How Chinese Spies Hacked my Home | How my DIY Network Uncovered a Cyber Attack on an Aerospace Company

This article is about a network intrusion incident that happened on one on my internet connected devices at my home and how my DIY networking setup uncovered a sophisticated cyberattack on a major aerospace and aviation company even before their security operations team could detect the attack.

Prologue

On the early hours of May 19, 2022, I was woken to an alert from my home network system with the reports of suspicious traffic outbound and inbound from a specific device. Just a few months ago, at that time, I was working on replacing my home router with one that's designed by me , one that offers a finer control over my home internet setup and offers enhanced privacy, security and usability, as a security measure against rising internet risks and surveillance fears amongst other reasons.

After a lot of googling and learning stuff, I've installed the network setup with a custom firmware on an off-the-shelf router with customizations and replaced my entire home's network stack. I made a post, back then, about my DIY network .

This was my first time ever attempting to build a software-defined network without prior experience and this is a single router that does everything acting from acting as a WAF to automatically blocking attacks in real-time, so when I got my first alert, I was curious and happy that it caught something.

The Story

Ever since quitting from my job, I always found a lot of time to work on lot of side projects, free from heavy work and commitments. While this was one side project of mine, another one was to build ground stations for tracking the airspace above my home to track civilian airplanes, and share real-time ADS-B data with the global aviation community and with commercial customers of mine.

As a part of that aviation network, I had procured and installed hardware from several vendors from around the world. One such vendor was AirNav Systems - an industry pioneer with over 20 years of experience in the air surveillance industry, and has a proven track record of providing affordable and reliable Flight Data & ADS-B tracking services to aviation businesses, government agencies, airlines and airports are some of the public and private sector clients worldwide.

My Home Network Setup - Design

In a typical home, you'd have a single network/WiFi SSID that covers the entire home and you'd then have all the devices, from TVs, mobile phones, computers or other smart devices connected to the same network/SSID. This works for the majority of us/home consumers, however this approach to networks have these 2 security flaws:

• Because all the devices are behind a Port Address Translation (PAT), every other device is: a) just one network hop away, b) Each device can 'talk' to other devices connected to the same network via inter-device communication.
• In case of a compromise of a connected device for whatever reason, an attacker can quickly move laterally and compromise other devices.

However, mine was specifically designed in a different way, as it was built ground up with security in mind (otherwise I wouldn't have replaced my trusty chinese router at all!)

The following security features were in place at the time of intrusion:

1. Network Segmentation: Several Categories of internet devices are grouped into categories (eg: "Smart" devices such as IoT sensors, switches etc in a group, TVs, Computers and other devices in a separate group and so on). These groups were each assigned their own subnet via VLANs and had their own separate WiFi networks and even IP ranges, all from a single router.This means an old IoT device with WPA-only support can share a different, less secure wireless password from the rest of the network. This also means any compromise would be limited to the specific subnet. They all share a single, same upstream connection to the ISP but that's not an issue and can be configured to use more than one WAN if necessary.
2. Client Isolation: All clients (devices) connected to any wireless or wired networks are prohibited from 'talking to each other'. In technical terms, any packets from any device that is sent to any local IP range or device is dropped at the kernel without ever reaching any other device.In almost all cases, you'd never have a situation at your home where in one device directly wants to 'talk' to another device on the same network via their local IP. There may be some devices such as WiFi printers that would want to be talked to, from other devices on the network, to receive print jobs, but this doesn't apply to me, so I went ahead and disabled P2P comms in my network setup.I just wanted to highlight these 2 as I'll be referencing these in the upcoming sections of this article.There were a hell lot of thoughts that went in the name of security and controls were implemented accordingly in the network [bragging again xD]. My intent with a DIY setup is to have 'full control' and visibility over every 'packet' that enters and exits my home, after grabbing inspiration to build an enterprise-level security for my home network, from my workplace that implemented these for their security. Thanks to my bosses at my former workplace for involving in top/high-profile projects :)

The Intrusion on the device

At around 03:17 AM on the 19th of May, 2022 (IST), there was a suspicious inbound SSH traffic from an external network into the XRange2 device (pictured earlier). The network immediately detected the inbound traffic anomaly and logged the incident based on AI-rules. I DID NOT configure it to explicitly log this behaviour (in fact, I never knew it was possible to even SSH into it), it did it automatically because it never saw it happen in the past and thought it was weird, and is kinda cool as it flagged it in the log! I was asleep like everyone else at that time.

Later, the same day morning, when I woke up, I got alerted to an anomaly with the network, but not because of the log (which I didn't check as it was just logged in the system log, not raised as a warning), but because of an suspicious outbound traffic event.

After the incoming SSH connection to the device, it seemed like the device connected to several IPs in China, exchanged around 45 MBs of data, and had a few concurrent active connections to China. This was definitely highly suspicious to my system that it decided to raise an event and logged all involved communications and IPs.

