Hacker News new | comments | show | ask | jobs | submit login
How to exploit home routers for anonymity (danmcinerney.org)
199 points by DanMcInerney 1279 days ago | hide | past | web | 78 comments | favorite

Probably worth pointing out that one should remain aware of their local laws when carrying out such activities as the ones outlined in this HOW TO. Because you're blindly hitting hosts and attempting logins, you don't know whose infrastructure you're probing. If you accidentally knock on the wrong door, the simple act of attempting a log in can cause issues for you (legal and otherwise).

I'm trying to avoid sounding like Chicken Little here, but this article makes these actions very accessible. If you're someone who is just getting started toying with networks and security, it's likely that you haven't thought through what can happen if something you try actually works.

Nmap has a great page that discusses the ins-and-outs of the civil and legal issues involved with port scanning (a related activity). However, keep in mind that the guide linked here goes well beyond port scanning in to actually attempting, and presumably, gaining access to someone else's network. While the legality of port scanning is ambiguous, accessing someone else's network is not. If you land on the wrong guy's lawn, you can end up in a very expensive, and potentially dangerous place.


When I read the announcement, I got the feeling that what he's doing isn't so much leveraging other people's routers as providing the owners of those routers with plausible deniability.

Legal and IMO worthy of much praise.

Of course you can ignore all that if you are attacking from Nigeria.

Laws are exciting and important (especially good ones like Newton's laws of motion), but laws could improve too: If someone gets caught doing this they probably ought to do community service working on some bug bounty program instead of going to jail.

I love this impression that if you're connecting from <insert somewhere in Africa>, laws don't apply. I'd wager nobody that's ever actually lived anywhere in 3rd world bandies it about.

True, you're less likely to actually be convicted, but the months/years waiting for trail is guaranteed to be worse than your actual sentence elsewhere, if not fatal.

The parent specifically mentioned Nigeria. Africa is not a country, and his comment may not apply to say, South Africa or Morocco. You're the one generalizing about 3rd world countries, not him.

If you think LLE or even the FBI is going to open the diplomatic channels necessary to pursue someone in Nigeria over access to a consumer-grade router, you're kidding yourself. For all practical purposes, these laws do not in fact apply there.

Unless that consumer grade router is running a bank of a nuclear power plant.

There are very few places outside the reach of US law enforcement. Especially if they bother to get Interpol involved.

I am now imagining wardriving to a nuclear power plant parking lot in order to score free wifi off their NetGear.

Why not, it worked against TJX, right?

Orders of magnitude more likely to find an open WiFi in a bank's parking lot than you are to find a WAN-facing consumer-grade router. Any employee in the company could screw up the former ("I didn't get good wifi so I brought in a router from home!"). The latter requires grossly incompetent netsec.

> it's likely that you haven't thought through what can happen if something you try actually works.

Yup. Luckily, when I tried something similar, I was very much a minor, so the only consequence was that our ISP banned our previous account and required us to sign up for a new one.

The opening paragraph asserts that simply not publishing ("censoring") such concrete, recipe-like exploits of the deficiencies of our shared infrastructure "won't make practices like those outlined [in the article] disappear"[2].

I am reminded of Steve Kemp's 2014 post »Secure your rsync shares, please«[0], relating how he abandoned a project employing zmap[1] upon discovering numerous openly accessible rsync shares containing sensible information. His closing remarks echo the sentiment of the article under discussion here: "I considered not posting this, but I suspect 'bad people' already know..,"[0]

What can be done? Are we reduced to just securing our friends' and families' infrastructure, all the while standing by idly while others outside of our direct sphere of influence suffer the consequences of naïvety?

[0] http://blog.steve.org.uk/secure_your_rsync_shares__please_.h...

[1] A cleverly-built, fast network scanner, https://zmap.io/

[2] http://danmcinerney.org/how-to-exploit-home-routers-for-anon...

Hopefully, by making this kind of exploitation common knowledge for the more tech-oriented crowd, we will be able to bring about change in the companies that manufacture the devices. You're right that the vast majority of people do not realize why they need to secure their infrastructure and would not know how to do it if they did. For that kind of person, the default needs to change to something more secure.

This kind of "change through widespread knowledge of exploitation" strategy saw some success in changing the default encryption schemes of WiFi routers. So, we're already kind of in the same area.

> What can be done? Are we reduced to just securing our friends' and families' infrastructure, all the while standing by idly while others outside of our direct sphere of influence suffer the consequences of naïvety?

No. We can write articles similar to this one which, instead of clearly explaining step-by-step procedures for exploiting weaknesses, clearly explain step-by-step procedures for REPAIRING weaknesses.

