A recent discovery that new router-based malware, known as VPNFilter, had infected well over 500,000 routers just became even worse news. In a report expected to be released June 13, Cisco states that over 200,000 additional routers have been infected and that the capabilities of VPNFilter are far worse than initially thought. Ars Technica has reported on what to expect from Cisco Wednesday.
VPNFilter is malware that is installed on a Wi-Fi router. It has already infected almost one million routers across 54 countries, and the list of devices known to be affected contains many popular consumer models. It's important to note that VPNFilter is not a router exploit that an attacker finds and uses to gain access; it is software that ends up installed on a router without the owner's knowledge, and it is able to do some potentially terrible things.
VPNFilter's first attack consists of a man-in-the-middle attack on incoming traffic. It then tries to redirect HTTPS-encrypted traffic to a destination that cannot accept it, which causes that traffic to fall back to ordinary, unencrypted HTTP. The component that does this, named ssler by the researchers, makes special provisions for sites that take extra measures to prevent this from happening, such as Twitter.com or any Google service.
Once traffic is unencrypted, VPNFilter is able to monitor all inbound and outbound traffic that passes through an infected router. Rather than harvesting all traffic and sending it to a remote server to be examined later, it specifically targets traffic known to contain sensitive material such as passwords or banking data. Intercepted data can then be sent back to a server controlled by hackers with known ties to the Russian government.
VPNFilter is also able to alter incoming traffic to falsify responses from a server. This helps cover the malware's tracks and lets it operate longer before you can tell something is going wrong. Craig Williams, a senior technology leader and global outreach manager at Talos, gave Ars Technica an example of what VPNFilter can do to incoming traffic:
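HSTS is the kind of "extra measure" meant here: once a browser has received a Strict-Transport-Security header from a site over HTTPS, it upgrades any later http:// URL for that host on its own, so a proxy that downgrades links never obtains a plaintext request for that host. The following Python sketch of such a policy cache is an added illustration and not code from the article or from the Talos research; the class name, the injectable clock and the .test hostnames used in the checks are assumptions of the example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock, so expiry can be exercised in tests
        self._policies = {}    # host -> (expiry time, includeSubDomains flag)

    def observe_response(self, url, headers):
        """Record a Strict-Transport-Security policy; True if one was processed."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        # RFC 6797: the header is honoured only over HTTPS, so a downgrading proxy
        # cannot plant or alter a policy in the plaintext it controls.
        if parts.scheme != "https" or sts is None:
            return False
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', sts, re.I)
        if not m:
            return False
        host = parts.hostname.lower()
        if int(m.group(1)) == 0:
            self._policies.pop(host, None)   # max-age=0 withdraws the policy
            return True
        include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", sts, re.I) is not None
        self._policies[host] = (self._now() + int(m.group(1)), include_sub)
        return True

    def _covered(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy[0] <= self._now():   # unknown or expired
                continue
            if i == 0 or policy[1]:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the client should actually fetch, upgraded when a policy applies."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self._covered(parts.hostname.lower()):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):   # an explicit port 80 becomes 443 on upgrade
            netloc = netloc[:-3] + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Real browsers additionally ship a preload list, which is why Google and Twitter properties are protected even on a first visit that never saw the header.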
It's difficult or impossible (depending on your skill set and router model) to tell if you are infected. Researchers suggest anyone who uses a router known to be susceptible to VPNFilter assume they are infected and take the necessary steps to regain control of their network traffic.
Routers known to be vulnerable
This long list contains the consumer routers known to be susceptible to VPNFilter. If your model appears on this list, you should follow the procedures in the next section of this article. Devices in the list marked as "new" are routers that were only recently found to be vulnerable.
- RT-AC66U (new)
- RT-N10 (new)
- RT-N10E (new)
- RT-N10U (new)
- RT-N56U (new)
- DES-1210-08P (new)
- DIR-300 (new)
- DIR-300A (new)
- DSR-250N (new)
- DSR-500N (new)
- DSR-1000 (new)
- DSR-1000N (new)
- HG8245 (new)
- E3000 (new)
- E3200 (new)
- E4200 (new)
- RV082 (new)
- CCR1009 (new)
- CRS109 (new)
- CRS112 (new)
- CRS125 (new)
- RB411 (new)
- RB450 (new)
- RB750 (new)
- RB911 (new)
- RB921 (new)
- RB941 (new)
- RB951 (new)
- RB952 (new)
- RB960 (new)
- RB962 (new)
- RB1100 (new)
- RB1200 (new)
- RB2011 (new)
- RB3011 (new)
- RB Groove (new)
- RB Omnitik (new)
- STX5 (new)
- DG834 (new)
- DGN1000 (new)
- DGN3500 (new)
- FVS318N (new)
- MBRN3000 (new)
- WNR2200 (new)
- WNR4000 (new)
- WNDR3700 (new)
- WNDR4000 (new)
- WNDR4300 (new)
- WNDR4300-TN (new)
- UTM50 (new)
- TS439 Pro
- Other QNAP NAS devices running QTS software
- TL-WR741ND (new)
- TL-WR841N (new)
- NSM2 (new)
- PBE M5 (new)
- ZXHN H108N (new)
What you need to do
Right now, as soon as you're able, you should reboot your router. To do this, simply unplug it from the power supply for 30 seconds and then plug it back in. Many router models flush installed apps when they are power-cycled.
The next step is to factory reset your router. You'll find information about how to do this in the manual that came in the box or from the manufacturer's website. This usually involves inserting a pin into a recessed hole to press a microswitch. When you get your router back up and running, you need to ensure it is on the very latest version of its firmware. Again, consult the documentation that came with your router for details on how to update.
Next, perform a quick security audit of how you're using your router.
- Never use the default user name and password to administer it. Every router of the same model ships with that same default name and password, which makes it an easy way to alter settings or install malware.
- Never expose any internal devices to the internet without a strong firewall in place. This includes things like FTP servers, NAS servers, Plex servers or any smart device. If you must expose a connected device outside your internal network, you can likely use port filtering and forwarding software. If not, invest in a strong hardware or software firewall.
- Never leave remote administration enabled. It may be convenient if you're often away from your network, but it's a potential attack point that every hacker knows to look for.
- Always stay up to date. This means checking for new firmware regularly and, more importantly, installing it when it is available.
Finally, if you're unable to update the firmware to prevent VPNFilter from being installed (your manufacturer's website will have details), just buy a new one. I know that spending money to replace a perfectly good, working router is a bit extreme, but you will have no idea whether your router is infected unless you're the sort of person who doesn't need to read tips like these.
We love the new mesh router systems that can be automatically updated whenever new firmware is available, such as Google Wifi, because things like VPNFilter can happen anytime and to anyone. It's worth having a look if you are in the market for a new router.
Google OnHub looks fine as does Google WiFi.
Yes, this was the case before. The upside to letting Google essentially manage the device.
Question: Would using a VPN stop this in any way?
Possibly, but the VPN needs to be one that is encrypted before it hits the router.
So with using Google Wifi, is using the app (and installing updates when Google pushes them) the only way to check if it has the latest version or is there something else to do? I know Google Wifi is not on this list, just want to understand a little better.
Are you asking how to update Google Wifi? The actual hardware is updated automatically. The last update to the firmware was back in February 2018 (10032.86.2). The app is, of course, updated from Google Play.
According to the article, my device is affected. But, I am running an aftermarket firmware (Tomato, DD-WRT, Merlin, etc.) Is my router still potentially vulnerable?
No, according to the article, your device is on a list of potentially vulnerable devices, and I'm sure the article is not talking about aftermarket firmware.
I wouldn't be too sure about that. Asuswrt-Merlin is a lightly customized version of Asuswrt, which was based on Tomato. Of course it's hard to tell when you read its description on the website, but this quote makes it sound like it's rather close to stock Asuswrt functionally: "Developed by Eric Sauvageau, its primary goals are to enhance the existing firmware without bringing any radical changes...". I have the same problem, so I relegated my RT-AC66U to just being an AP for now, and because it's no longer supported by Asuswrt-Merlin, it's destined for the recycle bin sooner rather than later ;-) A quote from the developer on SNB Forums: "Q: Is Asuswrt-Merlin vulnerable to VPNFilter?
A: I don't know, since security researchers themselves don't know what specific methods are used to infect devices (they vary between models)."
I use Merlin as well and would love to know the answer. Asus changed the way they did firmware around the time that the AC 68 came out. I am wondering what level of firmware is susceptible.
Google WiFi has changed my life. After 18 years of complicated, punitive LAN systems, I now use and recommend only Google WiFi in 99% of cases. The accompanying Android app is jaw-droppingly good.
Just because you have one of these routers doesn't mean you're necessarily infected whatsoever. Just that your model is highly susceptible to getting infected. Two very different things...
Glad to see that the Netgear Orbi isn't on this list.
I wonder if the T-Mobile router (which is basically a re-branded Asus router) is affected, as they have not had any firmware updates in a long time.
So I have two Google On Hubs meshed. Am I at increased risk compared to the newer Google WiFi mesh system?
There are more affected routers (scroll to bottom of page):