
How to exploit home routers for anonymity - DanMcInerney
http://danmcinerney.org/how-to-exploit-home-routers-for-anonymity/
======
bradleyland
Probably worth pointing out that one should remain aware of their local laws
when carrying out such activities as the ones outlined in this HOW TO. Because
you're blindly hitting hosts and attempting logins, you don't know whose
infrastructure you're probing. If you accidentally knock on the wrong door,
the simple act of attempting a login can cause issues for you (legal and
otherwise).

I'm trying to avoid sounding like Chicken Little here, but this article makes
these actions very accessible. If you're someone who is just getting started
toying with networks and security, it's likely that you haven't thought
through what can happen if something you try actually works.

Nmap has a great page that discusses the ins and outs of the civil and legal
issues involved with port scanning (a related activity). However, keep in mind
that the guide linked here goes well beyond port scanning into actually
attempting, and presumably gaining, access to someone else's network. While
the legality of port scanning is ambiguous, accessing someone else's network
is not. If you land on the wrong guy's lawn, you can end up in a very
expensive, and potentially dangerous, place.

[http://nmap.org/book/legal-issues.html](http://nmap.org/book/legal-issues.html)

~~~
0xdeadbeefbabe
Of course you can ignore all that if you are attacking from Nigeria.

Laws are exciting and important (especially good ones like Newton's laws of
motion), but laws could improve too: If someone gets caught doing this they
probably ought to do community service working on some bug bounty program
instead of going to jail.

~~~
Nanzikambe
I love this impression that if you're connecting from <insert somewhere in
Africa>, laws don't apply. I'd wager nobody that's ever actually lived
anywhere in the 3rd world bandies it about.

True, you're less likely to actually be _convicted_, but the months/years
waiting for trial is guaranteed to be worse than your actual sentence
elsewhere, if not fatal.

~~~
domdip
The parent specifically mentioned Nigeria. Africa is not a country, and his
comment may not apply to, say, South Africa or Morocco. You're the one
generalizing about 3rd world countries, not him.

If you think LLE or even the FBI is going to open the diplomatic channels
necessary to pursue someone in Nigeria over access to a consumer-grade router,
you're kidding yourself. For all practical purposes, these laws do not in fact
apply there.

~~~
dsl
Unless that consumer grade router is running a bank of a nuclear power plant.

There are very few places outside the reach of US law enforcement. Especially
if they bother to get Interpol involved.

~~~
dasil003
I am now imagining wardriving to a nuclear power plant parking lot in order to
score free wifi off their NetGear.

~~~
domdip
Why not, it worked against TJX, right?

Orders of magnitude more likely to find an open WiFi in a bank's parking lot
than you are to find a WAN-facing consumer-grade router. Any employee in the
company could screw up the former ("I didn't get good wifi so I brought in a
router from home!"). The latter requires grossly incompetent netsec.

------
hf
The opening paragraph asserts that simply not publishing ("censoring") such
concrete, recipe-like exploits of the deficiencies of our shared
infrastructure "won't make practices like those outlined [in the article]
disappear"[2].

I am reminded of Steve Kemp's 2014 post »Secure your rsync shares, please«[0],
relating how he abandoned a project employing zmap[1] upon discovering
numerous openly accessible rsync shares containing sensitive information. His
closing remarks echo the sentiment of the article under discussion here: "I
considered not posting this, but I suspect 'bad people' already know..."[0]

What can be done? Are we reduced to just securing our friends' and families'
infrastructure, all the while standing by idly while others outside of our
direct sphere of influence suffer the consequences of naïvety?

[0] [http://blog.steve.org.uk/secure_your_rsync_shares__please_.h...](http://blog.steve.org.uk/secure_your_rsync_shares__please_.html)

[1] A cleverly-built, fast network scanner,
[https://zmap.io/](https://zmap.io/)

[2] [http://danmcinerney.org/how-to-exploit-home-routers-for-anon...](http://danmcinerney.org/how-to-exploit-home-routers-for-anonymity/)

~~~
mcherm
> What can be done? Are we reduced to just securing our friends' and families'
> infrastructure, all the while standing by idly while others outside of our
> direct sphere of influence suffer the consequences of naïvety?

No. We can write articles similar to this one which, instead of clearly
explaining step-by-step procedures for exploiting weaknesses, clearly explain
step-by-step procedures for REPAIRING weaknesses.

~~~
jasonkolb
I think you give way too much credit to the average person. It's easy to lose
sight of how scary technical things are to normal people when you're in it day
in and day out, but to ask the average person to change something in their
router is kind of like asking me to replace a cylinder in my car.

