When we hear the word hacking, our minds immediately go to servers, computers and laptops being hacked, but hacking isn’t just for computers: Wi-Fi routers can be hacked as well and are no exception to cyber attacks.
If an attacker compromises an organisation’s routers, they can affect the entire network, and this can be catastrophic.
In this blog post, we will look at the various ways routers are hacked, the motivations behind these attacks, and the precautions companies and individuals can take to protect themselves.
What is router hacking?
In simple words, router hacking is when a cyber criminal compromises and controls an organisation’s router without its consent. This can be the result of misconfigurations, zero-day vulnerabilities, unpatched bugs, default or weak admin credentials, and so on.
When an attacker hacks a router, they can essentially target every device on that network using a technique called pivoting. This gives the attacker the freedom to scan and enumerate the devices on the network, locate the weakest link and exploit it.
Different ways of hacking routers
Depending on the make, model, configuration and how well the router has been hardened, there are several different ways a cybercriminal can target and breach the router’s security.
Use of default credentials
This is the easiest way to get into someone’s router. If the organisation or individual has not changed the default password the router ships with, an attacker can simply search the internet for the router model, find the default password and log in as admin.
Having gained access to an admin panel, the attacker can then perform any malicious activity.
Exploiting unpatched vulnerabilities
From time to time, vulnerabilities are discovered and publicly disclosed in software, operating systems, firmware, etc. If the organisation or individual does not regularly check for updates and patches, an attacker may be able to leverage the disclosed, unpatched vulnerabilities and compromise the router.
Misconfigurations
More often than not, Wi-Fi hackers are able to access systems because of misconfigurations made by administrators or other personnel. It is important for network administrators to apply best practices when configuring router devices.
Some recent router hacks
DNS rebinding
DNS rebinding is a router hack that allows an attacker to bypass the Same Origin Policy (SOP). This policy is implemented so that web applications loaded in the same browser cannot read each other’s data or share sensitive information with each other.
The attack takes place when a victim visits a malicious website controlled by the attacker, and proceeds as follows:
- The victim visits an attacker-controlled web application (www.evil.com).
- This web application contains an iframe that loads a payload from a subdomain also controlled by the attacker (www.sub.evil.com). The attacker’s DNS server answers with the IP of the attacker’s own HTTP server and a very short TTL.
- This payload performs consecutive HTTP requests to that server; after a few seconds, however, the malicious HTTP server stops responding to these requests.
- The browser now tries to re-establish the connection to the subdomain, and because the short-lived DNS record has expired, another DNS request is sent. This time the malicious DNS server responds with the IP of the target, which in this case is the router attached to the user’s internal network.
- The victim’s browser establishes a connection with the router instead of the attacker’s HTTP server. The browser now treats the router’s IP address as the IP address of www.sub.evil.com, so the payload’s requests to the router pass the Same Origin Policy check.
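Two defensive checks against the rebinding sequence just described, as an added example that is not from the original post: the router-side Host header validation that rejects a request carrying a foreign hostname, and the resolver-side filter that refuses public names resolving to private addresses. The allowed admin hostnames and the sample addresses are assumed values.

```python
import ipaddress

# Names under which the router's admin interface is legitimately reached
# (assumed values for this example; a real device would use its own address/hostname).
ALLOWED_ADMIN_HOSTS = {"192.168.1.1", "router.lan"}


def host_header_allowed(host_header, allowed=ALLOWED_ADMIN_HOSTS):
    """Router-side defence: accept a request only if its Host header names the router.

    In the rebinding attack above the browser sends "Host: www.sub.evil.com" to the
    router's IP, so an unknown Host value is exactly the signature to reject.
    Assumes the admin UI is served on IPv4 or a plain hostname (no IPv6 literals).
    """
    if not host_header or any(c in host_header for c in "/@\\ "):
        return False
    hostname, sep, port = host_header.lower().partition(":")
    if sep and not port.isdigit():          # "host:abc" is malformed, not a port
        return False
    return hostname in allowed


def is_rebinding_answer(addresses):
    """Resolver-side defence: a DNS answer for a name on the public internet must not
    point at a private, loopback or link-local address (the filter resolvers such as
    dnsmasq apply with stop-dns-rebind). Returns True if the answer looks like rebinding."""
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return True                      # unparsable answer: treat as suspicious
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return True
    return False


if __name__ == "__main__":
    # Constructed sequence mirroring the steps above: the first answer is the attacker's
    # public server, the re-resolution after the TTL expires points at the router.
    for answer in (["93.184.216.34"], ["192.168.1.1"]):
        print(answer, "rebinding" if is_rebinding_answer(answer) else "ok")
    print(host_header_allowed("www.sub.evil.com"), host_header_allowed("192.168.1.1"))
```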
Unmasking true IP addresses of VPN users
A zero-day vulnerability was discovered in Virgin Media Super Hub 3 routers that allowed attackers to unmask the real IP addresses of VPN users behind the hacked router.
The motivation behind a hacker
There may be various reasons and motivations that compel a Wi-Fi hacker to attack an organisation’s or individual’s systems, including routers. Some of these reasons include:
- Eavesdrop on communications
An attacker or adversary might want to listen in on all the communications you make, and since a router is the gateway between your system and the internet, every communication passes through it. It is the ideal location for an attacker to see all the internet traffic on the network and look for sensitive information.
- Install malware
Installing and spreading malware is one of the first steps an adversary might carry out to launch a more advanced attack. If a cyber criminal has access to a router, they can inject malware into it.
- Monitor traffic
If a web application or mobile application uses an insecure communication protocol such as plain HTTP, then all the traffic is readable in cleartext. This means an attacker can see all the activities a user carries out and can also capture the user’s data, including any personal or sensitive data shared with the web servers.
- Interfere and intercept HTTP traffic
As mentioned above, if HTTP is used, the requests are readable and also modifiable by the attacker. The attacker can simply sniff the network traffic, intercept requests and make changes to them, such as injecting malicious code.
- Attack other devices on the network
If an attacker has access to the router, they can see all the devices connected to that network. This makes it easier for the attacker to map out the attack surface and choose the weakest link, hopping from the router to any other system and compromising it as well.
- Redirect internet traffic
A router also has a setting to configure the DNS server. Having control over this setting means an attacker can redirect traffic at the DNS level and route it to servers they control. This can be used to launch further phishing and pharming attacks.
- Launch botnet attacks
Botnets are generally massive networks of attacker-controlled devices around the world, used for launching attacks such as DDoS or for mining cryptocurrency. An attacker may add the compromised router to their botnet and launch attacks from it.
- Use internet resources
One of the more annoying things an attacker can do is use the person’s or organisation’s internet connection for their own purposes, piggybacking on the Wi-Fi connection. This can choke the bandwidth and slow the internet down.
Common signs to look out for
Now that we have established that it is very possible for an attacker to hack into a company’s or individual’s router, let’s discuss the common signs to look out for when identifying whether your router has been hacked.
- Changed DNS settings
If you notice a change in your DNS server setting, chances are your router has been hacked. As discussed earlier, an attacker can change your DNS server setting and redirect traffic to another location; this is typically known as DNS hijacking or pharming. Consider using encrypted DNS such as DNS over HTTPS.
- Credentials are not working
If you try to log in to the router’s admin panel and the router password simply doesn’t work, chances are an attacker got in and locked you out by changing the password. In this case, you can physically factory reset the router and set a new password.
- Internet speed becomes unusually slow
If you notice that your internet is becoming unusually slow, this might indicate the presence of an outsider. Although slow internet speeds don’t necessarily mean a cyber attack, it is a good idea to check and make sure there is no out-of-the-ordinary bandwidth consumption.
- Unknown software or malware on the devices
Apart from placing malware directly on the router itself, hackers can download malware onto the computers or other devices connected to the network. Always look out for suspicious software installed on systems and use up-to-date endpoint protection solutions.
- Unrecognised devices on the network
It is important to monitor and keep track of all devices connected to the network. If you notice an unfamiliar device, always investigate who it belongs to. In some cases, it may be an attacker’s device or some other external threat that has joined your network.
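An added example, not from the original post, that turns two of the signs above (changed DNS settings and unrecognised devices) into a repeatable check over a constructed dnsmasq-style lease table and the router’s current DNS configuration. The device inventory and the expected resolver addresses are assumed values you would replace with your own.

```python
import re

# Constructed inventory of devices expected on the network (MAC -> owner/label).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "office-laptop",
    "aa:bb:cc:00:00:02": "printer",
}
# Resolvers the router should be handing out; anything else is a changed DNS setting
# (constructed values: the router itself and a public resolver of your choice).
EXPECTED_DNS = {"192.168.1.1", "9.9.9.9"}

# Constructed sample of a dnsmasq-style lease file as exported by many home/SOHO routers:
# "<expiry-epoch> <mac> <ip> <hostname-or-*> <client-id-or-*>"
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.20 office-laptop 01:aa:bb:cc:00:00:01
1700000100 aa:bb:cc:00:00:02 192.168.1.21 printer *
1700000200 de:ad:be:ef:00:99 192.168.1.77 * *
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.IGNORECASE)


def unknown_devices(lease_text, known=KNOWN_DEVICES):
    """Return (mac, ip, hostname) for every lease whose MAC is not in the inventory."""
    found = []
    for line in lease_text.splitlines():
        match = LEASE_RE.match(line.strip())
        if not match:
            continue                          # skip blank or malformed lines
        _expiry, mac, ip, hostname, _client_id = match.groups()
        if mac.lower() not in known:
            found.append((mac.lower(), ip, hostname))
    return found


def changed_dns_servers(configured, expected=EXPECTED_DNS):
    """Return the DNS servers currently set on the router that are not the expected ones."""
    return sorted(set(configured) - set(expected))


def router_health_report(lease_text, configured_dns):
    """Combine both checks into one findings dict; empty lists mean nothing suspicious."""
    return {
        "unknown_devices": unknown_devices(lease_text),
        "changed_dns_servers": changed_dns_servers(configured_dns),
    }


if __name__ == "__main__":
    # Constructed router state: the second resolver is not one we configured.
    print(router_health_report(SAMPLE_LEASES, ["192.168.1.1", "198.51.100.53"]))
```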
How to contain a router hack
If you or your organisation has become a victim of router hacking and you have identified evidence of the routers being compromised, there are a few quick steps you can take to contain the damage and stop it from spreading.
Disconnect and isolate the router
The first step to take is quarantine! Immediately disconnect the router from the internet and from all connected devices so that the attacker cannot penetrate further into the network or gather any more information.
However, do not disconnect the power as the router needs to be turned on during the recovery phase.
Perform a factory reset
Now that the router is disconnected from the internet and other devices, the next step is to press the factory reset button. This will remove all configuration changes and revert the router to the default settings it was manufactured with.
Some malware, such as VPNFilter, will also be removed from the router by performing a manual factory reset.
Login and change the default credentials
After the factory reset is complete, log in to the admin panel using the default credentials and change the password immediately. This ensures that the attacker cannot log in using the default administrative credentials.
Make sure the password is strong and meets the standard password complexity requirements so that an attacker cannot crack it.
Create a new SSID and password
Next, change the SSID (Service Set Identifier), which is the name of the Wi-Fi network, to a generic, long name that does not disclose any identifying information. Default SSIDs generally contain the model or brand name, which can help an attacker target your devices.
Additionally, create a new Wi-Fi password for joining the network; again, make sure the password is strong and meets the complexity requirements so that it is difficult for a hacker to brute force.
Create a guest network
It is a good idea to create a guest network, a separate network for people you don’t want to have access to your primary or core network.
This technique can also be used to isolate unknown devices and protect the main network from unwanted malware.
Update the router’s firmware
Lastly, download and install the latest firmware for your router, either automatically or manually from the vendor’s official website.
Updating the firmware will ensure that there are no unpatched vulnerabilities in the device that an attacker can take advantage of.
How to protect a router from hacking?
It is always much easier for an organisation to implement preventive controls than to respond to an active cyber attack, so best practices for router security should be implemented so that organisations can better protect themselves.
Some of the techniques and tips to ensure router protection include the following:
Always change the default credentials
Whenever you purchase a router, the first and foremost thing to do is change the default password. There is a very high chance that a hacker can discover the router’s default password with a simple internet search, so make sure to change it immediately.
Follow security guidelines for creating a password such as keeping a minimum length of 8 characters with both alphanumeric and special characters.
Disable remote access
Unless absolutely necessary, remote access to the router’s admin panel should not be allowed. Remote access increases the chances of a hacker gaining access, since they would not need to be part of the local network.
Disable remote access so that administrators can only reach the admin panel from within the local network.
Monitor Wi-Fi network traffic
Monitor the Wi-Fi network and wireless traffic for anomalies that may indicate a compromise, such as unidentified devices on the network or unusual traffic.
Enable WPA3 support
WPA3 is the latest version of the Wi-Fi Protected Access security protocol. It secures the Wi-Fi network using AES encryption so that confidentiality is preserved.
WPA3 and its predecessor WPA2 are relatively secure when implemented correctly, such as when a strong password is set. However, the same cannot be said of WPS (Wi-Fi Protected Setup).
WPS allows PIN-based setup and is widely considered an insecure and obsolete method. If any of your routers use WPS or WEP, these should be disabled immediately.
Change the default SSIDs
As discussed earlier, default SSIDs can disclose product and vendor information, which helps hackers learn more about the target.
As soon as a router is powered on for use, the SSID should be changed to something that does not disclose information to attackers. Longer and more complex SSIDs are better.
Update the router regularly
As discussed earlier, hackers can exploit existing vulnerabilities in the router’s firmware to gain access. It is crucial to regularly update devices and install the latest security updates and patches.
Periodically check the vendor’s website to see if any new patches are released and if possible configure the router to update automatically.
Configure a router firewall
Setting up a router firewall is also a recommended practice, as a firewall acts as a barrier and stops unwanted traffic from passing through. With a firewall, administrators can configure the router to allow only known, legitimate devices to pass through.
In many modern routers the firewall is a built-in feature, so all that needs to be done is to enable it.
Use VPN where possible
Although HTTPS has made internet usage much safer and more secure, using a VPN from within the internal network adds an additional layer of security by encrypting DNS requests as well.
Using a VPN makes it difficult for an attacker to see what the user is doing or to redirect the user to a malicious website.
Disable auto-connect on devices
Once you have entered the credentials for an SSID, many devices automatically connect to that SSID as soon as its signal is within range.
This makes devices vulnerable to connecting to a different, attacker-controlled Wi-Fi network that broadcasts the same SSID. To prevent this from happening, disable the “Auto connect” feature on all devices.
When we talk about internet security, all areas, devices and aspects of the technology should be considered. Routers are the backbone of network security, one of the prime targets for hackers, and act as an entry point to the organisation’s internal network.
Hardening and tightening router security is a step that no organisation or individual should skip.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.