
My Router Was Hacked - what was at risk?


20 replies to this topic

#16 JimmyRiddle (Topic Starter)

Posted 30 May 2017 - 01:39 PM

Thanks X64.

Unfortunately the fact that I had set a password that was broken says to me the router was very likely 'owned', and I can only assume by this individual. You're right, this is all after the event, and there's not been any noticeable consequence from it, other than a lot of worry and stress.

I stopped using the router/connection instantly, I have changed passwords, checked Gmail settings for forwarding, intrusion etc., and come up with nothing.

Fact is they must have gone to a fair bit of effort for this; why else would someone bother cracking codes just for the sake of an extra router to co-opt, when as you say there's many with unprotected passwords, wide open out there? Makes no sense to me. Does this take time? How much in the way of labour would be involved in it?

Then once in, surely after the hassle they would at least try and cause some sort of mischief. I suppose it's possible they hoped I had easy holes after capturing the router, and found that I was at least somewhat careful (I think, but then my tech skills are pretty low - prior to this I was at a 'slightly concerned luddite who's read a couple of articles' level), and didn't bother, but honestly I think at that point they would at least have tried to get in.

Whether they did or not will be impossible to prove, and I have at least not felt any direct consequence of it at this point. My intention was to speculate here, to see what could have been, and potentially still be, exposed, and I think I've pretty much explored all avenues.

Thanks very much for your time and considered responses on here, and to all who replied. It really is much appreciated.





#17 x64

Posted 30 May 2017 - 02:14 PM

I still maintain that the router compromise alone is most likely. The attacks are usually automated and may well (automatically, as part of the attack script) reset the admin password. The attack vector would have been a firmware vulnerability, poor remote access config (possibly through an ISP config channel - ISTR a recent attack leveraged some ISPs' poor config of a protocol called TR-069), or just an unchanged default password (in general - not your case). I seriously doubt that anyone would have put manual effort into it.

The fact the admin password was reset does not suggest or prove manual involvement, and does not suggest that they forcibly cracked the old password. Much more likely they did an automated end-run around the password, then reset it as part of the attack.

x64



#18 JimmyRiddle (Topic Starter)

Posted 01 June 2017 - 04:12 PM

Thanks X64.

Slightly random one here, but as it's in a similar vein to this topic I thought I'd ask. My wifi here has suddenly come up as a 'security recommendation' on my iPhone, whereas the same wifi never displayed that message before. It says it is WPA and I should change to WPA2. Do you have any idea why that would change like that?

This is a new location, router and apartment, so not related to the earlier situation.

Edited by JimmyRiddle, 01 June 2017 - 04:14 PM.


#19 x64

Posted 02 June 2017 - 12:55 AM

Not sure why it would change. I can think of a couple of possibilities, such as negotiation at WPA2 failing and the phone temporarily falling back to WPA, but no firm idea.

I'd suggest going into your router settings and choosing the option for WPA2 only. Many routers have a setting which uses WPA2 where the client device supports it but allows WPA2 if not. When selecting WPA2, if there are a number of variations, select the one saying PSK and/or AES.

I also tend to turn off features that aid easy connection to wi-fi (by pressing a button on the router or entering a PIN instead of a long key). Unfortunately you then have to enter a long key manually on a small iPhone keyboard, but that's good for the soul (as well as being a good indicator of when your next optician's appointment is due!). As an extra idea, you could also customise your wi-fi key away from the default that the router had - not that (in most cases) someone could guess a suitably complex key, but just so it's not the one printed on the bottom of the router (for any unattended visitor to see).

x64
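The settings x64 recommends in the post above (WPA2 only, PSK with AES, WPS off, a key that is not the one printed on the router) can be checked mechanically against an access point config. The following audit script is an added example, not code from the thread or from any router vendor; it uses hostapd's real option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wps_state, wpa_passphrase), but the two sample configs and the factory-default key list are constructed for illustration.

```python
"""Audit a hostapd-style access point config for the weaknesses discussed
in the thread: WPA (v1) allowed, TKIP cipher, WPS enabled, label/default
passphrase.  Added example; sample configs and default-key list are constructed."""

# Constructed sample: "WPA/WPA2 mixed" mode, TKIP allowed, WPS on, label key.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wps_state=2
wpa_passphrase=12345678
"""

# Constructed sample: the corrected settings (WPA2 only, CCMP/AES, WPS off).
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
wpa_passphrase=a-long-custom-key-you-typed-yourself
"""

# Constructed stand-in for keys printed on a router label or shipped as defaults.
FACTORY_DEFAULT_KEYS = {"12345678", "password", "admin"}


def parse_conf(text):
    """Parse key=value lines; comments, blanks and malformed lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("no WPA/WPA2 configured (open or WEP network)")
    elif wpa in ("1", "3"):
        findings.append("WPA (v1) permitted; set wpa=2 for WPA2 only")

    # hostapd semantics: wpa_pairwise governs WPA, rsn_pairwise governs WPA2
    # and falls back to wpa_pairwise when it is not set.
    ciphers = set()
    if wpa in ("1", "3"):
        ciphers |= set(conf.get("wpa_pairwise", "").split())
    if wpa in ("2", "3"):
        ciphers |= set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP cipher permitted; use CCMP (AES) only")

    # wps_state=0 disables push-button and PIN setup.
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled; set wps_state=0")

    psk = conf.get("wpa_passphrase", "")
    if psk in FACTORY_DEFAULT_KEYS:
        findings.append("passphrase is a factory default; set a custom key")
    elif len(psk) < 12:
        findings.append("passphrase is shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_conf(text)) or "OK")
```

Run against the weak sample it reports four findings (WPA v1 allowed, TKIP, WPS on, default key); the hardened sample reports none. On a consumer router the same four items map to the web UI options x64 names: security mode, cipher, WPS, and the pre-shared key.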



#20 GoofProg

Posted 12 June 2017 - 01:36 PM

Routers used to always get logged into with default passwords.  I would not worry unless it is a programmable switch.



#21 dantose

Posted 12 June 2017 - 06:15 PM

Routers used to always get logged into with default passwords.  I would not worry unless it is a programmable switch.

Active attacks can be utilized from even a relatively "dumb" router. Let's say I compromise your router. What do I want to do with that? Steal credentials? Fine: set your primary DNS server to my own IP address, and have www.actualwebsite.com point instead to a cloned copy of that website I control. Your browser shows www.actualwebsite.com, so you plug in your password.

Maybe I do a port scan and discover a webcam with default login credentials. It's mine now! Maybe I capture a weak password hash. Fire up good old Johnny, now I've got access there. Check for telnet, SSH, etc. All sorts of stuff I could get into.
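The DNS redirection dantose describes leaves two traces a defender can look for on a client: a resolver address handed out by the router that is not the gateway or a resolver the owner chose, and answers from that resolver that disagree with a trusted resolver. The script below is an added example, not code from the thread; the allowlist, the resolv.conf text and both answer sets are constructed (in a real check the two answer sets would come from querying the configured resolver and a known-good one for the same names).

```python
"""Detect the router DNS-hijack pattern from the thread: an unexpected
resolver in resolv.conf, and answers that diverge from a trusted resolver.
Added example; all sample data below is constructed."""
import ipaddress

# Constructed allowlist: the LAN gateway plus public resolvers the owner chose.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Constructed resolv.conf as a hijacked router's DHCP could leave it.
RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
nameserver 203.0.113.7
nameserver 192.168.1.1
search lan
"""

# Constructed answer sets for the same names from the configured resolver
# and from a trusted resolver; the first name has been redirected.
CONFIGURED_ANSWERS = {
    "www.actualwebsite.com": {"203.0.113.7"},
    "www.example.net": {"198.51.100.5"},
}
TRUSTED_ANSWERS = {
    "www.actualwebsite.com": {"198.51.100.20"},
    "www.example.net": {"198.51.100.5"},
}


def parse_resolvers(text):
    """Return nameserver addresses from resolv.conf-style text, in order,
    skipping comments and any value that is not a valid IP address."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry, ignore
    return servers


def unexpected_resolvers(servers, allowed=EXPECTED_RESOLVERS):
    """Resolvers present on the client that are not on the owner's allowlist."""
    return [s for s in servers if s not in allowed]


def divergent_names(configured, trusted):
    """Names whose answer set from the configured resolver differs from the
    trusted resolver's answer set (a missing trusted answer also counts)."""
    return sorted(name for name, addrs in configured.items()
                  if addrs != trusted.get(name))


def report(resolv_text=RESOLV_CONF, configured=CONFIGURED_ANSWERS,
           trusted=TRUSTED_ANSWERS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for server in unexpected_resolvers(parse_resolvers(resolv_text)):
        findings.append(f"unexpected resolver {server} configured on this host")
    for name in divergent_names(configured, trusted):
        findings.append(
            f"{name}: configured resolver answers {sorted(configured[name])}, "
            f"trusted resolver answers {sorted(trusted[name])}"
        )
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

The first check is the cheap one to automate on every DHCP lease renewal; the second catches the case where the rogue resolver is only selectively lying, which is exactly the credential-theft scenario in the post. Neither check needs router access, so they still work when the router itself is the thing you no longer trust.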





