How did it all start?

Believe it or not, it all started with a simple misconfiguration of the router provided by the ISP. To my utter surprise, I happened to notice that most of the routers supplied by the ISP to residential/SOHO customers (in my study, the Aztech ADSL2+ Wireless G Router) allow anonymous inbound connections by default, making it easy for an attacker to reach the router's management page straight away using the victim's public IP address! The fun doubles when the router has default credentials or no credentials at all!!

How would the whole scenario work for an attacker?

  • Do a port scan on the ISP’s dynamic IP ranges, in a slow non-intrusive fashion (probably well-known ports on smaller ranges to make it quick). This shouldn’t take much time as an attacker could start by looking at his own dynamic IP address assigned by the ISP
  • Try to visit the web page for that IP address from a browser if port 80 is found to be open, or alternatively try to get telnet access if port 23 is open

Unfortunately, most internet users are non-techies and they leave their routers with blank passwords, making it a cakewalk for the attacker.

So how can it impact a normal user, and why should I care?

It is DNS that is responsible for resolving domain names into IP addresses, and if a hacker controls your DNS he can also control where your traffic is directed. Your DNS server is essentially the phone book of the internet that maps domain names to IP addresses.
To cut a long story short: whenever you use DNS to resolve hostnames (and we all do), you trust the information coming from that DNS server to be correct. In the above scenario, the attacker changed the DNS server setting in the victim's router to his own malicious DNS server. This tricked the user into visiting the various phishing websites that the attacker had hosted. For instance, when the victim tries to visit Facebook, the DNS query is directed to the attacker's DNS server, where it resolves to a fake Facebook page, again hosted by the attacker. Now the beauty of this phishing attack (more precisely called a pharming attack) is that the website address in the browser address bar stays unchanged, leaving the user with no clue. The only way to detect a phishing page in such scenarios is to check for HTTPS in the address bar, as most phishing pages use HTTP. If it is HTTPS, review the website's SSL certificate for further confirmation. But again, how many of us care to do that?
Once the user submits his credentials on the phishing page, they are copied to a text file on the attacker's server and the user is redirected to the original page. This makes the attack look neat and arouses no suspicion in the user.
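The defender's counterpart to the pharming described above, as an added example that is not from the original post: a small Python check that compares what the router-supplied resolver returns for a hostname against a trusted reference resolver, and separately flags a router DNS setting that falls outside the ISP's expected resolver range. The function and class names, the expected resolver network, and the sample lookups are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Resolver network the router is expected to hand out. Constructed placeholder
# (RFC 5737 documentation range) standing in for the ISP's real resolver subnet.
EXPECTED_RESOLVER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Addresses no public website should resolve to: RFC 1918 and loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def resolver_is_expected(resolver_ip: str) -> bool:
    """True if the DNS server configured on the router lies in an expected range."""
    addr = ipaddress.ip_address(resolver_ip)
    return any(addr in net for net in EXPECTED_RESOLVER_NETS)

@dataclass
class Observation:
    hostname: str
    via_router: set      # A records returned by the router-supplied resolver
    via_reference: set   # A records from a trusted, independent resolver

def classify(obs: Observation) -> str:
    """Label one hostname's lookups: 'bogus' if the router answer is a local
    address, 'ok' if both resolvers share at least one address (CDNs return
    several, so overlap is enough), 'divergent' if they share none, which is
    the signature of the pharming described above."""
    for a in obs.via_router:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in LOCAL_NETS):
            return "bogus"
    if obs.via_router & obs.via_reference:
        return "ok"
    return "divergent"

def audit(observations, configured_resolver: str) -> dict:
    """Summarise the resolver check plus one label per hostname."""
    return {
        "resolver_expected": resolver_is_expected(configured_resolver),
        "hosts": {o.hostname: classify(o) for o in observations},
    }

# Constructed sample lookups using RFC 5737 documentation addresses.
SAMPLE = [
    Observation("bank.example", {"203.0.113.10"}, {"203.0.113.10"}),
    Observation("social.example", {"192.0.2.55"}, {"203.0.113.20", "203.0.113.21"}),
    Observation("mail.example", {"10.0.0.5"}, {"203.0.113.30"}),
]
```

Running `audit(SAMPLE, "192.0.2.53")` flags the resolver as unexpected and labels the second and third hostnames as divergent and bogus; in practice the reference answers would come from a resolver reached without going through the router's DNS.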

Now what?

There are plenty of other options available to an attacker once he gets access to the router. A few of the other interesting things to look at would be:

  • The internet user account credentials. The password is hidden behind asterisks, but on some routers it can be read straight out of the web page's HTML source
  • Denial of service against the router by sending the reboot command repeatedly from a script
  • Do port forwarding to an internal machine
  • Change the routing table entries
  • Set a password on the router
  • Change the wireless network security key or the SSID

In short, an attacker could do a whole lot of things! And if it's a company gateway, there is even more reason to worry!!

What are the lessons learned?

  • Enforce a strong password on your router. Do not leave the router with default credentials
  • Strictly disable anonymous inbound connections to your router. If remote administration is required at all, restrict access to specific IP addresses and change the port to a less obvious one
  • Monitor device logs at regular intervals, and whenever you notice something fishy
  • Enable the firewall feature on the router

Now we know how bad it looks when your router's management interface is exposed to the internet like this. From a security standpoint, ISPs should not be providing customers with routers that are misconfigured by default, since the majority of internet users are non-techies and there is a good chance they will land in trouble; and as we just saw, the consequences can get much worse.