Monday, September 2, 2013

Hacked through the mains!

A few months ago, I was confronted with an issue: my wireless network was not powerful enough to get to the very far confines of my office, and my desktop computer would periodically lose its connection to my small LAN. To solve this, I went to a nearby computer store and bought a pair of Ethernet-to-mains modems from TP-Link, which I used for a few weeks. They are

As I didn't have a Windows machine at that time, I left the modems in their default configuration. Then, as I had a few disconnection issues and I didn't like the fact that the traffic was not encrypted, I replaced the pair with a very long cable.

Recently, I found them again and decided to play a bit with them. To my surprise, as soon as I plugged in the first one, it picked up a connection. Surprising, as the other one was still in my hand ... I decided to plug in the cable and check what network I was connected to.

The router is a Netgear DGND3300B, an interesting model with a few cool features, such as a Traffic Meter, a built-in shared drive (provided that a USB device is plugged in), a media server and much more. Well, it's also the case that the box has a default username/password combination of "admin/password".

This gave me access to my neighbor's router. So basically, I pwned his network: I could have disabled the DHCP server to install my own in order to play man-in-the-middle (MiTM), activated random features or even leeched off his network.

These little powerline modems are cool, but they are also very dangerous: as with a wireless connection, it is very difficult to draw an exact boundary around the network once it is extended through the power network, and it falls on the user to make sure the devices are properly configured to talk only to each other, and never to any other device that could be reachable.