According to a new report from security firm Cisco Talos, the VPNFilter malware is "targeting more makes and models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints."
That means if you own one of the affected routers -- and that list has expanded to include models from Asus, D-Link, Huawei, Ubiquiti, Upvel and ZTE -- it's strongly recommended that you perform two key steps: upgrade the firmware and then factory-reset the router.
Ugh. This is going to suck. But we can get through it.
Step 1: Upgrade your router's firmware
In some ways this is the easier step, as it can often be done within the confines of your router's dashboard. Firmware is just the core software that operates the router, and updating it usually involves little more than a download and a few automated router restarts.
Of course, if you've never so much as looked at that dashboard, well, it may be time for a trip to the owner's manual -- or the router manufacturer's online help pages.
Because the firmware-update process varies from one make and model to another, here's a quick, generalized overview -- one that's based on upgrading an Asus WRT router.
Step i: Visit the Asus support site and download the most current firmware for your specific model.
Step ii: Open a browser window, type in 192.168.1.1 and press Enter. This will take you to the router's dashboard page -- but you may need a username and password to gain access. If you never changed the defaults, you should be able to find them in the instruction manual. (Often, the defaults are "admin" and "password," respectively.)
Updating your router's firmware may involve a screen like this.
Asus
Step iii: Click the Administration button (again, this is just for Asus routers; on other models it might be Configuration or Firmware or the like), then the Firmware Upgrade tab.
Step iv: Click Choose File and locate the firmware file you downloaded in Step 1. Then click Upload to perform the update.
This may take a few minutes, and your router will likely restart at least once during the process. Needless to say, you'll lose all internet connectivity while this is happening.
And, again, this is just one example of the firmware-update process. It's a common one, but the steps may be different for your model.
Watch this:Russian hackers targeting your router: Here's what to...
1:23
Step 2: Factory-reset your router
Now for the big hassle. You probably know that you can reboot or reset your router by pulling the power cord for a few seconds and then plugging it back in. But a factory reset is a little different. True to its name, it restores all the settings to their original, factory state, so once it's done, you get to have the fun of setting up your home network again.
Before you get started, make sure to write down the name and password of each Wi-Fi network currently configured on your router. You might have just one; I've seen houses that had five. You'll want to note these so you can recreate them verbatim after the factory reset.
Why is that important? Because if your current "SmithLAN" network becomes "Smith LAN" after the reset (just because you forgot and added a space this time), now you'll have to manually reconnect every device in your house to that "new" network. Hassle city.
The actual reset should be pretty easy. On some Linksys routers, for example, there's a small reset button on the unit itself. You press and hold it for 10 seconds and that's it. Alternately, you may be able to sign into the dashboard and execute the reset from there. In the aforementioned Asus example, in Step 3, you'd click the Restore/Save/Upload tab and then the Restore button.
Again, consult your router manual (or router's website) for the correct factory-reset steps for your model.
Here are links to the support directories for some of the affected routers (the complete list is in the next section):
When it's done, you'll have to venture into the dashboard and recreate your networks. Thankfully, with your firmware upgraded and any trace of VPNFilter eradicated, you should be safeguarded from future attacks -- of this particular malware, anyway.
Which routers are affected?
Courtesy of Cisco Talos, here's a current list of the models that can be affected by VPNFilter. Those identified as new weren't included in the original report.
The Justice Department last week urged everyone with a small office home office (SOHO) or NAS device to reboot their gadgets immediately in order to thwart VPNFilter, a new strain of malware that can brick your router.
The FBI seized a domain used to send commands to the infected devices, but it can't hurt to reboot anyway.
As Symantec outlines, VPNFilter is "a multi-staged piece of malware." Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. "These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."
VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," Symantec says.
Still, "rebooting will remove Stage 2 and any Stage 3 elements present on the device, [temporarily removing] the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers."
Those who believe they're infected should do a hard reset, which restores factory settings. Look for a small reset button on your device, though this will wipe any credentials you have stored on the device.
Below is a list of routers Symantec identified as vulnerable to VPNFilter. MikroTik tells Symantec that VPNFilter likely proliferated via a bug in MikroTik RouterOS software, which it patched in March 2017. "Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability," Symantec says.
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
"No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues," according to Cisco Talos, which first reported the bug.
