
In the hypothetical scenario where someone has managed to gain unlawful access to a SOHO router (any of the consumer wifi models will serve nicely), what steps can you take to verify this, so as to present evidence to a court?

These devices don't seem to have much logging built in, and even if they do how can you show they were not tampered with? What reliable evidence can be obtained from such devices?

AviD
Sonny Ordell
    Legal and evidentiary matters are specific to the jurisdiction of the parties. Unauthorized access is not necessarily illegal in every country. – this.josh Sep 08 '11 at 07:25

2 Answers


To clarify, I think you are asking about consumer-grade home broadband routers with built-in wireless (802.11a/b/g/n), right?

Out of the box, you are going to have a very difficult time proving any kind of intrusion using these devices. Besides the fact that there is nothing authenticating your valid users, how would you distinguish between legal and illegal users?

For tampering, you would need to have a snapshot of the device and configuration when set up, to compare against it after it has been tampered with.

Bradley Kreider
  • SOHO routers is a better term, as such routers are not limited to the home, IMO. Illegal users could be established by a MAC address not belonging to an allowed device, which in a small environment is easy to manage. – Sonny Ordell Sep 07 '11 at 20:20
  • Seems to me that the presence of the MAC address alone would be pretty hard to justify. You would need to tie the changes made to the router to that particular MAC. – Steve Sep 07 '11 at 22:07
  • Besides, mac address sniffing and spoofing are trivial. – Steve Dispensa Sep 08 '11 at 00:36
  • So then, there is no way? If someone breaks into your network and commits crimes, such as child porn or whatever, no way to prove it wasn't you? Barring examining the actual PC.... – Sonny Ordell Sep 08 '11 at 01:18
  • @Sonny, yes, that seems about right. If police had to figure out whether it was you or not, they'd probably grab your PC and start looking through it forensically. – D.W. Sep 08 '11 at 06:01
  • @D-W Actually that is exactly right. See [SWAT Team Raids Home Because Guy Had An Open Wireless Router](http://www.theagitator.com/2011/04/24/). Contrary to what you may see on TV, few law enforcement agencies are technology savvy. – this.josh Sep 08 '11 at 07:33
  • @Sonny: I used that term, because the lack of features listed illustrate how they are barely qualified for home office. How do you log the MAC address? How do you persist the log? Besides MAC address spoofing being easy. – Bradley Kreider Sep 08 '11 at 16:00

I'd point out that just because they don't have much logging doesn't mean that they don't have any. Assuming you recognized the intrusion before the log rolled over, I believe that you would see evidence of it on most of the consumer-grade SOHO routers I've used if logging was enabled. I was able to detect intrusion (and DoS) attempts on routers from DLink, Linksys, and Netgear by analyzing their logs relatively near the event.

Additionally, if you were looking to protect a deployment, running dd-wrt provides a significantly more robust logging mechanism through syslogd that supports logs being offloaded to provide a permanent record and avoid the rollover problem.

However, as I believe was pointed out above, logging is often off by default on these devices and as a result I can't see being able to get much from them in that case.

scottsh
  • OK, I think I understand your question better based on your comment above. You want to know that if you suffered an intrusion and then wanted to prove later, after the miscreant did something, that you weren't the one to do it. If this is your main concern, then I'd run dd-wrt or get a router that has robust logging that you can archive. I might also document your network and the way your systems interact and use the router such that your personal activity is discernible from an intruder's. – scottsh Sep 08 '11 at 04:19
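The answer above recommends offloading the router's syslog to a collector so the record survives rollover; the question also asks how to show the record was not tampered with afterwards. The following is an added example (not code from either answerer or from dd-wrt) of a collector-side archive that hash-chains each received line to everything before it, so a later edit or deletion is detectable. The log lines, hostname and process tags are constructed in the general RFC 3164 shape and are not captured from a real device.

```python
import hashlib
import re

# Constructed sample lines in the RFC 3164 shape a router's syslogd forwards;
# hostname, tags and addresses are invented, not taken from a real device.
SAMPLE_LOG = [
    "<30>Sep  8 01:12:03 router dnsmasq-dhcp[312]: DHCPACK(br0) 192.168.1.23 aa:bb:cc:dd:ee:ff laptop",
    "<30>Sep  8 01:14:41 router dnsmasq-dhcp[312]: DHCPACK(br0) 192.168.1.57 11:22:33:44:55:66",
    "<12>Sep  8 01:15:02 router httpd[77]: login failure for user admin from 192.168.1.57",
    "<13>Sep  8 01:15:09 router httpd[77]: login success for user admin from 192.168.1.57",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)

def parse_line(line):
    """Split one forwarded syslog line into fields; PRI encodes facility*8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m["ts"],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def chain_append(prev_digest, line):
    """Digest over the previous digest plus this line, so each record commits to all earlier ones."""
    return hashlib.sha256(prev_digest.encode() + b"\n" + line.encode()).hexdigest()

def build_archive(lines, seed="archive-start"):
    """Return (line, digest) records in arrival order; a collector would write each as it arrives."""
    records, prev = [], seed
    for line in lines:
        prev = chain_append(prev, line)
        records.append((line, prev))
    return records

def first_broken_link(records, seed="archive-start"):
    """Index of the first record whose stored digest does not recompute, or -1 if intact.
    Editing, inserting or deleting any earlier line breaks every digest from that point on."""
    prev = seed
    for i, (line, digest) in enumerate(records):
        prev = chain_append(prev, line)
        if digest != prev:
            return i
    return -1
```

The chain only proves integrity from the point of collection onward and only if the seed and the final digest are kept somewhere the router cannot write to; it says nothing about lines the device never emitted or that were lost before reaching the collector.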