As a standard feature, consumer router security isn’t exactly top notch, which can lead to your router being easily compromised by hackers. In this post we’re going to show you how to check if your router has been attacked and what you can do to protect yourself.
How hackers can compromise your router
One thing hackers often do is they change the DNS server settings on your router, which will then point to a malicious DNS server instead. Afterwards, when you attempt to connect to a website the malicious DNS server will send you to a phishing website, which still has the same URL address and looks completely legit, it is actually fake.
This malicious DNS server doesn’t even have to respond to all queries, it could time out on most requests and then redirect queries to your ISP’s default DNS server. So if your DNS requests are unusually slow, it could mean your system has been infected.
One thing to look for is the fact that the phishing website won’t have HTTPS encryption, but most people don’t really know about this or forget to check. And besides, SSL-stripping attacks can even remove the encryption in transit.
Others things attackers might do is inject advertisements, redirect search results, or try to install drive-by downloads. If, for example, you see advertisements that look out of place (pornographic ads on a serious website like The Huffington Post or are a good indication something is wrong, most likely on your end), then either your computer or your router has most likely been infected.
Finally, some routers might have their remote administration interfaces activated together with default usernames and passwords – the problem is bots can scan for these routers on the internet and gain access to them.
How to check to see if your system has been compromised
The clearest sign that your router has been compromised is that its DNS server has been changed. To see this, go to your router’s web-based interface and check its DNS server setting.
To begin with, go to your router’s web-based setup page (check your network connection’s gateway address or use the router’s documentation to find out how to do that). After you’ve signed in, look for a “DNS” setting (you can often find this in the WAN or Internet connection settings screen).
If this is set to “Automatic”, everything should be OK – the DNS is coming from your ISP. If, on the other hand, it is set to “Manual” and there are custom DNS servers entered there, there’s the possibility that you have a problem.
Now, if you’ve configured your router to use trustworthy alternative DNS servers (like 126.96.36.199 and 188.8.131.52 for Google DNS or 184.108.40.206 and 220.127.116.11 for OpenDNS), this is perfectly fine. But if you don’t recognize the DNS servers, your computer could be infected with malware. A good idea would be to enter the DNS server addresses into a search engine and see if they’re legit or not.
What to do if there’s a malicious DNS server configured
The solution to this problem is fairly straightforward: disable the malicious DNS server and set your router to either use the automatic DNS server from your ISP, or enter the addresses of trusted DNS servers like Google DNS or OpenDNS here.
Just to be on the safe side, you can also wipe all your router’s settings and factory-reset it before you set it back up again.
How to protect your router from attacks
While you can never be completely safe from every kind of external attacks, there are some things you could do to make it harder for hackers to compromise your router.
First of all, always install the latest firmware updates for your router – this will ensure any flaws which have been patched won’t cause any problems. Also, you should disable remote access to the device’s web-based administration pages and change the router’s password, so the hackers can’t just gain access to it if they know the default code. Finally, turn off UPnP, which has proven to be quite vulnerable in the past.