As it turns out, the paperclip can be mightier than the sword — it just depends how you use it.
Ten years ago, there were alarm bells over public Wi-Fi in coffee shops, and then it was hotel Wi-Fi. But today, one security researcher says that the short-term house rental market is so big that now it’s the Wi-Fi network in the home you share that has become the target.
Jeremy Galloway, a security researcher, says that the housing market, which between Airbnb and HomeAway alone accounts for more than three million homes, is a “huge attack surface that can’t be ignored any longer.”
Galloway told me on the phone ahead of his talk at Black Hat on Thursday that attackers will “always go after the weakest point,” which in any network is usually the router. It’s no secret that routers are woefully insecure. Vint Cerf, co-inventor of the internet, who along with other experts has long championed a massive overhaul in router security, arguing that router makers are letting a key part of the internet’s infrastructure “rot in place.”
On a recent annual vacation trip, he tested his logic. Arriving back at the house early, he wanted to “punk his friends” by messing with the Wi-Fi. “It took thirty seconds,” he said. “I thought it’d take a few hours — and within minutes I had full ‘godmode’ control of the network.”
His hack is simple enough. What if you could quietly own an entire network, rather than reading wireless packets on a Starbucks Wi-Fi network, where the attacker is a client just like its victim?
If you can physically hold that router, you can reset its credentials and quietly modify its settings.
He calls it the “average paperclip threat,” or an APT — stylized after a same-named persistent attack from hackers and nation state groups. There’s nothing advanced about it, but using a paperclip to reset a router can give a hacker full access to the device.
“If someone can physically reset a router, they now control that device,” he said. “A bored teenager could do it. If a bored teenager can hack your network, you’ve got a real problem.”
And then they can walk away and wait for the next person to come in. That’s when the attack begins.
Once they’ve reset the router, they can conduct man-in-the-middle attacks to capture traffic as its flowing over a network — and steal usernames and passwords. They can send users to a malicious site using custom DNS settings, which as we’ve seen before can be used to trick a user into accessing fake websites. And, they can change the settings so that they can remotely log back into the router at any time.
“You can completely wreak havoc on a network and it doesn’t take any zero-days,” he said, pointing to one vulnerability — that being physical access to the router. “It’s really about changing settings.”
Millions of homes are vulnerable to this — even unsecured networks at pubs and bars, and coffee shops. But he said that there are things that can be done.
Physically removing access to the router is a major mitigation that will stop most opportunist network hackers in their tracks. Preventing a bored teenager from pushing a bent paperclip into the router’s reset button will massively reduce any attack.
It “raises the bar just high enough to make it so incredibly easy to carry out real damage,” said Galloway.
At very least, setting up a guest Wi-Fi network, which many modern routers allow. Or, if you’re a house owner and you make a living out of renting out your property — a separate business account line running into the house pays for itself.
“Whatever you do — you never, ever, ever want to share your main network,” he said.
As for the renter who’s staying, there are some things to consider. Use things like a virtual private network (VPN), but for anything secure, “use your phone,” he said. “Do it off of Wi-Fi, and use a legitimate banking app,” he said. The mobile networks around you are bolstered with heavier security than the average Wi-Fi network.
Galloway said there is “no easy fix.” He said it takes a “rapid rethinking” on how we provide secure networks. But it doesn’t warrant a constant fear of getting hacked.
Just “know that it can happen,” he said, and that it’s “something to be aware of,” he said.