I recently came upon a very common cybersecurity vulnerability that exists in just about every household across the country that should scare every homeowner out of their pants. But as with anything cybersecurity related, unless the consumer realizes how much they’re at risk, they will likely bypass the conversation. So first I will tell you why you should be worried, and then tell you how easy it is to protect yourself.
Post Contents:
- Assumptions
- Background: The Hacker
- Step 1: The vulnerable network connection.
- Step 2: The vulnerable router.
- Step 3: The fake website.
- Step 4: The theft.
- Recommendations
Assumptions
Let’s first make a couple of assumptions that create the vulnerability that I am explaining in this article.
- Assumption #1: You never changed the name of your home network when you purchased a router from a store or received one from your Internet Service Provider (ISP) such as Spectrum, Optimum, or whoever else may own the Internet in your area. If you did, kudos to you, but many people in the United States have not.
- Assumption #2: You never knew that there was a login portal that allows you to change your router’s configuration settings from your browser. This is different from the standard practice of plugging in whatever router you have and connecting to the Internet for the first time. I know that some ISPs provide instructions for changing the network’s password when you first set the router up in your home, but that is also different from what I’m talking about. As a result, the default admin username and password for your router’s configuration settings have never been changed.
- Assumption #3: You changed your network password as prompted when you first set up your home router. It is good that you did that, but it is only one part of the picture.
With these assumptions in mind, let’s get hacking. For the sake of all readers, I won’t go into the specifics of the hack, but I’ll walk you through each step on the macro level.
Disclaimer: All instances referenced in this article are strictly hypothetical. Any similarities to actual events are completely coincidental and should not be attributed to criminal wrongdoings of the author. The steps to the hack outlined here are strictly for educational purposes and should not be replicated in real-world environments where violations of privacy can be charged under federal, state, and local law. Please do not try any of this on any of your devices unless you have received special training.
Background: The Hacker.
First, I’ll begin by defining the hypothetical hacker (whom I will reference in the first person for the sake of storytelling). Three months ago, I got into hacking as a crime because I’m behind on my bills and need some extra money to feed my family and keep a roof over our heads. I learned how to hack all kinds of systems in the past three months by dedicating my nights to learning on TryHackMe.com and practicing in their Capture the Flag rooms. From this experience, I’ve learned just enough to be effective at hacking simple targets with hacking tools that are free and open for the public to download (like Wireshark, Metasploit tools, Ettercap, and more). With these skills, I have become good at using simple network traffic sniffing tools, cracking passwords, performing various man-in-the-middle attacks, and hijacking the sessions you use when connected to secure websites. For equipment, I purchased a high-power Wi-Fi antenna with enough range to pick up a house’s network traffic from the road. I also have a second-hand gaming laptop from the local computer store with a good amount of processing power, enough to do plenty of tasks at once. For the last two weeks, I’ve been going around the neighborhood searching for signals I can pick up and running some simple hacking tools to brute-force router network passwords. I had some trouble with the last several houses, but then I got to yours.
Step 1: The vulnerable network connection.
I’m able to capture the signal from your router using my equipment. The first thing I noticed is that you never changed the network name (called the SSID). Based on a simple Google search of the default name, I can narrow down what model of router you have and guess the default login information for the browser portal your router uses to configure security settings. I’ll remember this for later, but first I need access to your network to make those changes. Just like you put in your network password to get on the Internet, I used my free and open-source hacking tools to brute-force the password and gain entry. At first, I tried a tactic that goes through every combination of letters, numbers, and special symbols, but unluckily for me, it took too long. I couldn’t wait any longer because I had to get back to my day job, and I would rather not look suspicious. So I resorted to another method that cycles through the 1000 most frequently used passwords, and I got in.
Step 2: The vulnerable router.
As I previously mentioned, since I was able to Google the default username and password for your specific router based on your SSID, I used those credentials to log into your router from inside your network. Without doing anything tricky, I can now see how the settings are configured on your router and modify them to make my hacking easier. I can see the current encryption standard the router uses. I can also see the router’s firmware version, and it looks like you may never have updated the firmware. Because I know both the model of your device and its firmware version, I can research the security vulnerabilities listed on the web for that combination and conduct numerous other attacks. But, sticking to this scenario, I’m more concerned with finding ways to take your money. On to the next step.
Step 3: The fake website.
With full knowledge and control of your router, I can forward the data you would otherwise transmit to the router directly to my computer. Over the course of a couple of weeks, I am able to capture network traffic from your router and see that you visit your bank’s website routinely around 7pm on Sunday after dinner is done. During this time, you’re planning your expenses for the week ahead. With a free and open-source tool called SEToolkit, I can easily create a copy of the bank’s website that looks very similar to the real one. It will look just similar enough to keep you from noticing or verifying that you are still on the same secure site you always use. This is called a Watering Hole attack. I can count on you missing it because people rarely confirm that they are using an “https” connection before logging into their bank account, especially when it is the millionth time they’ve logged into the website. As I expected, you entered your login credentials into my fake website and clicked the “Login” button, which sent me your credentials in plaintext. In return, I send you on to the actual website you wanted in the first place, and it looks like your computer just glitched and didn’t take the credentials the first time. Now you enter the same login information into the real webpage, and you get the results you want. But because I now have the same information, I am going to dish out some results you don’t want.
Step 4: The theft.
Finally, I’ve reached my return on investment. All the efforts I’ve made to get to this point give me the ability to transfer your money to an offshore bank account that is untouchable by US authorities. I can now withdraw it whenever I want. The worst part of all is that you will likely contact your bank and law enforcement to report the theft. However, because I used a combination of IP and MAC spoofing along the way, the authorities won’t be able to tell who actually took the money. They may even conclude that a computer on your own network did it because, remember, my computer was on your network, and I spoofed my addresses to make me look like you.
—
The crazy thing about this scenario is that it is an extremely technical way to hack into your network. I could have posed as a technician from your Internet service provider and asked you for the network password as well as the username and password for the browser portal. At that point, I could have easily skipped the legwork I had to do initially. This is called Social Engineering, and it happens to be one of the most effective ways for hackers to get into places they shouldn’t be. Even after endless training at work, people tend to think they are completely safe from harm and have nothing to worry about, when in fact they’re wrong. In my opinion, the security of your default gateway to the Internet, aka your router, is perhaps one of the most important security priorities you should have at home. It should arguably be just as much of a concern as the cameras you may put up to strengthen the physical security of your home. If you’ll stick with me for just a moment longer, I will give you some easy steps to protect this incredibly important device from even the most technical and malicious of hackers.
Recommendations
- Change the network name (SSID) and password. When prompted upon first connecting the router at home, change the name of the network to something that does not reveal the router’s make or model. This should not be hard; you could pick something like “FBI Spy Van” and be just fine. Then also set a passphrase that uses a combination of lowercase and uppercase letters, as well as special characters and numbers. Your password should be anywhere from 12 to 15 characters long, as a strong passphrase will hold off brute-force attacks for upwards of hundreds of years (and longer still with a stronger passphrase). Take note that I use the term “passphrase” and not “password.” Using a passphrase helps you remember the password more easily, but if you use a combination of random words like drake, frogs, and bug, you can modify them into a passphrase like “dr@k3f&06$bu6” and have great security. Even better, you can use a password generator that generates completely random passwords and enters them directly into your browser when they’re needed. Password managers improve security because they prevent the reuse of passwords and only require you to remember one password to enter the manager, which you can and should change frequently.
- Change the default router administrator credentials. Look on the underside or the back of the device to see if there is a default username and password printed there. There should be, and you should take note of it. Then, if the user manual tells you the browser address to log into to configure advanced settings for your device, log into that page with the credentials you noted. Then change the administrator username and password so that no one can ever log into the router with the default credentials again. Finally, add the new credentials to that password manager. I recommend NordPass. It does come with a bit of a cost, but it uses an advanced encryption method that will keep your passwords safe. You can configure multi-factor authentication for logging into it to ensure only the correct people can access it, aka you and only you.
- Ensure you are using a good encryption method. In the security settings of your router, you may see that you can select from many encryption methods. It is important to choose the right one, as a good standard will preserve the confidentiality of the data going across your router and prevent hackers from cracking your encryption key and decrypting your information. This will prevent many other problems as well. I recommend that you use WPA2 as your encryption method. WPA3 is a better one, but can often cause issues with the speed of your Internet connection, especially if you are using devices that aren’t optimized for that standard. WPA2 will work great for home use and keep you secure.
- Set a reminder to look for router firmware updates. You can set this reminder on your phone or in a planner, whichever works best for you. This will be a nice reminder to log back into the browser portal and check whether an update is available for the router’s firmware. These updates are always worth applying because the manufacturer distributes them to fix security issues and other problems with the functioning of the router.
- Use a Virtual Private Network. Virtual Private Networks (VPNs) provide encrypted access directly to another gateway that virtually hides your device from the rest of the Internet. This is particularly beneficial because trackers and other malicious actors on the Internet will not see the exact address of your home connection. If you have a hard time visualizing this, imagine driving through a big city to get to work a couple of miles away. If you had to travel on the city’s roads, you would run the risk of others hitting you or stealing your car. But if you could drive through an underground tunnel instead, you would be protected from all of those risks above ground. While this is a loose analogy, the Internet protocols that enable VPN connections use this kind of tunnel to secure your Internet traffic. In other words, you should have one! This will add to the defenses protecting you from bad people.
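As an added example (not part of the original post), here is the passphrase guidance above turned into a small audit script. It checks the three things the recommendations ask for (12 or more characters, a mix of character classes, not a commonly used password) and estimates the worst-case brute-force time. The common-password set is a constructed ten-entry stand-in for the list the story mentions, and the guess rate is an assumed figure for the estimate, not a measurement.

```python
import string
# Constructed stand-in for the common-password list the story mentions; a real audit loads a full list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "admin", "welcome", "iloveyou", "monkey", "dragon",
}
# Assumed offline guess rate against a captured Wi-Fi handshake (labelled assumption, not a measurement).
ASSUMED_GUESSES_PER_SECOND = 500_000
SECONDS_PER_YEAR = 365 * 24 * 3600
CLASS_CHARS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def character_classes(passphrase: str) -> dict:
    """Which of the four character classes the passphrase uses."""
    return {name: any(c in chars for c in passphrase) for name, chars in CLASS_CHARS.items()}

def alphabet_size(passphrase: str) -> int:
    """Size of the alphabet an attacker must search: the union of the classes actually used."""
    used = character_classes(passphrase)
    return sum(len(CLASS_CHARS[name]) for name, present in used.items() if present)

def years_to_exhaust(passphrase: str) -> float:
    """Worst-case years to try every string of this length over that alphabet."""
    keyspace = alphabet_size(passphrase) ** len(passphrase)
    return keyspace / ASSUMED_GUESSES_PER_SECOND / SECONDS_PER_YEAR

def audit_passphrase(passphrase: str) -> dict:
    """Apply the post's rules: 12+ characters, mixed classes, not a common password."""
    findings = []
    if passphrase.lower() in COMMON_PASSWORDS:
        findings.append("in a common-password list: a wordlist attack wins instantly")
    if len(passphrase) < 12:
        findings.append("shorter than 12 characters")
    if sum(character_classes(passphrase).values()) < 3:
        findings.append("fewer than three character classes")
    return {
        "length": len(passphrase),
        "alphabet": alphabet_size(passphrase),
        "brute_force_years": years_to_exhaust(passphrase),
        "findings": findings,
        "acceptable": not findings,
    }

if __name__ == "__main__":  # constructed candidates, including the post's own example passphrase
    for candidate in ("password", "Spectrum1", "dr@k3f&06$bu6"):
        print(candidate, audit_passphrase(candidate))
```

Note that the keyspace estimate is only meaningful once the wordlist check passes: a password on a common list falls in seconds no matter how large its alphabet looks.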
I recognize that sometimes ISPs may not let you access some settings on the routers you rent from them. While this makes sense because the ISP will turn around and rent it out to someone else after you, it limits how much control you have over its security. You may have to trust that your ISP has the device set to keep you safe, but at the very least, you should know how you can improve your home security. You should also consider purchasing a router yourself that allows you to have the control you want. And please do your research before buying. There are countless routers with cool features (like the ability to access files stored on your router from anywhere) that are not inherently secure. At the end of the day, it may cost you a few hundred dollars to buy a router on your own, but that sure beats the consequences of an insecure gateway.
In closing, it would certainly be nice if you could take the router out of the box and install it with great security already in place. But the fact of the matter is that manufacturers set these devices up to be convenient because modern society loves nice conveniences. But we must also be smart and harden our devices before we use them to ensure they are not allowing our information to escape beyond where we can control it. We are moving into a world where people with malicious intent will find any way possible to gain an advantage unfairly; the Internet is their playground. So protect yourself and take 10 minutes to look at your router. Or pay a local Cybersecurity student a few bucks to help you out…definitely not a shameless plug.