This new router exploit is the motivation you need to switch to a mesh solution

By Jerry Hildenbrand
last updated

Google Wifi
Google Wifi (Image credit: Jerry Hildenbrand / Android Central)

Most everyone has a Wi-Fi router in their home and their workplace. Wi-Fi is everywhere and it's how most personal devices connect to the internet: a Wi-Fi router is connected to an internet gateway and your queries and messages zip on through. As detailed in a recent report, however, there's a good chance someone could hijack that Wi-Fi router, thanks to a new exploit that makes it pretty simple to set up a proxy server inside a protected Wi-Fi network and have it pass internet traffic along from almost any source. In other words, we have an all-new type of botnet to worry about.

How it works

UPnP (Universal Plug and Play) is a protocol that makes it easy for one device to connect and communicate with another. It's old, and it's been proven unsafe many times, but because it's designed to be used inside a protected network, nobody paid much attention to it. The new exploit can expose a UPnP socket on an internet connection to the outside world so a crafty person with the right script can connect, then inject a Network Address Translation (NAT) table and create a proxy server that any other device can use.

UPnP is not secure and is outdated, but it's not meant to be used over the internet so nobody really cares.

This works just like any other proxy server, which means it's almost like a VPN. Traffic sent to the proxy can be forwarded and when it reaches its destination, the origin is hidden. The NAT that is injected can be modified to send any traffic anywhere, and unless you have the right tools and are actively looking for it, you would never know if this was running on your network.

The worst part of it all is the list of affected consumer routers. It's huge, with almost every company and its most popular products on it. It's so long we're not going to copy it here and instead direct you to Akami's wonderfully put together .pdf presentation.

How bad is this?

The sky isn't falling. It's bad, but because it needs to query an open internet socket for information several times in different ways, then put the right information into the payload, it isn't going to spread unchecked. Of course, this would change if someone were able to automate the process and should this become self-replicating and one bot can attack a network to install another bot, things would get really ugly really quickly.

Bots are bad. An army of them can wreck almost anything.

A botnet is a group of small servers installed on separate networks. These small servers are called bots and can be programmed to accept almost any command and try to run it locally or try to run it on a different remote server. Botnets are bad not because of what they do but what they can enable other machines to do. The tiny bit of traffic from a bot connecting to its home is unnoticeable and doesn't affect your network in any real way, but with the right commands you can have an army of bots doing things like phishing account passwords or credit card numbers, attacking other servers through DDoS flooding, distributing malware, or even brute-force attacking a network to gain access and admin control. A bot can also be commanded to try any or all of these things on your network instead of a remote network. Botnets are bad. Very bad.

What can I do?

If you're a network engineer or the hacker type, you can audit the NAT tables on your local network and see if anything has been monkeyed with. If you're not, you're kind of stuck and can only hope you don't have a nasty bot changing how traffic is routed through your network to the internet. That kind of advice isn't very helpful, but there's really nothing else a consumer can do here.

You need a router from a company that will patch this quickly and automatically.

Your ISP, on the other hand, can nip this particular exploit in the bud by refusing the type of traffic that is meant for internal network communications. Should this become a serious problem I expect we'll see that happen. That's good — your ISP should be filtering out this traffic anyway.

The most likely scenario is that the company who made your router will prepare an update that kills it somehow. If you have a router that automatically updates you'll then be good to go, but many routers require you to manually initiate any updates and there are a lot of people who have no idea how to go about this.

More: Do I really need a mesh network?

This is why Google Wifi is a great product. It's not listed as affected by this exploit (though that could change) and if it were a patch would soon be on its way and automatically install itself without you ever having to worry about it. Or even know about it. There are people who do nothing but look for exploits like this. Some are paid researchers who do it to make us safer but others are doing it so they can use them. Network products that come from a company who is proactive when it can be and reacts quickly when it can't are a must nowadays. Google has your back here.

See at Best Buy (opens in new tab)

