access to email (unencrypted comms, or remote access to the Mac through malware or subverted legitimate remote control software)?

 

 

The 'geographical location of IP addresses' mapping does not necessarily point at you. If your router has a static external public IP address it MIGHT, depending on how well your ISP sticks by the registry rules (most don't). Otherwise it just points to your ISP; it might be just down the road from you or in another city. I even had one customer (located within a few hundred yards of Tower Bridge, London) who had their IP addresses showing as geo-located in the USA because of a quirk with the ISP they used before we took them on (we moved them).

 

Forum 'trolls' do it just to annoy/worry people (thereby exerting power over them) or waste time. Occasionally here you will see a new member posting on-topic but useless simple comments to ongoing threads to provoke others to waste time commenting, or just to build post counts. Also I suspect a lot of vague questions by new members are there just to waste an expert's time in replying to them. I will not go near them.

 

x64