There's a reason things like the Geek Squad are around and can charge as much
as they do...

~~~
bradleysmith
I agree with 0xdeadbeefbabe; you are complimenting your own 'technical'
(computer-related) ability, and overstating the task of configuring a router.
Also, not to be pedantic, 'to replace a cylinder' hardly describes a task that
can be undertaken on a motor.

The variance in technical ability of the 'average person' nowadays is pretty
wide. There are still pop-up clicking grandmothers on IE7 out there, but there
are also plenty of baby boomers with the ability to set the clock on their
VCRs, which is a much fairer analogy to the task of router configuration.

I think the important thing is getting the message out that such configuration
is much more important than having the clock on your VCR right, which is
probably how important the average person thinks router configuration is. As
you said in another comment, routers are effectively shipping to average
people broken. I think if this were more commonly known, people would take the
time to learn and configure their networks. Not ALL people, but more average
people than do today. The real problem is not that people are not technically
capable of doing the task, but they do not know that it is a task that is
really necessary; it's not common knowledge that a brand new router is a
security risk.

~~~
v_vonjesus
It is relatively easy to change a cylinder on a horizontally opposed air-cooled
VW motor (think '60s beetle) or the Lycoming/Continental engines popular in
light aircraft.

------
user24
This submission just links to the homepage. Here is the permalink:
[http://danmcinerney.org/how-to-exploit-home-routers-for-anon...](http://danmcinerney.org/how-to-exploit-home-routers-for-anonymity/)

Perhaps a mod can update the URL.

~~~
dabent
For what it's worth, the other articles on the home page look pretty
interesting as well.

------
bluedino
So basically this Shodan service scans the web, indexing devices such as IP
cameras and routers. You can then search their database by device type or
model, and then try the default user/passwords on these devices and create a
VPN account for your own use?

I wonder how many botnets use this technique instead of randomly scanning,
whether it's their own implementation/database or using a service such as
this. Also an interesting business model, "I've got the addresses of 10,000
XYZ routers, model 1234, for $50.00"

~~~
peterwwillis
Botnets typically just infect a site and do drive-by exploiting of the client.
Then they don't need a proxy and they get to siphon user information.
Proxies/VPNs are only useful for things like C&C servers.

------
noonespecial
_The nice thing about this is that you don’t have to wonder whether or not
your VPN provider is saving logs or not, you are in control of that._

If you take over a single router, a provider does indeed have logs of both the
inbound you used to reach the router and the outbound traffic you create from
it. Simple timing logging will show it's you, and if it's "their" router, they'll
(at least theoretically) be able to decrypt your traffic too. (And that's
assuming it wasn't a great big tasty honey-pot to begin with, Pooh-bear.)

If you must do this, bounce between a few... and if you must do this, just use
tor already.

~~~
wmf
In this case the VPN "provider" is the router itself and since you owned it
you can eliminate logs. The ISP may have flow-level logs but those are so
voluminous that they probably aren't kept long.

~~~
ZoF
The parent comment was (pretty clearly) referring to what you're calling
"flow-level logs"... Quite obviously you can delete the router's logs (it's
mentioned in the article and by the parent comment); the ISP's traffic logs on
the other hand?

> those are so voluminous that they probably aren't kept long.

Bold assertion.

------
kordless
It feels like we need to include anonymity in the Internet Bill of Rights:

1. I have a right to read or write public information in an anonymous way.

2. I have a right to prevent you from reading or writing _MY_ private
information in an anonymous way, even if the intent is to obtain the right to
exercise #1 in the process.

3. Using someone else's infrastructure/compute/power to enable #1 without
breaking #2 requires you pay for it. I would also propose my private
information is available at a price.

Expecting the right to anonymity by removing the rights of others in the
process places an individual in cognitive dissonance. It's not a good place to
be.

