Router Security Routers in the news Website by     
Michael Horowitz 
Home | Site Index | Bugs | News | Security Checklist | Tests | Resources | Stats | About | Search |

Routers in the news, pretty much means routers getting exploited by bad guys to do bad things. I am still waiting for a good news story about routers. The flaws that are exploited are documented on the Bugs page. Articles that offer security advice are listed on the Other router security advice page.


APRIL 2018

UPnProxy- the UPnP abuse will never die - no progress in 5 years

UPnProxy: Blackhat Proxies via NAT Injections
by Akamai   undated (sometime this month)
UPnP was intended to be used on a LAN and, as such, all devices were considered trusted and the protocol has no security at all. It's an old protocol. Back in January 2013 it was discovered that millions of routers were exposing UPnP on their WAN side (the Internet) by mistake. For more on this see the Bugs page. Here we are, 5 years later and this is still true. It seems nothing was done about the millions of buggy/vulnerable routers from 2013. Last month, Symantec wrote about a cyber espionage group known as the Inception Framework abusing UPnP to forward traffic from one router to another to another to another, etc. This lets bad guys hide the true source of their bad deeds. The link and summary are on this page, under March 2018. Now, Akamai is reporting the same thing and they call it UPnProxy. Akamai says it detected over 4.8 million routers that expose various UPnP services via the WAN interface. Again, there should be none, UPnP was only intended for LAN side use. Of these exposed routers, Akamai says over 65,000 home routers are currently being abused. No need for a VPN or Tor when you bounce your Internet data through dozens of other people's routers. This is a gift to spammers, phishers, botnets and the like. It is a bit like having a dedicated bad-guy-only version of Tor. Akamai was kind enough to shame the buggy and vulnerable devices and their manufacturers. Asus is a disgrace, they have a large number of vulnerable devices. Some other manufacturers on the list are D-Link, Ubiquiti, Netgear and ZyXel. Peplink was not on the list. Akamai also blamed ISPs because they are in a position to block UPnP traffic that was never meant to traverse the Internet in the first place. Comcast deserves credit here, they block UDP port 1900. This story did not get nearly enough attention. My guess is that it is beyond the technical comprehension of the many Art History majors that cover technology. Steve Gibson's discussion of UPnProxy (link below) is the only one worth reading/hearing.
- - - -
WHAT YOU CAN DO: How can you tell if your router exposes UPnP to the Internet at large? Steve Gibson has the only test that I am aware of. It is part of his Shields Up! service, the link is below. Every consumer router that I have seen ships with UPnP enabled. So, first off, disable UPnP in your router and then test to see if it was disabled on the Internet/WAN side of the house. Akamai noted that UDP port 1900 is what makes a vulnerable router discoverable. Click here to test if UDP port 1900 is open on your router. Also, check if your router is doing any port forwarding at all. Nothing to do with UPnProxy, all forwarded ports are holes in the router firewall and thus potential security weaknesses. For an Asus router go to System Log, then the Port Forwarding tab. If you see nothing, then you are safe, at the moment. In this screen shot, we see five ports are being forwarded. These are normal forwarding rules in that the destination is a computer on the LAN - they all start with 192.168.1. Victims of UPnProxy would see a public IP address in the "Redirect to" column. I have no idea why UDP port 54051 is being forwarded on this Asus router. For a TP-Link router, go to the Advanced tab, then NAT forwarding, then UPnP. Again, nothing being forwarded is good. In this screen shot, we see two forwarding rules, both to an "Internal IP Address" (starting with 192.168.0). I don't know if any routers let you disable or delete a UPnP created forwarding rule. As we can see in these two screen shots, neither Asus nor TP-Link supports this. But, at least they do report on UPnP created port forwarding. I tried the emulator for a couple Linksys Smart routers and they do not seem to report on this at all. Exposing UPnP also opens up your router to attack which Akamai described in their report. It basically converts Remote Administration to Local Administration. To defend against this, change the port number(s) used for local administration and change the LAN side IP address of the router. And, of course, change the router admin password, and, when possible, the router admin userid too. All that said, the Defensive Computing thing to do is to replace a router exposing UPnP on the Internet. It shows the manufacturer is incompetent.

