
How to manage a hacked wireless router

Published March 18th, 2014 at 9:48 AM EST , modified June 14th, 2014 at 2:06 PM EST

There have been a lot of cases of wireless routers being hacked or infected with malware recently. With news of the malware known as the “Moon” that has been infecting a number of Linksys routers (one of the most popular brands) and a report that one gang of hackers is in control of more than 300,000 wireless routers, this is a dangerous time to manage a wireless network. So how does the average home or small business user manage their wireless router?

First, it’s important to understand the consequences of having your wireless router compromised. The primary goal of such attacks is to redirect users of the wireless network to different web sites. This could be for the purposes of click fraud, which is the act of using unethical or illegal methods to get paid for advertising clicks. Foisting ads on the user by redirecting normal sites to an advertising site, or redirecting normal ads to load from a different site, results in the hacker getting paid. The true victims in this case are the advertisers, who are unknowingly paying someone who is abusing their services.

Another purpose is to redirect users to look-alike phishing sites. In other words, a hacked router could redirect a user to a site designed to look like another site, for the purposes of stealing any personal information (such as login credentials) that the user is prompted to enter. As a concrete example, a user who tries to go to Amazon.com may be redirected to a site designed to look exactly like Amazon. That site requests that the user log in, and if he/she does so, the login credentials are stolen by the hackers. This would probably be followed up by a spending spree on the scammed user’s Amazon account.

The typical symptom of such a phishing redirect – before the credit card statements start rolling in – is an inability to actually log in to the account. Since you’re not actually on the real site, you will typically be sent to a faked page claiming that the service is down or too busy or something similar.

In any event, many people are currently affected by a hacked router. They may very well have no idea, or they may have seen suspicious behavior but never think to blame the router. I’ve seen countless posts on the Apple Support Communities, and have received a number of e-mails as well, from people who think they have malware or adware installed on their devices when the router is the true source of their problems.

If you are seeing strange redirects or other browser behaviors that lead you to suspect you may have a hacked router, there are a few very simple tests you can do. First, check the affected sites on other devices. (Be aware that you may see a different version of a site on a mobile browser – e.g., a browser on an iOS or Android device – than you will on a computer, so comparing these may or may not be meaningful.) If other devices exhibit the same symptoms, either the site itself has been hacked or it’s a network problem (potentially due to the router).

Next, check the affected sites, using the same devices, on some other network. Go to a coffee shop, a local library, a friend’s house or some other place where you can connect to a different wireless network. If the problem continues, it’s not related to your router. However, if it stops, that’s pretty conclusive proof that your network is the cause.

If you have determined that your network is the issue, you can try disconnecting your wireless router and plugging a device directly into your DSL or cable modem. (This assumes these devices are separate… if you have an all-in-one modem and router provided by your internet service provider, you won’t be able to perform this test, and will probably need to contact that provider for assistance.) There should be an Ethernet cable connecting the modem and the router… unplug this cable from the router and plug it into your computer.

If the problem continues, you need to call your internet service provider, as they have an issue on their end. It’s probably a poisoned domain name server. This can be fixed temporarily by changing your DNS server settings, either for your computer or for your entire wireless network (by changing the settings in the wireless router). Rather than using the server provided by your internet service provider, try changing to the OpenDNS DNS servers or the Google DNS servers. (See those links for complete instructions for changing your settings.)

If the problem stops when you have removed the wireless router from the equation, your wireless router is compromised. At this point, or if you simply want to take proactive action, you will need to reset your wireless router to factory settings. Next, download and install any firmware updates provided by the manufacturer of your router. You should also investigate what particular methods are necessary for securing your particular router. If you aren’t sure how to do these things, you will need to refer to the user manual for your router, or contact the manufacturer’s customer support.

If there are no available upgrades for the router’s firmware, then you should probably install a third-party firmware, such as DD-WRT. This is an open source firmware that can be installed on most popular routers, and provides better security than the firmware available on many routers. DD-WRT is a popular firmware, but it is by no means the only option. Others can be found here:

http://en.wikipedia.org/wiki/List_of_wireless_router_firmware_projects

Once the router has been reset and updated, you can set up your network again. Make sure that any remote administration features are disabled, and that you change the administrative password from the default. (Most routers will use a very predictable login, such as “admin” as both the username and the password. This must be changed!) The password you choose needs to be a secure one, not one that would be easy to guess. The wireless network should be protected with WPA2 encryption – WEP should not be used, as it is extremely easy to crack, and you absolutely should not leave your network wide open if you value your data! Make sure that the password required to join the network is also secure, and different from the admin password.


18 Comments

  • Gerard says:

    I use mac addresses as well. Even if someone had the password he/she still cannot login.

    • Thomas says:

      Yes, that’s a good idea, though not practical for everyone. Non-techies would likely have trouble figuring out how to manage that. But doing that certainly does add to the security of your network.

    • Al says:

      The issue here is logging into and controlling the router, not your wireless network. If someone can guess your router password and you allow it to be reconfigured from the WAN (Internet) side of the router, then they can take control of your router. Use of MAC addresses won’t help you with that. The controller can always add their MAC address and join your Wi-Fi that way, if that was their goal.

