Your gateway to the Internet may be the portal that foreign hackers are using to snatch your data. The FBI recently issued a security notice warning that all home and small office routers should be rebooted after Cisco’s Talon group discovered sophisticated Russian-linked “VPNFilter” malware infecting at least 500,000 networking devices.
Here’s what you need to know about VPNFilter and the FBI’s guidance to reboot your router—which might not even safeguard against the malware completely.
What’s the threat?
Since all your Internet and local network traffic flows through your router, it can be pretty severe.
“VPNFilter is able to render small office and home office routers inoperable,” the FBI warns. “The malware can potentially also collect information passing through the router.”
Routers are especially ripe targets for hackers because they usually connect directly to the Internet and aren’t often protected by your PC’s antivirus or other security solutions. Most people don’t install router firmware updates, either, which can leave vulnerabilities exposed. VPNFilter also encrypts its network traffic, which can make detection even more difficult, the FBI says.
Most recent infections observed by Cisco occurred in the Ukraine, however, and the Justice Department connected VPNFilter to “Sofacy Group,” an espionage group associated with Russia.
What routers are affected?
The FBI’s security notice suggests that all router owners reboot their devices. Additionally, Cisco’s Talon group says that “Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.”
So you should reboot your router no matter what. That said, Symantec released the following list of routers and NAS devices known to be susceptible to VPNFilter. Some are popular affordable models, and one (the Netgear WNR1000) is provided to Comcast customers in some circumstances.
- ”Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN”
But once again: The FBI and Cisco’s crack security squad suggests that everyone reboot their routers, even if yours isn’t on this list.
How do I reboot my router?
Rebooting your router eradicates what Cisco calls the “Stage 2” and “Stage 3” elements of VPNFilter—the destructive part of the malware.
Rebooting your router is easy. Simply unplug it from the wall, wait 30 seconds, and plug it back in. Done!
Is there anything else I should do to stay safe?
Yes. Let’s start with the easy steps.
The FBI and some hardware makers recommend disabling remote management features on your router, which are off by default in most cases. You’ll also want to change your router’s default login credentials, swapping in a strong, unique password—not one you use for any other websites or services. PCWorld’s guide to the best password managers can help if you aren’t using one already.
Even though routers aren’t typically protected by your PC’s antivirus, Symantec says its software can detect VPNFilter. Running security software on your computer helps it stay as safe as possible, and this episode serves as a reminder that you should be doing it. PCWorld’s guide to the best antivirus for Windows PCs can help you pick the best for your situation.
Now for the bad news.
Should I factory reset my router?
What makes VPNFilter so sophisticated is its “Stage 1” element, which can persist even through a reboot and then contact the hackers to reinstall the other stages of the malware. The Justice Department seized a website that the malware used to install VPNFilter’s later stages on infected PCs, but that doesn’t mean the threat is eliminated as it also uses other methods to connect to attackers.
The only way to fully remove the malware from your PC is to perform a factory reset of your router and updating it to the latest firmware revision available. It’s a complicated procedure that will require you to reconfigure your network settings, but we’d recommend doing it if your router is on the list of devices known to be affected.
The exact procedure for resetting a router can vary, though it usually involves pressing a pin or the end of a paperclip into a small pinhole button on the hardware, followed by connecting the device to a PC via ethernet to complete the initial configuration. Linksys, MikroTik, Netgear, QNAP and TP-Link have all posted instructions explaining how to factory reset your routers and otherwise protect against VPNFilter.
Performing a little prep work beforehand can make the experience less of a hassle. Although you’ll want to change your router’s default administrative username and password, jot down your existing network name(s) and password before you reset your hardware. When you create a new network after factory resetting your router, it’s safe to use the same Wi-Fi name and passwords as before. Doing so will let all your devices reconnect easily.