Finding out what the hijackers are doing/have done while in control of my router

Recently, security cameras with livestreaming got installed around the house. The cameras are connected to the router and uploading to the company's servers, and then I can watch the streams live on my phone.

The person who came to install the cameras changed a lot of the router settings (I think he did some kind of reset, because my forwarded ports were gone, and the saved template as well), and also changed it so that a username and password were not needed anymore - anyone connected via WiFi could access the admin page by simply visiting 192.168.1.1 (sounds like a huge vulnerability, and thus incredibly suspicious).

Now in the middle of my gaming session I noticed the router settings suddenly changed, because I had enabled UPnP after they removed my forwarded ports, but now it is disabled again while I am trying to play. I went to the router page to see what they had done, and I see that a username and password are required once again, but they have changed them so I can't even access the page myself now. They essentially hijacked the router.

I want to find out what they are up to. My computer is connected to the router and I have physical access to it. However, I do not just want to physically reset the router and cut their access unless that enables me to see what they have done. In other words: I want to catch them red-handed.

Also, when they have full access to the router, can they eavesdrop on HTTP? HTTPS? Are there perhaps any other security issues I haven't thought of?

The router is a Thomson Technicolor TG799vn v2.

I installed a program called Capsa and perhaps it is the perfect tool for this job. However, my lack of knowledge is too great to do a proper analysis.

Gendarme

Posted 2016-09-23T01:44:24.943

Reputation: 25

This is going to depend entirely on what router you have and what its capabilities are. You won't be able to do much of anything without gaining admin control of the router; if you can do an admin password reset without completely resetting it, you can look at what changes were made to its settings to maybe tell more about what's going on. But you're probably going to end up doing a factory reset on it, and starting over. Also, check your computers for malware/changed settings/etc. – Gordon Davisson – 2016-09-23T20:31:47.977

Oh, and a "security" company that leaves your router open? That's very very bad. I would not trust anyone who'd do that to secure anything for me. – Gordon Davisson – 2016-09-23T20:33:46.110

Answers

The router is a Linux computer, so any Linux programmer with access can program it to do anything that is within its hardware capabilities. If they also have network access, they can upload programs, download video, mirror any camera video on their Internet server, basically just anything at all that the router has access to. They can then upload these videos anywhere on the Internet.

They can also intercept your Internet sessions, record passwords, copy received and sent emails. Anything that passes through the router is fair game.

They cannot see into your computer. So if you are logging into a VPN via the desktop, they cannot intercept your logon, unless the VPN desktop program stupidly sends your id & password in the clear. Unfortunately, HTTPS man-in-the-middle exploits do exist, and your router is right in the middle.

To find out how exactly they have trafficked your router will take a forensic expert to dump your router's system disk and compare its contents to the original image.

You might put a specialized tracing device between the router and your Internet supplier (ISP), to trace if the router is routinely doing unsolicited connects to Internet addresses that you have not requested. That would catch them red-handed and serve as a legal proof. Unfortunately, I cannot recommend any such device, but searching on Amazon will surely come up with one.

However, in the meantime you run a risk any time that you connect to any website that requires entering a user-name and password, of communicating that information to a crook who will use it against you. If you have used the same password on other websites or services, you run the risk of them gaining access to those as well.

I do not really think that the people that have installed your router are to blame, or maybe just for unknowingly leaving some back-door open. I would rather think that an organized crime ring used some zero-day exploit for your router model to break in. So the most that you will find is that the unsolicited communication will be going to somewhere in Russia or somewhere else where they are immune from your local law-enforcement agency.

My recommendation is to download and install the latest router firmware from Thomson (or your ISP) which may close off the back-door in the router, secure the router by turning off all Internet control options and changing all default passwords, and finally change all your passwords anywhere.

Anywhere means passwords on the router and any website or service that you might have logged into via the router, or any password that you also use elsewhere. The chances of you catching anyone red-handed and being able to do something about it, are much lower than their chances of doing you harm.

As user cybernard has remarked below, your computer also runs the risk of now being part of a botnet, if they have managed to install any malware on it. Run malware tests on your computer using multiple anti-virus products, and keep on doing it in the future, as the crooks are always ahead of the good guys. The really safe operation is to re-format and install both the computer and the router at the same time, but that might be going a bit too far.

harrymc

Reputation: 306 093

I have to agree, as someone who monitors their traffic, whoever it is is probably in China or etc. and you can't do anything about it legally. I have 100+ new bans a day, most from out of the country like China. The ones inside the US (and outside also) are probably users that don't know any better and have been hacked, and don't know a hacker has made their computer part of a botnet. Botnets have 100,000+ members and you will never find the hacker. – cybernard – 2016-09-25T15:59:51.037

If the attacker had only access to the web interface and did not install their own router firmware, monitoring data is virtually impossible simply because consumer routers don’t offer it. – Daniel B – 2016-09-25T17:02:17.543

@DanielB: I was talking about a new box between the router and Internet. – harrymc – 2016-09-25T17:57:13.103

Yes, but that’s just for observing the router now. I’m referring to what the attacker could have achieved. – Daniel B – 2016-09-25T18:26:10.250

Would they be able to install malware on my computer by simply being in control of the router? Also, we have assumed that they are evildoers, but perhaps they are just incompetent but benevolent. Is there any way to find out if they are actually doing anything sinister before I take the appropriate measures? – Gendarme – 2016-09-25T18:48:19.927

Yes, they can install malware by modifying the web-page content coming back from well-known websites such as google, so as to include an attack vector. This is a military-grade attack that may require bypassing HTTPS and patching router software or configuration files, so is less likely to have happened to you. But running virus scans now and in the future wouldn't hurt. – harrymc – 2016-09-25T19:32:08.197

The question of "what can they do" is wrong because the answer would be "everything". The right question is rather "what will they do", where the answer is "not much" except to set some automated tools to attack your internal network. Unless you are a famous personality or a billionaire, you will not get their personal attention and will not be attacked by their heaviest tools. Take action to clean up the known infection, secure the router, and continuously verify your computer(s) - you don't need to do much more than that. – harrymc – 2016-09-27T05:57:38.033

There are really only two possibilities:

  • The attacker had access to the router’s web interface. He could have used it to:
    • Create port forwardings to expose internal resources/devices
    • (Maybe) steal your internet access credentials
    • Change the DNS server (everyone’s favorite) to redirect you to fraudulent copies of websites
    • (Unlikely) Use some exploit to access not-so-official functions
    • Exchange the firmware, leading to
  • The attacker has switched the router’s firmware, allowing them:
    • Unfettered access to your internal network
    • To intercept any and all network and Internet communication
    • To permanently (even after factory resets) make your router into a spy-box.

If it’s the latter, the router is no longer fit for use. Do not throw it away though, it is evidence.

That being said, the second possibility is highly unlikely because it requires a lot of effort. It’s more of a “foreign intelligence” kind of thing.

Because consumer routers usually do not offer facilities to intercept traffic, the only way they could intercept your data (without replacing the firmware) is by changing the DNS server. This of course only affects devices that acquire their DNS settings via DHCP.

How did it happen in the first place? Because the router no longer required authentication, a cross-site request forgery attack is very likely. This means you visited a fraudulent/compromised website that automatically attacked your router.

tl;dr: You won’t catch an attacker because there isn’t one. It’s all automated.

Daniel B

Reputation: 40 502
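Two of the checks suggested above can be automated once you have captures: harrymc's idea of watching the link between router and ISP for connections nobody on the LAN asked for, and Daniel B's point that a web-interface compromise shows up as clients sending DNS to a resolver you never configured. The script below is an added example, not code from the question or either answer. It assumes you exported flow summaries from a LAN mirror port and from a tap on the WAN side as (seconds, src, dst, port) tuples, that after NAT every WAN flow carries the router's public address so the source is omitted, and that the allow-list of destinations the router may contact on its own (ISP resolver here) is yours to fill in; all sample flows are constructed.

```python
"""Correlate LAN-side and WAN-side flow summaries from a hijacked-router investigation.

Check 1: WAN flows with no matching LAN request shortly before them and not on the
         router's own allow-list were originated by the router itself ("unsolicited connects").
Check 2: LAN clients sending DNS (port 53) anywhere but the configured resolver, which is
         what a rogue DNS option handed out via DHCP looks like on the wire.
"""
ROUTER_LAN_IP = "192.168.1.1"                 # from the question
EXPECTED_DNS = {ROUTER_LAN_IP}                # assumption: clients should only query the router
ROUTER_ALLOWED = {("203.0.113.5", 53)}        # assumption: ISP resolver the router may forward DNS to
MATCH_WINDOW_S = 2                            # a NATed WAN flow should follow its LAN request within 2 s

# Constructed LAN-side flows: (t, src, dst, dst_port)
LAN_FLOWS = [
    (100, "192.168.1.10", ROUTER_LAN_IP, 53),      # PC asks the router for DNS: normal
    (101, "192.168.1.10", "198.51.100.20", 443),   # PC browsing: normal
    (105, "192.168.1.12", "198.51.100.9", 53),     # camera sends DNS to an outside resolver: indicator
]
# Constructed WAN-side flows: (t, dst, dst_port); source is always the router's public address
WAN_FLOWS = [
    (100, "203.0.113.5", 53),       # router forwarding the PC's DNS query to the ISP: allow-listed
    (101, "198.51.100.20", 443),    # matches the PC's browsing request
    (105, "198.51.100.9", 53),      # matches the camera's (suspicious) request: not router-originated
    (130, "198.51.100.77", 4444),   # nothing on the LAN asked for this: router itself connected out
]


def unsolicited_wan_flows(lan_flows, wan_flows, window=MATCH_WINDOW_S):
    """Return WAN flows no LAN client requested and that the router is not allowed to make itself."""
    suspicious = []
    for t, dst, port in wan_flows:
        if (dst, port) in ROUTER_ALLOWED:
            continue
        requested = any(l_dst == dst and l_port == port and 0 <= t - l_t <= window
                        for l_t, _src, l_dst, l_port in lan_flows)
        if not requested:
            suspicious.append((t, dst, port))
    return suspicious


def dns_to_unexpected_resolver(lan_flows):
    """Return (t, client, resolver) for DNS traffic sent to a resolver nobody configured."""
    return [(t, src, dst) for t, src, dst, port in lan_flows
            if port == 53 and dst not in EXPECTED_DNS]


if __name__ == "__main__":
    for item in unsolicited_wan_flows(LAN_FLOWS, WAN_FLOWS):
        print("router-originated connection:", item)
    for item in dns_to_unexpected_resolver(LAN_FLOWS):
        print("DNS to unexpected resolver:", item)
```

A hit from the first check is only meaningful if the allow-list covers the router's legitimate housekeeping (DNS forwarding, NTP, vendor firmware checks), so expect to tune it against a quiet baseline capture before trusting a flagged flow.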