For most people, it's really not a problem. But here's a fun example I recently came across.

I'm looking for an apartment in SF, and I stumble across a few places that seem too good to be true. Pretty sure they're spam, but out of curiosity, I go ahead and email. (Plus the way to make life difficult for spammers is to give them a lot of false positives, playing along for as long as possible, wasting their time, but unfortunately yours too.) The response I get back is clearly a scam—the "pay $200 deposit to schedule a tour" kind of scam. I get a few more emails, pressing me to pay the "deposit." Out of curiosity, I check the email headers. The sender is using Yahoo, and the IP address is being leaked. I do a geo IP lookup, and it turns out the IP is from Ghana.

Naturally, I enter the IP in my browser, and guess what shows up? An authentication dialog for the "EchoLife Home Gateway." Sure enough, entering "admin" for both username and password works fine (first try too), and here I am, connected to some scammer's router, halfway across the globe.

What's more, the router connects to the ISP using PPPoE, so the username for the account is visible in the PPPoE config. And the password is hidden under a password field, but it's being loaded by some sketchy JavaScript (you know how router software is). Pretty trivial to check out the DOM and find a plaintext password. Next time I'm in Ghana, I get free DSL! Did I mention that the username for the PPPoE account was clearly an actual name? A bit of google-fu and I know quite a bit about the guy who tried to scam me. Turns out it's no secret he's a scammer—in his early days it looked like he'd been using his actual name to run scams, so there were a ton of postings on scam reporting sites.

I stopped there because, as fun as it was, this was just an exercise of intellectual curiosity; I never had the intention of breaking stuff. As much as a scammer might deserve it, vigilantism isn't really the way to do it. I just reported the email to Yahoo/Google and moved on. I doubt there was much anyone could do to stop the guy from scamming anyway. But there's a lot you can do with an open router if you want to harm someone, and that's an understatement. All it would take is something as simple as setting up a VPN connection (I don't think the router I was dealing with actually supported VPN, but I'm sure you could do something malicious, like port forwarding to NetBIOS).

The moral of this should be pretty clear: if you're a scammer, don't leak your IP. Also, don't use default passwords for routers. Clearly that was the bigger issue here, but how many average people do you think use default passwords? At least if their IP is hidden, there's an extra layer of obscurity. Not a great one, but better than nothing.
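The first step in the story above, pulling the sender's IP out of the email headers, is the same triage step an incident responder does on a reported phishing or scam email. The following script is an added example, not code from the commenter or from any project; it parses a constructed sample message (documentation-range addresses, not a real capture) with Python's standard `email` module, lists the IP recorded by each `Received:` hop from the most recent to the earliest, and picks the earliest hop that is not on an internal range as the originating address. The geo lookup the comment describes is left to an external service and is not part of the example.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message. Received: headers are read top to bottom
# as most recent hop first; the bottom one is the hop closest to the sender.
SAMPLE_RAW = """Received: from mta-out.example.net (mta-out.example.net [198.51.100.7])
    by mx.example.org with ESMTPS; Tue, 3 Mar 2015 10:00:00 -0800
Received: from relay.internal (relay.internal [10.4.2.1])
    by mta-out.example.net; Tue, 3 Mar 2015 09:59:30 -0800
Received: from [192.0.2.45] by webmail.example.net via HTTP;
    Tue, 3 Mar 2015 09:59:00 -0800
From: listing@example.net
To: renter@example.org
Subject: Apartment tour deposit

Please pay the deposit to schedule a tour.
"""

# Dotted-quad candidates; each is validated with ipaddress before use so
# strings such as 999.1.1.1 are rejected.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that cannot be the remote sender: RFC 1918, loopback, link-local.
# The ipaddress module's is_private also flags documentation ranges, so an
# explicit list is used here to keep the sample addresses usable.
_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if ip falls in a range that can only be an internal hop."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL_NETS)


def _first_valid_ip(header_value: str):
    """Return the first syntactically valid IPv4 address in a header, or None."""
    for candidate in _IPV4_RE.findall(header_value):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue
        return candidate
    return None


def received_hops(raw_message: str):
    """IPs recorded by each Received: header, most recent hop first.

    policy.default unfolds continuation lines, so each header is one string.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received") or []:
        ip = _first_valid_ip(str(value))
        if ip is not None:
            hops.append(ip)
    return hops


def originating_ip(raw_message: str):
    """Earliest non-internal hop, i.e. the best guess at the sender's address.

    Caveat for triage: only the Received: lines added by servers you control
    are trustworthy; anything below them could have been forged by the sender.
    """
    for ip in reversed(received_hops(raw_message)):
        if not is_internal(ip):
            return ip
    return None


if __name__ == "__main__":
    print("hops (latest first):", received_hops(SAMPLE_RAW))
    print("originating IP:", originating_ip(SAMPLE_RAW))
```

The internal-range skip matters because webmail providers often record a private relay address between the client hop and the public outbound MTA; without it the script would stop at the relay and report nothing useful.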



Thanks for sharing. This was an awesome read. I'm surprised the router allowed external connections to access the internal configuration. However, some older routers are pretty poorly designed from a security standpoint.
