Millions of home Wi-Fi routers under attack by botnet malware — what you need to know

Updated Aug. 11 with comment from Verizon and a rough guide on how to check your model for firmware updates.

Millions of home Wi-Fi routers are under attack by botnet malware, just a week after a researcher put up a blog post showing how to exploit a vulnerability in the routers' firmware.

The researcher, Evan Grant, isn't entirely at fault for this. He's the one who found the flaw (catalog number CVE-2021-20090) back in January, after he took apart a Buffalo-branded router sold in Japan. A patch fixing the firmware flaw was released by Buffalo in April, after Tenable, the firm Grant works for, informed Buffalo. 

The problem is that at least 36 other models of routers distributed by 20 different companies have identical or very similar flaws, and firmware patches may not be available yet for all of them. Few people even know that you need to update your router's firmware just as you need to update your computer or phone. 

Some of these routers may be rented to customers by internet service providers (ISPs). If so, then the ISPs will be responsible for the firmware updates.

The affected routers include models distributed by Asus, British Telecom, Buffalo, Deutsche Telekom, O2, Orange, SparkNZ, TelMex, Telstra, Telus, Verizon and Vodafone, among other brands, "potentially affecting millions of devices worldwide," according to a Tenable blog post first put up in April and a later Tenable white paper.

Router models affected by this flaw

Here's a full list of known affected models and the affected firmware:

| Vendor | Device | Found on version |
| --- | --- | --- |
| ADB | ADSL wireless IAD router | 1.26S-R-3P |
| Arcadyan | ARV7519 | 00.96.00.96.617ES |
| Arcadyan | VRV9517 | 6.00.17 build04 |
| Arcadyan | VGV7519 | 3.01.116 |
| Arcadyan | VRV9518 | 1.01.00 build44 |
| ASMAX | BBR-4MG / SMC7908 ADSL | 0.08 |
| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |
| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |
| ASUS | DSL-AC3100 | 1.10.05 build503 |
| ASUS | DSL-AC68VG | 5.00.08 build272 |
| Beeline | Smart Box Flash | 1.00.13_beta4 |
| British Telecom | WE410443-SA | 1.02.12 build02 |
| Buffalo | WSR-2533DHPL2 | 1.02 |
| Buffalo | WSR-2533DHP3 | 1.24 |
| Buffalo | BBR-4HG | |
| Buffalo | BBR-4MG | 2.08 Release 0002 |
| Buffalo | WSR-3200AX4S | 1.1 |
| Buffalo | WSR-1166DHP2 | 1.15 |
| Buffalo | WXR-5700AX7S | 1.11 |
| Deutsche Telekom | Speedport Smart 3 | 010137.4.8.001.0 |
| HughesNet | HT2000W | 0.10.10 |
| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |
| KPN | VGV7519 | 3.01.116 |
| O2 | HomeBox 6441 | 1.01.36 |
| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |
| Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |
| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |
| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |
| TelMex | PRV33AC | 1.31.005.0012 |
| TelMex | VRV7006 | |
| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |
| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |
| Telus | NH20A | 1.00.10debug build06 |
| Verizon | Fios G3100 | 2.0.0.6 |
| Vodafone | EasyBox 904 | 4.16 |
| Vodafone | EasyBox 903 | 30.05.714 |
| Vodafone | EasyBox 802 | 20.02.226 |

As you might guess by the number of phone companies among those brands, a good chunk of the affected models are all-in-one DSL gateway combination modem/routers that are given or leased to customers by internet service providers. 

Others use Fios or cellular data connections to get internet access, but almost all are routers combined with some form of broadband modem, not standalone routers that need a separate modem to get broadband access.

These routers were all manufactured by Taiwanese technology maker Arcadyan and then distributed under other names as part of a "white label" deal. 

The flaw is what's called a "path traversal vulnerability," in which remotely requesting certain files in the router's file system leads to a file that can be altered, giving the attacker control over the router from afar.

What you can do about this

Unfortunately, your options are limited if you are leasing or renting your home router or gateway from your ISP. If that is your situation, and your ISP is one of the brands mentioned above, then check the router for a model number to see if it matches a model mentioned.

Even then, though, it's hard to be sure, because some ISPs will not put the actual model number on the unit. Your best bet is to contact your ISP's customer service and bother them about this.

If you own your router, and you are somewhat technically skilled, then you should access the administrative settings to check the model number and firmware version. Plugging an Ethernet cable from a laptop into one of the router's Ethernet ports is the quickest way to do this. 

If your router is one of the models on this list and the firmware is out of date, you'll need to check for updated firmware. We have a generic guide on how to update your router's firmware, but in truth the procedure varies from model to model.

Some newer routers will update themselves, and others may have a mechanism within the administrative interface to check for firmware updates. Sometimes you'll have to go to the support website of the company whose name is on the router and see whether you can download an update from there.

If you're already in the administrative interface, then poke around and see if you can disable remote access. Turning that off will protect you from almost all router hacks that can be carried out over the internet.

Does the Verizon router have a firmware update? Stay tuned

One of the affected models appears to be the Verizon Fios G3100, a $300 Fios combination modem/router. We couldn't find any page on the Verizon website that might offer a firmware update, so we initiated a chat with a Verizon support representative. 

The support rep bounced us to a chat with the technical team, who insisted that "we ensure that our equipments and services are secure at all level" and that customers whose equipment was affected by any flaw would be contacted by text message.

We asked the technician on the chat whether the Verizon Fios G3100's firmware had been updated to fix the CVE-2021-20090 flaw. The technician replied that they did not have the "in-depth knowledge" for the answer and gave us the generic Verizon contact page.

We have sent an emailed query to Verizon press representatives and will update this story when we receive a reply.

Update: A Verizon representative provided us with this statement: 

"Our security teams are actively addressing the recently reported router authentication bypass concerns. Verizon will provide an update to the Fios Router software and/or firmware to address the issue, which affects roughly 2% of our Fios router customers. There will be no action needed by the customer to receive this update."

What about the Asus models?

It was a bit easier to find web pages with firmware updates for the four Asus models mentioned by Tenable as being potentially vulnerable. Unfortunately, none of the four appear to have received any new updates since at least December 2018. 

Here are links to each model's firmware update page, if you'd like to check back later: DSL-AC88U, DSL-AC87VG, DSL-AC3100 and DSL-AC68VG.

A serious flaw

Grant put up his blog post, which contained information on how the flaw could be exploited, on Aug. 3. On Aug. 6, researchers from network-hardware maker Juniper Networks said a known malware crew had incorporated Grant's methods into its arsenal and was using them to attack Arcadyan-based routers.

The malware crew is infecting the routers with a variant of the Mirai botnet, which was first spotted in the summer of 2016 and led to some widespread attacks that fall. Once infected, the routers will function properly, but they may also secretly be used by criminals to send spam or launch distributed denial-of-service (DDoS) attacks.

One of the Buffalo models, the WSR-2533DHPL2, contains two other firmware flaws, for which the Tenable blog post included proof-of-concept exploits. Buffalo has issued firmware updates for these as well.

"The vendor selling you the device is not necessarily the one who manufactured it," said Grant in his blog post. "If you find bugs in a consumer router's firmware, they could potentially affect many more vendors and devices than just the one you are researching."

Paul Wagenseil
