Home Routers Under Attack by NSA-Spawned Malware: What to Do
Remember: You're not paranoid if they're actually watching you.
If you have an older home router with Universal Plug and Play (UPnP) switched on, there is a real chance that it has been hijacked to expose the computers behind it to exploit code originally developed by none other than the U.S. National Security Agency.
NSA headquarters in Fort Meade, Maryland. Credit: National Security Agency
The good news is that the NSA is not actually behind this. The bad news is that some very crafty cybercriminals are, and fixing the problem isn't easy, if you can spot it at all.
What you should do is factory-reset your router, which clears any port-forwarding rules that have been injected into it; then disable UPnP, since the reset restores the factory defaults and usually turns it back on; then check for firmware updates, since some manufacturers have patched the problem out. This won't clean any machine behind the router that has already been attacked, but it's a necessary first step.
After that, you can factory-reset any other internet-connected device that you're concerned about. You might also want to just buy a new router: the problem only affects routers that answer UPnP requests on their Internet-facing (WAN) side, which recent models do not appear to do.
This information comes from a blog post entitled "UPnProxy: EternalSilence" penned by researchers at Cambridge, Massachusetts-based content-delivery and cloud-security company Akamai. It draws from an earlier Akamai white paper, "UPnProxy: Blackhat Proxies via NAT Injections," that goes into the attack method in great detail.
The details are complicated, but here's a summary: Older routers with UPnP on often answer UPnP requests on their Internet-facing side as well as on the home network, so anyone on the Internet can ask them to add port-forwarding rules. Akamai calls this technique "UPnProxy," and it was first used to turn routers into proxies that relay the attackers' own traffic. The most recent wave, which Akamai calls "EternalSilence" in a nod to the NSA-developed "Eternal" family of exploits, instead injects rules that expose the SMB file-sharing ports (139 and 445) of the machines behind the router, Windows PCs and Linux systems running Samba alike, so that they can be attacked directly from the Internet.
The bottom line is clear enough: Your router is the gateway to every connected device in your home, from your computer, to your phone, to your smart TV, to your smart light bulbs. If your router has been compromised, it’s possible that every other device in your home has followed suit.
Unfortunately, checking whether your router has been hit is hard. Antivirus software doesn't normally scan routers (a few products have begun to), and the injected rules live in the router's port-forwarding table rather than in any file a scanner would look at. If malware makes it as far as your computer or game console, though, it'll be easier to notice.
Cryptocurrency mining is a common cybercriminal use for a hijacked machine, as is drafting it into a botnet. Either one will usually show up as a noticeable slowdown, and either means it's time to back up your data and factory-reset the device.
As for the router itself, first check the earlier Akamai report to see if your model is listed as vulnerable to UPnProxy. Dozens of router models are on that list, including models from Asus, D-Link and Netgear. The majority of models listed, though, are business-oriented devices that are popular in Europe and Asia, such as those from Axler, EFM, Netis and Ubiquiti.
If your router is on this list, just disabling UPnP might not be enough. If rules have already been injected, turning UPnP off doesn't necessarily remove them; that would be the equivalent of closing the barn door after the horses have fled, which is why the factory reset comes first.
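The check a practitioner would actually run is to ask the router for its port-forwarding table. The script below is an added example written for this page, not code from Akamai or from the original article: it discovers the gateway from inside the LAN, walks its UPnP WANIPConnection mapping table, and flags the two patterns Akamai describes, a mapping whose "internal" client is really an Internet host (the UPnProxy relay) and a mapping that exposes SMB (port 139 or 445) on a LAN machine (the EternalSilence case). It assumes the router exposes a WANIPConnection:1 service to the LAN, that your LAN is 192.168.1.0/24 unless you pass another subnet as the first argument, and that the string "galleta silenciosa", which Akamai reported as the description on the injected rules, is still what the injections carry. The sample response at the bottom is constructed for the offline demonstration, not captured from a real device.

```python
import ipaddress, re, socket, sys, urllib.error, urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalClient",
          "NewInternalPort", "NewPortMappingDescription")
SMB_PORTS = {139, 445}  # what the EternalSilence rules forward to
ETERNALSILENCE_TAG = "galleta silenciosa"  # rule description Akamai reported seeing (assumed still in use)

def soap_request(index: int) -> str:
    """SOAP body for GetGenericPortMappingEntry, fetching mapping-table entry `index`."""
    return ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(soap_xml: str) -> dict:
    """Pull FIELDS out of a GetGenericPortMappingEntryResponse (its argument elements carry no namespace)."""
    root = ET.fromstring(soap_xml)
    m = {}
    for name in FIELDS:
        el = root.find(f".//{name}")
        m[name] = (el.text or "").strip() if el is not None else ""
    return m

def assess(m: dict, lan: str = "192.168.1.0/24") -> list[str]:
    """Findings for one mapping; an empty list means it looks like an ordinary port forward."""
    try:
        client = ipaddress.ip_address(m["NewInternalClient"])
        port = int(m["NewInternalPort"])
    except ValueError:
        return [f"unparseable mapping {m!r}"]
    findings = []
    if client not in ipaddress.ip_network(lan):  # router relays traffic to another Internet host
        findings.append(f"internal client {client} is not on the LAN (UPnProxy relay)")
    if port in SMB_PORTS:  # the EternalSilence exposure
        findings.append(f"SMB port {port} on {client} reachable from the Internet")
    if ETERNALSILENCE_TAG in m["NewPortMappingDescription"].lower():
        findings.append("description matches the EternalSilence injections")
    return findings

def discover_igd(timeout: float = 2.0):
    """SSDP M-SEARCH on the LAN; returns the gateway's description URL, or None if nothing answers."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\n'
           "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, ("239.255.255.250", 1900))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hit = re.search(rb"(?im)^location:\s*(\S+)", data)
    return hit.group(1).decode() if hit else None

def control_url(desc_url: str):
    """Find the WANIPConnection:1 controlURL in the gateway's device description XML."""
    with urllib.request.urlopen(desc_url, timeout=5) as r:
        root = ET.fromstring(r.read())
    for svc in root.iter():
        if svc.tag.rsplit("}", 1)[-1] == "service":
            f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in svc}
            if f.get("serviceType") == WANIP and f.get("controlURL"):
                return urljoin(desc_url, f["controlURL"])
    return None

def enumerate_mappings(ctl: str, limit: int = 64) -> list[dict]:
    """Walk the mapping table by index; past the last entry the router answers HTTP 500 (UPnP error 713)."""
    out = []
    for i in range(limit):
        req = urllib.request.Request(ctl, data=soap_request(i).encode(), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                out.append(parse_mapping(r.read().decode()))
        except urllib.error.HTTPError:
            break
    return out

# Constructed sample response (not captured from a real router), shaped like an EternalSilence entry.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}"><NewRemoteHost></NewRemoteHost>
<NewExternalPort>445</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>445</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>galleta silenciosa</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    lan = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    desc = discover_igd()
    if not desc or not (ctl := control_url(desc)):
        sys.exit("no UPnP gateway answered on the LAN (UPnP off, or no WANIPConnection service)")
    for m in enumerate_mappings(ctl):
        flags = assess(m, lan)
        print(f"{m['NewProtocol']} {m['NewExternalPort']} -> {m['NewInternalClient']}:{m['NewInternalPort']}",
              f"{m['NewPortMappingDescription']!r}", "SUSPICIOUS: " + "; ".join(flags) if flags else "ok")
```

Run it from a machine attached to the router; no answer or an empty table is the good outcome. One caveat: this reads the table from the inside, whereas the attack arrives from the Internet side, so a clean table today does not prove the router refuses UPnP requests on its WAN interface. The update, reset and disable-UPnP steps above still apply.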
While Akamai doesn't have hard numbers for how many machines behind these routers have actually been attacked, it found at least 277,000 routers exposed to UPnProxy right now. Of those, about 45,000 already carry injected EternalSilence rules. Extrapolating from the number of devices typically sitting behind each router, that's 1.7 million machines that are either exposed right now or at serious risk of being exposed.
Akamai is not exactly sure what cybercriminals are doing with the infected machines, but cryptocurrency mining and botnet-drafting, as mentioned above, are always popular options. If an attacker chooses to inject more aggressive malware into a machine, the malware could steal usernames, passwords, financial information and more.
As for EternalSilence itself, it does indeed have a connection to the data-hungry NSA. The agency developed an exploit called EternalBlue, which attacks a flaw in the SMBv1 file-sharing protocol in Windows (CVE-2017-0144), presumably for use against its own targets.
But after the Shadow Brokers leaked the exploit online in 2017, cybercriminals adopted it for their own use, most notably in the pernicious WannaCry and NotPetya attacks. EternalRed, also known as SambaCry, is a separate exploit for a flaw in Samba, the SMB implementation used on Linux and other Unix-like systems (CVE-2017-7494); it shares the "Eternal" name but is not derived from EternalBlue. EternalSilence, in turn, is not an exploit at all but Akamai's name for the campaign: the injected UPnP rules expose SMB to the Internet, and EternalBlue and EternalRed are what an attacker would then use against the exposed Windows and Samba machines.
So there you have it: Exploits descended from a U.S. government project are being aimed at machines all around the world that were supposed to be safe behind their routers, with the routers themselves tricked into opening the door. The diagnosis is complicated, and the fix is even more difficult.
As always, your best course of action is to buy a well-supported router in the first place, keep the firmware on every device you own up to date, and leave UPnP switched off unless something you use actually needs it.