To date, Cisco Talos estimates that at least 500,000 in at least 54 countries have been hit by VPNFilter.
The feds are pinning this attack on Fancy Bear, a hacking group also known as APT28 and Sofacy Group, among other monikers. The group is notorious for attacking governments across the world and stealing confidential files from the Democratic National Committee during the 2016 election.
ENTERPRISE GRADE FIREWALL ROUTER FOR SAFER & SMARTER HOMES
Cybersecurity, Parental Controls & VPN Services For Your Home via Roqos Core routers. https://www.roqos.com/ Roqos VPN provides you a secure Internet experience by encrypting all your connections and routing them to your home router. You can browse safely from public Wi-Fi, access your connected devices in your home remotely, and enjoy streaming services while away from home.
Roqos Home app helps you setup and manage your Roqos Core Wi-Fi VPN router. Roqos subscription service comes with Roqos Core to help you take control of your home network and Internet access.
ENTERPRISE GRADE CYBERSECURITY A trusted cybersecurity technology that inspects the traffic on your network and automatically blocks threats traditional software or hardware solutions may not detect.
CONTENT FILTERS Control what your kids can access online by selecting from preset filter categories or creating your own custom filter lists.
SCHEDULES Set schedules to pause the Internet for your kids’ devices on certain days and times.
PAUSE INTERNET Instantly pause internet for family members with a single tap.
GUEST WiFi Share your internet securely with your guests. Text or email them a temporary access code valid for number of days.
MANAGE CONNECTED DEVICES See a list of all devices connected to your network and control their access.
VPN-IN Securely connect to your home network from public networks anywhere in the world and access devices at home.
KIDS VPN Enforce all parental control filters and schedules on your kids’ devices even when they are away from home.
VPN-OUT Prevent your Internet Service Provider from collecting data on your usage by encrypting Internet traffic between Roqos Core and Roqos VPN servers.
COUNTRY BLOCK Restrict internet traffic from select countries to protect yourself from threats originating from those countries.
ALERTS Be in the know about what’s happening on your network via notifications sent to your phone and inbox.
Mashable's been closely covering this story — you canread everything here— but we'll give you the TL;DR version. The FCC has decided that large internet service providers (ISPs) like Xfinity, Verizon, RCN, and any other company in the game can charge customers premium rates for faster internet access. This decision was also significant in that it set ISPs significantly free from the confines of government oversight, and it is sparkingjustifiable privacy concernsas deregulation could empower ISPs to peek into our browsing behavior even more than they already do, or worse,sellthat data.
If you're one of those people who likes to stock up on canned goods before the first snowflakes even start to fall, all of this change might make you feel a little twitchy. But we're here for you: One way to get some peace of mind is by downloading a virtual private network (VPN) so that what you do online stays between you and your mouse.
A VPN will essentially allow you to access the web with protections that encrypt your data from prying ISP eyes. VPNs can help add a layer of privacy online no matter where you are, which is why they've long been used by people who travel abroad and want to protect personal info (financial or otherwise) while browsing on public Wi-Fi. Journalists working on sensitive stories find VPNs useful, too.
If you're new to the VPN game, then we have a few suggestions — most of which are even on sale.
According to PC Mag, TunnelBear is a "friendly" VPN option for first-time users due in large part to its "pleasing, approachable design." While it doesn't have P2P, BitTorrent, or any specialized servers, it's worth noting that TunnelBear works with Netflix, which isn't always the case with VPNs.
With more than 2,000 servers around the world and the ability to pay for a subscription in Bitcoin, NordVPN is a PCMag Editor's Choice product with a (rare) 5-star review. "None of the searches or streaming activities that originate within NordVPN's software are logged anywhere on any of NordVPN's servers," says PCMag. "The company maintains no logs of a user's internet path or actions."
This high-rated VPN has a bigger suite of advanced features than others, like automatic IP address cycling, and has some 750 servers across 61 countries. CNET lists IPVanish as one of the best VPN services of 2017. A con for IPVanish though is that it's expensive. Good news for you: it's currently on sale.
Though KeepSolid doesn't allow ad blocking, it's one of the most consistently affordable VPNs out there and offers many of the features you'll want: browser extensions, specialized servers, P2P networking, and more. (Read the TechRadar review here.) One of the biggest draws though is KeepSolid's flexible pricing plan, which includes an Infinity Plan for lifetime use that's currently 70% off.