      • Thomas says:

        Logging on to the network can be a problem, though. If you have disabled remote administration, that doesn’t protect you if your admin password is weak (or guessable) and someone is able to get onto your network. Of course, this isn’t something that affects your router’s ability to get hacked by all the automated botnets probing the internet for vulnerable devices.

  • Darren Kehrer says:

    Any issues with Apple’s AEBS? I use WPA2

    • Thomas says:

      I’m not aware of any vulnerabilities with any of Apple’s AirPort base stations. Just be sure to follow all the advice above to make sure it doesn’t get hacked through more prosaic means.

  • Darren Kehrer says:

    Here is one more follow-up. On my AEBS, under the Advanced tab, there is a checkbox “Allow SNMP” which is turned on. But the box below it, “Allow SNMP over WAN”, is off. Is it better to turn “Allow SNMP” off?

    My setup: cable modem to AEBS. Everything connects to the AEBS via WPA2 Personal.

    • Thomas says:

      You definitely want to keep SNMP over WAN disabled. That’s the remote admin feature on an AEBS. Leaving the “Allow SNMP” box checked should be okay, as long as nobody untrusted can get onto your wireless network.

  • Darren Kehrer says:

    Thanks, just what I needed to know. Again, thanks for what you do!

  • Deborah says:

    Thank you all for this discussion — I will try these tests. FYI, I have a Mac Airport Express for my wifi router and get the blue tag website when playing Scrabble.

  • James C. Young says:

    I am having an issue with all my portable Apple devices: two iPad 3’s, two iPhone 4’s and an iPod touch 4th generation (which is never used much). Anyway, you replied to a post I put up on Apple Support about my router being hacked. I use a Netgear WNDR4000 router, not a Linksys, but that doesn’t mean anything; I guess hacking a wireless router is probably easily done no matter which brand you own. I do have a very strong password and there appear to be no unknown devices showing up in the devices connected. I am not sure they would if it is hacked.
    The issue I am having is that I can open the sites I frequent and they open fine. It is when I click an item within the site that it opens a new window that takes me to one of three sites: a YouTube site for donations, the one I listed on the post, and oddly enough the App Store, to a random app that is just there with nothing in the background except the stuff at the bottom of the page. It doesn’t always do it on all items within the site. Amazon oddly enough works fine and does not redirect me, and I have confirmed that a purchase was from them by having them call me. This was before I realized this was happening on my devices. So I guess I will not be buying anything online just yet. I am going to try to go to a Wi-Fi hotspot today to see if it is my router. If it is not, do you have any suggestions as to what I should do? Thanks in advance for your time and help. I have a Windows laptop running Windows 7 Pro and a WHS server that has virus protection on it as well. One last thing: if I replace the router, how do I get rid of the bug or whatever it is?

  • James C. Young says:

    Hi there, figured out that TWC hacked my router yesterday when this all started happening. They could somehow change my IP and subnet mask, but not my DNS servers. We were on a static address with everything checked in the router to use a certain IP and two DNS servers, but they decided to drop static addresses in our area except for Business Class. I am still baffled how I was able to connect at all to the internet. I changed the DNS setting to “Get from ISP” but I still cannot figure out how TWC managed to change my IP, as it was a checked item as well. Everything seems to be working like it is supposed to now, so I guess it was the router settings.

    I left you the 10 points at Apple Support Forums and I am glad you responded to the question. I am still wondering if they can force the router to change IP addresses or if it did this when I unplugged it several times to reboot it when the outage occurred yesterday. Ran a complete scan on the Lenovo Windows 7 machine and it came back clean. Thanks for the help and I guess my question has been solved. I also bookmarked your site for future reference in case I have another issue.

  • Martin says:

    I would also recommend securing the Wi-Fi network by using WPA2-Enterprise for advanced authentication.

    We recently started offering a Free Edition of our IronWifi service, a hosted RADIUS/AAA service offering 802.1X authentication for use with WPA/WPA2-Enterprise encryption.

    The Free Edition features 5 user accounts, supports 1 AP, and includes: PEAP authentication for wireless and wired connections, web-based control panel, Android client, and activity logging.

    This is great for IT professionals wanting to experiment with 802.1X or to get enterprise security in homes and small offices.

  • Slatery says:

    Thanks for the help with this; hoping I can figure it all out navigating all the tech stuff.

  • Al says:

    I’m not sure if I’m having the same problem. For me the issue is occurring with certain apps (dating apps) on my iPad 2. I have not experienced an issue with the browser.

    When I open the app or click features within the app, I get redirected to the App Store to purchase a game app. When I close the App Store and reopen the app, I get redirected to the App Store again in an endless loop.

    Do you think that this is a potential router issue or something else? I’ve seen some posts that this is somehow related to scripts in the banner ads, but what’s weird is that it is the same set of 7 game apps (from 5 different developers) in the App Store that I keep being redirected to and they don’t seem to be related to the banner ads in the apps.

    • Thomas says:

      That’s not likely to be a router issue. Sounds like a problem with those dating apps you’re using. You should talk to the developer of those apps.

  • SMT says:

    This fixed it up straight away for me…. Thanx..

  • mspipes07 says:

    Hello! I am using a Cisco router in my home, but when I try to connect I am redirected to a Belkin gateway page, which is already logged in and showing the connected devices. Only my iPad and iPhone experience that; the other devices are working fine.
