How to manage a hacked wireless router
Published March 18th, 2014 at 9:48 AM EST , modified June 14th, 2014 at 2:06 PM EST
There have been a lot of cases of wireless routers being hacked or infected with malware recently. With news of the malware known as the “Moon” that has been infecting a number of LinkSys routers (one of the most popular brands) and a report that one gang of hackers is in control of more than 300,000 wireless routers, this is a dangerous time to manage a wireless network. So how does the average home or small business user manage their wireless routers?
First, it’s important to understand the consequences of having your wireless router compromised. The primary goal of such attacks is to redirect users of the wireless network to different web sites. This could be for the purposes of click fraud, which is the act of using unethical or illegal methods to get paid for advertising clicks. Foisting ads on the user by redirecting normal sites to an advertising site, or redirecting normal ads to load from a different site, results in the hacker getting paid. The true victims in this case are the advertisers, who are unknowingly paying someone who is abusing their services.
Another purpose is to redirect users to look-alike phishing sites. In other words, a hacked router could redirect a user to a site designed to look like another site, for the purposes of stealing any personal information (such as login credentials) that the user is prompted to enter. As a concrete example, a user who tries to go to Amazon.com may be redirected to a site designed to look exactly like Amazon. That site requests that the user logs in, and if he/she does so, the login credentials are stolen by the hackers. This would probably be followed up by a spending spree on the scammed user’s Amazon account.
The typical symptom of such a phishing redirect – before the credit card statements start rolling in – is an inability to actually log in to the account. Since you’re not actually on the real site, you will typically be sent to a faked page claiming that the service is down or too busy or something similar.
In any event, many people are currently affected by a hacked router. They may very well have no idea, or they may have seen suspicious behavior but never think to blame the router. I’ve seen countless posts on the Apple Support Communities, and have received a number of e-mails as well, from people who think they have malware or adware installed on their devices when the router is the true source of their problems.
If you are seeing strange redirects or other browser behaviors that lead you to suspect you may have a hacked router, there are a few very simple tests you can do. First, check the affected sites on other devices. (Be aware that you may see a different version of a site on a mobile browser – eg, a browser on an iOS or Android device – than you will on a computer, so comparing these may or may not be meaningful.) If other devices exhibit the same symptoms, either the site itself has been hacked or it’s a network problem (potentially due to the router).
Next, check the affected sites, using the same devices, on some other network. Go to a coffee shop, a local library, a friend’s house or some other place where you can connect to a different wireless network. If the problem continues, it’s not related to your router. However, if it stops, that’s pretty conclusive proof that your network is the cause.
If you have determined that your network is the issue, you can try disconnecting your wireless router and plug a device directly into your DSL or cable modem. (Assuming these devices are separate… if you have an all-in-one modem and router provided by your internet service provider, you won’t be able to perform this test, and will probably need to contact that provider for assistance.) There should be an ethernet wire connecting the modem and the router… unplug this cable from the router and plug it into your computer.
If the problem continues, you need to call your internet service provider, as they have an issue on their end. It’s probably a poisoned domain name server. This can be fixed temporarily by changing your DNS server settings, either for your computer or for your entire wireless network (by changing the settings in the wireless router). Rather than using the server provided by your internet service provider, try changing to the OpenDNS DNS servers or the Google DNS servers. (See those links for complete instructions for changing your settings.)
If the problem stops when you have removed the wireless router from the equation, your wireless router is compromised. At this point, or if you simply want to take proactive action, you will need to reset your wireless router to factory settings. Next, download and install any firmware updates provided by the manufacturer of your router. You should also investigate what particular methods are necessary for securing your particular router. If you aren’t sure how to do these things, you will need to refer to the user manual for your router, or contact the manufacturer’s customer support.
If there are no available upgrades for the router’s firmware, then you should probably install a third-party firmware, such as DD-WRT. This is an open source firmware that can be installed on most popular routers, and provides better security than the firmware available on many routers. DD-WRT is a popular firmware, but it is by no means the only option. Others can be found here:
Once the router has been reset and updated, you can set up your network again. Make sure that any remote administration features are disabled, and that you change the administrative password from the default. (Most routers will use a very predictable login, such as “admin” as both the username and the password. This must be changed!) The password you choose needs to be a secure one, not one that would be easy to guess. The wireless network should be protected with WPA2 encryption – WEP should not be used, as it is extremely easy to crack, and you absolutely should not leave your network wide open if you value your data! Make sure that the password required to join the network is also secure, and different from the admin password.