The Reddit Router Scam

A couple of days ago one Reddit user had the misfortune to return home and discover something rather interesting hooked up to their router, placed there by their roommate. A cross between a multi-level marketing scam and hardware malware, the board had been put in a position that allowed it to harvest every bit of available data from their local network.

Mystery hardware. (📷: u/Wardoghk)

Looking at the picture of the board itself, it appears to be an off-the-shelf Friendly ARM NanoPi NEO single-board computer. Built around an Allwinner H3 processor, a quad-core ARM Cortex-A7 running at 1.2GHz with 256MB of RAM, the board has a 10/100Mbps Ethernet jack and a micro SD card slot. That’s a specification that provides more than enough horsepower to snoop on any traffic going across the local network.

The Friendly ARM NanoPi NEO (📷: Friendly ARM)

Anyone wondering about the single network cable going into the device: a “traditional” man-in-the-middle (MitM) attack would require the board to have two Ethernet connections, with the network traffic physically passing through it. That isn’t actually necessary. On a switched network a single-interface device won’t passively see the other hosts’ traffic, but it can actively insert itself, for instance by ARP spoofing: answering for the router’s IP address so that the other devices send their traffic to the board, which then quietly forwards it on to the real router. With that sort of configuration a board like this could intercept all the traffic on the network.
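The tell-tale sign of that kind of insertion is the same IP address being claimed by two different MAC addresses, with the rogue MAC usually claiming the router’s address and the victim’s address at the same time. The following is an added example, not code from the original post or from the Reddit thread: it parses a constructed ARP log in the style of `tcpdump -n arp` output and flags those conflicts. The gateway address, the MAC addresses and the function names are all assumptions made for the example.

```python
"""Flag ARP spoofing from a log of observed ARP replies.

Added example. The log below is constructed for illustration in the
style of `tcpdump -n arp` output; the addresses are not from the post.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 02:81:aa:00:00:02 answers for both the gateway
# (192.168.1.1) and a victim host (192.168.1.23), the classic pattern
# of a device poisoning both sides so it can sit in the middle.
SAMPLE_LOG = """\
12:00:01.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:01.200001 ARP, Reply 192.168.1.23 is-at aa:bb:cc:dd:ee:01, length 28
12:00:02.000001 ARP, Reply 192.168.1.1 is-at 02:81:aa:00:00:02, length 28
12:00:02.000009 ARP, Reply 192.168.1.23 is-at 02:81:aa:00:00:02, length 28
12:00:03.000001 ARP, Request who-has 192.168.1.50 tell 192.168.1.23, length 28
12:00:03.100001 ARP, Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:02, length 28
"""

# Assumed: the router's real address pair, as read off the router itself.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

REPLY_RE = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})"
)


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str  # normalised to lower case


def parse_arp_log(text):
    """Extract (ip, mac) claims from ARP *replies*; requests are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append(ArpReply(m.group(1), m.group(2).lower()))
    return replies


def find_conflicts(replies, gateway_ip, gateway_mac):
    """Return the spoofing indicators visible in a set of ARP replies.

    impersonated:       IPs claimed by more than one MAC
    rogue_gateway_macs: MACs other than the known one claiming the gateway IP
    multi_ip_macs:      MACs claiming more than one IP (one box answering
                        for several hosts)
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for r in replies:
        ip_to_macs[r.sender_ip].add(r.sender_mac)
        mac_to_ips[r.sender_mac].add(r.sender_ip)

    return {
        "impersonated": {
            ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1
        },
        "rogue_gateway_macs": sorted(
            ip_to_macs.get(gateway_ip, set()) - {gateway_mac.lower()}
        ),
        "multi_ip_macs": {
            mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1
        },
    }


if __name__ == "__main__":
    report = find_conflicts(parse_arp_log(SAMPLE_LOG), GATEWAY_IP, GATEWAY_MAC)
    for key, value in report.items():
        print(f"{key}: {value}")
```

One caveat when running this against a real capture: an IP legitimately changing hands (a DHCP lease expiring, a replaced network card) also shows up as two MACs for one IP, so look at the timing. Replies that alternate between two MACs every few seconds, or a single MAC that claims the gateway and other hosts together, are the pattern to worry about.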

While in this particular instance the device seems—at least on the face of it—to be used to “anonymously” buy Facebook advertising, by placing it inside the local network the roommate has given it access to all the data passing across that network.

If the board is functioning as a MitM proxy, it is also in a place where it can inject JavaScript into any unencrypted web page you’re viewing, as well as harvesting any usernames and passwords passed in the clear. HTTPS protects the contents of a connection, but not the fact of it: the device still sees your DNS lookups and which hosts you connect to, so even with sensitive data encrypted the device is far from harmless.

Many home routers have serious security vulnerabilities, or are still running default credentials, which means that a device that can intercept data can also—at least potentially—access your router, and in the worst case flash a new, compromised firmware onto it. Afterwards, even if the board itself would have difficulty performing a MitM attack, your now compromised router wouldn’t.

Once compromised, your router could also be put into service as part of a distributed denial of service (DDoS) botnet for hire, or even used to mine cryptocurrency.

Giving an unknown device access to your local network is serious, as most computers, along with most Internet of Things “smart” devices, trust the other devices on the local network to be “good actors.” By connecting an unknown device to your local network you’re placing a potentially hostile device in a position of implicit trust, and whether you trust it yourself is now irrelevant, because your computers and other devices will.

We can only agree?


Scientist, Author, Hacker, Maker, and Journalist.