The Russians Are Coming, The Russians Are Coming

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
by the Department of Homeland Security, the FBI and the National Cyber Security Centre in the UK   April 16, 2018
Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit devices. Instead, they take advantage of: devices with legacy unencrypted protocols or unauthenticated services, devices insufficiently hardened before installation, and devices no longer supported with security patches. These factors allow access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population. Network devices are ideal targets. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.
The Russians, like many others, are abusing Cisco Smart Install enabled devices. There is more about abusing Smart install below, dated April 6th. Details on the Smart Install flaws are on the Bugs page under March 2018. Also being attacked are Generic Routing Encapsulation (GRE) and Simple Network Management Protocol (SNMP). The National Cyber Security Centre (NCSC) is an arm of British intelligence agency GCHQ.
From my Defensive Computing perspective, there is nothing special about Russia, all Internet-facing devices are scanned all the time. I blogged about this last month, Routers are constantly being probed - examining a firewall log

Hacked routers with malicious DNS servers lead to Android malware

Roaming Mantis uses DNS hijacking to infect Android smartphones
By Suguru Ishimaru of Kaspersky Lab Securelist   April 16, 2018
Android malware, dubbed Roaming Mantis, is distributed through router DNS hijacking. When a user attempts to access any website via a compromised router, they are redirected to a malicious website. For example, if a web browser tried to access, it would be redirected to a rogue server that had nothing to do with the security research blog. The nature of the malicious website is hidden from the victim because the web browser displays the original URL. The malicious web page implores the victim to update to the latest version chrome. Victims that install the banking malware have their login credentials stolen. The malware can read SMS messages so it also steals the secret verification code used for two-factor authorization. The article goes into details on the malware, but says nothing about how the routers may have been hacked. It also offers bad advice: "If you have any concerns about the DNS settings on your router, please check the user manual and verify that your DNS settings haven't been tampered with, or contact your ISP for support." Better advice is to use the DNS server tester pages listed here to learn what your DNS servers are.

Hacking routers is the latest thing among bad guys

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks
By Catalin Cimpanu of Bleeping Computer   April 12, 2018
According to Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, the number of Advanced Persistent Threats leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. Maybe I should put ads on this site. Their research uncovered the LuckyMouse APT which uses routers for hosting their command and control servers, which, Raiu said, is unusual. They believe that the routers were hacked through an SMB vulnerability which allowed the bad guys to upload CGI scripts. He also pointed out that the US government released a document saying that router attacks have been the preferred attack vector for a number of malicious actors for a number of years, yet, the number of reports about router malware and router attacks are few and far between. Thus, Raiu concludes that there's a lot going on that we don't see.

Looks like the Boston Red Sox need better computer nerds

The Red Sox clubhouse's Wi-Fi password does not rank high for creativity
by Nik DeCosta-Klipa of   April 12, 2018
Yankee manager, Aaron Boone, was being interviewed after a game at Fenway Park against the Boston Red Sox when the camera showed a bulletin board on the wall next to Boone. On the bulletin board was the Wi-Fi network name and password. This got some attention because the password was the miserably insecure - "baseball". The Red Sox could hardly have chosen a worse password. They took it well, however, tweeting "Guess we need a new WiFi password". As I explain here on the Wi-Fi encryption page, Wi-Fi passwords need to be at least 14 characters long to resist brute force attacks. However, for a high value target such as the visitors clubhouse at Fenway Park, I would certainly go with a longer password. When you consider all the schools near Fenway Park (Harvard and MIT come to mind), churning out fresh new techies, I would make the password still longer. The password was not their only mistake, an SSID of "clubhouse" gives away too much information. Why not call it "VisitorsClubhouse" and take away all mystery. Better network names would have been BlueSky or ColdWeather or JoesNetwork. See more about picking an SSID. Some of the suggestions on Twitter for new passwords, shown below, were not half bad.

