Is your router vulnerable?


In May of this year, officials in the private and public sectors warned of hackers infecting nearly a million consumer-grade routers across the globe. Among the numerous types of infections, an especially nefarious one is what’s known as VPNFilter, which can be used to perform a man-in-the-middle attack. It can inject malicious packets into traffic as it passes through an infected router. The packet payloads exploit specific devices connected to the infected network. It’s important to note that VPNFilter is not a router exploit that an attacker can find and use to gain access; it is software that is installed on a router unintentionally and is able to do some potentially terrible things.

In addition to covertly manipulating traffic within the network, a VPNFilter module called “ssler” can also steal sensitive data passed between connected endpoints and even outside the network. It actively inspects browsed sites for signs they transmit passwords and other sensitive data so they can be copied and stored on servers under the attackers’ control. In this case, intercepted data is being sent back to servers with known ties to the Russian government. To bypass encryption designed to prevent such attacks, ssler downgrades secure HTTPS connections to plaintext HTTP traffic. It then changes request headers to signal the endpoint isn’t capable of using encryption.
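
An added example, not part of the original article: one way to notice the downgrade described above from the browser side. It flags a page that should be HTTPS-only arriving over plain http, and any password form that would submit in cleartext. The host names and the `HTTPS_ONLY_HOSTS` list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts you know are HTTPS-only (constructed example names).
HTTPS_ONLY_HOSTS = {"bank.example", "mail.example"}


class PasswordForms(HTMLParser):
    """Collect the action URL of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.actions = []
        self.form_action = None          # action of the form being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_action = attrs.get("action") or ""
        elif tag == "input" and self.form_action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.actions.append(self.form_action)
                self.form_action = None  # report each form once

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def downgrade_findings(page_url, html):
    """Return the reasons this page load looks like an HTTPS downgrade."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme == "http" and page.hostname in HTTPS_ONLY_HOSTS:
        findings.append(f"{page.hostname} is HTTPS-only but loaded over http")
    scan = PasswordForms()
    scan.feed(html)
    for action in scan.actions:
        target = urljoin(page_url, action)   # empty action posts back to the page
        if urlsplit(target).scheme != "https":
            findings.append(f"password would be sent in cleartext to {target}")
    return findings


# Constructed sample: the same login page body fetched over https and over http.
BODY = '<form action="/session"><input type="password" name="p"></form>'

if __name__ == "__main__":
    for url in ("https://bank.example/login", "http://bank.example/login"):
        print(url, downgrade_findings(url, BODY) or "ok")
```

Because the form action is relative, the same page body is clean over https and produces two findings once the page itself has been downgraded to http.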

VPNFilter is also able to change incoming traffic to falsify responses from a server. This helps cover the tracks of the malware and allows it to operate longer before you can tell something is going wrong. Hackers have evolved such that they can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money or any other data going in and out of the device.

Depending on your skillset, it’s difficult or impossible to tell if you are infected. Researchers suggest anyone who uses a router known to be susceptible to VPNFilter assume they are infected and take the necessary steps to regain control of their network traffic.

Signs Your Router May Have Been Hacked
Did you receive a ransom web message, an antivirus alert, or toolbars on your browser that you didn’t install? When you click on a link, are you redirected to a site that you didn’t ask for and that has nothing to do with the previous page you were on? Are you getting a lot of random pop-up websites on your computer screen? Have you heard from your friends or colleagues that they’ve gotten social media or email invitations from you that you didn’t send? Are you missing money from transactions in your online banking accounts that you can’t explain? These are all red flags that your router may have been hacked and is infected with dangerous malware.

F-Secure’s Router Checker
This online tool is a great way to find out if an internet connection is safe or if your router has been infected. Click the blue “Check Router” button to view your detailed results and discover if your Domain Name Server (DNS) has been altered. You can also use a free trial to check and see if your mobile devices have been affected or purchase a paid subscription if you want to use the service on an ongoing basis. If your DNS has been hijacked, this tool will expose the insecurities in detail, so you’ll know if you need to take action. Find it here: F-Secure.com’s Router Checker

Routers known to be vulnerable
This list contains routers known to be susceptible to VPNFilter. If your model appears on this list it is suggested you follow the procedures in the next section of this article.

Asus Devices:
RT-AC66U
RT-N10
RT-N10E
RT-N10U
RT-N56U

D-Link Devices:
DES-1210-08P
DIR-300
DIR-300A
DSR-250N
DSR-500N
DSR-1000
DSR-1000N

Huawei Devices:
HG8245

Linksys Devices:
E1200
E2500
E3000
E3200
E4200
RV082
WRVS4400N

Mikrotik Devices:
CCR1009
CCR1016
CCR1036
CCR1072
CRS109
CRS112
CRS125
RB411
RB450
RB750
RB911
RB921
RB941
RB951
RB952
RB960
RB962
RB1100
RB1200
RB2011
RB3011
RB Groove
RB Omnitik
STX5

Netgear Devices:
DG834
DGN1000
DGN2200
DGN3500
FVS318N
MBRN3000
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200
WNR4000
WNDR3700
WNDR4000
WNDR4300
WNDR4300-TN
UTM50

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND
TL-WR841N

Ubiquiti Devices:
NSM2
PBE M5

ZTE Devices:
ZXHN H108N

What steps to take if your router is on the list
Right now, as soon as you’re able, reboot your router. Unplug the power supply for 30 seconds then plug it back in. Many models of router flush installed apps when they are power cycled.

The next step is to factory reset your router. You’ll find information about how to do this in the manual that came in the box or from the manufacturer’s website. This usually involves inserting a pin into a recessed hole to press a microswitch. When you get your router back up and running, you need to ensure it is on the very latest version of its firmware. Again, consult the documentation that came with your router for details on how to update.

Next, perform a quick security audit of how you’re using your router.

Never use the default user name and password to administer it. All routers of the same model will use that default name and password and that makes for an easy way to alter settings or install malware.

Never expose any internal devices to the internet without a strong firewall in place. This includes things like FTP servers, NAS servers, Plex Servers or any smart device. If you must expose any connected device outside your internal network you can likely use port filtering and forwarding software. If not, invest in a strong hardware or software firewall.

Never leave remote administration enabled. It may be convenient if you’re often away from your network but it’s a potential attack point that every hacker knows to look for.

Always stay up to date. This means checking for new firmware regularly and, more importantly, installing it when it is available.

Finally, if you’re unable to update the firmware to prevent VPNFilter from being installed (your manufacturer’s website will have details), just buy a new router. I know that spending money to replace a perfectly good and working router is a bit extreme, but you will have no idea if your router is infected unless you’re a person who doesn’t need to read these sorts of tips.

We love the new mesh router systems that can be automatically updated whenever new firmware is available, such as Google Wifi, because things like VPNFilter can happen anytime and to anyone. It’s worth having a look if you are in the market for a new router.

