New malware is targeting WiFi routers around the world. Here's what to do about it.
Two weeks after the FBI urged consumers to tighten the WiFi security in their homes, the security researchers who first identified the malware threat say it is potentially more harmful than originally thought.
On Wednesday, the researchers at Cisco's Talos information-security group expanded the list of products vulnerable to a type of malware known as VPNFilter. They also learned that the malware could enable a hacker to monitor traffic flowing through a home router, inject malicious code into that traffic, and steal personal data—all without detection.
An infected router could disable SSL encryption, for example, which would make your data viewable in plain text and allow hackers to steal passwords or financial information.
We are seeing "that bad actors are continuing to evolve the attack," says Talos director Craig Williams.
In its initial report on May 24, Talos stated that VPNFilter had affected half a million routers, along with certain other devices, in 54 countries. The group says that the overall number from its initial assessment has not changed, but dozens of additional models are now known to be vulnerable.
Editor's Note: This story has been updated to include new information from Talos on the malware threat and affected products.
"The average American could be compromised, giving attackers access to personal data and control over the device," says Williams. "This is why it is crucial that consumers install security updates regularly."
The devices are particularly important for consumers' security because they transmit all the data that flows in and out of the home, from emails to credit card information. VPNFilter could allow attackers to not only monitor data traffic but also shut down a network of routers or use them for illegal activity, according to Williams.
Routers have long been a favorite target for hackers. In Symantec’s latest annual Internet Security Threat Report, routers were the most frequently exploited type of device in IoT, or internet of things, attacks.
See If You're Vulnerable to VPNFilter
In its initial report, Talos identified more than a dozen products that are vulnerable to the malware. The list of manufacturers included Linksys, MikroTik, Netgear, QNAP, and TP-Link. On Wednesday, the group updated the list, adding 57 models from six new manufacturers: ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. To find it, you have to scroll to the bottom of Talos' long, fairly technical blog post. (You'll probably have to search your router itself for a label that identifies its model number.)
How do you know whether the malware has actually infected your router? According to both Williams and other security experts, there's no way to be sure.
"This is the scary part of router malware," says Craig Young, principal security researcher at Tripwire VERT, a security research firm. "A sophisticated attacker can create malware that would be completely undetectable by even tech-savvy end users. It is simply not possible for someone without specialized tools to confirm whether any particular router is infected or clean."
At this point, says Rich Fisco, who leads the router testing at Consumer Reports, everyone should take steps to upgrade their router security, just to be safe. To fix the problem, do a hard reset of the router and update the firmware, as described below. Even a model purchased yesterday could have out-of-date security software, explains Fisco, if it sat on a store shelf for a few months.
Update Your Firmware
Router manufacturers typically roll out software updates throughout the year to address security problems. And if your router has the latest updates, you're much less likely to be infected with VPNFilter. Researchers say the malware appears to take advantage of vulnerabilities that had already been identified in the past.
If your device may have been infected, experts say, you should start by doing a hard reset, which will revert the device to the way it was when it came from the factory. Note that doing this wipes out any changes you made to your router settings.
Many routers have a button you can press for several seconds to perform the reset. You may need a paper clip to do this—router makers intentionally make it a bit tricky to avoid accidental resets. If there's no button, you may need to log into the router settings, which will also allow you to update the software.
Newer models make this relatively easy through a mobile app, which you can download to a phone, just like any other app.
For other routers, you'll need to open a web browser and type in the device's IP address. Very often, the address is 192.168.0.1 or 192.168.1.1, but this varies by brand—as do the instructions for downloading and installing your software. So do an online search for the customer support pages for your router model.
Once you perform the update, don't log out.
Instead, take some more time to really harden your defenses against future attacks. Routers are chronically ignored by many consumers, but Consumer Reports' data security and router experts say that taking the following steps can help protect you going forward.
And these steps make sense even if your device isn't vulnerable to VPNFilter.
Turn On Automatic Updates
The easiest way to make sure your router always has the newest, safest software is to set up automatic updates, which are available on many newer models. To see whether this is an option for you, check the router's companion app or look in settings.
If your router doesn't allow for automatic updates, you'll have to periodically download and install the new software from the manufacturer's website yourself.
