Router Exploit – VPNFilter
Unless you’ve been living under a rock the past month or so, you will have heard about a router exploit making the rounds. The router exploit (or malware) is called VPNFilter. So far, it has infected over half a million devices in 54 countries around the world. The US Department of Homeland Security (DHS) put out a recommendation to reboot all routers to make sure the malware was removed, if present.
I won’t geek out on the technical details. You can read a good article on this router exploit at Ars Technica if you’re interested.
How Do I Reboot My Router?
Rebooting a router is as simple as unplugging it from the power source, letting it sit 20-30 seconds and plugging it back in. This causes the router to reset and clears out its volatile memory. Doing so ensures that any exploit residing in volatile memory is removed.
So, That’s All I Have To Do?
Well, no. When the router comes back on, check the login ID and password to make sure that they’re not set to the factory defaults. This is the single most common cause of successful router exploits. Anyone can go online and look up the factory default login for many routers, especially older ones. Once they have that information, it’s just a matter of cruising around to find unprotected routers to exploit.
Don’t Bet Your Security On Memory
One of my friends rebooted her router after hearing the DHS warning and then thought to check the router login. To her horror she found that it was still at the factory default values. She had thought she’d changed them when she first got the router, and may very well have done so. The reality is that routers can be reset any number of ways due to power outages or firmware updates among other things.
How Do I Check The Login?
Get out your router manual or go to the router manufacturer’s website and download it. There will be an IP address that connects your computer to your router. It will typically be something like:
http://###.###.###.001
where the # represents a number between 0 and 9. The first three sets of numbers are your local network address. The last set of numbers is the address of a specific device, such as the router, printers, computers, phones, etc.
Once you are at the login screen for your router, enter the login credentials to see if they’re still what you think they are. If they don’t work, try the factory default credentials. If they work, then you need to change them immediately. Again, the manual will have instructions for setting new login credentials.
What Else Can I Do?
If you’re really concerned or you’re pretty sure your router has been exploited, you can do a hard reset to clear all memory. This will definitely remove any router exploit. The disadvantage is that it will lose all other settings and be reset to the factory defaults for all settings. You will need to change the login as described above and set up your network again.
If need be, consult your router documentation or the manufacturer’s support team. Older routers are especially vulnerable, but that doesn’t mean that the newest ones are completely safe.
Protected by WebARX