Recently, there have been several router-related infections that the press covered, so there's slightly more public awareness about the fact that routers can also be infected with malware, but still not enough. As you probably already know, just like any PC, Mac, etc., your router can also be the victim of hackers, and it's actually a more common practice than you can imagine. Why wouldn't it to be? There are no anti-virus, anti-malware or anti-exploit applications for routers, so unless you manually check for problems, you will never even know that it's infected. In case you don't know how to tell, here's a short guide on how to figure out if your router has malware, what to do in case if it does, and how to prevent it from happening again.
Why would my router be infected?
I'm guessing that the first thing I should tell you is why would a hacker go through the trouble of infecting your router. The answer is not that complicated: since the router is the gateway between you and the Internet, it gives the attacker control over the data that you send out and receive. What generally happens is that the cyber criminals switch your regular DNS address to one that they control and once that's done, they can do a whole lot of nasty things, such as injecting ads into your regular pages, intercepting private conversations or even get a hold of your banking information through phishing schemes. If you aren't careful enough to constantly check if the address you're accessing starts with HTTPS and not simple HTTP, the information you send out can easily be read by anyone using a man-in-the-middle attack. Moreover, even if you are a using a secure HTTPS connection, there is a technique known as SSL-stripping which will take out the encryption while the data is in transit, so that's not completely safe either.
Want to know how does it happen? I'm guessing there are many more ways of infecting one's router, but to be honest, I only have direct knowledge of three:
- All the routers that I have owned in the past had an issue with the UPnP (Universal Plug and Play) protocols. The UPnP is extremely vulnerable to hacking because it automatically trusts all the connections that come from within the network.
- Lastly, there are a bunch of bots roaming the Internet searching for routers which have the remote administration option activated and still use the default user name and password. When they find one, they alert the attacker which can then easily take over your device.
How do I know if there's any malware?
If you've ever configured a router or at least went through its settings before, figuring out if the device is infected is a piece of cake. In order to do stuff to you attackers change the DNS address, so that's what you need to check out. Go to your router's administration page, and if your DNS is set on automatic, you are safe, as your Internet provider is defining the DNS that you use. If you've manually set the DNS, and the address matches, you are, once again, safe. However, if your DNS has been manually entered, and you haven't seen those numbers before, you are most likely infected. Google the address to confirm, and if it turns out to be a bogus server, skip to the next chapter.
If you are a beginner and have never worked with a router before, here's what you need to do:
- Look for the router's manual (it should be in the box that the device came in). There, you will find all the required instructions on how to get to the DNS settings. If you found the manual, there's no need for you to keep reading the next steps, as you already have all you need, so you should check your DNS settings (as written above) and skip to the next chapter.
- Didn't find the manual? No problem, here's what you need to do: If you're using Windows, press the Win + R keys, type cmd and press Enter. In the window that pops up, type ipconfig /all and scroll up until you find a field named Default Gateway followed by a string of numbers. Write those numbers down because you will need them. If you're a Mac user, click on the Apple icon in the upper-left corner of the screen, then go to System Preferences and select the Network option. Once there, you will see a field named Router; the string of numbers that follows is the one that you need.
- Open a browser and enter the string of numbers that we've just found as the address. Let's say that 192.168.1.1 is the string you have (it's the generic one, so this might actually be it in many cases); you will type in "http://192.168.1.1" (without the quotes) into the address bar. Once the interface pops up, enter the administrator user name and password.
- Find a section called DNS Options or something similar. The menus are different from router to router, but the DNS should be in the WAN or Internet Connection category.
- Once you found it, check the first paragraph of this chapter to see whether you're safe or not.
As an additional piece of advice, try to do this check periodically, but with various time intervals. It takes very little time, so if you have any concerns about your router's security, it's not too much of an effort.
My router's infected, now what?
If your router looks infected, the best thing that you can do is perform a factory reset. Of course, this means that all your configurations will be gone, and you will have to set them up once again, but the malware should disappear. Now, I'm guessing that most of you will be wondering what's to stop the attackers from bypassing your defenses once more and reinstalling the malware? Here are a few things that you can do to make it harder to infect your router again:
- The easiest thing that you can do, and which actually matters, is change your password. If you're using the default password or a simple one like 123456, change it with a real password that can't be guessed within 5 seconds. It's easy and utterly important.
- As I said a little earlier, the UPnP protocol provides an easy way to infiltrate routers, so you should disable it from the administration page of your router.
- Another thing I mentioned was the Remote Access setting, which, as far as I'm concerned, should always be disabled. If you are a security expert, that's a different story, but if you're a regular user, then you probably would never use it anyway, and even if you do, the risks far outweigh the benefits of having remote access enabled.
- The last thing that you can do (but also the most complicated one) is update the router's firmware. In case if your router has the option to automatically download and install the latest firmware updates, make sure that the setting is always enabled. If it does not have it, just search Google for how to install firmware updates on your router (include the brand, name and model of the device in the query so that you get specific instructions).
There you have it friends, this is basically the best that you can do to check if your router is infected or not. I hope this helped, and if you have any questions, post them in the comment section or in the Answers page on our website.