4

If you connect to the internet using a router that's controlled by a hacker, is there some way you can safely surf the internet without getting hacked? By using a vpn and firewall maybe?

Does it make a difference what kind of router it is?

  1. A wired router

  2. A wireless router

  3. A 4g usb dongle (Could this be used for a bad usb attack?)

Anders
  • 65,052
  • 24
  • 180
  • 218
Linux_user0987
  • 261
  • 1
  • 8
  • If you would use a VPN and connect to your own server, which is configured the right way, I would not see a problem (based on the assumption that you are using TLS and encryption in all ways and route your whole traffic over this VPN, also your DNS requests). The attacker would be able to save your encrypted traffic but nothing more would happen. – Cyberduck Nov 12 '19 at 17:58

5 Answers5

3

If you use a VPN, Tor or 100%1 HTTPS (w/o ignoring warnings) on your local machine to connect through the router to the internet than the attacker on the router cannot extract passwords or similar from your traffic and cannot manipulate the traffic. He can deny or delay the traffic though and in case of HTTPS he can at least see where you are connecting to in order to collect information about you or only disturb selected traffic. With HTTPS he can also intercept and manipulate plain2 DNS requests and responses but this does not affect the security of HTTPS itself.

All of this is independent of how the router connects to the internet, i.e. it does not matter if 4G, DSL, fiber, cable or others. It also does not matter if you connect to the router with wire or wireless. With a "4g usb dongle" though you get additionally potential USB based attacks - although in this case (BadUSB) it is not enough for the attacker to be "at the router" but he has to be deeper in the firmware in order to make the USB device not behave like a router but like a keyboard or similar.

But even though your internet traffic is mostly protected, having an attacker on a local router means to have the attacker in the local network. Depending on the configuration of your system the attacker might attack your machine directly. A firewall on your local system which denies any connections initiated from outside will protect you from such network level attacks (i.e. not from BadUSB).


1 Note that 100% HTTPS is unrealistic, there is usually at least some plain HTTP involved. And plain HTTP could be modified by the attacker on the router.

2 Plain DNS means no DNS over TLS or DNS over HTTPS or otherwise protected DNS (like in DNSSec). Plain DNS is still the most common way of using DNS.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Technically HTTPS security is not guaranteed if they can control DNS and get you to trust their certificate, but that is a *very* unlikely set of circumstances, so not really a serious comment – Conor Mancone Nov 13 '19 at 00:17
  • Although perhaps the malicious router may direct you to install a certificate in order to gain access to the internet, effectively social engineering you into completely compromising your connection.... – Conor Mancone Nov 13 '19 at 00:18
  • @ Steffen: When you say he can intercept and manipulate DNS requests, are you talking about a situation where DNS is used over HTTP or HTTPS? Will I be safe if I use DNS over HTTPS? – Linux_user0987 Nov 13 '19 at 04:28
  • @ConorMancone: *"... and get you to trust their certificate, ..."* - how? I've specifically ruled out ignoring warnings by the user. *"...the malicious router may direct you to install a certificate..."* - how? This is specifically assumed to be 100% HTTPS so the attacker on the router has no way to modify traffic in order to redirect the user. – Steffen Ullrich Nov 13 '19 at 05:36
  • @Linux_user0987: I'm talking about common DNS and not DNS over something (i.e. no DNS over TLS, no DNS over HTTPS). But since the attacker cannot modify anything over HTTPS this would include DNS over HTTPS. – Steffen Ullrich Nov 13 '19 at 05:37
  • @ Steffen: Could the attacker controlling the malicious router use sslstrip against vpn or tor? – Linux_user0987 Nov 14 '19 at 16:35
  • @Linux_user0987: sslstrip requires initial connections to be HTTP and then downgrades following connections from HTTPS to HTTP. It will not work with 100% HTTPS, VPN or Tor since the necessary preconditions (plain HTTP) are not given. – Steffen Ullrich Nov 14 '19 at 16:39
1

I'll break your question down into two sections: The risks associated with using a malicious access point; and whether the type of router makes a difference.

