Your old router is an absolute goldmine for hackers. In the last three years, cyber attacks against insecure routers have rocketed. Last year there were 35 families of threat and the number is only set to increase.
For your average internet user, a wireless router is something they plug in and then forget about – returning only to awkwardly read the Wi-Fi password off a sticker on the base, or to toggle the on switch when the internet goes down. “Most users just don’t care about their router,” says Martin Hron, a security researcher at Avast. “It’s just that thing that sits in the corner catching dust.”
That is now causing big problems. Many routers are left without updates for years. They are a mess of security flaws, easily compromised by hackers or malware. Research by the American Consumer Institute last year found that 83% of home and office routers have vulnerabilities that could be exploited by attackers, including popular brands such as Linksys, NETGEAR and D-Link.
Once compromised, routers can be used to carry out Distributed Denial of Service attacks (DDoS), or for credential stuffing, where hackers gain access to someone’s password for one site, and use the botnet to quickly try it at lots of other places. They can also be used to hide the origins of illicit activity – traffic will appear to be coming from random residential addresses rather than its true source. With increasing fibre broadband speeds, some users might not even notice that their router is being used to hide someone else’s traffic, or for mining Bitcoin.
For home users, the biggest risk is their personal data being stolen. In August, security researchers at Radware spotted an exploit spreading across D-Link routers in Brazil, which eventually affected 100,000 devices. This particular attack was aimed at customers of Banco do Brasil, and used the hijacked routers and some DNS redirection to send them to a cloned version of the bank’s website, which stole their log-in details.
“The criminal community has woken up to the many holes in legacy firmware,” says Tom Gaffney, a security advisor at F-Secure. There are online databases where would-be cyber criminals can enter the name of a router manufacturer and instantly access a list of known vulnerabilities. Some entries even list the code required to take advantage.
As we connect more and more Internet of Things (IoT) devices to our routers – voice assistants, smart doorbells – the risks increase. Your connected security cameras might have robust protections, but if your router doesn’t, the whole system is vulnerable. “It’s like being broken into,” says Bharat Mistry, principal security strategist at Trend Micro.
A number of high-profile attacks, such as Mirai, have made use of unsecured routers and other unprotected IoT devices to wreak havoc, and known vulnerabilities are growing. “The first IoT-specific threat (including routers) was back in 2003,” says Gaffney. “Then it’s nothing until 2015, and we had five families of threats in 2016. In 2018, we classified 35 families of threats, so we’ve definitely seen a big explosion.”
These include malware, such as VPNFilter, which was thought to be sponsored by the Russian government, and is estimated to have infected more than half a million routers worldwide. Other exploits have taken advantage of Universal Plug and Play, which allows connected devices to find and join together more easily. In November 2018, more than 45,000 routers were hit by an exploit that was developed by America’s National Security Agency and then leaked to the Internet, and which relies on vulnerable implementations of this technology.