I think you give way too much credit to the average person. It's easy to lose sight of how scary technical things are to normal people when you're in it day in and day out, but to ask the average person to change something in their router is kind of like asking me to replace a cylinder in my car.

There's a reason things like the Geek Squad are around and can charge as much as they do...

I think you are complementing your own technical prowess.

But the truth is, replacing a cylinder in a car is so much harder than reading and following these instructions, and even if you don't understand either task the car cylinder task takes longer, requires more tools, makes a mess, etc.

An average person who has no intuition for passwords could just turn their router off when they aren't using it.

I agree with Oxdeadbeefbabe; you are complementing your own 'technical' (computer-related) ability, and overstating the task of configuring a router. Also, not to be pedantic, 'to replace a cylinder' hardly describes a task that can be undertaken on a motor.

The variance in technical ability of the 'average person' nowadays is pretty wide. There are still pop-up clicking grandmothers on IE7 out there, but there are also plenty of baby-boomers with the ability to set the clock on their VCR's, which is a much more fair analogy to the task of router configuration.

I think the important thing is getting the message out that such configuration is much more important than having the clock on your VCR right, which is probably how important the average person thinks router configuration is. As you said in another comment, routers are effectively shipping to average people broken. I think if this were more commonly known, people would take the time to learn and configure their networks. Not ALL people, but more average people than do today. The real problem is not that people are not technically capable of doing the task, but they do not know that it is a task that is really necessary; it's not common knowledge that a brand new router is a security risk.

It is relatively easy to change a cylinder on a horizontally opposed air-cooled VW motor (think '60s beetle) or the Lycoming/Continental engines popular in light aircraft.

Writing simple instructions about how to configure the router safely will not produce a ready-made solution for EVERYONE, but it will certainly help for SOME PEOPLE. And the question was whether anything could be done to assist those "outside of our direct sphere of influence" (i.e. not friends and family). This clearly would help.

If a random stranger can remotely hack your router, I wouldn't be confident that any settings change will secure it. The router is garbage and needs to be replaced, which is easily within the understanding of an average person.

That view is a bit naive. If the problem with a router is that the router is shipped by default with a known back-door or with insecure settings, that does not mean that "the router is garbage". It points to a deplorable lack of wisdom on the part of the vendor, but does not necessarily imply that the only solution is the pay for a replacement.

I often wonder the same thing. Other things that require the same level of expertise typically tell you that you need to do something by actively breaking. I know I need to call my heating and cooling guy because my air conditioning stops working, but nothing breaks to tell you to change your router settings. Technically, it's already broken.

As usual there's actually one effective way: Education.

You could also try scaring people about the end of the Internet, their money stolen and their pets kidnapped if they don't secure their router, but that would still be education.

This submission just links to the homepage. here is the permalink: http://danmcinerney.org/how-to-exploit-home-routers-for-anon...

perhaps a mod can update the URL.

For what it's worth, the other articles on the home page look pretty interesting as well.

So basically this Shodan service scans the web, indexing devices such as IP cameras and routers. You can then search their database by device type or model, and then try the default user/passwords on these devices and create a VPN account for your own use?

I wonder how many botnets use this technique instead of randomly scanning, whether it's their own implementation/database or using a service such as this. Also an interesting business model, "I've got the addresses of 10,000 XYZ routers, model 1234, for $50.00"

Botnets typically just infect a site and do drive-by exploiting of the client. Then they don't need a proxy and they get to siphon user information. Proxies/VPNs are only useful for things like C&C servers.

The nice thing about this is that you don’t have to wonder whether or not your VPN provider is saving logs or not, you are in control of that.

If you take over a single router, a provider does indeed have logs of both the inbound you used to reach the router, and the outbound traffic you create from it. Simple timing logging will show its you and if its "their" router, they'll (at least theoretically) be able to decrypt your traffic too. (And that's assuming it wasn't a great big tasty honey-pot to begin with, pooh-bear)

If you must do this, bounce between a few... and if you must do this, just use tor already.

In this case the VPN "provider" is the router itself and since you owned it you can eliminate logs. The ISP may have flow-level logs but those are so voluminous that they probably aren't kept long.

The parent comment was(pretty clearly) referring to what you're calling "flow-level logs"... Quite obviously you can delete the router's logs(it's mentioned in the article and by the parent comment); the ISP's traffic logs on the other hand?

> those are so voluminous that they probably aren't kept long.

Bold assertion.

It feels like we need to include anonymity in the Internet Bill of Rights:

1. I have a right to read or write public information in an anonymous way.

2. I have a right to prevent you from reading or writing MY private information in an anonymous way, even if the intent is to obtain the right to exercise #1 in the process.

