The security of consumer routers is terrible. Attackers are taking advantage of sloppy manufacturers by launching large-scale attacks against routers. Here's how to see if your router has been hacked.
The market for home routers is similar to the market for Android smartphones. Manufacturers are mass-producing a variety of devices and failing to update them, leaving them vulnerable to attack.
Attackers frequently try to change your router's DNS server settings to point it to a rogue DNS server. When you try to connect to a legitimate website, such as your bank's website, the malicious DNS server redirects you to a phishing site. Even if your address bar still says bankofamerica.com, you'll be on a phishing site.
The rogue DNS server doesn't necessarily answer every query. It may let most requests time out and fall through to your ISP's default DNS server, answering only the handful of domains the attacker cares about. Unusually slow DNS lookups can therefore be a symptom of a compromised router.
Some users will notice that a phishing site isn't served over HTTPS, but most people won't. An SSL-stripping attack doesn't break the encryption itself; it downgrades your connection to plain HTTP before the secure session is ever established, so the attacker reads the traffic in the clear.
Injecting ads, redirecting search results, and serving drive-by downloads are all options for the attacker. They can intercept requests for Google Analytics or other scripts that practically every website loads and redirect them to a server that injects advertisements. If you see pornographic ads on a legitimate site like How-To Geek or the New York Times, you're almost certainly infected with something.
Some routers ship with remote administration enabled and default usernames and passwords; bots can scan the Internet for such routers and log in. Other attacks exploit specific vulnerabilities in router firmware. Many routers, for example, have been exposed through buggy UPnP implementations. Here's how to check your router for malware.
The clearest sign that a router has been hijacked is that its DNS server settings have been changed. To check, open your router's web interface and look at the DNS server settings.
To begin, open your router's web-based configuration page. Look up your network connection's default gateway IP address (that address is your router) or consult your router's documentation.
Log in with your router's username and password if required. Look for a "DNS" setting, usually under the WAN or Internet connection settings. If it's set to "Automatic", that's fine: the router gets its DNS servers from your ISP. If it's set to "Manual" and custom DNS servers are entered there, that could be a problem.
If you've set your router to use good alternative DNS servers yourself, such as 8.8.8.8 and 8.8.4.4 for Google DNS or 208.67.222.222 and 208.67.220.220 for OpenDNS, there's nothing to worry about. But if you see DNS servers you don't recognize, that's a sign that malware has modified your router's DNS settings.
If you're unsure, look up the DNS server addresses on the Internet to determine if they're real. Something like "0.0.0.0" is OK, as it usually just indicates the field is empty, and the router will automatically find a DNS server.
Experts recommend checking this option regularly to see whether your router has been compromised.
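The check above can be scripted. The following Python is an added example, not code from the original article: it takes the DNS addresses copied from the router's WAN page, treats empty fields and 0.0.0.0 as "automatic", flags anything not on a small allowlist (the Google DNS and OpenDNS addresses named above), and then compares what the router's resolver returns for a few domains against a trusted reference resolver, also flagging lookups that are unusually slow. Lookups go through an injectable `resolve(server, name)` callable, and the answers, domains and resolver addresses below are constructed sample data, so the whole thing runs offline.

```python
"""Added example (not from the article): two offline checks for a DNS-hijacked router.

Assumptions: the DNS addresses from the router's WAN page have been copied into a
list, and lookups go through an injectable resolve(server, name) callable, so the
logic runs without network access. The sample answers below are constructed.
"""
import ipaddress
import time

# Resolvers the article names as known-good.
KNOWN_GOOD_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                 # Google Public DNS
    "208.67.222.222", "208.67.220.220",   # OpenDNS
}


def classify_router_dns(entries, trusted=KNOWN_GOOD_RESOLVERS):
    """Classify the DNS servers configured on a router.

    Returns ("automatic", []) if every field is empty or 0.0.0.0 (the router
    takes DNS from the ISP), ("trusted", servers) if all manual entries are in
    the allowlist, or ("unrecognised", offenders) if any entry is unknown: look
    those addresses up before assuming they are benign.
    """
    manual = []
    for raw in entries:
        value = (raw or "").strip()
        if value in ("", "0.0.0.0"):   # empty field, router will discover DNS itself
            continue
        try:
            manual.append(str(ipaddress.ip_address(value)))
        except ValueError:
            return "unrecognised", [f"unparseable entry {value!r}"]
    if not manual:
        return "automatic", []
    unknown = [a for a in manual if a not in trusted]
    return ("unrecognised", unknown) if unknown else ("trusted", manual)


def compare_answers(domains, router_dns, reference_dns, resolve,
                    slow_seconds=2.0, clock=time.monotonic):
    """Resolve each domain via the router's DNS and a trusted reference resolver.

    Reports ("mismatch", ...) when the two answer sets differ and ("slow", ...)
    when the router's lookup exceeds slow_seconds (a rogue resolver that lets
    most queries time out before falling back makes lookups unusually slow).
    `clock` is injectable so the timing path can be exercised deterministically.
    """
    findings = []
    for name in domains:
        started = clock()
        via_router = set(resolve(router_dns, name))
        elapsed = clock() - started
        via_reference = set(resolve(reference_dns, name))
        if via_router != via_reference:
            findings.append((name, "mismatch", sorted(via_router), sorted(via_reference)))
        elif elapsed > slow_seconds:
            findings.append((name, "slow", round(elapsed, 2)))
    return findings


# Constructed sample data: 192.0.2.53 plays a rogue resolver that hands out a
# phishing address (203.0.113.50) for the bank while answering everything else
# honestly. Addresses are from the RFC 5737 documentation ranges.
ROGUE_DNS = "192.0.2.53"
SAMPLE_ANSWERS = {
    (ROGUE_DNS, "bank.example"): ["203.0.113.50"],
    ("8.8.8.8", "bank.example"): ["198.51.100.10", "198.51.100.11"],
    (ROGUE_DNS, "news.example"): ["198.51.100.20"],
    ("8.8.8.8", "news.example"): ["198.51.100.20"],
}


def sample_resolve(server, name):
    """Stand-in for a real DNS query; returns the constructed answers."""
    return SAMPLE_ANSWERS.get((server, name), [])


if __name__ == "__main__":
    print(classify_router_dns(["8.8.8.8", "8.8.4.4"]))
    print(classify_router_dns([ROGUE_DNS, "0.0.0.0"]))
    for finding in compare_answers(["bank.example", "news.example"],
                                   ROGUE_DNS, "8.8.8.8", sample_resolve):
        print(finding)
```

For a live check, replace `sample_resolve` with a function that actually sends the query to the given server (for example with dnspython's `dns.resolver.Resolver` with `nameservers` set). One caveat: big sites behind CDNs legitimately return different addresses to different resolvers, so a mismatch on such a domain is a lead to investigate, not proof of hijacking; test with small single-address domains, or compare the router's answer against two independent reference resolvers.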
If your router has a malicious DNS server configured, you can remove it and either tell the router to use your ISP's DNS servers automatically or enter the addresses of legitimate servers like Google DNS or OpenDNS.
To be safe, though, if a malicious DNS server is listed here you should factory-reset the router, wiping all of its settings, and reconfigure it from scratch. Then use the tips below to help protect it against future attacks.
You can protect your router from these attacks only to a point: if it has security holes the manufacturer hasn't patched, there's no way to fully secure it.
Ensure that your router's firmware is up to date. If your router allows it, enable automatic firmware upgrades; regrettably, most don't. At the very least, you'll be safe from any weaknesses that have been patched.
Remote access to the router's web-based administration pages should be disabled.
To prevent attackers from accessing the router's web-based administration interface using the default password, change it.
UPnP has been a particular problem. Even if your router's UPnP implementation isn't itself vulnerable, malware running on a computer inside your local network can use UPnP to change the router's DNS server. That's how UPnP works: it trusts every request that comes from the local network, so disabling it removes that avenue.