Router Hijacking

2023-11-08

Briefly:

Careful on Wi-Fi
Set your DNS
Change passwords
Disable WAN management
Check manufacturer

(May 2018) About half a million small office routers and NAS devices are infected with malware called VPNFilter. These devices are made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link, and may have private labels from ISPs. The malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. A report from Cisco said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. "FBI tells router users to reboot now to kill malware infecting 500k devices".

(Oct 2017) There has been news recently of an attack on the WPA-2 Wi-Fi protocol called KRACK. Attackers can decrypt traffic sent over Wi-Fi and inject content into unencrypted HTTP connections.

Patches for KRACK have been announced for many devices. Microsoft patched Windows 10 in August. Apple patched KRACK on October 31 for High Sierra, Sierra, El Capitan, and iOS. Apple AirPort and Time Capsule routers are not vulnerable. Android and Linux devices are especially vulnerable. Other patches will be rolled out over the next few months. Make sure you keep up to date.

(Dec 2016) There's a new "exploit kit" aimed at infecting your router via Windows and Android devices (but that could change to include Macs any time). An article from Proofpoint gives technical detail on how it works: Home Routers Under Attack. Once they subvert your router, all of your computers are compromised, and no anti-virus scanner will find anything. The article says "there is no good way to counteract these attacks," but a couple of measures can help:

  1. Browsing the web using browsers and operating systems with the latest patches. This may not be sufficient... the bad guys can find vulnerabilities faster than the victims can install patches.
  2. Always using HTTPS when browsing the web. This may not be sufficient... if the bad guys can inject exploit code into any non-HTTPS connection, and if your computer has any unpatched vulnerability, it could be infected by malware that sees the data when it is not encrypted.
  3. Blocking advertising, using something like uBlock Origin or a tailored HOSTS file.
  4. Setting the DNS in the Mac Network control panel. Note that you should set it twice, once for Ethernet and once for Wi-Fi. This will override any bad DNS stuck into the router.
  5. Using Little Snitch and NoScript, and not permitting outbound traffic to untrusted addresses. (Of course, how do you know what addresses to trust, if you're not an expert? I use Little Snitch and NoScript, and they often ask whether to allow traffic to domains I have never heard of. If you browse bigstore.com and it wants to load from bigstore_cdn.com, you would probably say OK, but who knows.)

(Dec 2016) Netgear routers have a serious security hole. Netgear 6500, 7000, and 8000 series routers can be taken over by hackers. Many of them are in Germany and the USA.

(Mar 2015) "At least 700,000 routers given to customers by ISPs are vulnerable to hacking." These are ADSL routers from various makers; some may be rebranded by the ISP. One brand involved was D-Link. Most of these routers seem to be in Asia but some are in the USA. The vulnerable firmware seems to originate from the same Chinese company.

This is a different security hole from the 300,000 home routers whose DNS servers were silently rerouted to hackers' servers, enabling the hackers to pretend to be any web site. The brands involved included TP-Link, Micronet, D-Link, Tenda, and Zyxel.

(Jan 2015) A new bug has been found that lets any local client reconfigure ASUS wireless routers.

(Dec 2014) Additional attacks on home routers have been discovered.

(Jan 2014) Some home routers have "back doors" built into them by their manufacturers. Problems have been found in many brands of router. There are also malware programs that try to attack your router from the Internet, or from an infected web page, or from an infected computer on your network, or by somebody driving by your premises. If your router gets infected, a bad guy could take over your connection.

If you use a wireless access point or router that you don't control, it may have malware on it, either because the access point owner is malicious, or because some malicious person tampered with the router, or because it was attacked through a back door. For example, if you are staying in XYZ Hotel, you might see several wireless networks you could connect to: "XYZ HOTEL", "FREE WIFI", "THIRD FLOOR", "PUBLIC". You have no way to know which of these is real and which is a fake "evil twin." I have seen these in airports as well.

What Could Go Wrong

A compromised router could

For example, using a hacked router, someone could spoof your online banking site and steal your money. Your Mac usually gets the addresses of the name servers that it uses to look up domain names from the router that it's connected to. Unless the router has a manually set DNS address, it will in turn ask your phone or cable modem, and that device will normally get the settings from the phone or cable provider. A hacked router can send your Mac the address of a fake DNS server, which can send you to a fake page that looks just like the real one.

What To Do

  1. If you are using a wireless access point you don't trust, only use SSL URLs, and check that your browser displays the lock symbol. Don't do sensitive operations like online banking and shopping over such connections: assume your access could be observed or hijacked.
  2. In the Apple menu ► System Preferences... ► Network, set your DNS servers for both Ethernet and Wi-Fi to Google Public DNS (8.8.8.8, 8.8.4.4) or OpenDNS (208.67.222.222, 208.67.220.220). If your router does get hijacked, your Mac will use your manual settings instead of accepting the ones sent from the router.
  3. Change your router administration passwords from the vendor default. Use long, strong passwords. Changing the password may prevent an outside attacker from taking control of the router.
  4. Put a long, strong password on your wireless network. Otherwise, someone can join your network and access it as if they were "inside" if they are near your house. (Sometimes called "wardriving.") Some routers have weaknesses that network users with inside access can exploit to cause network mischief. While you are at it, change your network name from the default to some other string.
  5. Disable the ability to manage your router from the "outside" (also called the WAN). This will improve protection if an outside attacker gets past your router admin password.
  6. Check with the maker of your router to see if there are issues, and if there are firmware updates that cure these issues. Some routers came with back doors that let outsiders in, if they knew a secret. These holes were closed by later firmware updates, but users rarely update their router firmware.
  7. Use Firefox or Chrome as a web browser.
  8. If you get a "certificate warning" page, don't ignore it. This may be a sign of a forged site. Make sure that the "lock" symbol is shown by your browser if you go to a site that should be protected by SSL.
  9. Continue to use basic security practices: e.g. back up, be careful what you click in email and web pages, and so on.
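Step 2 above (and the DNS chain described under What Could Go Wrong) as a script that pins the resolvers on every enabled Mac network service and then verifies the setting took. This is an added example, not code from the page; it uses the real macOS `networksetup` tool, while the `dns_matches` helper, `pin_all_services`, and the `DNS_SERVERS` variable are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original page). Sets manual DNS servers on each
# enabled macOS network service, so a hijacked router's DHCP-supplied resolver
# is ignored, then reads the setting back and checks it. Uses the real macOS
# `networksetup` tool; `-setdnsservers` needs admin rights (run with sudo).

# Resolvers recommended on the page (Google Public DNS). Override with
# DNS_SERVERS="208.67.222.222 208.67.220.220" for OpenDNS.
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 8.8.4.4}"

# dns_matches <actual newline-separated list> <expected space-separated list>
# Returns 0 only when the configured resolvers are exactly the expected ones,
# in order. A router address (192.168.x.x), an extra entry, or the
# "There aren't any DNS Servers set" message all count as a mismatch.
dns_matches() {
  actual=$(printf '%s\n' "$1" | tr '\n' ' ' | sed 's/ *$//')
  [ "$actual" = "$2" ]
}

# Walk the enabled services. `networksetup -listallnetworkservices` prints an
# explanatory first line and marks disabled services with a leading '*';
# both are skipped.
pin_all_services() {
  networksetup -listallnetworkservices | tail -n +2 | grep -v '^\*' |
  while IFS= read -r service; do
    # word-splitting DNS_SERVERS into separate arguments is intended
    networksetup -setdnsservers "$service" $DNS_SERVERS
    current=$(networksetup -getdnsservers "$service")
    if dns_matches "$current" "$DNS_SERVERS"; then
      echo "ok: $service -> $DNS_SERVERS"
    else
      echo "MISMATCH: $service reports: $current" >&2
    fi
  done
}

# Only act on macOS; `networksetup` does not exist on other systems.
if command -v networksetup >/dev/null 2>&1; then
  pin_all_services
fi
```

Re-run the script after any router or macOS upgrade, since either can silently revert the interface back to the router-supplied DNS.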

Specific Reports

Malware that attacks routers

Routers With Back Doors or Vulnerabilities

Several versions of Cisco Wireless Home Gateways and cable modems have a security hole that allows attackers to hijack the routers remotely. This problem was found in July 2014. Cisco has released a patch to cable companies so that they can pass it on to customers.

Several versions of D-Link router firmware were discovered to contain a back door that allowed any local network user to bypass the admin password. This weakness was found in October 2013. "The affected models likely include D-Link's DIR-100, DIR-120, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, DI-624S, TM-G5240 and possibly the DIR-615. The same firmware is also used in the BRL-04UR and BRL-04CW routers made by Planex." Firmware updates are available for some of these routers; others are no longer supported by D-Link, so tough.

ISE published a paper titled Exploiting SOHO Routers sometime in 2013 that listed 13 routers that were vulnerable to takeover. It listed specific model numbers for Linksys, Belkin, Netgear, TP-Link, Verizon, D-Link, ASUS, and TrendNet routers.

A back door is built into some Linksys wireless/DSL modems. It was first found in a Linksys WAG200G, but at least 190 other models from the same OEM may be affected. It uses TCP port 32674. Some Belkin, Cisco, and Netgear routers are also affected by the same backdoor as the Linksys problem. The affected Cisco routers are described in a support note. (Cisco used to own Linksys but sold it to Belkin in 2013.)

Another Linksys vulnerability was found in February 2014. It affects many models including E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N, WRT150N.

Another attack on D-Link, Micronet, Tenda, TP-Link, Zyxel, and other brands of router was discovered in March 2014. It seems to be aimed at changing the DNS settings for computers that connect through the routers.

(Aug 2014) A back door is built into NETIS routers. It uses TCP port 53413.

© 2010-2023, Tom Van Vleck, updated 2023-11-08 08:53