Routers: a vulnerable opening to your home and personal data

Kevin Townsend 26 Mar 2019

If hackers get to your router, they can access all the connected devices in your home. Here’s what you need to know.

Wireless routers are perhaps the most fundamental piece of technology required for an internet-connected house. Seventy-six percent of households in the US use Wi-Fi as the primary means of connecting to the internet, and routers give us our Wi-Fi. But once our connections are established, the router is often just part of the furniture; we don’t even think about it.

Should we be paying more attention to the devices that, for so many of us, are our primary means of accessing the online world? Yes, we should.

Malware targeted specifically at routers increased throughout 2018, yet Avast research shows that 51% of people have never logged into their router’s administration page. Even more surprising, 72% of people have never even updated their routers’ firmware. According to similar research by Broadband Genie, the most common reason people give for not paying attention to their routers is “I don’t know why I would need to.” Let’s look at why we do need to.

Why are routers attacked?

Data theft

Wi-Fi hijacking or ‘wi-jacking’ is a security issue that some of us might have encountered in a very limited form: Our neighbors leeching our internet signal. Giving free bandwidth to mooching neighbors is a nuisance, but this can become a much more malicious issue. If hackers are able to gain control of a router, they can – and do – redirect your internet traffic to data-harvesting domains, potentially gaining access to your personal or financial information.

Direct router attacks

Direct attacks on individual routers can happen. Compromised routers are often employed as part of malicious botnets, which can be turned into a variety of nefarious purposes such as DDOS attacks and cryptojacking.

DDoS attacks

One of the easiest and most effective things hackers can use these botnets to hijack your device for is  DDoS attacks against websites. Since routers are hubs which directly handle a household’s internet traffic, they’re perfectly suited to be the vulnerable opening that gives you access to the devices for a DDoS style attack, which overwhelm the target server with requests and takes it down.

Cryptojacking

Cryptojacking is becoming more and more popular with cybercriminals, as the power of botnets to mine crypto-currencies like Monero and Bitcoin becomes more widely-used. Over the first half of 2018, cryptojacking malware detections increased by 459%. Routers are playing a significant part in this, with up to 415,000 devices across the world infected by cryptomining malware in 2018.

Cryptomining with your own computer is not an illegal practice; but nor is it lucrative. However, harnessing the power of thousands of other people’s devices and using their electricity is an altogether more attractive proposition for criminals.

Routers are an easy opening

However, the most significant reason that routers are increasingly targeted is simply that they are so much easier to compromise than other devices. With the general state of security in web applications and mobile devices improving, router vulnerabilities are becoming a more valuable target. Organizations that hunt for zero-day vulnerabilities to sell to government agencies or as part of bug bounties are expanding their efforts to routers. But if routers are so easy to hack, what kind of malicious campaigns have we seen with them?

How do routers get compromised?

Nearly every internet-connected household uses a router. They’re a necessity of the internet age, and usually provided as a basic part of most internet packages. We could be forgiven for taking strong built-in security for granted, and assuming that any successful attacks are only possible from highly determined, skilled cyber-criminals. However, this is distressingly far from the truth. Vulnerabilities and exploits are much more common than we may realize.

Zero-day vulnerabilities

In 2018, over 1 million Dasan routers and up to 800,000 Draytek routers were found to have severe security flaws. In both cases, the vulnerabilities allowed for complete authentication bypass, enabling hackers to take control of the routers and their settings. They were also both exploited in the wild. Draytek users found their DNS settings altered, leading to malicious redirection of traffic. In the case of the Dasan routers, hackers were observed attempting to exploit the flaws before any patch was able to be issued.

Lack of user awareness

One of the biggest problems with router security is simply that we don’t think of them on the same level as we do our other devices. Even if we follow good practice in other areas – we keep our online banking secure, use strong passwords and enable multi-factor authentication wherever possible – our routers are left behind. The default password to log on to routers is often less secure than it looks; even strings of characters which are hard to brute-force may be based on known, solved algorithms that hackers can exploit. When security flaws are discovered, manufacturers usually respond quickly, but security updates tend to be ignored – or even unknown – by users.

