Finding out what the hijackers are doing/have done while in control of my router

Recently, security cameras with livestreaming got installed around the house. The cameras are connected to the router and uploading to the company's servers, and then I can watch the streams live on my phone.

The person who came to install the cameras changed a lot of the router settings (I think he did some kind of reset, because my forwarded ports were gone, and the saved template as well), and also changed it so that a username and password were not needed anymore - anyone connected via WiFi could access the admin page by simply visiting 192.168.1.1 (sounds like a huge vulnerability, and thus incredibly suspicious).

Now in the middle of my gaming session I noticed the router settings had suddenly changed, because I had enabled UPnP after they removed my forwarded ports, but now it is disabled again while I am trying to play. I went to the router page to see what they had done, and I see that a username and password are required once again, but they have changed them so I can't even access the page myself now. They essentially hijacked the router.

I want to find out what they are up to. My computer is connected to the router and I have physical access to it. However, I do not just want to physically reset the router and cut their access unless that enables me to see what they have done. In other words: I want to catch them red-handed.

Also, when they have full access to the router, can they eavesdrop on HTTP? HTTPS? Are there perhaps any other security issues I haven't thought of?

The router is a Thomson Technicolor TG799vn v2.

I installed a program called Capsa and perhaps it is the perfect tool for this job. However, my lack of knowledge is too great to do a proper analysis.


Solution 1:

The router is a Linux computer, so any Linux programmer with access can program it to do anything that is within its hardware capabilities. If they also have network access, they can upload programs, download video, mirror any camera video on their Internet server, basically just anything at all that the router has access to. They can then upload these videos anywhere on the Internet.

They can also intercept your Internet sessions, record passwords, copy received and sent emails. Anything that passes through the router is fair game.

They cannot see into your computer. So if you are logging into a VPN via the desktop, they cannot intercept your logon, unless the VPN desktop program stupidly sends your id & password in the clear. Unfortunately, HTTPS man-in-the-middle exploits do exist, and your router is right in the middle.

To find out how exactly they have trafficked your router will take a forensic expert to dump your router's system disk and compare its contents to the original image.

You might put a specialized tracing device between the router and your Internet supplier (ISP), to trace if the router is routinely doing unsolicited connects to Internet addresses that you have not requested. That would catch them red-handed and serve as a legal proof. Unfortunately, I cannot recommend any such device, but searching on Amazon will surely come up with one.

However, in the meantime you run a risk any time that you connect to any website that requires entering a user-name and password, of communicating that information to a crook that will use it against you. If you have used the same password on other websites or services, you run the risk of them gaining access to those as well.

I do not really think that the people that have installed your router are to blame, or maybe just for unknowingly leaving some back-door open. I would rather think that an organized crime ring used some zero-day exploit for your router model to break in. So the most that you will find is that the unsolicited communication will be going to somewhere in Russia or somewhere else where they are immune from your local law-enforcement agency.

My recommendation is to download and install the latest router firmware from Thomson (or your ISP) which may close off the back-door in the router, secure the router by turning off all Internet control options and changing all default passwords, and finally change all your passwords anywhere.

Anywhere means passwords on the router and any website or service that you might have logged into via the router, or any password that you also use elsewhere. The chances of you catching anyone red-handed and being able to do something about it, are much lower than their chances of doing you harm.

As user cybernard has remarked below, your computer also runs the risk of now being part of a botnet, if they have managed to install any malware on it. Run malware tests on your computer using multiple anti-virus products, and keep on doing it in the future, as the crooks are always ahead of the good guys. The really safe operation is to re-format and install both the computer and the router at the same time, but that might be going a bit too far.
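The answer above suggests putting a tap between the router and the ISP to spot connections the router makes on its own. A practical difficulty is NAT: on the WAN side every flow carries the router's WAN address as source, so source IP alone cannot tell a router-originated connection from one a LAN host requested. One way around that, written here as an added example (not code from the answer's author), is to capture on both sides and count flows per destination; any WAN-side flow without a LAN-side counterpart was started by the router itself. The flow lines, addresses (documentation ranges) and the allowlist of destinations the router legitimately contacts on its own are all constructed assumptions.

```python
"""Correlate LAN-side and WAN-side flow summaries to find connections the
router originated itself (added example; all data below is constructed)."""
from collections import Counter

# Constructed one-line flow summaries in the form "src:port -> dst:port",
# as a tap or flow exporter on each side of the router might produce.
LAN_FLOWS = """\
192.168.1.20:51234 -> 93.184.216.34:443
192.168.1.20:51235 -> 93.184.216.34:443
192.168.1.31:40001 -> 203.0.113.10:443
"""

# WAN side: NAT rewrites the source to the router's WAN address (assumed
# 198.51.100.7) and may also rewrite source ports.
WAN_FLOWS = """\
198.51.100.7:51234 -> 93.184.216.34:443
198.51.100.7:51235 -> 93.184.216.34:443
198.51.100.7:40001 -> 203.0.113.10:443
198.51.100.7:33001 -> 203.0.113.53:53
198.51.100.7:33002 -> 192.0.2.99:8080
198.51.100.7:33003 -> 192.0.2.99:8080
"""

# Destinations the router is expected to contact on its own (assumed: the
# ISP's resolver). Anything else the router starts by itself is reported.
ALLOWED_ROUTER_DESTINATIONS = {("203.0.113.53", 53)}


def parse_flows(text):
    """Parse 'src:port -> dst:port' lines into (src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = (part.strip() for part in line.split("->"))
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((sip, int(sport), dip, int(dport)))
    return flows


def router_originated(lan_flows, wan_flows):
    """Return {(dst_ip, dst_port): count} for WAN flows that have no LAN-side
    counterpart. Matching is on destination only, because NAT may rewrite
    source ports, so per-destination counts are compared instead."""
    lan = Counter((f[2], f[3]) for f in lan_flows)
    wan = Counter((f[2], f[3]) for f in wan_flows)
    return dict(wan - lan)  # Counter subtraction keeps only positive counts


def suspicious_router_flows(lan_text, wan_text, allowlist):
    """Router-originated destinations that are not on the allowlist."""
    extra = router_originated(parse_flows(lan_text), parse_flows(wan_text))
    return {dst: n for dst, n in extra.items() if dst not in allowlist}


if __name__ == "__main__":
    # Over the constructed data this reports 192.0.2.99:8080 (2 flows) and
    # nothing else: the ISP resolver is allowlisted and every other WAN flow
    # has a matching LAN-side request.
    for (ip, port), n in suspicious_router_flows(
        LAN_FLOWS, WAN_FLOWS, ALLOWED_ROUTER_DESTINATIONS
    ).items():
        print(f"router-originated: {ip}:{port} ({n} flows, not on allowlist)")
```

The counting approach also survives a router that rewrites source ports on every connection; what it cannot do is attribute a flow that a LAN host really did request, so keep the captures time-aligned and compare them over the same window.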

Solution 2:

There are really only two possibilities:

  • The attacker had access to the router’s web interface. He could have used it to:
    • Create port forwardings to expose internal resources/devices
    • (Maybe) steal your internet access credentials
    • Change the DNS server (everyone’s favorite) to redirect you to fraudulent copies of websites
    • (Unlikely) Use some exploit to access not-so-official functions
    • Exchange the firmware, leading to
  • The attacker has switched the router’s firmware, allowing them:
    • Unfettered access to your internal network
    • To intercept any and all network and Internet communication
    • To permanently (even after factory resets) make your router into a spy-box.

If it’s the latter, the router is no longer fit for use. Do not throw it away though, it is evidence.

That being said, the second possibility is highly unlikely because it requires a lot of effort. It’s more of a “foreign intelligence” kind of thing.

Because consumer routers usually do not offer facilities to intercept traffic, the only way they could intercept your data (without replacing the firmware) is by changing the DNS server. This of course only affects devices that acquire their DNS settings via DHCP.

How did it happen in the first place? Because the router no longer required authentication, a cross-site request forgery attack is very likely. This means you visited a fraudulent/compromised website that automatically attacked your router.

tl;dr: You won’t catch an attacker because there isn’t one. It’s all automated.
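The answer above names a changed DNS server as the realistic way a consumer router is turned against its users, and notes that only devices taking DNS from DHCP are affected. The following added example (not the answer author's code) checks both sides of that claim offline: it reads the resolver list out of a dhclient-style lease file and compares it to the resolvers you expect, and it scans LAN-side DNS query summaries to see which clients are actually sending queries elsewhere. The lease text, query lines, addresses and the expected-resolver set are all constructed assumptions.

```python
"""Check DHCP-advertised DNS servers and observed DNS traffic against the
resolvers that should be in use (added example; all data is constructed)."""
import re

# Constructed dhclient-style lease excerpt as recorded by a LAN client.
LEASE_TEXT = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.20;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 198.51.100.200;
}
"""

# Constructed DNS query summaries from a LAN-side capture:
# "client -> resolver:port qtype name".
DNS_QUERIES = """\
192.168.1.20 -> 192.168.1.1:53 A example.com
192.168.1.31 -> 198.51.100.200:53 A example.com
192.168.1.40 -> 8.8.8.8:53 A example.com
"""

# Assumed: the router itself and the ISP's resolver are the only legitimate ones.
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}


def dhcp_dns_servers(lease_text):
    """Extract the comma-separated domain-name-servers option from a lease."""
    match = re.search(r"option domain-name-servers ([^;]+);", lease_text)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",")]


def unexpected_dhcp_dns(lease_text, expected):
    """Resolvers the DHCP server advertises that are not expected. Anything
    here affects every client that takes its DNS settings from DHCP."""
    return [s for s in dhcp_dns_servers(lease_text) if s not in expected]


def off_path_resolvers(query_text, expected):
    """Map each unexpected resolver seen in traffic to the clients using it.
    A resolver used by one client only is more likely a static setting on
    that device; one used by many clients points at the DHCP configuration."""
    seen = {}
    for line in query_text.splitlines():
        line = line.strip()
        if not line:
            continue
        client, rest = (p.strip() for p in line.split("->", 1))
        resolver = rest.split()[0].rsplit(":", 1)[0]
        if resolver not in expected:
            seen.setdefault(resolver, set()).add(client)
    return seen


if __name__ == "__main__":
    for server in unexpected_dhcp_dns(LEASE_TEXT, EXPECTED_RESOLVERS):
        print(f"DHCP advertises unexpected DNS server {server}")
    for resolver, clients in off_path_resolvers(DNS_QUERIES, EXPECTED_RESOLVERS).items():
        print(f"{resolver} is queried by {len(clients)} client(s): {sorted(clients)}")
```

On the constructed data the lease hands out 198.51.100.200 alongside the router, and one client is seen using it; a third client queries 8.8.8.8, which the lease never advertised, so that is a setting on the device rather than a router-side change. Run the same two checks after a firmware reinstall and password change to confirm the advertised resolvers went back to what you expect.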