Can a router lie?

The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed

In article , says...

The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed

Of course it can is my guess.

pjp wrote:
In article , says...

The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed

Of course it can is my guess.


I had no doubt it could be hacked. But there's another element here.
Could someone hack it and then stay invisible when I log in?

Ed

On 12/28/2017 11:04 AM, Ed Cryer wrote:
The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed


I disabled WiFi on my router. Our PCs are connected via ethernet cables.

--
David E. Ross
http://www.rossde.com/

President Trump: Please stop using Twitter. We need
to hear your voice and see you talking. We need to know
when your message is really your own and not your attorney's.

In article , says...

pjp wrote:
In article , says...

The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed

Of course it can is my guess.


I had no doubt it could be hacked. But there's another element here.
Could someone hack it and then stay invisible when I log in?

Ed

Well seeing how it's been hacked it can display whatever it wants to
including spoofing existing pages DUH!!!

On 12/28/2017 11:04 AM, Ed Cryer wrote:
The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.
It got me wondering, though. Could my router be hacked and not show the
hacker?
Ed

As far as blinking LED lights showing activity - I think it depends on
what model router you have, here's one that allows you to disable that
behavior. You can find out very easily by logging into your router or
reading the manual.
https://kb.netgear.com/24603/How-do-...ghthawk-router

Ed Cryer wrote:
pjp wrote:
In article , says...

The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed

Of course it can is my guess.


I had no doubt it could be hacked. But there's another element here.
Could someone hack it and then stay invisible when I log in?

Ed


Some (but not all) routers run Linux. Some use an
embedded OS of some sort.

The router can have a three pin interface, consisting
of TTL level Transmit, Receive, GND. That's a serial port
but without an RS232 level translator.

To connect to that, there were some adapters for cell phones,
that were USB on one end, and TTL level three pins on the other
end, and you'd solder one of those to your router to talk to it.

Once the USB connector is plugged into your PC, you should
be looking at the console port traffic of the embedded OS.
You should also be able to run commands from there.

For example, you could run the "ps" command and do process
status. And see whether any strange processes are present.
Or use the "who" command and see who is logged in. Now,
that's not likely to work, and it'll probably show that
"root" is the only user. All that's left then, is seeing
whether any process has a strange name. And you know
how well that's going to work (disguise is the first thing
they'd do in there).

So yes, it's possible to snoop on what a router is doing,
if you can find the header with that interface on it. And
assuming the console is enabled and dumping to that port.

*******

If you bought a router from this company, it might have
a console port on the outside of the chassis.

https://mikrotik.com/products

This is an example. A five port Ethernet PCB, with a serial port.
It's $70, but it doesn't say what quantity you have to buy
to get that pricing. The products they make, are designed
to be more than simple consumer products.

https://mikrotik.com/product/RB450

Once you see something you like, then go off on a
Google spree, and see if any of those are out in the
wild, with someone bragging about what they've
done to it or with it.

Paul

Mike S wrote:
On 12/28/2017 11:04 AM, Ed Cryer wrote:
The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices
connected; both mine, both legit. A Win10 tablet was updating.
It got me wondering, though. Could my router be hacked and not show
the hacker?
Ed

As far as blinking LED lights showing activity - I think it depends on
what model router you have, here's one that allows you to disable that
behavior. You can find out very easily by logging into your router or
reading the manual.
https://kb.netgear.com/24603/How-do-...ghthawk-router


The PHY silicon on Ethernet usually has programming options
for stuff like that. Some PHY can be programmed for
a one LED RJ45, a two LED RJ45, and so on. When you
de-assert RESET on a PHY, it'll auto-negotiate with
the other end, and if you have a bicolor LED (yellow/green),
the LED will indicate whether the link is running
100BT or GbE or whatever. While a second LED blinks
for activity.

There might have been strap options for the thing
as well, to determine what mode it comes up in by
default.

The nice thing about the PHY, is it can do stuff by
itself, even if the processor is dead. When you're working
in the lab, if you see the LEDs flash, it means your
board got power, and the RESET signal is deasserted.
(The PHY won't start if the RESET signal is present.)

After the processor starts running, you can
have some firmware go in there and program the registers
to any non-strap state you might want at that point
in time. (Like change from full-duplex to half-duplex
perhaps.)

The blinking, doesn't even have to come from the
processor. The PHY itself can have a pulse stretcher,
so that a 20uS runt packet, causes the LED to flash
for 20 milliseconds. That allows low duty cycle activity,
to give a decent light level for the user to notice.
And when the packet rate is railed, the LED can blink
in a fake activity pattern (50% duty cycle, or 30/70
or whatever). Pulse stretching takes a miserable LED
light show, and makes it decent looking. If you didn't
have pulse stretching, that indicator would really be
hated by people.

The first time I used one of those, I was really
impressed by the thought they put into it.