A suggestion that made me laugh was to use "JarrodSaltalamacchia," noting that potential hackers are bound to get it wrong. Saltalamacchia used to catch for the Red Sox. My guess is that the same person that chose the old password will choose the new one, so it will probably be "baseball123." It won't take the kids from MIT too long to crack that one.

ISPs keep customers ignorant

What most people think it looks like when you change router's admin password, apparently
by Kat Hall of The Register   April 12, 2018
A survey, by the British comparison website Broadband Genie, reported that 82 per cent of responders have never changed their router password. The article is unclear however about whether it is referring to the router password or to a Wi-Fi password. The survey also found that 52 per cent have not changed their Wi-Fi network name (SSID). This advertises to bad guys that the owner of this network is technically clueless, which may invite attack. 48 per cent of responders said they were baffled as to why they would need to make these changes. A pessimist might assume that ignorant customers make fewer tech support calls. This article is just as guilty as the ISPs it is trying to shame. It notes that bad things can happen if the DNS servers in the router are changed, but fails to mention that you can test for this fairly easily. My Test Your Router page lists many websites that report on the currently used DNS servers.

Two router surveys by PC Magazine

April 11, 2018: PC Magazine just published their Readers' Choice Awards 2018: Routers and NAS Devices. Asus won the router award for the seventh straight year. Just days earlier, Akamai issued a white paper, UPnProxy: Blackhat Proxies via NAT Injections that detailed problems with UPnP. The Akamai paper listed buggy devices. Asus had quite a few buggy routers: DSL-AC68R, DSL-AC68U, DSL-N55U, DSL-N55U-B, MTK7620, RT-AC3200, RT-AC51U, RT-AC52U, RT-AC53, RT-AC53U, RT-AC54U, RT-AC55U, RT-AC55UHP, RT-AC56R, RT-AC56S, RT-AC56U, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC68W, RT-AC87R, RT-AC87U, RT-G32, RT-N10E, RT-N10LX, RT-N10P, RT-N10PV2, RT-N10U, RT-N11P, RT-N12, RT-N12B1, RT-N12C1, RT-N12D1, RT-N12E, RT-N12HP, RT-N12LX, RT-N12VP, RT-N14U, RT-N14UHP, RT-N15U, RT-N16, RT-N18U, RT-N53, RT-N56U, RT-N65R, RT-N65U, RT-N66R, RT-N66U, RT-N66W, RTN13U, SP-AC2015 and the WL500. Peplink, my preferred router vendor, was not on the radar screen of PC magazine readers.

Cisco devices are being hacked all over the world

What happened to the Internet: attack on Cisco switches
by Kaspersky   April 6, 2018
At the end of March 2018 Cisco released 34 bug fixes of which three were deemed critical. Details are on the Router Bugs page. By April 6th, there was a massive attack against Cisco switches. These devices are used in data-centers across the globe. The attacks are exploiting a bug in the Cisco Smart Install Client software. The Smart Install protocol does not require authentication and should not be exposed to the Internet. Yet, there it is. Kaspersky blames the nerds working in datacenters for failing limit access to TCP port 4786. Or, they should have disabled Smart Install altogether. A simple command tests if Smart Install is running and another command can disable it. Hackers have attacked networks in a number of countries including Iran where they left the image of a U.S. flag on screens along with a warning: "Don't mess with our elections." Some hackers claimed to have fixed the bug on vulnerable devices in the U.S. and UK. One report said the flaw apparently affected 200,000 router/switches. Talos found 168,000 devices exposed by the Cisco Smart Install Client. Motherboard reported 166,000. Attackers are able to reset the devices back to their default configuration and display a message to the victims. The attack on some ISPs cut off Internet access for their subscribers. Talos observed hackers exploiting the vulnerability to target critical infrastructure. Joseph Cox of Motherboard said that the attack seems relatively unsophisticated. Taols, which is owned by Cisco, believes that some of the attacks are from nation-state actors. Sounds better than a bunch of 14 year old kids.

