Router Security: What can go wrong if a router gets hacked
Website by Michael Horowitz

What can go wrong if a router gets hacked? In a word, Everything.

Every bad thing you can imagine happening to a computing device can happen to one that sits behind a hacked router. The only limit is the imagination and technical skill of the people attacking your router.

A router sits between the Internet and all the computing devices on a LAN. To illustrate what can go wrong, consider two people who speak different languages communicating through an interpreter. If the interpreter is malicious, they can manipulate either person into thinking anything.

And, since a router sits between your home/office and the outside world, it can be attacked from either side.


Spying on your activities (goes without saying). We saw a public example of this in September 2018 with an attack on MikroTik routers. The attackers had each compromised router forward a copy of the traffic passing through it to a collection server they controlled. This was done using the built-in packet sniffer of MikroTik RouterOS. The sniffer encapsulates captured packets in the TZSP protocol and streams them over UDP (by default to port 37008) to a remote host, where Wireshark or another packet capture tool can decode them. For more see 7,500+ MikroTik Routers Are Forwarding Owners' Traffic to the Attackers, How is Yours? by Netlab 360.
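The defender's side of the MikroTik case is noticing that a sniffer stream is leaving the network. An added example, not code from the page or from Netlab 360: a small TZSP parser plus a check over captured UDP flows that flags any TZSP datagram whose destination is outside the LAN. The TZSP field values (version 1, type and encapsulation codes, the PAD/END tags) follow Wireshark's dissector; the flow records, the dummy Ethernet frame and the LAN address ranges are constructed sample data, and treating 37008 as the MikroTik default port is an assumption about RouterOS defaults.

```python
import ipaddress
import struct

# TZSP field values as decoded by Wireshark's TZSP dissector (assumed here; not from the page).
TZSP_VERSION = 1
TZSP_TYPES = {0: "received", 1: "transmit", 2: "reserved",
              3: "configuration", 4: "keepalive", 5: "port-opener"}
TZSP_ENCAP = {1: "ethernet", 18: "ieee802.11", 119: "prism", 127: "wlan-avs"}
TAG_PAD, TAG_END = 0x00, 0x01
MIKROTIK_DEFAULT_PORT = 37008      # assumed RouterOS default for the sniffer streaming target

LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_tzsp(payload: bytes):
    """Return a dict describing one TZSP datagram, or None if the bytes are not TZSP.

    Layout: version(1) type(1) encapsulation(2), then tagged fields (tag, length, value;
    PAD and END carry no length byte) up to the END tag, then the captured frame."""
    if len(payload) < 5 or payload[0] != TZSP_VERSION:
        return None
    ttype, encap = payload[1], struct.unpack(">H", payload[2:4])[0]
    if ttype not in TZSP_TYPES or encap not in TZSP_ENCAP:
        return None
    tags, off = [], 4
    while off < len(payload):
        tag = payload[off]
        off += 1
        if tag == TAG_PAD:
            continue
        if tag == TAG_END:
            break
        if off >= len(payload):
            return None                      # tag without a length byte: truncated
        length = payload[off]
        off += 1
        if off + length > len(payload):
            return None                      # tag value runs past the datagram: truncated
        tags.append((tag, payload[off:off + length]))
        off += length
    else:
        return None                          # ran out of bytes before an END tag: malformed
    return {"type": TZSP_TYPES[ttype], "encap": TZSP_ENCAP[encap],
            "tags": tags, "frame": payload[off:]}


def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def find_sniffer_streams(flows):
    """flows: dicts with src, dst, dport and the UDP payload of one datagram.

    Every TZSP datagram leaving the LAN is reported. The MikroTik default port is noted
    as a stronger signal, but an attacker can pick any port, so the header check, not
    the port number, is what identifies the stream."""
    hits = []
    for f in flows:
        parsed = parse_tzsp(f["payload"])
        if parsed is None or is_lan(f["dst"]):
            continue
        hits.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                     "encap": parsed["encap"], "frame_len": len(parsed["frame"]),
                     "default_port": f["dport"] == MIKROTIK_DEFAULT_PORT})
    return hits


# Constructed sample data: a dummy 34-byte Ethernet/IPv4 frame wrapped in TZSP with one
# ORIGINAL_LENGTH tag (0x29), roughly as a streaming sniffer would emit it.
SAMPLE_FRAME = bytes(12) + b"\x08\x00" + b"\x45" + bytes(19)
SAMPLE_TZSP = (bytes([TZSP_VERSION, 0, 0, 1]) + bytes([0x29, 2]) +
               struct.pack(">H", len(SAMPLE_FRAME)) + bytes([TAG_END]) + SAMPLE_FRAME)
SAMPLE_FLOWS = [
    {"src": "192.168.88.1", "dst": "203.0.113.9", "dport": 37008, "payload": SAMPLE_TZSP},    # to the internet
    {"src": "192.168.88.1", "dst": "192.168.88.20", "dport": 37008, "payload": SAMPLE_TZSP},  # admin's own Wireshark
    {"src": "192.168.88.1", "dst": "203.0.113.9", "dport": 37008,
     "payload": b"\x12\x34\x01\x00" + bytes(8)},                                              # not TZSP at all
]

if __name__ == "__main__":
    for hit in find_sniffer_streams(SAMPLE_FLOWS):
        print(hit)
```

The flow records would normally come from a flow exporter or a capture on the router's WAN side; a stream to an address inside your own LAN is usually an administrator's Wireshark, which is why only off-LAN destinations are reported.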

DNS Hijacking (changing the DNS servers that the router gives out to attached devices). A victim using malicious DNS servers can think they are at website A, when they are really seeing a scam copy of it. Kiss that password good-bye. In March 2020, Liviu Arsene of BitDefender said "Having your router’s DNS compromised can spell disaster because if attackers can redirect you to any page they want without raising any suspicion in your browser, you could end up giving away credentials, you could end up giving away files, all sorts of sensitive information, or even allowing attackers to remotely dial into your company’s infrastructure. Compromising a router’s DNS is as bad as it gets."

If a computer is downloading software, the router can trick it into fetching a malicious copy. A simple way to do this is with malicious DNS servers, which send the download request to a server the attacker runs. A more sophisticated attack would have the router watch for the download request and answer it with malicious software itself. Either way, a checksum fetched over the same connection proves nothing. A properly validated HTTPS connection defeats the DNS trick, since the attacker's server cannot present a valid certificate for the real site name; a signature checked against a key obtained some other way defends against both tricks.

From the Washington Post article Dust off your home WiFi router: It needs some upkeep to stay secure (March 23, 2022):
"Some cybercriminals steal the router's computing power to mint cryptocurrency such as bitcoin - and run up your electricity bill. Others make off with your data after using your router to grab remote access to your computers. Some even put fake error messages up on connected gadgets like smart TVs, urging you to call a phony customer service number."

An infected router may do nothing to its owner other than slow down the Internet connection. A big reason for taking over routers (and IoT devices too) is to use them in distributed denial of service attacks.

Many routers let you plug a USB based storage device into them for sharing files either within your home or publicly. If the router is hacked, any files that it can see, the bad guys can see.

In a January 2019 story, Tomáš Foltýn of ESET laid out his list of bad things a hacked router might do:

  1. redirect you to a web page that phishes for your credentials
  2. dupe you into installing malware-laced versions of legit software
  3. be hijacked to conduct man-in-the-middle attacks (MitM) on what you would believe are secure and encrypted connections
  4. be corralled into a botnet in order to launch DDoS attacks against websites or even against aspects of the internet's infrastructure
  5. be co-opted as an on-ramp to attacks at other devices within your network
  6. be used to spy on you via Internet-of-Things (IoT) devices
  7. be compromised with malware such as VPNFilter, or, as another threat du jour, be misused for covert cryptocurrency mining

And, he says, that is by no means an exhaustive list.

See too: Can Everything I Do Online Be Monitored at My Router? by Leo A. Notenboom (March 2019).

An infected router can allow a bad guy to set themselves up as a Man-In-The-Middle. Here is a funny story of what one person did when a neighbor used their Wi-Fi network without permission: Upside-Down-Ternet. In this case, the person whose Wi-Fi was being stolen, was the Man-In-The-Middle, and he was playing a joke on the thief - every image the Wi-Fi thief saw, was upside-down. Pretty darn funny.

In October 2021, Ido Hoorvitch of CyberArk described how he cracked the passwords of thousands of Wi-Fi networks. He warned that "... once attackers gain access to your network, they can launch various man-in-the-middle (MITM) attacks. That can lead to attackers gaining access to your important accounts, such as your bank account, your email account (which is everything in modern life) and compromising other sensitive credentials. This also further opens attack vectors to your IoT devices like smart home equipment, smart TVs, security systems, etc. For the small business, the risk lies in an attacker infiltrating a network and then moving laterally to high-value applications or data, such as a billing system or cashier... once an attacker is in the network, it facilitates a range of attack vectors."

Devices on the local network that share files may be exposed too. In November 2018, Akamai reported on a malware campaign that abused UPnP on vulnerable routers to add port mappings that exposed the Windows SMB file sharing ports, 139 and 445, to the Internet. This is how they described the impact of this attack:

"For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised. Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms ... Victims of this attack will be at the mercy of the attackers, because they'll have machines existing on the internet that were previously segmented, and they'll have no idea this is happening. Moreover, machines within the network that had a low priority when it came to patches will become easy pickings."

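The mappings that campaign created are visible to the router's owner through the same UPnP interface the malware used, so auditing them is the practical check. An added example, not code from the page or from Akamai: it builds the standard WANIPConnection GetGenericPortMappingEntry SOAP call, parses each response, and flags mappings that expose SMB/NetBIOS (or other risky) ports or whose "internal client" is not a LAN address at all, which means the router is forwarding internet traffic to another internet host. The control URL, the sample mapping responses, the risky-port list and the LAN ranges are constructed assumptions; the action name, field names and the 713 end-of-table error are from the UPnP IGD specification.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Internal ports that should never be reachable from the internet (telnet, RPC, NetBIOS, SMB, RDP, VNC).
RISKY_PORTS = {23, 135, 137, 138, 139, 445, 3389, 5900}


def soap_request(index: int) -> bytes:
    """Body of a GetGenericPortMappingEntry call; the IGD returns one mapping per index."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()


def fetch_mapping(control_url: str, index: int) -> str:
    """Live query against the router's WANIPConnection control URL (taken from its device
    description XML). Not exercised by the offline sample below."""
    req = urllib.request.Request(
        control_url, data=soap_request(index), method="POST",
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def parse_mapping(xml_text: str):
    """Fields of one response, or None on a SOAP fault (UPnP error 713
    SpecifiedArrayIndexInvalid means we have walked past the last entry)."""
    root = ET.fromstring(xml_text)
    fields = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}
    if "Fault" in fields or "errorCode" in fields:
        return None
    return {"ext_port": int(fields["NewExternalPort"]), "proto": fields["NewProtocol"],
            "int_port": int(fields["NewInternalPort"]), "client": fields["NewInternalClient"],
            "desc": fields.get("NewPortMappingDescription", "")}


def audit_mappings(responses):
    """Walk responses in index order; attach a reason to every suspicious mapping."""
    findings = []
    for text in responses:
        m = parse_mapping(text)
        if m is None:
            break
        reasons = []
        if m["int_port"] in RISKY_PORTS:
            reasons.append(f"internal port {m['int_port']} exposed on external port {m['ext_port']}")
        try:
            if not any(ipaddress.ip_address(m["client"]) in n for n in LAN_NETS):
                reasons.append(f"internal client {m['client']} is not a LAN address (proxy)")
        except ValueError:
            reasons.append(f"internal client {m['client']!r} is not an IP address")
        findings.append({**m, "reasons": reasons})
    return findings


def _response(ext, proto, internal, client, desc):
    """Constructed GetGenericPortMappingEntryResponse in the shape an IGD returns."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}"><NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{internal}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


FAULT_713 = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
             '<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
             '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
             '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
             '</detail></s:Fault></s:Body></s:Envelope>')

# Constructed sample: one ordinary mapping, two exposing SMB/NetBIOS on a LAN PC,
# one forwarding to an address outside the LAN, then the end-of-table fault.
SAMPLE_RESPONSES = [
    _response(51413, "TCP", 51413, "192.168.1.50", "torrent client"),
    _response(61234, "TCP", 445, "192.168.1.20", "file share"),
    _response(62020, "TCP", 139, "192.168.1.20", "file share"),
    _response(8080, "TCP", 80, "203.0.113.77", "www"),
    FAULT_713,
]

if __name__ == "__main__":
    for f in audit_mappings(SAMPLE_RESPONSES):
        print(f["ext_port"], "->", f["client"], f["int_port"], f["reasons"] or "ok")
```

For a live audit, call fetch_mapping with increasing indexes until parse_mapping returns None and feed the collected responses to audit_mappings; a router that lets the WAN side create these mappings (the bug Akamai described) needs UPnP turned off, not just the mappings deleted.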

April 8, 2024: It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise by Palo Alto Networks. Bad guys have been scanning the Internet to find vulnerable networks and systems for a very long time. A growing number of them now run those scans from malware-infected hosts (think routers) rather than directly from their own machines. Scanning from what the rest of the world sees as a benign network lets them cover their tracks and bypass geofencing; the owner of the infected router is the one whose address ends up on blocklists.
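The defender's side of that report is noticing that a router (or any host) on your own network has become someone else's scanner. An added example, not code from the page or from Palo Alto Networks: a sliding-window detector that reads egress firewall log lines and flags any source that touches many distinct host/port targets within a short window. The log lines are constructed in iptables LOG style with an epoch timestamp in front; the EGRESS prefix, the addresses and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: the router 192.168.1.1 probes TCP/445 on 30 different hosts in
# 30 seconds, while a PC on the LAN makes a few ordinary connections.
SAMPLE_LOG = [
    f"{1712600000 + i} kernel: EGRESS IN= OUT=eth0 SRC=192.168.1.1 DST=203.0.113.{i + 1} "
    f"PROTO=TCP SPT={40000 + i} DPT=445 SYN"
    for i in range(30)
] + [
    "1712600005 kernel: EGRESS IN= OUT=eth0 SRC=192.168.1.50 DST=198.51.100.8 PROTO=TCP SPT=51001 DPT=443 SYN",
    "1712600007 kernel: EGRESS IN= OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP SPT=51002 DPT=443 SYN",
    "1712600012 kernel: EGRESS IN= OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=UDP SPT=51003 DPT=53",
]

LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\b.*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
                    r".*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)")


def parse_events(lines):
    """Yield (timestamp, source, (destination, protocol, port)) for every line that parses."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield float(m["ts"]), m["src"], (m["dst"], m["proto"], int(m["dpt"]))


def detect_scanners(lines, window=60.0, threshold=20):
    """Flag sources that reach at least `threshold` distinct (host, proto, port) targets
    within any `window` seconds. Returns {source: peak distinct targets in one window}."""
    per_src = defaultdict(list)
    for ts, src, target in parse_events(lines):
        per_src[src].append((ts, target))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        in_window, left = Counter(), 0
        for ts, target in events:
            in_window[target] += 1
            while events[left][0] < ts - window:          # drop events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(in_window))
    return scanners


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))        # the router, not the PC, is the scanner
```

Outbound connections that originate from the router's own address are the interesting ones here: a home router has no business opening TCP/445 on thirty strangers' machines, and that pattern is visible on the router's WAN side even when the router's own logs have been tampered with.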

February 2024: Buggy and/or misconfigured routers help China and Russia attack the US. In the first week of February 2024, the US Justice Department announced a court-authorized operation to remove Chinese state-sponsored malware from consumer routers. A week later, another press release described the same kind of operation against routers used by Russia. Scary stuff. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU) Press Release. Quoting: "A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes. These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type has been the subject of a private sector cybersecurity advisory and a Ukrainian government warning."

In June 2022, the NSA, FBI and CISA issued this joint Alert (AA22-158A): People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices. Quoting: "This joint Cybersecurity Advisory describes the ways in which People's Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide ... PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as SOHO routers and NAS devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities." The last point refers to using hacked devices to hide where the attackers really are (in this case, China): they route their traffic through a chain of innocent victims' devices, making it hard for the final target to trace an attack back to its source. The owners of the hacked routers are unlikely to notice anything. The most frequently attacked devices include those from Cisco, Netgear, D-Link, Zyxel and MikroTik.

This June 2022 article from Kaspersky, The hidden threats of router malware, discusses some things they see bad guys doing with hacked routers. The most common is assimilating the router into a botnet used for DDoS attacks, which flood a website with so much traffic that it is overwhelmed and virtually useless; the attackers are typically paid for this by a third party or use it to extort the victim. Other times bad guys steal your data, or redirect you to pages full of ads or to malicious sites instead of the ones you want to visit.

In August 2021, T-Mobile was hacked, yet again, and data on millions of their customers was stolen. How? An unprotected router. It is not clear if it was a T-Mobile branded router. See T-Mobile Hacker Who Stole Data on 50 Million Customers: 'Their Security Is Awful'.

In August 2018, Micah Lee of The Intercept wrote that the NSA would use hacked routers to copy VPN traffic so they could decrypt the VPN. Quoting from the article: "In 2014, The Intercept reported on the NSA's plans ... to use an automated system called TURBINE to covertly infect millions of computers with malware. The revelations described a piece of NSA malware called HAMMERSTEIN, installed on routers that VPN traffic traverses. The malware was able to forward VPN traffic that uses the IPSec protocol back to the NSA to decrypt."

In July 2018 we heard of two cases where a compromised router was used to access computers on the LAN behind the router. In one case, a bank in Russia lost about $920,000. In another case sensitive US military documents were stolen and found for sale on the dark web.

In May 2018 we learned of a new problem that malware on a router can create: bricking the box. This was seen (as far as I know, for the first time) in the VPNFilter malware, first reported on by the Talos division of Cisco. Many of the 500,000 infected routers were in Ukraine, so speculation was that Russia intended to permanently disable routers to disrupt the entire country.

VPNFilter also downgraded web traffic from HTTPS to HTTP where it could, rewriting https:// references in the unencrypted web traffic it saw so that the browser never made the encrypted connection. That kept the traffic readable, and changeable, by the infected router. HSTS, the browsers' preloaded HSTS lists and HTTPS-only browser modes blunt this trick, since the browser then refuses to fetch the site over plain HTTP at all. Another interesting trick used by VPNFilter was to listen for a special incoming trigger packet without opening any ports, so a port scan of the router showed nothing unusual.

In June 2018 we first heard of a hacked router serving as the command and control server of a botnet. Bad guys hacked a data center belonging to a Central Asian country and embedded malicious JavaScript code in government websites. The code redirected visitors to malicious websites hosting exploitation tools that tried to infect them with a remote access trojan (RAT). The attackers hosted the RAT's command and control server on a hacked MikroTik router. The router issued commands to the victims and retrieved data from them, providing an additional layer of anonymity between the bad guys, the victims and forensic investigators.

A very common router attack is changing the DNS servers. In late April 2018, an ISP was hacked to use malicious DNS servers. The hack pointed users of to a phishing site at a Russian IP address. Anyone who logged into their account there had their password stolen. Likewise, browsers that were already signed in would have sent their session cookies, which the bad guys could have used to log on to the real site. The malicious DNS servers were active for only two hours, but users of lost around $150,000. Victims did get a browser warning that the scam site was using a self-signed digital certificate; they clicked through it, perhaps because they did not understand what the warning meant. While this was not a router hack (technically it was a BGP leak), it illustrates what can happen when using malicious DNS servers. The Test Your Router page lists websites that display your current DNS servers.
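Knowing which DNS servers your router hands out (the DNS hijacking case above) is step one; step two is checking whether those servers give honest answers, which also covers the April 2018 incident just described. An added example, not code from the page or from the Test Your Router page: a minimal DNS A-query builder and response parser, a live query helper, and a check that compares the addresses the router's resolver returns with answers obtained directly from resolvers you trust. The name bank.example and the 203.0.113.x / 198.51.100.x addresses are constructed documentation values; build_response exists only to fabricate responses for the offline demo, and which resolvers count as trusted is your call.

```python
import ipaddress
import os
import socket
import struct


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A query: flags 0x0100 (RD), one question, no other sections."""
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(name: str, addrs, qid: int = 0x1234) -> bytes:
    """Constructed answer for the offline demo; a real resolver produces the same layout.
    Each answer names its owner with a compression pointer (0xc00c) to the question at offset 12."""
    msg = struct.pack(">HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0) + _encode_name(name) + struct.pack(">HH", 1, 1)
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return msg


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes):
    """Set of IPv4 addresses in the answer section of a DNS response (empty for a non-response)."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:                         # QR bit clear: this is a query, not a reply
        return set()
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE, QCLASS
    addrs = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> bytes:
    """Live UDP query (not used by the offline demo); replies with the wrong ID are ignored."""
    qid = struct.unpack(">H", os.urandom(2))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        while True:
            reply, _ = s.recvfrom(4096)
            if struct.unpack(">H", reply[:2])[0] == qid:
                return reply


def dns_hijack_check(name: str, router_reply: bytes, trusted_replies):
    """Compare the router resolver's answer with answers from resolvers reached directly.
    A CDN can legitimately return different addresses per query, so the trusted answers are
    pooled; an address that appears in none of them is the lead to investigate."""
    router = parse_a_records(router_reply)
    trusted = set().union(*(parse_a_records(r) for r in trusted_replies))
    unexpected = router - trusted
    return {"name": name, "router": router, "trusted": trusted,
            "unexpected": unexpected, "suspicious": bool(unexpected)}


if __name__ == "__main__":
    # Offline demo: the router's resolver hands out an address no trusted resolver knows about.
    legit = [build_response("bank.example", ["203.0.113.10"]),
             build_response("bank.example", ["203.0.113.10", "203.0.113.11"])]
    hijacked = build_response("bank.example", ["198.51.100.7"])
    print(dns_hijack_check("bank.example", hijacked, legit))
```

For a live check, pass query_resolver(router_ip, name) as router_reply and a few query_resolver(trusted_ip, name) results as trusted_replies, for the handful of sites that matter most to you (bank, e-mail, password manager). A mismatch is a lead rather than proof, since geo-steered CDNs differ by vantage point; an address in a country the site has no business being in is the kind of lead worth chasing.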

April 16, 2018: The New York Times, reporting on Russian hacking (U.S.-U.K. Warning on Cyberattacks Includes Private Homes) quotes Howard Marshall, the deputy assistant director of the cyber division at the FBI: "Once you own the router, you own all the traffic, to include the chance to harvest credentials and passwords ... It is a tremendous weapon in the hands of an adversary."

April 16, 2018: A joint Technical Alert was issued by the Department of Homeland Security, the FBI and the British National Cyber Security Centre - Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. It had a section called Own the Router, Own the Traffic, which details what can go wrong: "Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization's gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization's internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts ... An actor controlling a router between ICS-SCADA sensors and controllers in a critical infrastructure - such as the Energy Sector - can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network."

Federal networks susceptible to router hacks, DHS says by Derek B. Johnson of FCW, March 6, 2018. The Department of Homeland Security had just released a report from 2016 on network infrastructure security. The report (see below) says that "as security practices for individual computers and devices have hardened, nation-state hackers have adapted by focusing on weaker network infrastructure devices, like routers, that 'are often working in the background with little oversight -- until network connectivity is broken or diminished'." A letter, released along with the report, quoted the agency head: "for several years, network infrastructure devices have been the attack-vector of choice" for advanced persistent threat hacking groups to conduct denial of service attacks, data theft and alteration of data moving across federal networks.

The report referred to above is The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. One section details what can happen after a router is hacked: "If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data. Intruders with infrastructure privilege and access can impede productivity and severely hinder reestablishing network connectivity ... Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts."

In May 2017, Trend Micro wrote "A compromised home router can open up the user to significant consequences: information or even identity theft, malicious sites and advertisements, VoIP fraud, and more. Cybercriminals can also profit by using compromised home routers in for-profit distributed denial-of-service attacks (DDoS) or as part of a rented botnet. Botnets have become quite profitable ... "

In March 2013, Leon Juranic of Defense Code documented flaws with UPnP. His document started with this: "Hacking network devices is a sort of the Holy Grail for hackers, because once we're in a network device like a router or switch, we can (more-or-less) overtake all machines behind it. Network traffic sniffing, man-in-the-middle attacks, binary infection on-the-fly, further network penetration, so on, and so on..." His document included a huge list of routers vulnerable to a particular UPnP bug. No Peplink routers were on the list.

See too, the Routers in the news page for more examples of router hacks.

Page Created: June 18, 2015      
Last Updated: April 10, 2024 3PM CT
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2024