By Dov Szego
If you can read this, you have access to a router. Maybe it’s at home, but most of our readers are in small to mid-size companies, and all of them use routers. In a rare event, the FBI in May told Americans to “reboot” their routers. It showed up everywhere, including in The New York Times, Fortune, Forbes, and even PCWorld and Slate. I was asked about it by colleagues, friends, and baristas. It really is that big of a deal. But, more recently, the FBI realized it was wrong, and that everyone should factory data reset (FDR) their routers. Next week, it will realize it was wrong again, and everyone should forcibly update their firmware. You heard it here first!
Routers are not the simple pieces of hardware they used to be. Nearly all have at least some built-in persistent memory and are capable of things like logging, virtual private networking (VPN), port forwarding, etc. This makes their compromise by bad actors particularly dangerous—a “hack” can send all of your traffic—including passwords, logins, usernames, files, etc.—through a remote server, which can parse that data for later use.
Malware can affect a solid-state device like a router on three levels. First, it can live in transient memory, which goes away when the device is rebooted. Second, it can rewrite part of the persistent memory, which remains when the device is rebooted. Third, especially bad malware can change the operating system (firmware) of the device so that it not only gives control to a bad actor, but also fools the device into thinking it is up to date, so that no update overwrites the malicious firmware. A simple unplug and restart (usually with a few minutes off) can eliminate the first type. The second type may require updated firmware, or another downloaded update. The third may require actively forcing the device to reinstall firmware, even if the device thinks it is up to date. At a minimum, every router (and NAS, or network accessible storage device) in the country should be powered down and restarted after a few minutes. Personally, I updated (including forcibly) all three of the routers at my house this week.
The best explanation I found of the imminent threat was at digitaltrends.com. The FBI apparently came across a three-stage malware, where stage 1 persistently altered the coding of routers, causing them to ping for instructions at stages 2 and 3. The FBI disrupted the malware by seizing the domain issuing the late-stage instructions, but many routers already had VPN forwarding in place. The FBI believes that rebooting the routers will purge these late-stage instructions.
On June 6, a new report announced that a simple reboot is not enough. They are now apparently concluding that the second level, or changes to the saved memory of the routers, is at issue. Smart money says that they are still wrong, and you should forcibly update the firmware on your routers because the firmware itself is corrupted, which is what I did.
Obviously, you should look at the documentation for your router or on the manufacturer’s website. Setting your router up again will take some time and knowledge. Explaining the specifics of how to FDR every router on the market is clearly beyond the scope of this article, but our readers should do just that. Generally, nearly every router ever made has a recessed button on the back that you push with a bent paper clip. Holding that button for 15–20 seconds will reset your router. You will lose all of your settings. Be sure you have read up on this first. You will need to reset your Wi-Fi SSIDs and passwords. Also, when you do this, change the administrator password—definitely do not use the default, but also do not use the password you used before. If your router is compromised, the password is likely already associated with the device’s MAC address.
For more information on how to do a forced reboot and update your firmware, click here.
This article is used by permission of Setliff Law in Glen Allen, Va.
Dov Szego is an attorney at Setliff Law in its technology and litigation groups.