The better to spy on you, my dear

Chinese city shops ordered to start using government-approved routers
by Shannon Liao of The Verge April 5, 2018
The eastern Chinese city of Qingdao will force shops and restaurants that offer Wi-Fi hotspots to use government-approved routers. The stores have to buy the routers themselves at a cost of either $16 or $63. Failure to use the mandated routers incurs a penalty of up to $18,589. The routers are made by BHU, which boasts on its website about a "long-term close collaboration" with local police in China. Do I need to even mention that in August 2016 an expert found multiple security flaws in a Bhu router (see the Router Bugs page). There were three different ways to gain admin access to the router and it also injected suspicious looking third party JavaScript into HTTP traffic. Qingdao is not the first city to mandate a government-approved router. Free routers were given to shops in Chifeng, a city in Inner Mongolia, in 2016. Multiple cities in China have been told to install a "security management system."

MikroTik routers used in DDoS attacks

Mirai-Variant IoT Botnet Used to Target Financial Sector in January 2018
by Priscilla Moriuchi and Sanil Chohan of the Insikt Group. April 5, 2018
In late January 2018, three European financial institutions were hit by DDoS attacks powered by a new variant of the Mirai botnet. The botnet that hit the first company consisted of at least 13,000 devices. The Insikt Group used IP geolocation, service banners from Shodan, and additional metadata to analyze the composition of the botnet and found that the attack was 80 percent comprised of compromised MikroTik routers, with the remaining 20 percent composed of various IoT devices ranging from vulnerable Apache and IIS web servers, to routers from Ubiquity, Cisco, and ZyXEL. All of the compromised MikroTik devices had TCP port 2000 open, which is usually reserved for MikroTik’s bandwidth test server protocol. This port is usually enabled by default in new MikroTik devices. No MikroTik devices with TCP 2000 disabled (a recommended security measure in production environments) were discovered within the botnet.

MARCH 2018

Multiple reports of DNS hijacking on Asus routers

Asus RT-AC66U DNS hacking
by Mpuk7   at the SmallNetBuilder forum   March 10, 2018
Because I maintain this website, someone emailed me asking about their Asus router that had its DNS hijacked. As we both looked into it, there seems to be a lot of that going around. The person who posted this claimed to have the latest Asus firmware, a long password and they had even changed the default router userid. Of course, the latest firmware, at least with consumer routers, always includes old software with known bugs. I am not qualified to review the Asus router log, but this one made it obvious the router was running some old software with known bugs. The router had remote administration enabled, which is almost always a mistake. Two interesting quotes from these reports: "I tried Asus support but they were immensely useless" and another person said Asus was as helpful as a chocolate teapot :-) Two of the bad DNS servers were and
Update March 16, 2018: David Redekop suggested this might be the flaw that was abused here: ASUS Patches Root Command Execution Flaws Haunting Over a Dozen Router Models. Routers enabled for Remote Administration using HTTP rather than HTTPS would be vulnerable to this.

MikroTik routers hacked to infect Windows PCs

Kaspersky Lab uncovers Slingshot, the spy that came in from the router
by Kaspersky   March 9, 2018
It is not known how the MikroTik routers were hacked. Currently routers are configured using either a web interface or a mobile app. In the previous century they were administered with Windows software. The hacked routers were administered with Windows software known as Winbox. Winbox, for whatever reason, downloads some Windows executable files (DLLs) from the router. The hacked routers had malicious DLLs that infected the Windows computer used to configure the router. This was professional spyware of the highest caliber. The infections seem to be very targeted, with only around 100 PCs known to be infected. The spyware was extremely effective at stealthy information gathering, hiding its traffic in marked data packets that it can intercept without trace from everyday communications. Operation slingshot seems to have started in 2012 and was still active in February 2018. The MikroTik router firmware no longer installs software on Windows computers. Winbox is still a thing, but they also have a web interface. Kaspersky software can defend against this. So too, can a Chromebook.


