For your average internet user, a wireless router is something they plug in and then forget about – returning only to awkwardly read the Wi-Fi password off a sticker on the base, or to toggle the on switch when the internet goes down. “Most users just don’t care about their router,” says Martin Hron, a security researcher at Avast. “It’s just that thing that sits in the corner catching dust.”
But that’s causing big problems. Many routers are left without updates for years. They’re a mess of security flaws, easily compromised by hackers or malware. Research by the American Consumer Institute last year found that 83 per cent of home and office routers have vulnerabilities that could be exploited by attackers, including popular brands such as Linksys, NETGEAR and D-Link.
Once compromised, routers can be used to carry out Distributed Denial of Service attacks (DDoS), or for credential stuffing, where hackers gain access to someone’s password for one site, and use the botnet to quickly try it at lots of other places. They can also be used to hide the origins of illicit activity – traffic will appear to be coming from random residential addresses rather than its true source. With increasing fibre broadband speeds, some users might not even notice that their router is being used to hide someone else’s traffic, or for mining Bitcoin.
For home users, the biggest risk is their personal data being stolen. In August, security researchers at Radware spotted an exploit spreading across D-Link routers in Brazil, which eventually affected 100,000 devices. This particular attack was aimed at customers of Banco do Brasil, and used the hijacked routers and some DNS redirection to send them to a cloned version of the bank’s website, which stole their log-in details.
“The criminal community has woken up to the many holes in legacy firmware,” says Tom Gaffney, a security advisor at F-Secure. There are online databases where would-be cyber criminals can enter the name of a router manufacturer and instantly access a list of known vulnerabilities. Some entries even list the code required to take advantage.
As we connect more and more Internet of Things (IoT) devices to our routers – voice assistants, smart doorbells – the risks increase. Your connected security cameras might have robust protections, but if your router doesn’t, the whole system is vulnerable. “It’s like being broken into,” says Bharat Mistry, principal security strategist at Trend Micro.
A number of high-profile attacks, such as Mirai, have made use of unsecured routers and other unprotected IoT devices to wreak havoc, and known vulnerabilities are growing. “The first IoT specific threat (including routers) was back in 2003,” says Gaffney. “Then it’s nothing until 2015, and we had five families of threats in 2016. In 2018, we classified 35 families of threats, so we’ve definitely seen a big explosion.”
These include malware, such as VPNFilter, which was thought to be sponsored by the Russian government, and is estimated to have infected more than half a million routers worldwide. Other exploits have taken advantage of Universal Plug and Play, which allows connected devices to find and join together more easily. In November 2018, more than 45,000 routers were hit by an exploit that was developed by America’s National Security Agency and then leaked to the Internet, and which relies on vulnerable implementations of this technology.
“It’s a number of things,” says Mistry. “Routers are basically small microcomputers, so anything that can infect those can target a router.” Things like shared libraries have been vulnerable. “Most developers aren’t going to write a library from scratch, and they could be taken from a public repository. The problem then is that you need someone to be constantly validating libraries to make sure they’re patched on a regular basis.” The longer a piece of firmware is out in the world, the more vulnerable it becomes, and some routers are still running seriously outdated versions of Linux.
But the biggest problem is that most home users just aren’t that tech savvy. A lot still use the default passwords, both for the Wi-Fi network itself, and for the admin account associated with it. The Banco do Brasil scam is one of many attacks that relied on this weakness.
Some believe that setting up a new router is now too easy. “In the past you had to configure it and set passwords, now it’s just plug it in and off you go,” says Gaffney. Hron agrees. “If the device works out of the box, it usually stays in a default configuration.” Adding a few steps to the process, such as forcing people to set their own passwords, would make everybody a lot safer.
“It would make sense to disable the internet until the user goes through some set up on the device,” he argues. Generally, routers provided by the big ISPs are now up to date when they arrive, and come with unique password details for each device. But those bought online, particularly the cheaper models, are more likely to be vulnerable, and more likely to give everyone the same password.
And that still doesn’t solve the problem of out-of-date, vulnerable firmware, something that’s hardly a priority for your average internet user. Vendors and ISPs have to bear some of the blame here too. “Very few of them until recently have had an active upgrade policy,” says Gaffney.
The researchers we spoke to believe ISPs need to find a better way of making sure people keep their router’s firmware up to date. Even when vulnerabilities are exposed, it can take months for fixes to actually reach users. When a hole was spotted in MikroTik routers, for example, the company quickly rolled out a patch, but with more than two million of the company’s routers out in the wild, many remain vulnerable. One white-hat hacker has taken it upon himself to fix the problem, and has remotely patched more than 100,000 routers himself.
ISPs could be doing more to educate, for example by sending regular email bulletins with guidance and firmware updates, but that could potentially leave users vulnerable to phishing scams. “I think the ISPs and vendors should make things a lot easier,” says Mistry, who suggests a tiered system where those advanced users who want more control of their set-up can have the option, but everyone else just gets updates rolled out automatically over the air. Amazon’s Echo smart speaker receives updates in this way, without notifying users beforehand, for example.
“There’s always a trade-off between ease and security,” says Gaffney – and right now, our plug-and-play routers are making life a breeze for cyber criminals.