With the advent of cryptocurrencies, we're finally in a place someone can pay
me to use a portion of my infrastructure for enabling their anonymity. I'm
willing to contribute to the cause as long as it's worth my while.

~~~
devconsole
_With the advent of cryptocurrencies, we're finally in a place someone can
pay me to use a portion of my infrastructure for enabling their anonymity. I'm
willing to contribute to the cause as long as it's worth my while._

Your infrastructure will immediately be used to download or upload child
pornography. If you're exceptionally unlucky, the FBI will come knocking and,
if you're unable to provide them with a useful honeypot, you may risk legal
consequences. If you're unable to prove your innocence (the request for the CP
did come from your IP address, after all) then you may be very screwed.

I invite the community to toss around ideas about how to protect against this.
I hypothesize that it's an unsolvable problem: if you enable strong anonymity,
that anonymity will immediately be used for child porn.

One way to combat this would be to have some kind of credentialing, where you
are able to generate credentials for the anonymous party to use. Assuming your
infrastructure is set up as a Tor hidden service, then it's possible for them
to use your infrastructure anonymously, and then you can revoke the
credentials for individual violators.

However, under that scheme, your IP address(es) are shared by every user.
4chan will immediately ban all of them as soon as it becomes clear you're a
proxy, for example.

It may still be worth exploring, but it needs some thought. Tor itself still
doesn't have "endpoint bridges," that is, endpoints which aren't publicly
listed. Meaning it's very easy to ban all of Tor, as far as I know.

~~~
drdaeman
> unable to prove your innocence

Here's the issue. Return presumption of innocence back and problem's solved.

Obviously, that's impossible in a real world.

> credentials for the anonymous party to use

That wouldn't be anonymous anymore. And there's no way to realistically force
a single human to have only one credential - if one's banned they'll just
generate a new one.

~~~
devconsole
It could be possible to enable someone you trust to use your infrastructure.
You don't have to know who this person is. For example, this devconsole HN
account that I'm using now is an anonymous HN account, meaning as long as Tor
is secure, and I don't reveal myself through e.g. text analysis or timing
correlations, it should be hard to figure out who I am. If I were to come to
you and ask to use your infrastructure to help me maintain my anonymity, you
may read my comment history and decide that you trust me not to do illegal
things. Providing such a service would be extremely valuable, because if Tor
is indeed not completely impervious, your extra layer of anonymity may be all
that preserves one's privacy.

If an authority were to come to you and demand you cooperate in determining my
identity, then there would be no way for you to oblige, except by providing
them with a log of the VPN activity, or allowing them to set up a pen trap to
log the VPN activity. At that point, the privacy is still as strong as the Tor
network, so both Tor and this extra layer would have to fall in order to be
unmasked.

(In practice, it's more complicated than that: your infrastructure would be a
fixed endpoint, meaning that if it's compromised then an adversary would gain
a log of your activity. That would provide an overall picture of what you're
up to on the internet. Tor rotates endpoints, making it hard to piece together
that info. So in practice a user should want your service to be something like
a middleman between two different anonymity services. But that's outside the
scope of this comment for now.)

This becomes a pretty attractive idea, because it's not necessarily a great
idea to assume that Tor should be the world's one realistic defense. Since
Snowden used Tor, you can be absolutely certain that various powers are going
to take a keen interest in penetrating Tor. They may use dirty tricks to do
it, such as joining the Tor project as an apparently-trustworthy developer.

Extra layers of defense such as the one outlined above may be worth pursuing.

~~~
gknoy
> It could be possible to enable someone you trust to use your infrastructure.
> You don't have to know who this person is.

Am I the only one to whom this sounds absolutely crazy? How can I trust you if
I don't know who you are? (I mean the general you, not you personally,
devconsole.)

Your comments could have been deliberately sanitized -- perhaps you have
trolling accounts elsewhere that you are exceptionally good at keeping
separate from this one, and spend time making this one look good. One could be
posing as a mild-mannered Python developer here on HN, but be spending one's
evenings being Super-Mallory the Malicious, trolling and trading illegal
information.

I really want to be able to support things like mesh networks and Tor, but the
very risk the GP noted (people will use your resources for Bad Things, and
good luck defending from the feds) prevents me from being willing to do so.
There's no way I would trust you or someone else that I don't personally know
enough to use my resources, unless I were somehow able to keep meticulous logs
which exonerate me from any activity they do. (And, I don't trust that such
logs would even do that...)

Saying that you should be able to trust a stranger is like saying that you
should be able to run a courier service for strangers where you have no idea
whether they are transporting drugs or counterfeit money.

~~~
drdaeman
> Am I the only one to whom this sounds absolutely crazy? How can I trust you
> if I don't know who you are?

Well, cryptographers have invented a fancy thing called "ring signatures" that
allows one to check whether a signature belongs to someone in a group, but
does not allow one to determine who exactly that was. So, technically, it's
quite possible to remain anonymous (as far as belonging to a group does not
break your anonymity) and be trusted at the same time.

But, unfortunately, I don't think F2F mesh networks would prosper anytime
soon.

------
dtwwtd
A couple of years back there was a similar presentation at Defcon that used
routers that exposed UPnP to the public internet. I've linked the talk below:

[http://defcon.org/html/links/dc-archives/dc-19-archive.html#...](http://defcon.org/html/links/dc-archives/dc-19-archive.html#Garcia)

------
timtadh
Stuff like this is why I built my own router (I recommend the ALIX series
[http://pcengines.ch/alix.htm](http://pcengines.ch/alix.htm)). High quality
hardware and you don't have to worry about the software because you control
all of it. Right down to the BIOS if you want to.

