Router Security What can go wrong if a router gets hacked Website by     
Michael Horowitz 
Home Site Index Bugs News Security Checklist Tests DNS Resources Stats Search Popular Pages
On my Defensive Computing Checklist site don't miss the Domain Name and VPN topics

In a word, Everything.

Every bad thing you can imagine happening to a computing device, can happen to one that sits behind a hacked router. The only limit is the imagination and/or technical skill of the bad guys attacking your router.

A router sits between the Internet and all the computing devices on a LAN. To illustrate what can go wrong, consider two people who speak different languages communicating through an interpreter. If the interpreter is malicious, they can manipulate either person into thinking anything.

And, since a router sits between your home/office and the outside world, it can be attacked from either side.

In August 2021, T-Mobile was hacked, yet again, and data on millions of their customers was stolen. How? An unprotected router. It is not clear if it was a T-Mobile branded router. See T-Mobile Hacker Who Stole Data on 50 Million Customers: 'Their Security Is Awful'.


Spying on your activities (goes without saying). We saw a public example of this in September 2018 with an attack on MikroTik routers. The attackers spied on the routers by forwarding a copy of network traffic to the spies. This was done using the built-in packet-sniffing capabilities of MikroTik routers. The sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system using Wireshark or other packet capture tools. For more see 7,500+ MikroTik Routers Are Forwarding Owners' Traffic to the Attackers, How is Yours? by Netlab 360.

DNS Hijacking (changing the DNS servers that the router gives out to attached devices). A victim using malicious DNS servers can think they are at website A, when they are really seeing a scam copy of it. Kiss that password good-bye. In March 2020, Liviu Arsene of BitDefender said "Having your router’s DNS compromised can spell disaster because if attackers can redirect you to any page they want without raising any suspicion in your browser, you could end up giving away credentials, you could end up giving away files, all sorts of sensitive information, or even allowing attackers to remotely dial into your company’s infrastructure. Compromising a router’s DNS is as bad as it gets."

If a computer is downloading software, the router can trick it into downloading a malicious copy of the software. A simple way to do this is with malicious DNS servers. A more sophisticated hack would see the request to download software and have the router respond with malicious software on its own.

An infected router may do nothing to its owner other than slow down the Internet connection. A big reason for taking over routers (and IoT devices too) is to use them in distributed denial of service attacks.

Many routers let you plug a USB based storage device into them for sharing files either within your home or publicly. If the router is hacked, any files that it can see, the bad guys can see.

In October 2021, Ido Hoorvitch of CyberArk described how he cracked the passwords of thousands of Wi-Fi networks. He warned that "... once attackers gain access to your network, they can launch various man-in-the-middle (MITM) attacks. That can lead to attackers gaining access to your important accounts, such as your bank account, your email account (which is everything in modern life) and compromising other sensitive credentials. This also further opens attack vectors to your IoT devices like smart home equipment, smart TVs, security systems, etc. For the small business, the risk lies in an attacker infiltrating a network and then moving laterally to high-value applications or data, such as a billing system or cashier... once an attacker is in the network, it facilitates a range of attack vectors."

If any device on the local network is sharing files they may be visible too. In November 2018, Akamai reported on a malware campaign that abused UPnP on vulnerable routers to open up the Windows SMB file sharing ports, 139 and 445. This is how they described the impact of this attack:

"For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised. Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms ... Victims of this attack will be at the mercy of the attackers, because they'll have machines existing on the internet that were previously segmented, and they'll have no idea this is happening. Moreover, machines within the network that had a low priority when it came to patches will become easy pickings."

In a January 2019 story, Tomáš Foltýn of ESET layed out his list of bad things a hacked router might do:

  1. redirect you to a web page that phishes for your credentials
  2. dupe you into installing malware-laced versions of legit software
  3. be hijacked to conduct man-in-the-middle attacks (MitM) on what you would believe are secure and encrypted connections
  4. be corralled into a botnet in order to launch DDoS attacks against websites or even against aspects of the internet’s infrastructure
  5. be co-opted as an on-ramp to attacks at other devices within your network
  6. be used to spy on you via Internet-of-Things (IoT) devices
  7. be compromised with malware such as VPNFilter, or, as another threat du jour, be misused for covert cryptocurrency mining
  8. And, he says, that is by no means an exhaustive list.

Can Everything I Do Online Be Monitored at My Router? by Leo A. Notenboom (March 2019)

- - - - - - - - - - - - - - - - - - - -

In August 2018, Micah Lee of The Intercept wrote that the NSA would use hacked routers to copy VPN traffic so they could decrypt the VPN. Quoting from the article: "In 2014, The Intercept reported on the NSA's plans ... to use an automated system called TURBINE to covertly infect millions of computers with malware. The revelations described a piece of NSA malware called HAMMERSTEIN, installed on routers that VPN traffic traverses. The malware was able to forward VPN traffic that uses the IPSec protocol back to the NSA to decrypt."

In July 2018 we heard of two cases where a compromised router was used to access computers on the LAN behind the router. In one case, a bank in Russia lost about $920,000. In another case sensitive US military documents were stolen and found for sale on the dark web.

In May 2018 we learned of a new problem that malware on a router can create - bricking the box. This was seen (as far as I know for the first time) in the VPNFilter malware first reported on by the Talos division of Cisco. Many of the 500,000 infected routers were in the Ukraine, so speculation was that Russia was out to permanently disable routers to disrupt the entire country.

The VPNFilter malware would also change outgoing HTTPS requests to HTTP thus making it easier for an infected router to both spy on the transmitted data and also to change it. Another interesting trick used by VPNFilter was to listen for a special incoming trigger packet, without opening any ports.

In June 2018 we first heard of a hacked router serving as the Command and Control of a botnet.. Bad guys hacked a data center belonging to a Central Asian country and embedded malicious JavaScript code on government websites. The code re-directed victims to malicious websites hosting exploitation tools that attempt to infect victims with a remote access trojan (RAT). The attackers hacked a MikroTik router to host the command and control server of the RAT. The hacked router controlled and retrieved data from victims, providing an additional layer of anonymity between the bad guys, victims, and forensic investigators.

A very common router attack is changing the DNS servers. In late April 2018, an ISP was hacked to use malicious DNS servers. The hack pointed users of to a phishing site at a Russian IP address. Anyone who logged into their account would have had their passwords stolen. Likewise, browsers already signed in, would have transmitted cookies which bad guys could have used to log on to the site. The malicious DNS servers were active for only two hours, but users of lost around $150,000. Victims should have received a warning that the scam site was using a self-signed digital certificate. They ignored it, perhaps because they did not understand what the warning meant. While this was not a router hack (technically it was a BGP leak), it illustrates what can happen when using malicious DNS servers. The Test Your Router page lists websites that display your current DNS servers.

April 16, 2018: The New York Times, reporting on Russian hacking (U.S.-U.K. Warning on Cyberattacks Includes Private Homes) quotes Howard Marshall, the deputy assistant director of the cyber division at the FBI: "Once you own the router, you own all the traffic, to include the chance to harvest credentials and passwords ... It is a tremendous weapon in the hands of an adversary."

April 16, 2018: A joint Technical Alert was issued by the Department of Homeland Security, the FBI and the British National Cyber Security Centre - Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. It had a section called, Own the Router, Own the Traffic, which details what can go wrong: "Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization's gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization's internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts ... An actor controlling a router between ICS-SCADA sensors and controllers in a critical infrastructure - such as the Energy Sector - can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network."

Federal networks susceptible to router hacks, DHS says by Derek B. Johnson of FCW March 6, 2018. The Department of Homeland Security just released a report from 2016 on network infrastructure security. The report (see bellow) says that "as security practices for individual computers and devices have hardened, nation-state hackers have adapted by focusing on weaker network infrastructure devices, like routers, that 'are often working in the background with little oversight -- until network connectivity is broken or diminished'." A letter, released along with the report, quoted the agency head: "for several years, network infrastructure devices have been the attack-vector of choice" for advanced persistent threat hacking groups to conduct denial of service attacks, data theft and alteration of data moving across federal networks.

The report referred to above is The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. One section details what can happen after a router is hacked: "If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data. Intruders with infrastructure privilege and access can impede productivity and severely hinder reestablishing network connectivity ... Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts."

In May 2017, Trend Micro wrote "A compromised home router can open up the user to significant consequences: information or even identity theft, malicious sites and advertisements, VoIP fraud, and more. Cybercriminals can also profit by using compromised home routers in for-profit distributed denial-of-service attacks (DDoS) or as part of a rented botnet. Botnets have become quite profitable ... "

In March 2013, Leon Juranic of Defense Code documented flaws with UPnP. His document started with this: Hacking network devices is a sort of the Holy Grail for hackers, because once we're in a network device like a router or switch, we can (more-or-less) overtake all machines behind it. Network traffic sniffing, man-in-the-middle attacks, binary infection on-the-fly, further network penetration, so on, and so on... His document included a huge list of routers vulnerable to particular UPnP bug. No Peplink routers were on the list.


See the Routers in the news page.

An infected router can setup a bad guy as a Man-In-The-Middle. Here is a funny story of what one person did when a neighbor used their Wi-Fi network without permission: Upside-Down-Ternet. In this case, the person whose Wi-Fi was being stolen, was the Man-In-The-Middle, and he was playing a joke on the thief - every image the Wi-Fi thief saw, was upside-down. Pretty darn funny.


If I ran a spy agency, one group of people that I would most want to spy one would be those downloading the Tails version of Linux which is used to access TOR. In fact, Tails is the best way to access the TOR network. Tails lives at which (as of June 2015) resolves to IP address The Internet thinks this IP address is in the United States, specifically in Seattle, Washington.

A malicious router could easily change every outgoing packet destined to and replace the legitimate IP address with one for a malicious copy of the website. A victim would never know they were looking at a scam website with scam checksums for the modified hacked ISO at the scam site.

Then again, if I ran a spy agency, I would have the ISP do this for me. Much less work than hacking a router and it lets me corrupt far more copies of Tails Linux.

Page Created: June 18, 2015      
Last Updated: October 28, 2021 8PM CT
Viewed 77,943 times
(33/day over 2,359 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2021