To be safe, do this every quarter, advises Fisco. You should also see whether there’s a way to get security notices via email from your router’s manufacturer. The best way is to complete the product registration process online, during which you’ll be given the option to receive notifications when new software is available.
But eventually companies will stop releasing new software for old routers—and just when this happens varies by brand.
“If you find your router is no longer getting updates,” Fisco says, “it's too risky to keep using it. Verify its status with the manufacturer, and if it has reached the ‘end-of-life’ stage, buy a new router.”
Use Strong Passwords
If you've never done so, you should change two crucial passwords on your router: the one that lets you manage the device's settings and the one that lets you connect other devices to its wireless network.
This prevents a hacker from using a default password—or one that's easy to guess with a little online sleuthing—to access your network and potentially control your router. If that were to happen, the hacker could change your passwords, spy on you, or access the files on a network-attached hard drive.
Be sure the passwords you create are strong. They should each comprise at least a dozen characters, using seemingly random upper- and lower-case letters, numbers, and symbols. “Having a password people can easily guess only prevents those who are indifferent from breaking in,” says Robert Richter, who oversees CR's security and privacy testing program.
Turn Off Features You Don't Use
Modern routers come with many handy features that help you manage your WiFi network, but some of them also create weak spots in your security wall. “The more things there are to poke at, the more likelihood one of them will break,” Richter says.
So while you’re logged into your router's settings, take a minute to review applications that could present opportunities for hackers.
If you don't use Remote Administration (also known as Remote Management or web access from WAN), make sure it's turned off. This denies access to the router's control panel from outside your home network. In most routers, the feature is off by default, but you should confirm this by visiting the advanced or administration section of the settings menu.
Disable Universal Plug-and-Play, which many home routers have enabled by default. UPnP can help devices on your home network connect to each other, but the added convenience isn't worth the security risk: This feature can make it easier for malware to spread through your network.
To disable UPnP, log into your router like you would when changing your password. Find the tools, advanced or advanced networks menu. From there, make sure the “Enable UPnP” box is unchecked.
After doing so, you may notice hiccups in the performance of certain devices on your network. You may need to retype the WiFi password into a Chromecast streaming stick, for example. But most laptops, speakers, TVs, and printers should make the transition without a hitch.
And, last, if you have a guest network without a password, disable it. You don't want unwanted guests using it without permission. Not even the neighbors' kid, who may decide to download movies illegally via your internet connection.
Install Antivirus Software
Antivirus software can protect your router—and by extension all devices connected to it—by identifying malicious software used to collect and encrypt the personal data on a computer, rendering it useless.
Just make sure you download the software from the manufacturer's official website, because scammers have been known to create fake sites. And double-check that you’re not grabbing a fee-based product by mistake.
No-cost applications, such as Avira Free Antivirus, can be very effective. However, the software you pay for tends to offer extra benefits. It may provide protection against phishing schemes used by cyberthieves to trick people into giving up login credentials or financial information, for example. It may also feature antispam protection, built-in backup software, and a browser toolbar that alerts you when you're visiting a site that hosts malware.
Use WPA2
The security protocols for routers improve over time, which means the old ones get outdated. In January, for example, the Wi-Fi Alliance announced enhanced security features that will be included in the latest standard—WPA3—expected to roll out later this year.
They include simplified settings, stronger password protection, and improved data encryption.
Currently, the best security is provided by a protocol called WPA2-AES, but your router may let you use another standard, such as the older WEP protocol, instead. (Sadly, acronyms are unavoidable when discussing router security.)
In settings, make sure you have WEP turned off and WPA2-AES turned on. If you have a really old device, this may not be an option, Fisco says. “Unfortunately, router manufacturing and security research aren’t always aligned,” says Richter. “So older routers may not be equipped with newer protocols.”
If you have one of those routers, he says, it's time to replace it.
Tercius Bufete
I'm an avid photographer and tech nerd with a passion for writing about gadgets and consumer technology. Originally from Los Angeles, I'm now an East Coast resident searching for the perfect burrito in Brooklyn. Follow me on @tercius.
See more at: Consumer Reports