Paul

On 12/28/2017 9:19 PM, Paul wrote:
Mike S wrote:
On 12/28/2017 11:04 AM, Ed Cryer wrote:
The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices
connected; both mine, both legit. A Win10 tablet was updating.
It got me wondering, though. Could my router be hacked and not show
the hacker?
Ed

As far as blinking LED lights showing activity - I think it depends on
what model router you have, here's one that allows you to disable that
behavior. You can find out very easily by logging into your router or
reading the manual.
https://kb.netgear.com/24603/How-do-...ghthawk-router


The PHY silicon on Ethernet usually has programming options
for stuff like that. Some PHY can be programmed for
a one LED RJ45, a two LED RJ45, and so on. When you
de-assert RESET on a PHY, it'll auto-negotiate with
the other end, and if you have a bicolor LED (yellow/green),
the LED will indicate whether the link is running
100BT or GbE or whatever. While a second LED blinks
for activity.

There might have been strap options for the thing
as well, to determine what mode it comes up in by
default.

The nice thing about the PHY, is it can do stuff by
itself, even if the processor is dead. When you're working
in the lab, if you see the LEDs flash, it means your
board got power, and the RESET signal is deasserted.
(The PHY won't start if the RESET signal is present.)

After the processor starts running, you can
have some firmware go in there and program the registers
to any non-strap state you might want at that point
in time. (Like change from full-duplex to half-duplex
perhaps.)

The blinking, doesn't even have to come from the
processor. The PHY itself can have a pulse stretcher,
so that a 20uS runt packet, causes the LED to flash
for 20 milliseconds. That allows low duty cycle activity,
to give a decent light level for the user to notice.
And when the packet rate is railed, the LED can blink
in a fake activity pattern (50% duty cycle, or 30/70
or whatever). Pulse stretching takes a miserable LED
light show, and makes it decent looking. If you didn't
have pulse stretching, that indicator would really be
hated by people.

The first time I used one of those, I was really
impressed by the thought they put into it.

Â*Â* Paul

I'm impressed by the thought and detail you put into your posts!

On 28-12-2017 20:04, Ed Cryer wrote:
The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed


Yes, it can. Our router was hacked, we found that even the system
firmware was changed. We were never aware of anything, until I logged in
onto our router. It referred to a different IP address and I was not
aware to change that. Eeven a reset did not work.
It didn't show any hacker's IP address or whatsoever. The IP address was
something from a Brazilian site.
We bought a new router.

Fokke

On 12/29/2017 10:19 AM, Fokke Nauta wrote:
On 28-12-2017 20:04, Ed Cryer wrote:
The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed


Yes, it can. Our router was hacked, we found that even the system
firmware was changed. We were never aware of anything, until I logged in
onto our router. It referred to a different IP address and I was not
aware to change that. Eeven a reset did not work.
It didn't show any hacker's IP address or whatsoever. The IP address was
something from a Brazilian site.
We bought a new router.

Fokke



My Netgear router allows me to save its current configuration in a file
from which I can restore that configuration. Of course, a changed
firmware might disable my ability to restore.

--
David E. Ross
http://www.rossde.com/

President Trump: Please stop using Twitter. We need
to hear your voice and see you talking. We need to know
when your message is really your own and not your attorney's.

On Thu, 28 Dec 2017 17:20:32 -0800, David E. Ross wrote:

I disabled WiFi on my router. Our PCs are connected via ethernet cables.

And it's still connected to the Internet...

--
s|b

On Fri, 29 Dec 2017 19:19:43 +0100, Fokke Nauta wrote:

Yes, it can. Our router was hacked, we found that even the system
firmware was changed. We were never aware of anything, until I logged in
onto our router. It referred to a different IP address and I was not
aware to change that. Eeven a reset did not work.
It didn't show any hacker's IP address or whatsoever. The IP address was
something from a Brazilian site.
We bought a new router.

Care to share which routers?

--
s|b

On 12/29/2017 1:47 PM, s|b wrote:
On Thu, 28 Dec 2017 17:20:32 -0800, David E. Ross wrote:

I disabled WiFi on my router. Our PCs are connected via ethernet cables.

And it's still connected to the Internet...


Yes, but I eliminated one hacking path.

--
David E. Ross
http://www.rossde.com/

President Trump: Please stop using Twitter. We need
to hear your voice and see you talking. We need to know
when your message is really your own and not your attorney's.

On Fri, 29 Dec 2017 19:19:43 +0100, Fokke Nauta
wrote:

On 28-12-2017 20:04, Ed Cryer wrote:
The activity light was flashing away for some minutes on my
router-modem, so I logged into it and found just two devices connected;
both mine, both legit. A Win10 tablet was updating.

It got me wondering, though. Could my router be hacked and not show the
hacker?

Ed


Yes, it can. Our router was hacked, we found that even the system
firmware was changed. We were never aware of anything, until I logged in
onto our router. It referred to a different IP address and I was not
aware to change that. Eeven a reset did not work.
It didn't show any hacker's IP address or whatsoever. The IP address was
something from a Brazilian site.

Probably spoofed. Why would a Brazilian want to use your
router ? There are so many available here with just the default
passwords set ... admin admin etc.

We bought a new router.

I hope you changed the password before connecting it to the
net...
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012