PCMag gives VyprVPN 4.5 stars, due in part to its multi-platform and multi-protocol support. According to the review, VyprVPN has hundreds of servers and a great interface, though it covers fewer devices than others on the market. In case you're on the fence, VyprVPN also has the option of a three-day free trial.
Sometimes the best thing to say about a wireless router in your house is that once it's set it, you forget it exists. As long as the devices that need the Wi-Fi connection can get on and function, that's all that matters, right?
Maybe, but we also live in the age of leaks, wiki and otherwise. If you're worried about the security of your home and by extension your personal data—especially from hackers who could casually sit in a car outside and get access to your systems—then you need to put a padlock on that wireless. You may also want to prevent others from using your network, and freeloaders alike.
So what do you do? Follow these tips and you'll be well ahead of most home Wi-Fi users. Nothing will make you 1,000 percent safe against a truly dedicated hack. Crafty social engineering schemes are tough to beat. But don't make it easy on them; protect yourself with these steps.
Time-Tested Wi-Fi (and All Around) Security
Change Your Router Admin Username and PasswordEvery router comes with a generic username and password—if they come with a password at all. You need it the first time you access the router. After that, change them both. Immediately. The generic usernames are a matter of public record for just about every router in existence; not changing them makes it incredibly easy for someone who gets physical access to your router to mess with the settings.
If you forget the new username/password, you should probably stick to pencil and paper, but you can reset a router to its factory settings to get in with the original admin generic info.
Change the Network NameThe service set identifier (SSID) is the name that's broadcast from your Wi-Fi to the outside world so people can find the network. While you probably want to make the SSID public, using the generic network name/SSID generally gives it away. For example, routers from Linksys usually say "Linksys" in the name; some list the maker and model number ("NetgearR6700"). That makes it easier for others to ID your router type. Give your network a more personalized moniker.
It's annoying, but rotating the SSID(s) on the network means that even if someone had previous access—like a noisy neighbor—you can boot them off with regular changes. It's usually a moot point if you have encryption in place, but just because you're paranoid doesn't mean they're not out to use your bandwidth. (Just remember, if you change the SSID and don't broadcast the SSID, it's on you to remember the new name all the time and reconnect ALL your devices—computers, phones, tablets, game consoles, talking robots, cameras, smart home devices, etc.
Activate EncryptionThis is the ultimate Wi-Fi no-brainer; no router in the last 10 years has come without encryption. It's the single most important thing you must do to lock down your wireless network. Navigate to your router's settings (here's how) and look for security options. Each router brand will likely differ; if you're stumped, head to your router maker's support site.
Once there, turn on WPA2 Personal (it may show as WPA2-PSK); if that's not an option use WPA Personal (but if you can't get WPA2, be smart: go get a modern router). Set the encryption type to AES (avoid TKIP if that's an option). You'll need to enter a password, also known as a network key, for the encrypted Wi-Fi.
This is NOT the same password you used for the router—this is what you enter on every single device when you connect via Wi-Fi. So make it a long nonsense word or phrase no one can guess, yet something easy enough to type into every weird device you've got that uses wireless. Using a mix of upper- and lowercase letters, numbers, and special characters to make it truly strong, but you have to balance that with ease and memorability.
Double Up on Firewalls The router has a firewall built in that should protect your internal network against outside attacks. Activate it if it's not automatic. It might say SPI (stateful packet inspection) or NAT (network address translation), but either way, turn it on as an extra layer of protection.
For full-bore protection—like making sure your own software doesn't send stuff out over the network or Internet without your permission—install a firewall software on your PC as well. Our top choice: Check Point ZoneAlarm PRO Firewall 2017; there a free version and a $40 pro version, which has extras like phishing and antivirus protection. At the very least, turn on the firewall that comes with Windows 8 and 10.
Turn Off Guest NetworksIt's nice and convenient to provide guests with a network that doesn't have an encryption password, but what if you can't trust them? Or the neighbors? Or the people parked out front? If they're close enough to be on your Wi-Fi, they should be close enough to you that you'd give them the password. (Remember—you can always change your Wi-Fi encryption password later.)