Risks associated with connecting to a malicious access point

Connecting to a malicious access point can expose you to several risks. An attacker may be able to:

  • Perform a man-in-the-middle attack;
  • Perform a downgrade attack;
  • Perform a Session Sidejacking attack;
  • Track your SSID/MAC-address;
  • Exploit vulnerabilities and misconfigurations to gain access to your machine, and;
  • Share malicious files with you.

A VPN - assuming it was configured correctly - would help mitigate the first three items on the list. Further mitigations built into modern some OSs would help further protect you from attack using the last two vectors on the list

Does the type of router make a difference?

The type of router does make a difference. The threats associated with wired and wireless routers are broadly similar, however, it would not be possible to track someone using their SSID on a wired router for obvious reasons.

4G is considered safer than public wifi (assuming the malicious access point is public wifi). 4G devices connect to the Internet through their provider’s cellular connection. Instead of receiving a signal from an Internet Service Provider as the device would at home or work, it receives data from the cellular company in the same way it receives a mobile phone connection. However, it would be possible to attack a machine using a malicious USB dongle.

1

When using Tor the attacker can still control your path and in this way force you to use nodes he controls. So he can use traffic correlation attacks or just capture traffic at the exit node.

Depending on the skill of the attacker he can acquire legit certificates and also get access to https traffic.

With a VPN connection it depends on the security of the endpoints. NordVPN has been hacked a while ago and private keys have been stolen. You could chain VPNs to mitigate that issue. Of course you have to trust the provider not to log your data.

anon1980
  • 11
  • 1
0

VPN will help in this case, He will only be able to get the enrypted traffic, Traffic decryption and performing replay attack is another challenge. It depends upon the skills of hacker but while using VPN or encrypted channel you are some how safe but not completly safe.

semw
  • 47
  • 2
-2

There are different types of attacks for rogue or malicious APs, most common ones are to sniff and steal data. If that is the case:

I don't recommend the use of a VPN (at least not standalone) as you don't know (I guess) the attacker capabilities, they could set up the connection with SSLStrip or exploit a vulnerability of your VPN to still see and inject traffic. If you must (I don't see why you will do this), you can consider using Tor through a second router with WDS and DNS properly set up, to connect to the malicious router. Tor will protect you from sniffing even at a LAN level, plus a VPN will do the trick.

Of course it will worth to know more details about the malicious router beforehand, you can accomplish this using DNS probes, doing a port scan to the gateway while connected directly to the attacker, verify how the connection goes after you connect to the malicious router using traceroute to determine how is the AP configured, try to figure out if he uses the real MAC and if he does you can figure out the device he is using to outsmart the attacker.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 1
    `I don't recommend the use a VPN` why not? That's the first thing I would recommend... – ThoriumBR Nov 12 '19 at 19:01
  • if all traffic is going through the malicious router, Tor won't help either. – schroeder Nov 12 '19 at 21:53
  • @schroeder : Do you disagree with other answers saying vpn and tor will work? – Linux_user0987 Nov 13 '19 at 04:33
  • ThoriumBR --> Not Stand alone considering you are connected to a rogue AP. schroeder --> False, TOR traffic is not visible even on LAN (go do the lab test) @schroeder --> I do not disagree, but considering this is the worst case scenario where someone tries to surf the web thru a malicious AP I think VPN can still be fooled or, depending on the VPN hacked to sniff everything. – Edward Gavilán Nov 17 '19 at 01:38
  • +In my comment I only considered MiTM attacks as the question is about surfing the web but that's only a portion of the whole pool of LAN attack vectors, nor TOR nor a VPN will help you against a misconfiguration exploitation case, virus spreading,etc. – Edward Gavilán Nov 17 '19 at 01:57
  • @EdwardGavilán : You say mitm is one possible way to attack on LAN. But if I use vpn and/or Tor to connect to the internet and also a firewall, would this provide the necessary protection? – Linux_user0987 Nov 24 '19 at 04:22
  • Sorry for the delay Linux_user0987. No, I would not say that since nothing is guarantee, no matter the attack surface, there is almost always a way to get around security. – Edward Gavilán Sep 24 '22 at 20:51