0

I know that it's theoretically possible that a router can be hacked, and malware can be spread throughout a network merely by being connected to it.

However, I'm wondering what exactly the chances of this are, since we never really hear about it often.

For example, universities share connections with hundreds of students, and not to be stereotypical, they are likely downloading all sorts of content that isn't deemed safe (verifying, torrenting etc).

So, let's say an infected device was connected to my home network. What are the chances of that particular device infecting my network, and therefore infecting other devices on the network?

Here are my thoughts:

  • attacker would first need to compromise the router

  • attacker, if successful in compromising the router, would then need to know a zero-day attack to infect other devices

That's the only way they would be able to, right? Ignoring DNS poisoning.

schroeder
  • 1
    You are mixing up a few concepts. An infected router is different from an infected endpoint, so your university note seems strange. And universities have enterprise-grade routers, so the comparison to home networks doesn't work, either. You start off talking about the router getting compromised and then the rest of the network, but you then talk about endpoints getting compromised first. Second, why would a "zero-day" need to be used? Can you clarify? – schroeder Feb 16 '22 at 19:17
  • It may not be as uncommon as you think. Many consumer-grade routers have default admin passwords that have never been changed, and are well known. Although the admin interfaces on these routers are usually not accessible from the WAN side, in most cases they can be accessed from the LAN side. See https://security.stackexchange.com/questions/221658/what-would-happen-if-some-random-webpage-made-an-ajax-request-for-http-127-0-0/221659 for some interesting reading on how an attacker can circumvent SOP to compromise a router in this case from the LAN side. – mti2935 Feb 16 '22 at 19:33
  • 1
    @mti2935 or we could simply mention the Mirai botnet ... – schroeder Feb 16 '22 at 20:16
  • @schroeder, yes, indeed. – mti2935 Feb 16 '22 at 20:17
  • I'll try and tackle one issue at a time. Regarding the zero-day exploit, I thought that if other devices are up to date, you would therefore need to compromise that system with a method that isn't known, otherwise it would be patched. So let's say an attacker did compromise your router, they would still need to compromise each device to infect it. I'm assuming for a router to be compromised via malware, it would either need to be remotely hacked or an infected device connects and spreads that malware across the network, but to do that they have to evade the other devices' security updates. – aslingaboutsec Feb 17 '22 at 01:00
  • Ok, you are focused on a particular type of compromise and one small range of threats. You are also assuming that all patches are applied as soon as they come out. Vulnerabilities that can be weaponised are weaponised in less than a day. People update their machines, on average, 7 days after patch release for OS patches (longer for non-OS patches). Auto-updates help to reduce that time, but the average is still longer than the time to weaponise. – schroeder Feb 17 '22 at 09:16
  • Wannacry was not that long ago. Neither was Mirai. Things have improved, but the underlying weaknesses in people haven't gone away. If your question is, "what is the practicality of a spreading device compromise in a perfectly run network that doesn't have an authentication domain" then that's a different question. – schroeder Feb 17 '22 at 09:17

1 Answer

-1

You're correct in your assumptions.

Yes, a router which is compromised doesn't pose a threat in itself unless we are talking about DNS poisoning. To compromise further devices on the net you need to attack their listening network ports and by default it's no easy feat as e.g. Windows 10/11 by default have pretty much all of their ports closed even on LAN, Linux by default listens/opens only port 22 which is sshd and there are literally millions of such servers on the net, so you can bet sshd is quite a reliable piece of software with no known vulnerabilities.

Artem S. Tashkinov
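The answer's argument is that a compromised router (or LAN peer) can only reach whatever ports your other devices actually listen on, and that a default install listens on very few of them. The following added example (not from the answer's author) is the check a defender would run on a Linux host to see this for themselves: it parses the kernel's `/proc/net/tcp` table, keeps only sockets in the LISTEN state, and separates loopback-only listeners (unreachable from the LAN) from those bound to all interfaces. The sample table is constructed, not captured from a real machine.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not from a real host).
# local_address is little-endian hex IP:port; st 0A means LISTEN, 01 ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00010A:E43C 5E4B1A2F:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

LISTEN_STATE = "0A"


def _decode_addr(hex_addr):
    """Turn '0100007F:0277' into ('127.0.0.1', 631)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel writes the IPv4 address in host (little-endian) byte order.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(table_text):
    """Return LISTEN sockets as dicts; lan_reachable is False for loopback binds."""
    listeners = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue  # established/other states are not attack surface for new connections
        ip, port = _decode_addr(fields[1])
        listeners.append({"ip": ip, "port": port, "lan_reachable": not ip.startswith("127.")})
    return listeners


def lan_exposed_ports(table_text):
    """Sorted list of ports a LAN peer (or a compromised router) could actually connect to."""
    return sorted(entry["port"] for entry in parse_listeners(table_text) if entry["lan_reachable"])


if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for entry in parse_listeners(text):
        print(f"{entry['ip']}:{entry['port']}  lan_reachable={entry['lan_reachable']}")
    print("LAN-exposed ports:", lan_exposed_ports(text))
```

On the sample table only port 22 is reachable from the network; the CUPS and 8080 listeners are bound to 127.0.0.1 and do not count. IPv6 listeners live in `/proc/net/tcp6` and are not covered here.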