Ellen Nakashima, of the Washington Post, wrote Russian spies hacked the Olympics and tried to make it look like North Korea did it. Quoting: "Apart from accessing the computers, GRU cyber-operators also hacked routers in South Korea last month ... according to Western intelligence agencies. Such access could enable intelligence collection or network attacks..." The article also has a quote from security expert Jake Williams of Rendition Infosec: "Anyone who controls a router would be able to redirect traffic for one or more selected targets or cause total disruption in the network by stopping the routing entirely."


An old D-Link HNAP flaw exploited by a new botnet

Masuta : Satori Creators' Second Botnet Weaponizes A New Router Exploit.
by Ankit Anubhav, Principal Researcher, NewSky Security   January 23, 2018
Quoting: "We analyzed two variants of an IoT botnet named 'Masuta' where we ... discovered a router exploit being weaponized for the first time in a botnet campaign ... The weaponized bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol. It is possible to craft a SOAP query which can bypass authentication by using hxxp:// Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution."

MikroTik and Ubiquiti Routers defaced due to default passwords

Tens of Thousands of Defaced MikroTik and Ubiquiti Routers Available Online
by Catalin Cimpanu of Bleeping Computer   January 10, 2018
If you don't change the default password, you get what you deserve. It seems that, as a prank, someone has been changing the names of routers. Ankit Anubhav of cyber-security company NewSky Security, first ran across this back in July. He estimates that over 40,000 Ubiquiti routers have been defaced along with 7,300 MikroTik routers. The names given to the routers are "HACKED FTP server," "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," and "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD."


JUNE 2017

In June 2017, it came to light that the CIA has been hacking routers for many years. In covering the story



In October 2016, Brian Krebs wrote about malware that targeted Asus and Linksys routers. The software turned the routers into SOCKS proxies, which help bad guys hide their location, much like Tor. Bad guys were using these hacked routers for "or a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites." Plus, access to these hacked routers was being sold in exchange for Bitcoin.


In August 2015, Jeff Atwood blogged about how two people he knew fell victim to compromised routers (see Welcome to The Internet of Compromised Things). In one case, the infected router inserted ads onto all HTTP web pages. Quoting:

It's becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level ... I write about this because it recently happened to two people I know ... This is way more evil genius than infecting a mere computer. If you can manage to systematically infect common home and business routers, you can potentially compromise every computer connected to them. Router malware is the ultimate man-in-the-middle attack ... [bad guys] can direct you to phishing websites at will - if you think you're on the "real" login page for the banking site you use, think again.

In May 2015, Scott Hanselman wrote about an infected router at his local sandwich shop that "... started to redirect me to a fake 'update your flash' and download a 'Install flashplayer_10924_i13445851_il345.exe' malware file..... This affects their PoS (Point of Sale) system, tablets, iPhones ... It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns it's own HTML."

Victims don't have do anything to have their computing devices infected with malware. A hacked router can corrupt the self-update mechanism of either the operating system or a specific application. In June 2015 a case like this got a lot of publicity; the pre-installed Swift keyboard on Samsung smartphones self-updated in an insecure way that could be corrupted by anyone able to modify network traffic. A hacked router is one source, so too is a malicious ISP, a bad guy on the LAN or malware running on another LAN-resident device. Because the keyboard software ran with very high system privileges there was almost no end to what malware it was tricked into installing could do.


When visiting popular websites, the router can install malware by prompting users to install a plug-in. Here is a screen shot of this from 2012 in Brazil. See also Info Stealer Poses as Google Chrome Installer from Trend Micro written in May 2012.

This page was last updated: April 23, 2018 7PM CT     
Created: April 11, 2018
Viewed 1,156 times since April 11, 2018
(93/day over 12 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2018