A few weeks ago we published an article about an FBI request that people reboot their routers. I cited articles from various sources (including in the NY Times, and Fortune, andForbes, and even PCWorld and Slate). More recently, they realized they were wrong, and that everyone should Factory Data Reset (“FDR”) their routers. Next week, they will realize they were wrong, and everyone should forcibly update their firmware. It really is that big of a deal.

As mentioned before, nearly all routers have at least some built-in persistent memory, and are capable of things like logging, Virtual Private Networking ("VPN"), port forwarding, etc. This makes their corruption by bad actors particularly bad - a "hack" can send all of your traffic, including passwords, logins, usernames, files, etc. through a remote server, which can parse that data for later use. Malware can just affect transient memory that goes away when the device is rebooted, it can rewrite part of the persistent memory that remains when the devices is rebooted, or it can change the operating system ("firmware") of such a device so that it both gives up control to the virus and fools the device into not protecting itself or transferred data. The FBI first thought this VPN filter attack was the first type, which can be fixed with a simple unplug and restart (usually with a few minutes off). They now believe this is the second type, which usually will require updated firmware, or another downloaded update. I expect at least some computers are affected by the third type, which may require actively forcing the device to reinstall firmware, even if the device thinks it is up to date.

Initially the FBI came across a 3-stage malware where stage 1 persistently altered the coding of routers to cause them to ping for instructions at stages 2 and 3. The FBI disrupted the malware by seizing the domain issuing the late-stage instructions, but many routers already had VPN forwarding in place. The FBI believed that rebooting the routers will purge these late-stage instructions. Less than a week later, the FBI realized it was wrong, and that a simple reboot is not enough. They are now apparently concluding that the second level, or changes to the saved memory of the routers is at issue. Smart money says that they are still wrong, and you should forcibly update the firmware on your routers because the firmware itself is corrupted – that’s what I did last weekend.

FDR – no longer only a president

Obviously you should look at the documentation for your router, or look at the manufacturer’s website. Setting your router up again will take some time and knowledge. Explaining the specifics of how to FDR every router on the market is clearly beyond the scope of one of these articles, much less explaining how to log in to the routers by IP address, but our readers should do that. Generally, nearly every router ever made has a recessed button on the back that you have to push with a bent paper clip. Holding that button for 15-20 seconds will reset your router. You will lose all of your settings. Be sure you have read up on this first. You will need to reset your wifi SSIDs and passwords. Also, when you do, change the administrator password – DEFINITELY do not use the default, but also, do not use the password you used before. If your router is compromised, the password is likely already associated with the device’s MAC id.

[Here are some router reset buttons]

But seriously – forcible update

THIS PROCESS CAN WRECK (OR “BRICK”) YOUR ROUTER. Read how to do it from the manufacturer before you try it. Again, this will take some time and knowledge.

It is possible to update most routers from inside the GUI of the firmware (Netgear NetGenie, I’m looking at you…), but if you’re assuming the firmware is corrupt, why would you do that? To really take this threat seriously, you are going to have to go to the manufacturer of your router’s website, download the newest firmware for your particular router, and put that somewhere you can find it on your computer. Then you are going to have to log into your router from a browser using the IP address of the router (usually 192.168.0.1, 192.168.1.1, or 192.168.2.1), log in as an administrator (FDRing before doing this will reset the admin password, if you don’t know what it is currently, so you can look up the default password), and then, somewhere in “advanced settings” tell the router to update to the firmware you downloaded. Even if your router says it has that firmware already (and especially if it says it has newer firmware and you downloaded the newest) tell it to update the firmware. You will still need to set up wifi and change the new admin password, not using one you have used before.

I mentioned before that a few months ago we did an article about spearfishing and data privacy breaches. If you're not willing to fix your router, look that article up and keep our number handy. You might need them…

If you have questions about this article, please contact Dov Szego at 804-377-1283 or dszego@setlifflaw.com.