~~~
devconsole
How would you verify on demand that the BIOS isn't compromised?

~~~
timtadh
I don't know about "on demand" but PCEngines will give the source for the BIOS
and has an older version posted to the site.
[http://pcengines.ch/tinybios.htm](http://pcengines.ch/tinybios.htm)

~~~
devconsole
What I mean is, how would we verify the BIOS firmware matches what that source
code should produce? If it's possible for us to make our own builds (i.e.
there's no cryptographic signing for the BIOS binaries) then an adversary can
insert a backdoor into the source code, make their own build, and then
remotely flash your hardware with it. Or does flashing the hardware require
some kind of manual operation, like holding down a button for 30 seconds?

------
bananas
If you fancy going out, this works pretty well. I tried it on my router:

[http://www.nickkusters.com/Services/Thomson-SpeedTouch](http://www.nickkusters.com/Services/Thomson-SpeedTouch)

Yes - default WiFi passwords for a big chunk of the routers in Europe are
pretty easy to calculate.

------
jonaldomo
This is a good write up Dan. Is there anything as an owner of a home router we
can do to protect ourselves?

~~~
checker
I'm no expert but I imagine it's a combination of keeping your router's
firmware up-to-date, using a properly configured firewall, and using a strong
password for your router login.

~~~
engtech
You'd think, but most consumer equipment is abandonware and the firmware isn't
updated once a newer model is out.

------
dfa0
Another reminder to use strong, non-default credentials on something that is
the edge of your network.

I'm still amazed by how many people drive around leaving their cars unlocked.

~~~
kordless
I leave my keys in the car sometimes when I'm running errands in my home town.
I care a whole lot more about my network security at home than I do my car.
It's just a car.

~~~
dfa0
The reason to secure your network is a good reason to secure your car.

Your network and your car can/will be used by bad guys to do bad things.

You should care.

~~~
MAGZine
Somehow I'm less worried about people stealing my car when I'm driving around
at 60kmph.

~~~
ticktocktick
You are part of a society in which you have an obligation to protect and
preserve the safety of others through reasonable and responsible actions.

I don't think that locking your car while it is parked or not leaving your
keys in it while it is unattended is too much to ask.

FFS.

------
abus
Why release pre-made tools that allow anyone to cause harm? You could still
explain the problem without them or show code snippets if you have to.

~~~
xenophonf
Because I don't believe you until you release the proof-of-concept. It's like
saying you made some huge scientific discovery without including the data and
methods to back it up.

------
MrClean
Ah. Great. Anonymity in the identity-theft way.

~~~
AnthonyMouse
This is, incidentally, the reason why government-resistant anonymity services
need to be legal. If you don't care about stealing credit card numbers or
hurting people then you don't care about breaking into some poor sucker's
router. But if you're blowing the whistle on some organizational malfeasance,
you won't, so you need the likes of Tor.

~~~
rainsford
I think that oversimplifies an important point. Criminals may not CARE about
breaking into someone's computer or router, but that doesn't mean they're
capable of doing so. Tor significantly lowers the bar for anonymity online,
and there is no question in my mind that it enables criminals who wouldn't
have the means to mask their identities otherwise.

This is not necessarily an argument against tools like Tor, but it's a
tradeoff that I think many Tor supporters are too willing to ignore.

~~~
vezzy-fnord
Criminals are humans. They will use and abuse whatever infrastructure any
other person has access to for their own purposes, much like (you guessed it)
any other person.

Your argument is about as lazy as it is old. The only possible solutions are
to make all criminals go extinct (good luck), or to take away tons of
important tools away from the public, because get this, _criminals_ might use
them! How terrible.

~~~
rainsford
Nowhere did I advocate "taking away tons of important tools", in fact I
specifically said my point wasn't necessarily an argument against Tor. But
what I think is lazy is the way some people pretend that there are no
tradeoffs involved in things like Tor and that they only benefit "the public".

------
notastartup
Seems like Google is saying it's a malware site. Where's the cached version?

