If someone uses such an attack on a website to point to 192.168.8.1, does this mean that this router can be hacked? Is there any way to protect against it?
Do you have HTTPS hijack attack protection? I mean, do you provide totally different HTTPS certs for each router (for the admin panel), or are they all the same on all routers? If they are the same, what stops an attacker from just extracting the cert from your firmware and doing a MITM attack on a known GL router? Could you consider generating a new certificate on first boot (or after a firmware reset)?
Yep, they are generated on first start, as far as I checked. But since they are all self-signed … it's not really security (speaking of trust). If you don't import it into your trust store you will not know if it changed.
Do you mean a local attack? Not directly, but if the attacker succeeds he can decrypt the HTTPS traffic, though like @admon said you can store it in your trusted certs; it will then immediately stop the connection.
Such an attack is highly unlikely, and probably often happens from an upstream scenario, but because of the firewalling behaviour that a router is supposed to do, it will not work.
To import it I need to export it first. How do I export it?
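The two points raised above (exporting the router's self-signed cert, and noticing when it changes) can be handled without importing anything into a trust store: record the certificate's SHA-256 fingerprint the first time you connect and compare on every later connection. The following is an added example, not GL.iNet's code or anything from the forum. It assumes the admin panel is at 192.168.8.1:443 (the address mentioned in the thread); the in-memory pin store and the PEM bodies used in the demo are constructed, not real certificates, so the example runs offline. Fetching the live PEM uses the standard-library `ssl.get_server_certificate`; the `openssl s_client -connect 192.168.8.1:443 -showcerts` command yields the same PEM if you prefer the CLI.

```python
import base64
import hashlib
import hmac
import ssl


def fetch_router_pem(host: str = "192.168.8.1", port: int = 443) -> str:
    """Export the certificate the router presents, as PEM text.
    Standard-library call; fetches the leaf cert WITHOUT validating it,
    which is exactly what we need for a self-signed cert. (Not called in
    the offline demo below.)"""
    return ssl.get_server_certificate((host, port))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, formatted like `openssl x509 -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(host: str, pem: str, store: dict) -> str:
    """Trust-on-first-use pinning.

    Returns "pinned" on the first sighting (fingerprint recorded),
    "ok" when the presented cert matches the recorded one, and
    "changed" when it does not: stop and find out why before logging in.
    """
    fp = fingerprint(pem)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "pinned"
    if hmac.compare_digest(known, fp):
        return "ok"
    return "changed"


def export_pem(pem: str, path: str) -> None:
    """Write the PEM to disk so it can be imported into a device's trust store."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)


def constructed_pem(body: bytes) -> str:
    """Constructed stand-in for a certificate: PEM framing around arbitrary bytes.
    Only used so the demo can run with no router on the network."""
    b64 = base64.encodebytes(body).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


def demo() -> dict:
    """Walk through first boot, a normal revisit, and a cert swap (e.g. firmware reset)."""
    store: dict = {}  # in a real setup persist this, e.g. as JSON in your home directory
    first = constructed_pem(b"constructed: router cert generated on first boot")
    second = constructed_pem(b"constructed: router cert after firmware reset")
    return {
        "first_visit": check_pin("192.168.8.1", first, store),
        "second_visit": check_pin("192.168.8.1", first, store),
        "after_reset": check_pin("192.168.8.1", second, store),
        "fingerprint": fingerprint(first),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A "changed" result is expected right after you reset the router (a new self-signed cert is generated on first start, as noted above); in any other situation it is the signal a trust-store import would otherwise give you.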
For home - you are right (probably).
But for public connections or shared WiFi (for example if you are sharing WiFi with neighbours) it can happen.
It will decrease security as it will open the router to the public network. This can cause brute force and you can NOT prevent this, as the attacker will have unlimited time.
Also, if a modem is used (cellular network to WiFi), DDNS won't work (as in my case).
Moreover, you can maliciously point DDNS to any IP (even a phishing one (for example a phishing proxy)) because you only need to know the SN and device ID to make this attack.
And no, HTTPS will NOT prevent this attack, because the attacker does something like this:
Your router -> real HTTPS -> attacker server -> attacker HTTPS or HTTP -> you
I do NOT recommend using DDNS at all. If you need such a feature, consider GoodCloud or something like a reverse VPN (cloudflared). But both methods will decrease your security more or less.
DDNS will map a DNS entry (from the GL.iNet DDNS service) to your public IP. While running my script, it will indeed open a port (TCP/80) but only for ~10 seconds.
The reason why I said it's an option: by getting a cert from Let's Encrypt it's trusted by your browser automatically, so you would see if someone tries to hijack the connection.
It depends on how well you understand the process of cert creation / cert validation.
I would simply go with my script (because that is why I created it). It will update the cert automatically and the cert is trusted by your browsers automatically (so no import on different devices, which is e.g. really painful on iOS).
To truly get security + trust you need to create your own CA and create a self-signed cert from this CA.
Or you can just go with the currently installed one and… I guess… no one would try to hack your home router.
I believe in that case you should also be fine, at least how it is defined.
Let's say you are at a public WiFi and you set your router up as a repeater. Then the repeater works as WAN, meaning the web interface is not accessible and any other direct inbound traffic gets blocked by the firewall. However, there might be tools to even MITM connections, but not on the local segment, so the router web is considered safe, but the external web is not; in that case you might want to use a VPN.
It's all about getting the certificate before it hits the router; that is why it is more likely to happen upstream, but upstream does not know about your local network.
However, if you really want an open WiFi network then I suggest using WiFi isolation and maybe adding LAN isolation as well, so the LAN is on a different network. Then they can abuse ARP to become a router, but nothing will respond, so it will fail.
“A CSRF attack on a router admin panel is a type of web application vulnerability where an attacker can trick a legitimate user into performing unintended actions on the router's administration interface. This could include changing the router's settings, such as the Wi-Fi password, enabling remote access, or even completely taking over the router.
The attack works by exploiting the fact that the router's admin panel trusts any requests coming from a user who is already authenticated and logged in. The attacker crafts a malicious request, often hidden in an image or a link, and tricks the victim into inadvertently sending that request to the router while they are already logged in. This allows the attacker to perform actions on the router as if they were the legitimate user.
The risk with this type of attack is that it can give an attacker full control over the router and the network it manages, potentially allowing them to intercept traffic, monitor user activity, or even use the router as a launching point for further attacks on connected devices. Proper security measures, such as implementing CSRF tokens and other anti-CSRF protections, are important to mitigate this type of vulnerability.”
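The quoted description names the defence (CSRF tokens) without showing what the router's request handler has to check. The following is an added example written for this thread, not GL.iNet firmware code: a minimal admin-panel handler in two versions, one that trusts the session cookie alone (the behaviour the quote describes) and one that additionally verifies the request's Origin and a per-session synchronizer token. The `Request` class, the in-memory session store and the `https://evil.example` attacker origin are constructed for the demo; the admin-panel origin `https://192.168.8.1` is the address used earlier in the thread.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical in-memory session store: session id -> per-session data.
SESSIONS: dict = {}
ROUTER_ORIGIN = "https://192.168.8.1"  # the admin panel's own origin


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the panel's web server sees it."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login() -> str:
    """Create an authenticated session and return the session cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_secret": secrets.token_bytes(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Synchronizer token: derived from a secret only this session holds, so a
    page on another site cannot compute it. The panel embeds it in its own forms."""
    return hmac.new(SESSIONS[sid]["csrf_secret"], b"csrf", hashlib.sha256).hexdigest()


def _session_of(req: Request):
    sid = req.cookies.get("session")
    return sid if sid in SESSIONS else None


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def change_wifi_psk_vulnerable(req: Request):
    """Trusts any POST carrying a valid session cookie. Because the browser
    attaches that cookie to cross-site form posts too, a page the victim
    merely visits can drive this endpoint."""
    if req.method != "POST" or _session_of(req) is None:
        return 403, "unauthorized"
    return 200, "psk changed"


def change_wifi_psk_hardened(req: Request):
    """Same endpoint with two independent anti-CSRF checks."""
    sid = _session_of(req)
    if req.method != "POST" or sid is None:
        return 403, "unauthorized"
    # Check 1: browsers add an Origin header to cross-site POSTs; it must be
    # the panel itself (Referer is accepted as a fallback for older clients).
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None or _origin_of(origin) != ROUTER_ORIGIN:
        return 403, "rejected: origin"
    # Check 2: the form must carry the token bound to this session.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return 403, "rejected: csrf token"
    return 200, "psk changed"


def demo() -> dict:
    """Compare both handlers against a legitimate and a forged request."""
    sid = login()
    legit = Request("POST", headers={"Origin": ROUTER_ORIGIN},
                    cookies={"session": sid},
                    form={"psk": "new-psk", "csrf_token": csrf_token_for(sid)})
    # Forged: submitted by a page on evil.example while the victim is logged in.
    # The browser sends the session cookie, but neither the right Origin nor the token.
    forged = Request("POST", headers={"Origin": "https://evil.example"},
                     cookies={"session": sid}, form={"psk": "attacker-psk"})
    return {
        "vulnerable_legit": change_wifi_psk_vulnerable(legit)[0],
        "vulnerable_forged": change_wifi_psk_vulnerable(forged)[0],
        "hardened_legit": change_wifi_psk_hardened(legit)[0],
        "hardened_forged": change_wifi_psk_hardened(forged)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but the server-side checks above are what stop a forged request from a client that does not honour it.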
It does not make sense to use CA just because you want to use CA.
Without a deep understanding of what you do there and why … it's just a waste of time.
I don’t understand what you are trying to achieve at all.
In that case, your way is the correct one, even if it does not make sense to create a CA just for one device. You need to keep the CA cert safe. And you need to import it on all devices.
Why do you suspect that someone will try to do a MITM attack within your local LAN?
Local LAN? To access the local LAN you need to be connected to my network. If I used HTTP, wouldn't it make MITM possible for bad actors without accessing the LAN directly (aka sniffing maybe?). Or have I gone the wrong way?