3. Using someone else's infrastructure/compute/power to enable #1 without breaking #2 requires you pay for it. I would also propose my private information is available at a price.

Expecting the right to anonymity by removing the rights of others in the process places an individual in cognitive dissonance. It's not a good place to be.

With the advent of cryptocurrencies, we're finally in a place someone can pay me to use a portion of my infrastructure for enabling their anonymity. I'm willing to contribute to the cause as long as it's worth my while.

With the advent of cryptocurrencies, we're finally in a place someone can pay me to use a portion of my infrastructure for enabling their anonymity. I'm willing to contribute to the cause as long as it's worth my while.

Your infrastructure will immediately be used to download or upload child pornography. If you're exceptionally unlucky, the FBI will come knocking and, if you're unable to provide them with a useful honeypot, you may risk legal consequences. If you're unable to prove your innocence (the request for the CP did come from your IP address, after all) then you may be very screwed.

I invite the community to toss around ideas about how to protect against this. I hypothesize that it's an unsolvable problem: if you enable strong anonymity, that anonymity will immediately be used for child porn.

One way to combat this would be to have some kind of credentialing, where you are able to generate credentials for the anonymous party to use. Assuming your infrastructure is set up as a Tor hidden service, then it's possible for them to use your infrastructure anonymously, and then you can revoke the credentials for individual violators.

However, under that scheme, your IP address(es) are shared by every user. 4chan will immediately ban all of them as soon as it becomes clear you're a proxy, for example.

It may still be worth exploring, but it needs some thought. Tor itself still doesn't have "endpoint bridges," that is, endpoints which aren't publicly listed. Meaning it's very easy to ban all of Tor, as far as I know.

"I invite the community to toss around ideas about how to protect against this. I hypothesize that it's an unsolvable problem"

I'm not sure if you would count this as a solution, but, conceivably you could "enable anonymity" at very low bandwidth ... say ... the equivalent of 9600 baud ?

This is fast enough for speech. It is not fast enough for any kind of multimedia that would be acceptable in 2014 and beyond. It might be a barrier that would cause all bad guys to use other networks, but still allow the kind of "freedom" that we're all convinced twitter gives us (and so on).

Could you "enable anonymity" at very low bandwidth ... say ... the equivalent of 9600 baud?

What a fantastic idea. This seems worth pursuing. It should be possible to configure a modern browser to work with low bandwidth: HTML/CSS/JS would load, but images and other media wouldn't. Is there any reason why HN, Reddit, Twitter, webmail, and other services like IRC wouldn't be usable under those conditions?

It seems like people might be much more willing to rent out their infrastructure to anonymous parties strictly for those purposes.

I would love to see someone try to use HN at 9600 bps. That's bits per second, so 9600 / 8 = 1200 characters per second, roughly.

I used all of those things - irc, the web (gopher), etc., at 9600 baud for years. Wasn't a problem.

Also, you don't really need to configure a browser - just use lynx, which will ignore most of the bandwidth hungry aspects of a site.

When we used the Internet at slow speeds or in batch mode we had people being cautious with bandwidth. Usenet had the informal McQ limit for signatures, which led to newsgroups like alt.fan.warlord to mock people with big or ugly sigs.

The text on the current top story (the Wright Brothers article) is about 11kbytes. That doesn't include any html or css or anything else. That would make a page load at over ten seconds just for the text.

The point isn't that it can not be done, but that people would not tolerate it unless they had a real need.

I regularly use links (as opposed to lynx) to access text heavy sites; nice, clean, distraction-free reading.

I stuck with ~30K bps a lot longer than was reasonable (it's still been years...). HN would be fine, a few seconds waiting for a few minutes reading. Megabyte js monstrosities were the problem, they would time out.

> unable to prove your innocence

Here's the issue. Return presumption of innocence back and problem's solved.

Obviously, that's impossible in a real world.

> credentials for the anonymous party to use

That wouldn't be anonymous anymore. And there's no way to realistically force a single human to have only one credential - if one's banned they'll just generate a new one.

It could be possible to enable someone you trust to use your infrustracture. You don't have to know who this person is. For example, this devconsole HN account that I'm using now is an anonymous HN account, meaning as long as Tor is secure, and I don't reveal myself through e.g. text analysis or timing correlations, it should be hard to figure out who I am. If I were to come to you and ask to use your infrastructure to help me maintain my anonymity, you may read my comment history and decide that you trust me not to do illegal things. Providing such a service would be extremely valuable, because if Tor is indeed not completely impervious, your extra layer of anonymity may be all that preserves one's privacy.

