Can someone without the WiFi login and no physical access to a router still access it with the admin login?

      If you have a router with default login and password for the admin page, can a potential hacker gain access to it without first connecting to the LAN via the WiFi login?







      wifi router






      asked 1 hour ago









      Q-bertsuit

          2 Answers
            This may be possible using cross-site request forgery. In this attack, the attacker triggers a request to your router, for example by including an image on his site:



            <img src="http://192.168.1.1/reboot_the_router?force=true">


            When a user visits his site, this triggers a request to the router.



            The attacker's site can trigger requests, but not view responses. Not all routers are vulnerable to this. Setting a non-default password certainly protects against CSRF.



            There are plans to block such requests in the browser, but these haven't been implemented yet.







            edited 58 mins ago

























            answered 1 hour ago









            Sjoerd
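
The router-side view of the forged request described in this answer, as an added example that is not part of the original post or of any router's firmware: a request gate that refuses the `<img>`-triggered GET and cross-site POSTs. The function names, the allowed origin, the `attacker.example` host and the token value are assumptions made for illustration.

```javascript
// Added example: a request gate for a hypothetical router admin interface.
// Assumption: the router is only ever reached under this origin.
const ALLOWED_ORIGINS = new Set(["http://192.168.1.1"]);
// Assumption: paths that change state (taken from the answer's example URL).
const STATE_CHANGING = new Set(["/reboot_the_router"]);

// Origin of an Origin/Referer header value, or null if absent or unparsable.
function originOf(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

// Compare tokens without exiting early at the first differing character.
function tokensMatch(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request may proceed. Authentication is checked separately.
function checkAdminRequest(req, session) {
  const path = new URL(req.url, "http://192.168.1.1").pathname;
  if (!STATE_CHANGING.has(path)) return { allow: true, reason: "read-only" };
  // An <img> tag can only issue GET, so a state change never runs on GET.
  if (req.method !== "POST") return { allow: false, reason: "state change requires POST" };
  // A cross-site form POST still carries the other site's Origin/Referer.
  const source = originOf(req.headers.origin || req.headers.referer);
  if (!ALLOWED_ORIGINS.has(source)) return { allow: false, reason: "cross-site origin" };
  // The token lives in the admin page, which the other site cannot read.
  if (!tokensMatch(req.csrfToken, session.csrfToken)) return { allow: false, reason: "bad CSRF token" };
  return { allow: true, reason: "ok" };
}

// Constructed sample data; a real token is random and unique per session.
const session = { csrfToken: "constructed-sample-token-0001" };
const target = "/reboot_the_router";
const samples = {
  forgedImage: { method: "GET", url: target + "?force=true",
                 headers: { referer: "http://attacker.example/page.html" } },
  forgedForm: { method: "POST", url: target,
                headers: { origin: "http://attacker.example" } },
  missingToken: { method: "POST", url: target,
                  headers: { origin: "http://192.168.1.1" } },
  legitimate: { method: "POST", url: target,
                headers: { origin: "http://192.168.1.1" }, csrfToken: session.csrfToken },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, checkAdminRequest(req, session));
}
```
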

            • Wow interesting. So this requires that a user that has access to the LAN clicks a specific link on some site? A hacker won't be able to specifically target a router?
              – Q-bertsuit
              1 hour ago










            • Yes, a LAN user visits the attacker's site and that causes a request from the LAN user to the router.
              – Sjoerd
              56 mins ago










            • But a router is typically not designed to grant access to its configuration page, even with the login/password details, without a) having physical access or b) having LAN access?
              – Q-bertsuit
              49 mins ago
















                Almost all routers are configured by default to only expose the administration interface to the "LAN" side and not to the internet. Some routers have the option to enable or disable this, so it would be good to check the settings of your router.



                You can also test this using an online port scanner or this ShieldsUP! tool. These will check if they can access anything on your router from the internet.









                answered 42 mins ago









                Sjoerd
