Illinois-based security firm Team Cymru has released research findings that point to a widespread compromise of consumer-grade routers that are commonly installed in homes and small offices all over the world. As many as 300K of these devices from a variety of manufacturers have been hacked to redirect network traffic to counterfeit banking sites and possibly other malware-laden destinations. Though the hacked devices have been found all over the world, the highest concentration seems to be in Southeast Asia and Europe, with Vietnam, Italy, India and Thailand being hit the hardest.
What this means for you:
Hacked routers are not as easy to detect as a malware infection on a computer, primarily because most people never touch their home or small office routers except to install them or to reset them when their internet doesn't work. In most cases, they might not even know how to access the router, and have long forgotten the password used to configure and secure the device originally, if that install wasn't completely handled by their internet service provider. In the hack mentioned above, all the affected devices shared a common trait: their DNS settings had been altered to point to two specific IP addresses (126.96.36.199 and 188.8.131.52), allowing the hackers to effectively control where the compromised router sends any and all network traffic routing through that device.
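A first check for the DNS tampering described above, as an added example that is not from Team Cymru or this post: audit the resolver addresses a host (or a router's WAN/DHCP settings page, pasted in the same `nameserver` form) is configured with, flagging the two indicator addresses the post quotes. The resolv.conf sample is constructed for the example.

```python
import ipaddress
import re

# The two resolver addresses the post says the compromised routers were
# reconfigured to use. Any router or host pointing at them is a red flag.
HIJACK_INDICATORS = {"126.96.36.199", "188.8.131.52"}

# Sample resolv.conf-style input, constructed for this example.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the home router
search home.lan
nameserver 192.168.1.1      # the router itself forwards DNS upstream
nameserver 188.8.131.52     # pushed by a tampered router config
nameserver 8.8.8.8
"""

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if not m:
            continue
        try:
            found.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue                                  # skip malformed entries
    return found

def classify_resolver(addr):
    """Label one resolver address for the audit."""
    ip = ipaddress.ip_address(addr)
    if addr in HIJACK_INDICATORS:
        return "HIJACK-INDICATOR"
    if ip.is_private:
        # Typical DHCP setup: the host only sees the router as its resolver,
        # so the router's own upstream DNS setting must be checked separately.
        return "LAN (check the router's upstream DNS setting)"
    return "PUBLIC (confirm it is your ISP's or a resolver you chose)"

def audit_resolvers(text):
    """Map each configured resolver to its label; empty dict means none found."""
    return {addr: classify_resolver(addr) for addr in parse_nameservers(text)}

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{addr:<16} {verdict}")
```

A private-address result is not a clean bill of health: on most home setups the host only sees the router, so the DNS servers shown in the router's own configuration page are what actually need checking.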
Team Cymru recommends several ways to harden SOHO-class routers against the hacks used in the attacks mentioned above, but the methods require a familiarity with configuring network devices that is not usually found where these devices are installed. In order to make sure your router is secure, you’ll need to know the following:
- Who owns the router (you or the ISP)?
- If it’s owned by the ISP, are they managing it for you?
- If you own it, do you know the login and password for the device?
- Is your connection DHCP or static IP? (Most are the former, as static addresses are an additional charge.)
- If it’s static, make sure you have the IP information documented.
- If you have access to the configuration of the router, is remote management enabled? If so, does it need to be?
- Has your router been updated to the latest firmware? If managed by someone else, will they handle the update?
Not sure how to go about filling in these blanks? Reach out to someone you trust (maybe C2?) with some basic networking and router configuration expertise and have them look at your SOHO router. Your router is a critical device in your home and office network and if it were hacked, every device (and person) connected to it could be severely compromised.