Quiet Recon At Your Front Door – A Routers Gift To Malware

July 18, 2017

Since Mirai, security researchers and the telecoms industry have become far more aware of the security risks that routers produce, especially from ones with poor security. Mirai highlighted how incompetency had led to mass infections around the world which allowed individuals with limited knowledge in computing to carry out devistating attacks on corporations/governments and most importantly complete countries. Well, it seems that routers can still help malware, but in a different way. Although security considerations are taken into account in modern household routers, they can still be utilised to identify an individual. This security issue also led me to think about how dangerous it can be to actually stay connected to your home network, to which you rely on your router to not identify you from your client. Many considerations are taken on the client aspect of a network, your own PC. Many privacy advocates would say the best way to stay safe would be to install tails, all traffic through TOR by first connecting to a VPN. But little is talked about the first step of getting actually online and the security issues that may occur if not correctly setup from there. Custom router firmware is around, but very few use it, instead we rely on telecoms to keep our gateway to the internet safe. Spoofing your MAC address is something else that many practice when carrying out nefarious behaviour, but without a custom piece of firmware, your router will always show it’s own MAC address when requested correctly.

So why is it so interesting that a household router leaks information without authentication? It is true that logins could be intercepted by malware, but not many people login to their router interface often and so you could be waiting a long time. The information that is leaked in this particular household router, a TALKTALK one, allows malware to do far less calls than it needs to. Many pieces of malware will search for an external IP address by using¬† a HTTP request to a ‘what is my ip address’ type site, reading the response which could be inaccurate and from a VPN or proxy. With one HTTP request (ofcourse, assuming that the infected client has this particular router firmware) we can understand their external IP address, DNS servers used on the router, the MAC address of the router and the routers default gateway. We can also learn some less important things like the SSID of the router, but, the most important ones are things we can uniquely identify a user from, even when they have installed such strong protections on their computer. The one caveat to this is ofcourse, the actual attack vector is fairly small, although TalkTalk is a large ISP in the UK, a targeted attack would only really gain from this.¬† Either way, to me, it is bad privacy design.

So with all that talk, let’s give you a picture of me showing you information that can be retrieved unauthenticated. Don’t worry just about your PC, worry about your the security on your router and how they give out information.