Jerry Hildenbrand
Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

41 Comments
  • If you are using the new DNS released by Cloudfare that you mentioned on the podcast, would that do anything to reduce your chances of being attacked?
  • No. This and DNS are not related.
  • Or you could just do the right thing from the start and disable UPnP
  • This is the most logical fix, provided the user knows how. But most people have never logged into a router, much less know how to to disable UPnP.
  • Right! Funny how that is lost in the messaging of this article.
  • I think the point of the article is: "Does your grandma know how to disable UPnP?"
  • This is the first thing I do with every router.
  • Won't that prevent you from using a chormecast, Google home or any smart device?
  • Nope, my UPnP is off & all those function without issue
  • Good to know I'll do that on my Google WiFi.
  • I have linksys velop. I should be fine right?
  • Hang the Velop mesh onto a solid (uneffected) front-end router and turn on 'Bridge Mode'.
  • I’ve tried this setup but no matter what my velop won’t see the internet connection. Must be something with my bridge mode. Not sure.
  • Just another reason I love my Google Wifi!
  • Yes! I’m so happy with mine!
  • Same here... Many reviewers say how great the Orbi is but Google Wi-Fi is so much cheaper and it's a rock solid system in my experience over the last 8 months. It's also pretty fast, I get 300 to 400 megabit download speeds over Wi-Fi across all 3 of my Wi-Fi points using wired backhaul... I am perfectly happy with these speeds... we are Cable Cutters so all of our TV and video entertainment is through streaming and between my wife and I and our 7 kids we have yet to saturate this wireless network and 1Gbs internet service when we're all streaming something at the same time. Then you add in how easy the system is to set up and manage and the fact that Google automatically keeps it up to date is just icing on the cake.
  • My beast of a router ASUS RT-AC88U is not on the list thankfully. I've tried the Google wifi mesh routers and it couldn't come close to the signal coverage and speed of this router.
  • I would still make sure that UPNP is turned off.
  • Oh what a wonderful article. Scary click bait with an affiliate link. Doesn't even mention that this can be disabled and totally steers you away from diy because it's too hard...
  • Eh, it's just AndroidCentral in a nutshell nowadays. They just suggest whatever is most expensive and call it day. Look at the stupid number of Nest articles they post. They never bother to mention that there are programs that give you smart thermostats for free. Nope. Just "buy this" and post a link. There's an exploit in Wifi. Don't bother mentioning affordable solutions. Nope. Buy this niche product for an exorbitant price and click our link to do it! It's gross.
  • Maybe you guys just didn't get the memo, but AC caters to mainstream users. Not network engineers, not DIY tinkerers. Not even necessarily "techies". That's been the case for sometime now. Re: affiliate links - They need to make money. People don't work for free and websites don't run themselves.
  • That logic works on some of their articles, but not this one. And I have no problem with affiliate links either. But mesh systems are pricey and often unnecessary. And the logic behind the reasoning for a Mesh system in this article has nothing to do with the potential networking benefits, but rather it's simply that they usually auto-update better than *some* regular routers. The average user can figure out (or ask their kid or friend to figure out) how to log into their router to update or change a single setting to fix this, and it won't cost them anything. Heck they could hire Geek Squad to do it for them for a third of the cost of most Mesh systems. The info Jerry provides on this exploit is great. The "solution" is a force-fed affiliate plug and not the best solution for most users, even average "non-techie" users. The title and context of the article implies having a mesh system is THE fix for this, and that's not the case at all.
  • This article really does not have anything to do with mesh Wi-Fi systems... Jerry should have said "switch to Google Wi-Fi" and left mesh solution out of it... Because his point with Google Wi-Fi is that Google automatically keeps their router up to date and does it frequently. Also not all mesh systems are that expensive... You can spend more on a single Nighthawk router than it costs for a 3 pack of Google Wi-Fi at $260. Also if you don't need the coverage you can purchase a single Google Wi-Fi Point for $120 which still gives you the same automatic updates.
  • The average person has like a ****** $40 linksys or whatever their ISP gave them because that's all they need. You're talking like $260 is some gloriously cheap price anyone can afford. Hell, even $120 is a lot of money for the vast majority of people. I don't know if you're just privileged or you've been well-off too long, but the numbers you're throwing around as if they're just pocket change are exorbitantly expensive to a large majority of the population.
  • Really!? The way to fix this exploit is to go and buy an expensive mesh routing system. It couldn't be as easy as just disabling UPnP on the router could it? I guess doing that wouldn't get affiliate link clicks.
  • Let's take a network vulnerability and turn it into an add for one particular router, instead of just telling everyone to turn off UPnP.
  • I would rather build my own wifi router with a Linux box then ever buying one made by Google. Like others have said already, upnp can be easily disabled on most decent routers.
  • Mesh packs are targeted at a very specific, plug-n-plug segment of the market. And the vast majority of consumers that use them as their primary WiFi backbone don't want or don't possess the knowledge to dig into settings. This article is click bait to promote Mesh. Plain & simple. It is also interesting that TP-Link and Linksys aren't mentioned in the Akami list. Losing faith in Android Central with garbage articles like this.
  • So the rationale that justifies the title is mesh networks provide automated updates? Cmon Jerry, this is beneath your writing. This article is solid information with nothing more than a clickbait / affiliate solution which isn’t even the best / easiest solution for most average users.
  • Oh yeah, no TP-Link C7 on there! For now...
  • He probably could've left the "mesh" part out and included other router options. BTW, you can buy a single Google WiFi router; you're not stuck with buying three in order to create a mesh. But, this is Android Central, and without Google....well, it'd just be Central.
  • That's not true. It would still be Playstation, Mattress, SoyBoy Central.
  • Asus is on the list but they are pretty good at fixing bugs in their firmware.
  • If the article really wanted to help the average consumer get ahead of this, it could have been easy to pick 4 or 5 of the main manufacturers and post screen shots of the login page and screens of the settings where the user might find uPnP to see if it's on or off. Those could have been chosen from what's available on Best Buy, Walmart, etc shelf or top sellers on Amazon because that's where the average consumer shops. But instead the solution is an affiliate link to a mesh system that most people don't need. This is on top of the 13 ad trackers running on this article (according to Brave browser) and since Google wifi is the only mesh mentioned, there's a good chance this article is sponsored by Google as well. Quite the triple dip on the revenue stream.
  • Dear God the internetz have ads and no real wimmonz, what shall we do???
  • Mark would be proud!
  • I noticed my TP-Link OnHub was not mentioned in the PDF. Now, I know why.
  • Shameless plug for a Google product piggybacking on a real issue.
  • So you don't like your beer commercials with scantily clad ladies? I mean eventually the 2 usually are technically connected, but I am a straight male married to a female so... I'm in the minority here lol.
  • Oh c'mon now, you know that's a bit different than this situation where a real problem is presented.
  • I think he just wanted to talk about beer and scantily clad ladies.