Updated Aug. 11 with comment from Verizon and a rough guide on how to check your model for firmware updates.
Millions of home Wi-Fi routers are under attack by botnet malware, just a week after a researcher put up a blog post showing how to exploit a vulnerability in the routers' firmware.
The researcher, Evan Grant, isn't entirely at fault for this. He's the one who found the flaw (catalog number CVE-2021-20090) back in January, after he took apart a Buffalo-branded router sold in Japan. A patch fixing the firmware flaw was released by Buffalo in April, after Tenable, the firm Grant works for, informed Buffalo.
- Your Wi-Fi router may tell everyone where you live — what you can do
- The best Wi-Fi routers you can buy
- How to access your router's settings
- Plus: This Mac malware breaks through Apple's defenses — what to do
The problem is that at least 36 other models of routers distributed by 20 different companies have identical or very similar flaws, and firmware patches may not be available yet for all of them. Few people even know that you need to update your router's firmware just as you need to update your computer or phone.
Some of these routers may be rented to customers by internet service providers (ISPs). If so, then the ISPs will be responsible for the firmware updates.
The affected routers include models distributed by Asus, British Telecom, Buffalo, Deutsche Telekom, O2, Orange, SparkNZ, TelMex, Telstra, Telus, Verizon and Vodafone, among other brands, "potentially affecting millions of devices worldwide," according to a Tenable blog post first put up in April and a later Tenable white paper.
Router models affected by this flaw
Here's a full list of known affected models and the affected firmware:
| Vendor | Device | Found on version |
|---|---|---|
| ADB | ADSL wireless IAD router | 1.26S-R-3P |
| Arcadyan | ARV7519 | 00.96.00.96.617ES |
| Arcadyan | VRV9517 | 6.00.17 build04 |
| Arcadyan | VGV7519 | 3.01.116 |
| Arcadyan | VRV9518 | 1.01.00 build44 |
| ASMAX | BBR-4MG / SMC7908 ADSL | 0.08 |
| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |
| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |
| ASUS | DSL-AC3100 | 1.10.05 build503 |
| ASUS | DSL-AC68VG | 5.00.08 build272 |
| Beeline | Smart Box Flash | 1.00.13_beta4 |
| British Telecom | WE410443-SA | 1.02.12 build02 |
| Buffalo | WSR-2533DHPL2 | 1.02 |
| Buffalo | WSR-2533DHP3 | 1.24 |
| Buffalo | BBR-4HG | Row 14 - Cell 2 |
| Buffalo | BBR-4MG | 2.08 Release 0002 |
| Buffalo | WSR-3200AX4S | 1.1 |
| Buffalo | WSR-1166DHP2 | 1.15 |
| Buffalo | WXR-5700AX7S | 1.11 |
| Deutsche Telekom | Speedport Smart 3 | 010137.4.8.001.0 |
| HughesNet | HT2000W | 0.10.10 |
| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |
| KPN | VGV7519 | 3.01.116 |
| O2 | HomeBox 6441 | 1.01.36 |
| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |
| Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |
| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |
| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |
| TelMex | PRV33AC | 1.31.005.0012 |
| TelMex | VRV7006 | Row 29 - Cell 2 |
| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |
| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |
| Telus | NH20A | 1.00.10debug build06 |
| Verizon | Fios G3100 | 2.0.0.6 |
| Vodafone | EasyBox 904 | 4.16 |
| Vodafone | EasyBox 903 | 30.05.714 |
| Vodafone | EasyBox 802 | 20.02.226 |
As you might guess by the number of phone companies among those brands, a good chunk of the affected models are all-in-one DSL gateway combination modem/routers that are given or leased to customers by internet service providers.
Others use Fios or cellular data connections to get internet access, but almost all are routers combined with some form of broadband modem, not standalone routers that need a separate modem to get broadband access.
These routers were all manufactured by Taiwanese technology maker Arcadyan and then distributed under other names as part of a "white label" deal.
The exploit is what's called a "path traversal vulnerability" in which trying to remotely access certain files in the router's file system will lead you to a file that can be altered, giving the attacker control over the router from afar.
What you can do about this
Unfortunately, your options are limited if you are leasing or renting your home router or gateway from your ISP. If that is your situation, and your ISP is one of the brands mentioned above, then check the router for a model number to see if it matches a model mentioned.
Even then, though, it's hard to be sure, because some ISPs will not put the actual model number on the unit. Your best bet is to contact your ISP's customer service and bother them about this.
If you own your router, and you are somewhat technically skilled, then you should access the administrative settings to check the model number and firmware version. Plugging an Ethernet cable from a laptop into one of the router's Ethernet ports is the quickest way to do this.
If your router is one of the models on this list and the firmware is out of date, you'll need to check for updated firmware. We have a generic guide on how to update your router's firmware here, but in truth the procedure varies from model to model.
Some newer routers will update themselves, and others may have a mechanism within the administrative interface to check for firmware updates. Sometimes you'll have to go to the support website of the company whose name is on the router and see whether you can download an update from there.
If you're already in the administrative interface, then poke around and see if you can disable remote access. Turning that off will protect you from almost all router hacks that can be carried out over the internet.
Does the Verizon router have a firmware update? Stay tuned
One of the affected models appears to be the Verizon Fios G3100, a $300 Fios combination modem/router. We couldn't find any page on the Verizon website that might offer a firmware update, so we initiated a chat with a Verizon support representative.
The support rep bounced us to a chat with the technical team, who insisted that "we ensure that our equipments and services are secure at all level" and that customers whose equipment was affected by any flaw would be contacted by text message.
We asked the technician on the chat whether the Verizon Fios G3100's firmware had been update to fix the CVE-2021-20090 flaw. The technician replied that they did not have the "in-depth knowledge" for the answer and gave us the generic Verizon contact page.
We have sent an emailed query to Verizon press representatives and will update this story when we receive a reply.
Update: A Verizon representative provided us with this statement:
"Our security teams are actively addressing the recently reported router authentication bypass concerns. Verizon will provide an update to the Fios Router software and/or firmware to address the issue, which affects roughly 2% of our Fios router customers. There will be no action needed by the customer to receive this update."
What about the Asus models?
It was a bit easier to find web pages with firmware updates for the four Asus models mentioned by Tenable as being potentially vulnerable. Unfortunately, none of the four appear to have received any new updates since at least December 2018.
Here are links to each model's firmware update page, if you'd like to check back later: DSL-AC88U, DSL-AC87VG, DSL-AC3100 and DSL-AC68VG.
A serious flaw
Grant put up his blog post, which contained information on how the flaw could be exploited, on Aug. 3. On Aug. 6, researchers from network-hardware maker Juniper Networks said a known malware crew had incorporated Grant's methods into its arsenal and was using them to attack Arcadyan-based routers.
The malware crew is infecting the routers with a variant of the Mirai botnet, which was first spotted in the summer of 2016 and led to some widespread attacks that fall. Once infected, the routers will function properly, but they may also secretly be used by criminals to send spam or launch distributed denial-of-service (DDoS).
One of the Buffalo models, the WSR-2533DHPL2, contains two other firmware flaws, for which the Tenable blog post included proof-of-concept exploits. Buffalo has issued firmware updates for these as well.
"The vendor selling you the device is not necessarily the one who manufactured it," said Grant in his blog post. "If you find bugs in a consumer router's firmware, they could potentially affect many more vendors and devices than just the one you are researching."
- More: How to see who's using your Wi-Fi network
- How to delete a Wi-Fi network on Android and iOS