Remember how I mentioned I segmented my network? It came in handy. From the system's POV: A device with no prior history and from the IoT zone/segment is making a large number of network outbound requests in the middle of the night to servers in China. The key conditions/triggers were each highlighted in bold in the previous sentence. With just a pair of these triggers are enough to raise an event by themselves, all of them when combined, triggered a defined heuristic rule, and system went into lockdown mode.

Automatic actions from my network

When the system raises an event due to a single/a combination of multiple events, it enters what's called the "lockdown mode" by design.

During lockdown mode, the following restrictions apply to my entire home network:

• The bandwidth of each connected device falls to 10 MBps upstream and 10 MBps downstream. The channel bandwidth remains unchanged, however packets are controlled accordingly. This is to prevent an exfiltration of large data, in case of a confirmed compromise, however, while still allowing enough bandwidth to prevent an interruption to legitimate applications/operations.This restriction would be later removed as I felt it would tip an attacker if they know that the system had triggered the lockdown mode, and also because it was difficult to implement bandwidth throttling for non-TCP connections/applications.
• All traffic data is captured, down to the last byte, from all interfaces, unless the capture is manually stopped, including all encrypted connections. The idea is to analyze/replay the conditions at a later time to understand what's happening. Obviously this creates a huge capture file and is a pain to work with, but at least I'll have something to work with rather than having no idea.
• Some Layer 4 and 7 data is captured: The webserver IP or hostname from SNI fragment, the source and destination IPs, the DHCP logs, the MAC address of the device, the DNS queries before and after, the timestamp of connection attempt to the connection closure, the type of connection, and even the size of the payload is logged. For encrypted connections, breaking HTTPS would break the TLS encryption and isn't performed, however the max possible data is extracted without it. Even with the packets captured (in the second point), it would be much easier to work with L4 and L7 data rather than manually analysing sessions in wireshark.
• The routers settings would become read-only even for administrators. This is to prevent any potential compromise/persistence attempt on the router and to avoid maliciously bypassing any security control implemented, or tampering router's settings. This is done at at the hardware-level by writing values directly and securely to the Flash chip's registers so that it acts as read-only unless reset via special commands via a serial communication over a physical PIN access. Any non-flash operation would still work, such as shutting down an interface or stopping capture.
• and other secret stuff!

My Investigation/Analysis

All these happened on that day from around 03:17 AM. Later that day, when I woke up in the morning, I was greeted to this alert from my network. Immediately, I knew something was wrong, but I wanted to know if there was a false positive or if it's a real one as I never tested it before. As soon as there were comms. to IPs in China, I knew it was the latter and prepared for the worst.

I woke up, did the morning routine (brush, bath, home stuff), had breakfast (because, priorities) and then immediately opened my laptop and began to investigate the massive accumulated data and this incident. To keep this article smaller, I'll just share my analysis results rather than and how and what I analyzed.

It looked like the attacker SSH'd into the XRange2's hardware from Airnav (the hardware's company) after breaching the company's own systems. After SSHing, it's a linux system, the attacker had downloaded and installed programs and packages. They installed programs that would tap into the decoder's data, capture it, process it "on-device" (as ADS-B data requires decoding and processing), and then send the processed data to China and other Chinese Flight tracking companies (eg: Variflight, Feeyo etc.) directly from the device 24*7.

I COULD HAVE BEEN SENT TO JAIL!

As soon as I found out what was happening, I immediately blocked all connections from/to the entire subnet that the device was connected to. I didn't want to power it down as it may lose memory thus potentially destroying any trails left in temp dirs, or in memory, by an attacker.

The RAW ADS-B data obtained from the device is RAW, meaning it contains sensitive ADS-B information of all the flights flying not "just above my home", but anywhere in 500km radius around my home, and this is not just for commercial flights, but also for sensitive military flights that may happen to fly in the area.

Imagine if someone sent realtime, LIVE and precise latitude, longitude, altitude, squawk code, heading and other data parameters of an IAF fighter jet that's on a sensitive operation/the Indian airspace to Chinese government! That's how bad that was.

Someone could literally aim a missile using these coordinates and it would strike within a 1 meter radius of the obtained value. That's how accurate a GPS receiver on a airplane/jet is. Aside from the privacy concerns, I could be booked for espionage for compromising national security and risking threats to our Indian assets for no fault of mine.

Regardless, I was uncomfortable with this and immediately shut the network offline without affecting the rest of home internet devices.

The Communication to the Company

The same day, at 11:59 AM, shortly after my investigation concluded, I gathered all relevant data and sent an urgent email to the support email and to several top executives and the within the company whose emails I obtained from a community group with detailed information about the compromise. As a part of the investigation, I concluded that I wasn't specifically targeted (this was super important for me to know), but it was the company's devices. This means devices all around the world could have been/were compromised from the same exploit/modus operandi.

In an hour, they replied the below:

This was after several non-responsive attempts to get this directly communicated to the founders over WhatsApp, on their personal numbers, so it looked promising.

I began communicating this observation to fellow users of the community who were also using these devices so that they could protect themselves, most of who have been already compromised by that time, and started demanding answers from the company, as this data not only breached their device but other extremely sensitive info about them as well that I'm not covering in this article.

