LAS VEGAS — Are you an Airbnb customer? Are you an owner who rents out property using Airbnb, or any other short-term rental service? If so, you're at risk of being hacked if there's a Wi-Fi router in the rental unit, a security researcher said at the Black Hat 2016 conference here today (Aug. 4).
Jeremy Galloway, a researcher with Atlassian, said that too few homeowners keep the Wi-Fi router behind lock and key. If they don't, he said, any short-term tenant can get physical access to the router and then reset or modify it, with possibly disastrous results.
"When an attacker can touch your hardware," Galloway said, "you don't just have bad network security — you have no network security."
The scope of the danger became apparent to Galloway during a ski trip in Colorado, he said. Taking a break from the slopes, he figured he'd prank his friends by tweaking their Airbnb rental's Wi-Fi router to redirect network traffic to unexpected locations.
"I expected it would take me a couple of hours," he told the conference audience. "Instead, I found that I could just pick up the router and turn it over. Getting into it took me five minutes."
Security experts know that most home Wi-Fi routers have pretty poor security, especially because many users never change a given model's default administrator name and password. But even if the admin credentials are changed, Galloway said, there's often a built-in backdoor — the paperclip-activated reset button.
"I call this the Average Paperclip Threat," he joked, a nod to the advanced persistent threats, or APTs, about which information-security consultants warn corporations. "My APT is all that it takes to wipe out an entire layer of security."
With a paperclip, Galloway said, any kid with a laptop can reprogram the rental unit's Wi-Fi router to enable remote administration (to access it later), change the network name or password, block specific websites, turn on parental controls or, perhaps most dangerously, change the Domain Name System (DNS) settings so that the router gets its Web addressing information from a malicious source.
Malicious DNS servers could send someone logging into Gmail, for example, to a completely different site that only looks like the Gmail login page. The site could capture the user's Gmail address and password, then send the user to the real Gmail login page, none the wiser.
"If a bored teenager can hack your network, you're in trouble," Galloway said.
He cautioned one- or two-night renters against using a rental unit's Wi-Fi network, and suggested they instead use their smartphones to get online.
"Think twice before having an unprotected 'one-network stand,'" Galloway joked.
Because of the grave potential for harm, he said, both homeowners and renters need to take precautions with rental-unit Wi-Fi. First and foremost, homeowners need to make routers inaccessible to tenants.
"Lock it in a closet, or in a locked room," Galloway said. "Or put it in an electronics enclosure," a locked box transparent to radio signals.
Homeowners should periodically factory-reset their routers, he added, just to clear out anything that might have accumulated. They should never share their personal Wi-Fi network with renters if their own living quarters are next to the rental unit. They might also consider not offering Wi-Fi access at all.
Renters should manually set their DNS settings on all devices they travel with, Galloway said, such as to Google's dependable "188.8.131.52" DNS server. That way, a malicious router can't redirect Web traffic.
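The two renter-side checks implied above, confirming that a travelling device really is using a pinned resolver and comparing the rental network's DNS answers against a trusted resolver's, as an added Python example. This is not code from Galloway's talk or from the article; it assumes Google Public DNS at 8.8.8.8 and 8.8.4.4 as the trusted resolvers, and every sample (the resolv.conf text, the DNS response bytes, the answer sets) is constructed for illustration.

```python
"""Two DNS checks for a device on an untrusted rental network (added example).

1. Which nameservers the OS is using (parsed from resolv.conf-style text) and
   whether they are on a trusted allowlist, so a manually pinned resolver can
   be confirmed rather than assumed.
2. Whether the network-supplied resolver's answers for a hostname share any
   address with a trusted public resolver's. Total disagreement, or a name the
   rental resolver refuses to resolve, points to DNS tampering on the router;
   CDN-backed names legitimately return differing subsets, so partial overlap
   is not flagged. Live lookups use a hand-built UDP query (standard library).
"""
import ipaddress
import secrets
import socket
import struct
from typing import Dict, List, Set

# Google Public DNS addresses (assumed trusted for this example).
TRUSTED_RESOLVERS: Set[str] = {"8.8.8.8", "8.8.4.4"}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry: ignore rather than trust it
    return servers


def untrusted_resolvers(text: str, trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Nameservers in use that are not on the allowlist (e.g. the router's DHCP-supplied one)."""
    return [ns for ns in parse_resolv_conf(text) if ns not in trusted]


def build_query(hostname: str, txid: int) -> bytes:
    """Standard DNS query for an A record: header with RD set, one question."""
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return offset + 2
        offset += 1 + length


def parse_a_records(response: bytes, txid: int) -> Set[str]:
    """Extract IPv4 answers from a DNS response; empty set on error RCODE or no A records."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:  # non-zero RCODE (e.g. NXDOMAIN, REFUSED)
        return set()
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE + QCLASS
    addresses = set()
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:
            addresses.add(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlength  # skip CNAME and other record types
    return addresses


def query_a(hostname: str, resolver: str, timeout: float = 3.0) -> Set[str]:
    """Ask one resolver directly for hostname's A records (needs network access)."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(hostname, txid), (resolver, 53))
        response, _ = sock.recvfrom(4096)
    return parse_a_records(response, txid)


def divergent_hosts(network: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> List[str]:
    """Hostnames whose rental-network answers share no address with the trusted answers."""
    flagged = []
    for host, trusted_addrs in trusted.items():
        net_addrs = network.get(host, set())
        if (net_addrs or trusted_addrs) and net_addrs.isdisjoint(trusted_addrs):
            flagged.append(host)
    return sorted(flagged)


# Constructed samples (documentation-range addresses), not captured traffic.
SAMPLE_RESOLV_CONF = "# generated by DHCP\nnameserver 192.168.0.1\nnameserver 8.8.8.8\nsearch lan\n"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("203.0.113.10")
)
SAMPLE_NETWORK = {"mail.example": {"198.51.100.7"}, "cdn.example": {"203.0.113.20", "203.0.113.21"}, "bank.example": set()}
SAMPLE_TRUSTED = {"mail.example": {"203.0.113.5"}, "cdn.example": {"203.0.113.21", "203.0.113.22"}, "bank.example": {"203.0.113.9"}}

if __name__ == "__main__":
    print("untrusted resolvers:", untrusted_resolvers(SAMPLE_RESOLV_CONF))
    print("parsed sample answer:", parse_a_records(SAMPLE_RESPONSE, 0x1234))
    print("divergent hosts:", divergent_hosts(SAMPLE_NETWORK, SAMPLE_TRUSTED))
```

On a real trip the renter would feed `untrusted_resolvers` the device's actual resolver configuration and build the two answer dictionaries with `query_a(host, router_dns)` and `query_a(host, "8.8.8.8")` for the handful of sites that matter (mail, bank). A hostname that the router's resolver sends somewhere the trusted resolver has never heard of, or refuses to answer at all, is the signal to stop using that network; partial overlap is left alone because CDNs hand out different address subsets from different vantage points.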
He also suggested that renters enable two-factor authentication on all online accounts that permit it, minimizing the chances of an account hijack, and use commercial virtual-private-network services such as TunnelBear.
To see what kinds of attacks upon your devices might be possible, "watch Mr. Robot," Galloway said. "If you watch that show, you're exposing yourself to more security knowledge than 99 percent of the population."
But, he added, unsecured routers and sloppy Wi-Fi security in short-term rental units will be with us for some time.
"This problem is not going away anytime soon," Galloway said. "There's no patch, update or easy fix."