They wouldn't really have anything to hold ransom. Routers usually have hardware reset switches in the back too. Not saying it's not possible, but little to gain by holding it ransom. If they hacked the router, they'd be doing the kind of things they WON'T inform you about, like man in the middle attacks stealing everything from all your user/passwords to credit/bank/personal info.
Well, the reset switch usually causes the bootloader to reformat the volatile partition of the flash.
But there's nothing to stop an attacker from rewriting the "write protected" areas like e.g. a firmware update does.
Consider that many routers these days come with NAS or MediaServer functionality... and thus are a valid target for hackers.
Furthermore, they are often directly connected to the Internet, and there have been numerous remote-root exploits for cheap Chinese knock-offs as well as for highly praised manufacturers like AVM.
Again, the dangerous part isn't holding it hostage, it's what they can do to it without you noticing. They can intercept all your network traffic, redirect websites you visit to a server they control, etc.
If you have a hard drive plugged into your router, they can perform the same crypto-lock attack being discussed here. They can also use your router to launch attacks against the rest of your hardware.
If modern routers are delegated to router duty only, this wouldn't be a problem. However, routers these days are for all intents and purposes, specialised home servers with shared media streaming and the like as well. These are value-added functionalities ISPs use to entice new users and I'm sure a fair number of them use these to store photos, connect their USB drives - mine is also a print server for use with non-wifi network printers.
SSL Strip still works and banks don't care about anything other than providing the illusion of security and standard SSL.
Take for example an old lady down the road who somehow got some futuristic malware on her router. She goes to Bing to search for Wells Fargo to do some online banking (and you know that there is a huge portion of users who only browse the web this way). Hypothetical malware then just runs SSLStrip over the page from bing.com, which isn't served over SSL because Microsoft values their bottom line over your privacy and security, which then replaces the link to the https site with http; the router acts as a proxy between http and https so wellsfargo.com is none the wiser. Evil hacker now has poor old lady's password and transfers the money in her account to his own foreign bank account.
This hypothetical scenario is doable even running off of a slow router while not using many more resources than the parental keyword filtering uses. At no point does SSL ever come into play and the top 4 Banks in America (Chase, Citibank, Bank of America, Wells Fargo) don't use HSTS so there's no real way to protect their users from SSLStrip unless a browser includes them in some force SSL list.
> SSL Strip still works and banks don't care about anything other than providing the illusion of security and standard SSL.
Speaking as a security officer for a (non-US) bank, this is not true.
We use EV certificates (to increase visibility vs. standard certs), deployed HSTS over a year ago on most of our properties, force HTTPS and pin keys wherever we can (i.e. mobile apps). And even if a session is compromised: transactions are screened and verified before execution.
Yes, our chief concern remains the bottom line. Pushing for more trust increases our user base. Fighting fraud avoids compensation payments. Building awareness and implementing technical measures aids both of these goals, so we get to spend a reasonable amount on both.
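Both the SSLStrip scenario a few comments up and the HSTS deployment the bank security officer describes come down to one browser-side mechanism: once a site has been seen over TLS with a Strict-Transport-Security header, the browser upgrades http:// links to https:// before any request leaves the machine, so a proxy on the router never sees a plaintext request to downgrade. The following is an added example, not code from anyone in this thread; it models the RFC 6797 behaviour (parse the header, ignore it over plain HTTP, cache it per host with expiry and includeSubDomains, rewrite URLs) and adds a small assessment of a site's header. Host names and header values are constructed, and the one-year threshold in `assess_hsts` is this example's own assumption.

```python
"""Minimal model of browser-side HSTS handling (RFC 6797).
Added example; hosts, headers and thresholds are constructed assumptions."""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; assumed minimum worth recommending


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means a browser ignores it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # RFC 6797 s6.1: a repeated directive invalidates the header
        directives[name] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsCache:
    """The per-host policy store a browser keeps after seeing the header."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry is testable
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header_value, over_tls):
        """Record a policy; True when the header was accepted."""
        if not over_tls:
            return False  # RFC 6797 s8.1: HSTS seen over plain HTTP is ignored
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 withdraws the policy
            return True
        self._entries[host] = (self._clock() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True when host, or a parent with includeSubDomains, has a live policy."""
        now = self._clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL for a known host before any request is sent.
        This is what defeats a downgrade on the wire: no plaintext request exists."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def assess_hsts(header_value):
    """List weaknesses in a site's HSTS header; an empty list means none found."""
    if header_value is None:
        return ["no Strict-Transport-Security header: every visit can be downgraded"]
    policy = parse_hsts(header_value)
    if policy is None:
        return ["malformed header: browsers will ignore it"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: policy lapses between visits")
    if not policy["include_subdomains"]:
        findings.append("no includeSubDomains: plaintext subdomains can leak cookies")
    if not policy["preload"]:
        findings.append("no preload: the first-ever visit still starts over plaintext")
    return findings


if __name__ == "__main__":
    cache = HstsCache()
    # Constructed: policy learned over TLS, then a search-result link clicked over http
    cache.observe("bank.example", "max-age=31536000; includeSubDomains", over_tls=True)
    print(cache.rewrite("http://www.bank.example/login"))  # https://www.bank.example/login
    print(assess_hsts("max-age=300"))
```

The `over_tls` flag is the part worth noticing: a header injected into a plaintext response is discarded, so the cache can only be populated by a genuine TLS visit, which is why the preload list exists for the very first visit.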
The UK bank I use doesn't even bother to force HTTPS on most of their site, let alone use stuff like HSTS. They helpfully make use of EV certificates for the bits of the site that are secure though (except those still don't show up differently on many devices).
Does someone have the expertise to set up a Synology OS or DDWRT as some type of virtual machine, run it as a honeypot, and do daily/hourly high-level tests for compromise?