If an authority were to come to you and demand you cooperate in determining my identity, then there would be no way for you to oblige, except by providing them with a log of the VPN activity, or allowing them to set up a pen trap to log the VPN activity. At that point, the privacy is still as strong as the Tor network, so both Tor and this extra layer would have to fall in order to be unmasked.

(In practice, it's more complicated than that: your infrastructure would be a fixed endpoint, meaning that if it's compromised then an adversary would gain a log of your activity. That would provide an overall picture of what you're up to on the internet. Tor rotates endpoints, making it hard to piece together that info. So in practice a user should want your service to be something like a middleman between two different anonymity services. But that's outside the scope of this comment for now.)

This becomes a pretty attractive idea, because it's not necessarily a great idea to assume that Tor should be the world's one realistic defense. Since Snowden used Tor, you can be absolutely certain that various powers are going to take a keen interest in penetrating Tor. They may use dirty tricks to do it, such as joining the Tor project as an apparently-trustworthy developer.

Extra layers of defense such as the one outlined above may be worth pursuing.

> It could be possible to enable someone you trust to use your infrustracture. You don't have to know who this person is.

Am I the only one to whom this sounds absolutely crazy? How can I trust you if I don't know who you are? (I mean the general you, not you personally, devconsole.)

Your comments could have been deliberately sanitized -- perhaps you have trolling accounts elsewhere that you are exceptionally good at keeping separate from this one, and spend time making this one look good. One could be posing as a mild-mannered Python developer here on HN, but be spending one's evenings being Super-Mallory the Malicious, trolling and trading illegal information.

I really want to be able to support things like mesh networks and Tor, but the very risk the GP noted (people will use your resources for Bad Things, and good luck defending from the feds) prevents me from being willing to do so. There's no way I would trust you or someone else that I don't personally know enough to use my resources, unless I were somehow able to keep meticulous logs which exonerate me from any activity they do. (And, I don't trust that such logs would even do that...)

Saying that you should be able to trust a stranger is like saying that you should be able to run a courier service for strangers where you have no idea whether they are transporting drugs or counterfeit money.

> Am I the only one to whom this sounds absolutely crazy? How can I trust you if I don't know who you are?

Well, cryptographers had invented a fancy thing called "ring signatures" that allows one to check whenever a signature belongs to someone in a group, but don't allow to determine who exactly that was. So, technically, it's well possible to remail anonymous (as far as belonging to a group does not break your anonymity) and be trusted at the same time.

But, unfortunately, I don't think F2F mesh networks would prosper anytime soon.

While I don't disagree with you, at least in the UK, possession in a cache and in some circumstances, transmission of child abuse images is a strict liability offence, meaning intent doesn't come into it - I suspect it's the same in many jurisdictions. It's a ridiculous position, but it's still the reality for many.

Are there any actual cases where someone was found guilty just for operating a computer/router/whatever that relayed information?

What is a piece of legislation says and what is actually "law" is often not the same, as the courts can interpret it however they want.

There are a couple that stick in the back of my head, but I can't remember the names - I'll try and dig them out when I get home next week!

I think our ability to communicate privately as a society at large is more important than the issues of child pornography or terrorism, both of which have policing avenues besides pervasive monitoring and tracking of all associations and messages through communication networks.

But yes, we should think of the children, 9/11, etc.

Could you provide a definition for "in an anonymous way" in #1 and "prevent from reading" in #2?

My concerns are:

As for anonymity: Internet protocols require addressing - without an address where to send packets back you can only communicate unidirectionally - sending information but not receiving any. Does being identified by an address still considered "anonymous"?

As for prevention: I'm not sure why need any sort of law to do so. Is there any case - except for law enforcement situations - where one's prevented from disclosing their private information?

Also, writing "requires you pay for it" may have bad consequences. For example, in Russia we had a copyright law that said quite similar thing - a statement that any software license must explicitly define payment process (or explicitly declare rights being provided free of charge) - and this led to issue with perceived legality of some FLOSS licenses that don't say anything about. To my knowledge, this hadn't been ever examined in a court and had been fixed in laws since then, but hope you see the point.

The Bill of Rights already explicitly says it isn't the List of Rights.

The intent of it is a framework, right? i.e. it's not inclusive of all rights, just ones that are currently applicable and a template of intent for future ones.

The answer is in the assumption that powers are enumerated and rights are not. That's why the BoR contains that disclaimer.

A couple years back there was a similar presentation at Defcon that used routers that exposed UPNP to the public internet. I've linked the talk below:


Stuff like this is why I built my own router (I recommend the ALIX series http://pcengines.ch/alix.htm). High quality hardware and you don't have to worry about the software because you control all of it. Right down to the BIOS if you want to.

