Russians Hack Wi-Fi Routers: What to Do Right Now
It's a pain in the neck, but you should probably factory-reset your home wireless router as soon as possible. You definitely need to do this if you own one of several Netgear, Linksys, TP-Link or MikroTik models.
That's because at least 500,000 routers and other devices worldwide have been infected by sophisticated malware that likely comes from Russian state-sponsored hackers, as Cisco Talos labs disclosed last week. The malware, which Cisco Talos calls "VPNFilter," can steal personal information, redirect web traffic, infect other devices and -- worst of all -- even "brick" infected devices to make them unusable.
The FBI said owners of any small-office/home-office (SOHO) routers should reboot their devices, but that won't fully get rid of the malware. (The FBI seized a web domain crucial to the malware's operations, but that may be only a temporary fix.)
You actually have to reset the router to factory-default settings to make sure the VPNFilter malware is gone. Several specific router models are known to be affected by VPNFilter, but Cisco Talos fears those might just be the tip of the iceberg.
Cisco Talos listed the definitively affected routers as the Linksys E1200, E2500 and WRVS4400N; the Netgear DGN2200, R6400, R7000, R8000, WNR1000 and WNR2000; and the TP-Link TL-R600VPN SafeStream VPN router. MikroTik Cloud Core routers, mainly used by enterprises, may be affected if they run versions 1016, 1036 or 1072 of the MikroTik RouterOS.
Cisco Talos found that two QNAP network-attached-storage (NAS) drives, the TS-251 and TS-439 Pro, were also affected by VPNFilter.
But Cisco Talos isn't done with its research.
"Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected," Cisco Talos researchers wrote in a blog posting.
"We recommend that users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them," the posting said. "Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat."
All the routers affected by VPNFilter had previously disclosed vulnerabilities, and Cisco Talos assumes that the bad guys got in by exploiting those flaws. However, it's hard to detect the VPNFilter infection, and updated devices may have been infected before patches were applied, so it might be best to start from scratch.
How to Factory-Reset Your Router
Before you reset your router, do a little preparation. Write down the names of and passwords for your wireless networks. That way, you can set up the router again with the same information and all your devices will re-connect easily.
Make sure that you have any router setup disks, instructions or software at hand if you need to refer to them. If you don't, you can get them from the router maker's website. You should also have an Ethernet cable; there's usually one in the retail box with the router.
Finally, make sure that no one else, and no device, in your household is actively using the internet connection, as the reset and setup process can take up to an hour.
Next comes the actual reset. There's often a small pinhole button on the underside or back of the router that performs a factory reset if you press it with a pin or the end of a paperclip. If there isn't, check your router maker's website for specific factory-reset instructions.
Press the button, or do what the router maker's website tells you to do. Then follow the regular setup instructions. You'll probably have to run a setup program from a PC or Mac while connected to the router via an Ethernet cable.
As indicated above, create the wireless network or networks using the same network names and access passwords as before, so that your Wi-Fi-enabled devices can connect painlessly.
But make sure you change the default administrative password that came with the factory reset. You should also disable remote administrative access if you can.
Then install the latest firmware updates for your router. We've got instructions on how to do this with the major router brands here.