The problem has become so widespread that in October 2018, a hacker known as “Alexey” actively exploited a known flaw in MikroTik routers. The vulnerability had been patched as far back as April 2018, but general router security was so lax that Alexey was able to hack into over 100,000 routers using the flaw. His motive, evidently, was to install the security update on the users’ behalves, effectively protecting them from his own attack. This drew mixed reactions from his ‘victims’, as it was seen as an intrusion of privacy by many. For good or bad, it certainly illustrates how often security updates for routers are ignored.

Famous malicious router campaigns

While in some respects both users and hackers are only just waking up to the issues of router security, we have already seen significant, damaging and high-profile attacks featuring routers.

Mirai

Mirai is perhaps the most famous and widespread malware that threatens our routers. It certainly has the most significant legacy, with variants, spinoffs and copycats increasing year on year. Mirai and its variants are botnet malware that use IoT devices – particularly routers and web cams – to add to their processing power. In 2016, Mirai was responsible for the biggest DDoS attack ever seen up to that point, and took down such high-profile sites as Spotify, Netflix and Twitter. In most cases turning the router off and switching it back on is enough to remove Mirai.

Torii

The Torii botnet was a more destructive, advanced evolution of Mirai’s paradigm which began to surface in 2018. Targeting routers alongside general IoT devices, Torii could not be removed with a simple reset of the router. This attack had the added privacy threat of being able to access any personal data being handled by the infected device – including internet traffic passing through a router. Like Mirai, Torii is a botnet, but appears to be geared towards data theft rather than DDoS attacks.

VPNFilter

Unlike other widespread botnet attacks, VPNFilter was specifically engineered to attack routers, rather than IoT devices in general. Believed to be a Russian state-affiliated attack, the VPNFilter campaign made use of over half a million compromised routers in 2018. The malware can intercept and snoop on internet traffic, as well as render a device completely inoperable – or ‘bricked’.

What can we do to keep our routers safe?

The first step in improving router security and limiting the growing trend of hackers targeting is to be, and make sure we stay, aware. Once we stop seeing our routers as part of the furniture, we can turn our attention to keeping them as safe and secure as possible.

We have some in-depth guides for router security, and we recommend you check our blog on 12 ways to boost your router’s security. Here are some simple, general steps to help you get started.

Keep the hardware secure

If possible, the router should be away from the window and towards the interior of the property; this is to minimize the Wi-Fi signal available to the outside world. A small step, but every little action to make it harder for hackers to access is a step worth taking. It may also be worth periodically switching your router off, waiting 10 seconds, and switching back on again. This is sometimes all you need to do to remove router malware.

Stay properly configured

The next step is to make sure your router’s settings are as secure as possible. Log on to your router’s administration page; turn off automatic WPS configuration and turn on WPA2 encryption. If possible, disable the option to manage router settings over the internet entirely. Make sure to check for any firmware and security updates – you may have to refer to the manufacturer’s documentation for how to do this. Don’t forget to make use of Avast Wi-Fi Inspector, included in Avast Free Antivirus, which will scan for vulnerabilities and security issues in your router.

Keep best practices

Once you have your router secure and up to date, all that remains is to make sure it stays that way. Most of the general advice that applies to staying secure online applies to routers as well.

  • Change your router’s default admin password to a strong, unique password (there are tips on making good passwords here).

  • Always log out properly when you’ve finished on your router’s administration page to prevent session hijacking.

  • After your initial setup and configuration, make sure you regularly check for updates and security advisories and install any new patches promptly.

Good router security isn’t that difficult – the main problem is that we generally don’t bother.


Kevin Townsend is a guest blogger on the Avast Blog where you can catch up on all the latest security news.  Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world with award-winning free antivirus and keeping their online activities private with VPN and other privacy products. Join in the conversation with Avast on Facebook and Twitter.

--> -->