After sharing the detailed investigation and every info I had about them to the company, I've received the below email later that day:

I hate it when devs/companies try to downplay the severity or the seriousness when they are in damage control mode. From my analysis, the number of compromised units should be in the hundreds or low thousands. However, in this case I must really appreciate their small team that did all they can and in a short while, AFTER I had pointed out the intrusion.

Very luckily, this was identified, communicated and stopped right when the attacker was beginning to exploit units all around the world. As of writing this post, there are 32,096 stations from over 185 countries acting as data collection stations.

I also worked with their dev team, behind the scenes to help identify the vulnerability that led to the compromise on the servers and it was a lack of access control mechanisms. The system in place to originally allow the company to initiate connection to the device for troubleshooting was the point of intrusion and had a vulnerability that allowed one user to connect to other users device when the device authenticates with the server. The team wouldn't share any internal or insider info as I wasn't an employe and they had implemented security through obscurity (even to date) however I worked my way up reverse engineering the client code.

Conclusion/FIN

It looks like the devices were being breached one after the other, from around 15th of the same month, all around the world, 15th was 4 days before the day mine was intruded. All these 4 days, they've had no idea of this happening, probably because it's impossible to detect network activity for their customers. However, the server intrusion must have been detected if they had the visibility.

Around the 20th of the same month, they shared a newer firmware file and the communication that there was exploit that was used on some devices. They didn't share the data that was compromised though. The firmware is to be flashed onto the device by physically removing the screws on the device, removing the SD Card from the circuitry, and rightly flashing the firmware on the card from a computer and then reinserting, restarting and configuring everything from scratch; something that's difficult even for an experienced user as they need to have the tools and equipment, as opposed to the plug and play they did when they initially set up the device.

Only with the newer firmware, the devices were free from the installed malicious packages, meaning those who haven't done these steps are still compromised and are feeding data to China in addition. I've tried contacting the relevant Indian government organizations and top contacts from Indian Civil Aviation unsuccessfully, without any response to inform the breach of Indian airspaces' traffic data.

Epilogue

After the events settled, I began working on the postmortem performing a forensics on the compromised machine's firmware (that I backed up before flashing the newer firmware) and on my network to see if there's anything that can be done better. My forensics found that the attacker was careful to leave no trace on the system by erasing their footprint on the device, but despite this, I managed to reconstruct the data, events and actions done to find out if nothing else was stolen.

After a thorough investigation and analysis, I've concluded the below:

• The attackers were sophisticated and were careful not to blow the operation as they intentionally went ahead and deleted all possible traces. Despite this, their actions were discovered, because while their actions may have left a trace and got deleted, the deletion actions itself were logged, ironically.
• The attackers IPs were linked to government-backed networks/attackers from networks operated by the Chinese Government and this IS an attempt from the chinese spies to infiltrate devices around the world in an attempt to create a botnet of devices and to obtain ADS-B data from around the world. You'd not see this news anywhere.
• Even with all the inbound firewall restrictions on my network, the device established an outbound connection to their servers and used that as a channel to receive SSH commands from the remote server.
• Thanks to my network's design choice of segregation and isolation, the attacker was unable to move laterally and hack other devices on my network, even after fully compromising the receiver.

What changed after the incident?

• I've implemented more tighter 'outbound' traffic restrictions on my network. Outbound rules are often underlooked.
• The compromised devices were booted off Airnav's network, making China look for alternate sources lol. (sorry bro)
• I learned a LOT all along this as this was the first time when I became a SOC operator, a hacker, a developer, a forensics investigator, a protector!
• Later, I built and launched my private DNS service based on the exact baseline data that I used to protect my home network and made it available for FREE for anyone to help stay protected and to extend the privacy and security benefits to their home network, mobile device or any device, with enterprise-grade DNS security offering to everyone - without them have to build complex systems or even be tech-savvy . Please check this other side-project of mine: Frodo Secure DNS Service for more info on this.
• All network access credentials were rotated despite finding no evidence of a compromise or even access beyond the device, as a security measure. All logs checked. A new generic rule added to block UDP connections to all of China on non-standard ports.
• Added "Single-handedly fought off Chinese attackers from my network and so can, from your company's network" to my resume.

From then to now, I'm super proud of the system that I had built without prior networking knowledge, certification or any formal qualification, as I'm reaping the benefits to date and it's been protecting me and my family from internet risks, threats and comes with a smart routing, queue management, multiple VPN configs, and keeps getting improved!

Thanks for reading and stay tuned for articles/write ups that feature more such cases where my DIY network helped me identify vulnerabilities in applications when it was passively intercepting traffic. That's how I was able to defend myself and uncovered network intrusion on a major Aerospace Company - AirNav Systems.

If you liked the article, please share your comments on the post be it whatever.

Credits: Stock images and captions from this post by Daniel Solove . Thanks to AirNav Systems/it's founder Andre Brandao for the working together on this, and to their teams for deploying timely patches.