Use a VPN
A virtual private network (VPN) connection makes a tunnel between your device and the Internet through a third-party server—it can help mask your identity or make it look like you're in another country, preventing snoops from seeing your Internet traffic. Some even block ads. A VPN is a smart bet for all Internet users, even if you're not on Wi-Fi. As some say, you need a VPN or you're screwed. Check our list of the Best VPN services.
Update Router FirmwareJust like with your operating system and browsers and other software, people find security holes in routers all the time to exploit. When the router manufacturers know about these exploits, they plug the holes by issuing new software for the router, called firmware. Go into your router settings every month or so and do a quick check to see if you need an update, then run their upgrade. New firmware may also come with new features for the router, so it's a win-win.
If you're feeling particularly techie—and have the right kind of router that supports it—you can upgrade to custom third-party firmware like Tomato, DD-WRT or OpenWrt. These programs completely erase the manufacturer's firmware on the router but can provide a slew of new features or even better speedscompared to the original firmware. Don't take this step unless you're feeling pretty secure in your networking knowledge.
Turn Off WPSWi-Fi Protected Setup, or WPS, is the function by which devices can be easily paired with the router even when encryption is turned because you push a button on the router and the device in question. Voila, they're talking. It's not that hard to crack, and means anyone with quick physical access to your router can instantly pair their equipment with it. Unless your router is locked away tight, this is a potential opening to the network you may not have considered.
'Debunked' Options
Many security recommendations floating around the Web don't pass muster with experts. That's because people with the right equipment—such wireless analyzer software like Kismet or mega-tools like the Pwnie Express Pwn Pro—aren't going to let the following tips stop them. I include them for completion's sake because, while they can be a pain in the ass to implement or follow up with, a truly paranoid person who doesn't yet think the NSA is after them may want to consider their options. So, while these are far from foolproof, they can't hurt if you're worried.
Don't Broadcast the Network Name
This makes it harder, but not impossible, for friends and family to get on the Wi-Fi; that means it makes it a lot harder for non-friends to get online. In the router settings for the SSID, check for a "visibility status" or "enable SSID broadcast" and turn it off. In the future, when someone wants to get on the Wi-Fi, you'll have to tell them the SSID to type in—so make that network name something simple enough to remember and type. (Anyone with a wireless sniffer, however, can pick the SSID out of the air in very little time. The SSID is not so much as invisible as it is camouflaged.)
Disable DHCPThe Dynamic Host Control Configuration Protocol (DHCP) server in your router is what IP addresses are assigned to each device on the network. For example, if the router has an IP of 192.168.0.1, your router may have a DCHP range of 192.168.0.100 to 192.168.0.125—that's 26 possible IP addresses it would allow on the network. You can limit the range so (in theory) the DHCP wouldn't allow more than a certain number of devices—but with everything from appliances to watches using Wi-Fi, that's hard to justify.
For security, you could also just disable DHCP entirely. That means you have to go into each device—even the appliances and watches—and assign it an IP address that fits with your router. (And all this on top of just signing into the encrypted Wi-Fi as it is.) If that sounds daunting, it can be for the layman. Again, keep in mind, anyone one with the right Wi-Fi hacking tools and a good guess on your router's IP address range can probably get on the network even if you do disable the DHCP server.
Filter on MAC Addresses Every single device that connects to a network has a media access control (MAC) address that serves as a unique ID. Some with multiple network options—say 2.4GHz Wi-Fi, and 5GHz Wi-Fi, and Ethernet—will have a MAC address for each type. You can go into your router settings and physically type in the MAC address of only the devices you want to allow on the network. You can also find the "Access Control" section of your router to see a list of devices already connected, then select only those you want to allow or block. If you see items without a name, check its listed MAC addresses against your known products—MAC addresses are typically printed right on the device. Anything that doesn't match up may be an interloper. Or it might just be something you forgot about—there is a lot of Wi-Fi out there.
Turn Down the Broadcast Power Got a fantastic Wi-Fi signal that reaches outdoors, to areas you don't even roam? That's giving the neighbors and passers-by easy access. You can, with most routers, turn down the Transmit Power Control a bit, say to 75 percent, to make it harder. Naturally, all the interlopers need is a better antenna on their side to get by this, but why make it easy on them? via pcmag