How would you verify on demand that the BIOS isn't compromised?

I don't know about "on demand" but PCEngines will give the source for the BIOS and has an older version posted to the site. http://pcengines.ch/tinybios.htm

What I mean is, how would we verify the BIOS firmware matches what that source code should produce? If it's possible for us to make our own builds (i.e. there's no cryptographic signing for the BIOS binaries) then an adversary can insert a backdoor into the source code, make their own build, and then remotely flash your hardware with it. Or does flashing the hardware require some kind of manual operation, like holding down a button for 30 seconds?

Could be the processors as well, better to forge the chips by hand to be sure.

If you fancy going out, this works pretty well. I tried it on my router:


Yes - default WiFi passwords for a big chunk of the routers in Europe are pretty easy to calculate.

This is a good write up Dan. Is there anything as an owner of a home router we can do to protect ourselves?

Make sure your router doesn't allow admin access from the outside. Make sure you have a decent admin password. Disable any built-in cloud/ftp/sharing services that you don't use or need. If you use them, make sure to use good passwords and remove any built-in/default account. Disable UPnP in the router if you don't really need it (and understand the risks).

I'm no expert but I imagine it's a combination of keeping your router's firmware up-to-date, using a properly configured firewall, and using a strong password for your router login.

You'd think, but most consumer equipment is abandonware and the firmware isn't updated once a newer model is out.

don't let your router be able to be accessed from outside, ie disable 80/8080/22.

Another reminder to use strong, non-default credentials on something that is the edge of your network.

I'm still amazed by how many people drive around leaving their cars unlocked.

I leave my keys in the car sometimes when I'm running errands in my home town. I care a whole lot more about my network security at home than I do my car. It's just a car.

You are potentially exposing yourself to liability should your car be stolen and involved in an accident:


(IANAL, it looks like a court is not likely to find you liable, but you're still exposing yourself to the hassle of a law suit.)

In my country, it's illegal to leave the keys in your car when you're not in it (a child could get in it to play and hurt themselves or others)

The reason to secure your network is a good reason to secure your car.

Your network and your car can/will be used by bad guys to do bad things.

You should care.

somehow i'm less worried about people stealing my car when I'm driving around at 60kmph.

You are part of a society in which you have an obligation to protect and preserve the safety of others through reasonable and responsible actions.

I don't think that locking your car while it is parked or not leaving your keys in it while it is unattended is too much to ask.


Why release pre-made tools that allow anyone to cause harm? You could still explain the problem without them or show code snippets if you have to.

Because I don't believe you until you release the proof-of-concept. It's like saying you made some huge scientific discovery without including the data and methods to back it up.

It's the most effective wake-up call.

Ah. Great. Anonymity in the identity-theft way.

This is, incidentally, the reason why government-resistant anonymity services need to be legal. If you don't care about stealing credit card numbers or hurting people then you don't care about breaking into some poor sucker's router. But if you're blowing the whistle on some organizational malfeasance, you won't, so you need the likes of Tor.

I think that oversimplifies an important point. Criminals may not CARE about breaking into someone's computer or router, but that doesn't mean they're capable of doing so. Tor significantly lowers the bar for anonymity online, and there is no question in my mind that it enables criminals who wouldn't have the means to mask their identities otherwise.

This is not necessarily an argument against tools like Tor, but it's a tradeoff that I think many Tor supporters are too willing to ignore.

Criminals are humans. They will use and abuse whatever infrastructure any other person has access to for their own purposes, much like (you guessed it) any other person.

Your argument is about as lazy as it is old. The only possible solutions are to make all criminals go extinct (good luck), or to take away tons of important tools away from the public, because get this, criminals might use them! How terrible.

Nowhere did I advocate "taking away tons of important tools", in fact I specifically said my point wasn't necessarily an argument against Tor. But what I think is lazy is the way some people pretend that there are no tradeoffs involved in things like Tor and that they only benefit "the public".

> Criminals may not CARE about breaking into someone's computer or router, but that doesn't mean they're capable of doing so.

The problem with this line of reasoning is that it covers such a small number of people. The only people your argument covers are serious criminals who a) are too stupid to be able to download a simple tool to exploit routers with unpatched vulnerabilities from last year and yet b) are still competent enough to use Tor without doing anything that would reveal their identity.

And that also excludes the most serious criminals because the set of people who can break into the computers of large organizations to commit crimes is essentially a superset of the set of people who can break into an unpatched consumer-level router.

seems like google is saying it's a malware site where's the cached version

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact