The FBI’s Latest Warning on Connected Routers


The FBI announced on May 25th that a new, dangerous cyber security threat could be residing on thousands of home and business wireless routers.

“Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide,” the FBI said in a warning released on Friday. The malware, called ‘VPNFilter’, can do things like scoop up users’ personal data and cripple website service.

Western security authorities are warning that Russian hackers may have infected routers in an attempt to gain unauthorized access to personal and corporate information, and that consumers need to be proactive in their efforts to protect themselves. Specifically, the FBI wants all owners of routers to reboot them, which will disrupt the malware’s ability to communicate with other machines under its control. Details on how to properly reboot your router can be found here.

Research released last week from Talos Security Group, a Cisco company, suggests that potentially 500,000 routers may be infected. Cisco Talos listed the definitively affected routers as the Linksys E1200, E2500 and WRVS4400N; the Netgear DGN2200, R6400, R7000, R8000, WNR1000 and WNR2000; and the TP-Link TL-R600VPN SafeStream VPN router. MikroTik Cloud Core routers, mainly used by enterprises, may be affected if they run versions 1016, 1036 or 1072 of the MikroTik RouterOS. The research firm also found that two QNAP network-attached storage (NAS) devices, the TS-251 and TS-439 Pro, were affected by VPNFilter.

The FBI wants everyone with a small office/home office (SOHO) router to reboot it so they can track the malware’s communications. By seizing control of the domain that served as the malware’s “mothership,” the FBI says it can track the different layers of the malware. But the folks from Talos are warning that this could be just the beginning, and even if you don’t see your router make and model on their list, you should reboot anyway. “Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected,” Cisco Talos researchers wrote in a blog posting.

Due to the severity of the event, Talos decided to publish its findings early, even though its research and investigation are ongoing. “Publishing early means that we don’t yet have all the answers – we may not even have all the questions. We will update our findings as we continue our investigation,” the blog goes on to say.

by Girard Cseh