Wednesday 22 July 2015

Is your router being hacked?

Hackers don’t just want to break into your PC – they’re after your router, too. Jane Hoskyn explains how to keep your internet connection safe

You know your PC can be hacked, you know your phone can be hacked and there seem to be new stories every day about websites being hacked. But your router?

Routers are actually very easy for hackers to break into. This is partly because your antivirus isn’t designed to protect your router, but mainly because we tend to be blasé about our router settings. When’s the last time you changed your router’s password or scanned it for malware? Exactly.

Here we’ll show you how to check your router for invaders, then kick them out and keep them out.


Scan your router for hijackers


It only takes seconds to check if anyone or anything has hijacked your router, and you don’t even need to download software. Just go to the free new online tool from security company F-Secure, Router Checker (www.snipca.com/17269), and click ‘Start now’. Your results will appear in a couple of seconds, if that. If all is well, you’ll see a big green message: ‘No issues were found’. If all isn’t well, you’ll be guided through what to do next.

Router Checker isn’t a malware scanner in the vein of Malwarebytes and similar tools; it doesn’t look for malicious files. Instead, it looks for malicious activity such as DNS (domain name server) requests that don’t end up where they’re supposed to go. In other words, it checks that when you type a web address such as www.google.co.uk into your browser, your router connects you to the appropriate website (Google, in this case) rather than to, say, a malware-riddled site created by a hacker who’s busy logging your keystrokes.

Once you’ve run Router Checker, click the ‘+’ symbol under the results to see your router’s vital statistics, including your IP address, your DNS server’s IP address (they’re different) and your broadband provider. Copy these details to Notepad or print them for safekeeping.

Incidentally, if you’re ever out and about with your laptop, tablet or phone and you want to connect to public Wi-Fi, run Router Checker first to quickly check the safety of the router you’re using. Security on public Wi-Fi is often far more lax than in our homes.

Watch out for redirecting URLs


If you type a URL in your browser’s address bar and it changes into an address you don’t recognise or takes you to an unexpected site, it may indicate that your router is being hacked or the site’s server has been hijacked.

Not all so-called ‘redirects’ are dodgy, of course. Web addresses often redirect for legitimate reasons, usually to save you having to type in a very long URL. Our shortened snipca.com URLs – which redirect automatically to longer web addresses – are just one example (try this, for example: www.snipca.com/17276). Similarly, if you type gmail.com into the address bar (or even just gmail, depending on your browser), the URL will automatically change into the full address for Gmail (https://mail.google.com/mail/u/0/#inbox), which we’re rather glad we don’t have to type in full every time.

But other redirects aren’t so well-intentioned, so it’s good practice to check your browser bar for unexpected URL behaviour. This is especially important when you’re visiting a sensitive site such as your bank or webmail account, where the URL should always start ‘https’. If it doesn’t, you may have been redirected to a fake (‘phishing’) version of the site by hackers, who could now merrily go about stealing your passwords and harvesting any personal details you type.

If you’re worried about any URL, copy it to your clipboard and check it on free online tool VirusTotal (https://www.virustotal.com). Click VirusTotal’s URL tab, paste the suspicious URL in the box and press Enter.

Dig out router worms


Router hackers commonly use worms to spread from router to router. They don’t actually stuff routers with earthworms; in this context, worms are malware that replicate themselves and use security holes to spread from device to device.

The best-known example of a router worm is The Moon, which was found spreading among older Linksys routers last year. Its main effect was to drastically cut the routers’ internet speeds, but it could ultimately have been used by its creators to remotely access and even control victims’ internet activity.

The Moon was soon brought down by a Linksys firmware update (www.snipca.com/17264) that patched the security holes the worm had been wriggling through.

Now there’s an even more dangerous worm about. It’s called Moose, and it’s still on the loose. Moose (full name ‘Linux/Moose’) was first spotted in May, spreading through routers made by numerous companies including TP-Link, Belkin and Netgear as well as poor old Linksys. Once Moose has infected a router, it uses the hijacked internet connection to post spam and fake ‘Likes’ on social sites including Facebook. According to security firm ESET (www.snipca.com/17274; PDF), it could be used to eavesdrop on victims’ internet activity.

As with last year’s Moon attack, Moose can be removed by updating your router’s firmware. Get into the habit of checking your router manufacturer’s website for firmware updates (see below); the site will also provide installation instructions. Always download firmware updates to a computer that’s connected to your router using an Ethernet cable.

If your router won’t accept the firmware file, it may be because it’s infected by a more tenacious form of malware. It’s a Catch-22: you update the firmware to get rid of malware, but malware won’t let you update firmware. You could try downloading a third-party firmware file instead – the DD-WRT site has firmware for hundreds of routers (www.snipca.com/17288). If that doesn’t work, you may need to buy in a new router.

Lock out router hackers


Firmware updates don’t just remove malware, they also help prevent it, by patching flaws that worms and other bugs exploit. There are many easier ways to lock hackers out, but we rarely do them. In fact, once we’ve got our Wi-Fi set up, most of us never think about our router settings again.

Connect to your router using an Ethernet cable and then log into your router’s settings by typing your router’s IP address (obtained from Router Checker, for example) in your browser’s address bar.

Open your router manufacturer’s website in a separate tab and check it for configuration instructions. Use the instructions to find your DNS server settings (usually listed under WAN, broadband or internet connection menus). The DNS server settings should be ‘Automatically obtain DNS server settings from ISP’. If it’s set to ‘Use the following’ (or similar) instead, and there’s a string of numbers after it, type the string of numbers into Google to check they’re associated with your ISP. If they’re not, your router may be in the hands of a hacker. Change the setting to ‘Automatically obtain…’, save the setting and restart your router.

We also recommend switching off ‘remote administration’ or ‘remote management access’, which is often enabled by default. This setting can be useful but you’re rarely likely to need it, and it can make your router vulnerable. So switch it off.

Finally, change your router’s default password – and change it again every few months for good measure. Again, the exact process will differ according to router; you’ll find instructions on the manufacturer’s website (here are instructions for Linksys routers, for example: www.snipca.com/17287). In the next issue we’ll show you how to create unforgettable, unhackable passwords for all your devices and accounts.
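An added example, not from the original article: one way to do the DNS server check described above in Python, comparing the addresses shown on your router's settings page against the DNS server details you saved while the router was known to be clean. The function names and the sample addresses (constructed from documentation-only ranges) are assumptions for illustration.

```python
import ipaddress

# RFC 1918 ranges: an entry here is a device on your own network (usually
# the router itself), so it says nothing about the upstream DNS server.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_dns_servers(configured, baseline):
    """Classify each DNS server listed in the router's WAN settings.

    configured: strings copied from the router settings page.
    baseline:   addresses or CIDR ranges recorded while the router was
                known to be clean (for example the saved DNS server IP).
    Returns a list of (entry, verdict) tuples.
    """
    known = [ipaddress.ip_network(b, strict=False) for b in baseline]
    results = []
    for entry in configured:
        text = entry.strip()
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            results.append((text, "invalid"))  # typo or junk in the field
            continue
        if any(addr in net for net in known):
            verdict = "expected"      # matches what you recorded earlier
        elif any(addr in net for net in LOCAL_NETS):
            verdict = "local"         # points at your own network
        else:
            verdict = "unexpected"    # look it up before trusting it
        results.append((text, verdict))
    return results


def needs_attention(results):
    """Return only the entries worth investigating further."""
    return [entry for entry, verdict in results
            if verdict in ("unexpected", "invalid")]


if __name__ == "__main__":
    # Constructed sample values, not real ISP or attacker addresses.
    saved_baseline = ["198.51.100.0/24"]
    from_router_page = ["198.51.100.53", "192.168.1.1", "203.0.113.66"]
    for entry, verdict in audit_dns_servers(from_router_page, saved_baseline):
        print(f"{entry:16} {verdict}")
```

An "unexpected" result is not proof of a hijack, since some people deliberately use a third-party DNS service; it marks the addresses to look up before deciding whether to switch back to the automatic setting.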

GET YOUR FIRMWARE UPDATE


Check which company made your router, then go to the relevant link below and follow the site’s instructions. You’ll need your router’s model number; you can usually find it on a sticker on the back or bottom of the router.

Asus: www.asus.com/uk/support
Belkin: www.snipca.com/17277
D-Link: www.dlink.com/uk/en/support
Linksys: www.snipca.com/17275
Netgear: www.snipca.com/17295
TP-Link: www.snipca.com/17278