Reboot your router! That is the advice put out on May 25, 2018, by one of the world’s most widely known law enforcement agencies: the US Federal Bureau of Investigation (FBI). But should you follow this advice? And if you do follow it, do you know how to do so safely? This article provides some answers, both long and short.
Here are eight short answers, for those who already know what a router is, what a router reboot means, and have experience performing a router reset.
- What’s going on? As many as 500,000 routers in more than 50 countries were found to be compromised by malware dubbed VPNFilter.
- What should I do? Rebooting your router – turn it off, wait 30 seconds, turn it on again – will help to defeat this particular malware.
- Who is affected? This threat mainly affects small office and home office (SOHO) routers. A list of models known to be impacted is located at the end of the article.
- What if my router is not on the list? It may still be at risk from VPNFilter, so current advice is for all SOHO routers to be rebooted.
- Is a reboot the same as a reset? NO! A reset wipes out configuration information and returns the router to factory defaults. Do not reset your router unless you know how to configure it and have a record of the configuration information, e.g. admin password, SSID, and so on.
- What if my router is supplied by my ISP? You should contact them for instructions if they have not already alerted you and provided instructions.
- What other defensive measures can I take? Consider upgrading your router to the latest firmware, changing the default password, and disabling remote administration. At the end of the article is a table of links to instructions for doing this work on known at-risk routers, along with links on how to reset them to their factory defaults.
- Does ESET detect this malware? Yes, it is detected as Linux/VPNFilter. However, ESET recommends that you go ahead and reboot your router.
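The three defensive measures in the list above (upgrade firmware, change the default password, disable remote administration) expressed as a checklist in code, so the weak configuration and the corrected one can be compared side by side. This is an added example, not code from ESET, the FBI or any router vendor; the `RouterConfig` fields, the dotted version format and the short list of factory-default credentials are constructed assumptions for illustration, since real routers expose their settings through a vendor-specific web UI or backup file.

```python
"""Audit a SOHO router's settings against three hardening steps.

Added example (not ESET's or the FBI's code). The config fields, version
format and default-credential list are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of factory-default admin credentials. Real defaults are
# vendor-specific and are often printed on the router's label.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}

MIN_PASSWORD_LENGTH = 12  # assumed policy for the replacement password


@dataclass
class RouterConfig:
    model: str
    firmware: str          # installed version, e.g. "1.0.3"
    latest_firmware: str   # newest version the vendor has published
    admin_user: str
    admin_password: str
    remote_admin_enabled: bool  # admin interface reachable from the WAN side


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple so it compares numerically
    ("1.10.0" is newer than "1.9.9", which a plain string compare gets wrong)."""
    return tuple(int(part) for part in version.split("."))


def password_is_weak(user: str, password: str) -> bool:
    """Weak if it is a known factory default or shorter than the assumed minimum."""
    return (user, password) in KNOWN_DEFAULT_CREDENTIALS or len(password) < MIN_PASSWORD_LENGTH


def audit(cfg: RouterConfig) -> list[str]:
    """Return one finding per hardening step that has not been applied."""
    findings = []
    if parse_version(cfg.firmware) < parse_version(cfg.latest_firmware):
        findings.append(f"firmware {cfg.firmware} is older than {cfg.latest_firmware}; upgrade it")
    if password_is_weak(cfg.admin_user, cfg.admin_password):
        findings.append("admin account uses a default or short password; change it")
    if cfg.remote_admin_enabled:
        findings.append("remote (WAN-side) administration is enabled; disable it")
    return findings


def harden(cfg: RouterConfig, new_password: str) -> RouterConfig:
    """Return a copy with the three fixes applied; on a real device you make
    these changes in the router's admin UI, this only models the result."""
    if password_is_weak(cfg.admin_user, new_password):
        raise ValueError("replacement password is itself weak")
    return RouterConfig(
        model=cfg.model,
        firmware=cfg.latest_firmware,
        latest_firmware=cfg.latest_firmware,
        admin_user=cfg.admin_user,
        admin_password=new_password,
        remote_admin_enabled=False,
    )


if __name__ == "__main__":
    # Constructed sample: a router still on factory settings.
    weak = RouterConfig("ExampleCo-R1", "1.0.3", "1.2.0", "admin", "admin", True)
    for finding in audit(weak):
        print("-", finding)
    fixed = harden(weak, "a-long-unique-passphrase")
    print("after hardening:", audit(fixed))  # prints an empty list
```

Run it as-is to see the three findings for the constructed factory-state router and an empty list after `harden()`. The version tuple compare matters in practice because vendors publish two-digit minor versions, and the `harden()` guard refuses a replacement password that would fail its own audit.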
What did the FBI say about routers?
On May 25, the FBI issued a statement with this headline: “Foreign cyber actors target home and office routers and networked devices worldwide”. This was in response to the discovery that “cyber actors” had used malicious code (malware) to compromise a whole bunch of routers and other equipment, like NAS devices.
In this context, the term “compromise” means these “cyber actors” executed their code on people’s devices without their permission. This malware, which has the ability to collect information flowing through the device but can also render the device inoperable, has been dubbed VPNFilter by the researchers in the Talos threat intelligence group at Cisco.
Fortunately, the part of VPNFilter that could be used to spy on your router traffic, and/or disable the device, can be removed with that classic IT move: turn it off and on again. So the FBI issued this recommendation:
“The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices.”
The next code that runs in the boot process is code stored in something called non-volatile memory, a type of memory that retains data even when the device is powered down. That is different from volatile memory, the regular kind of memory that is wiped clean when you power down your computer (or suffer a power outage).
Remember, your router is a computer, with firmware and memory, both volatile and non-volatile. When a router is compromised by VPNFilter malware, chunks of malicious code are loaded into volatile memory. Rebooting or power cycling your router will clear that out.
For some people the easiest way to reboot the router is to unplug the power supply, wait 30 seconds, then plug it back in again. Alternatively, there may be an on/off switch on the back of the router, in which case you can use that to turn it off, wait 30 seconds, and then turn it on again. However, you shouldn’t do that unless you are sure the switch you are using is the on/off switch.
Reboot vs. reset
Some routers have multiple switches on them; for example, the router on my desk right now has a “Wi-Fi” on/off button as well as a power switch and something called a WPS button. Also, your router may have a reset switch or “Restore Factory Settings” button. Resetting your router and thereby restoring it to the factory configuration is very different from rebooting it.
Performing a reset will erase both volatile memory and non-volatile memory. The latter is where your router stores any changes you have made to its configuration. For example, most routers come with a default administrator name and password that you should change to prevent attackers from taking the router over. How could they do that? Because the default user names and passwords are widely known: they are often printed on the back of the router and may be discoverable via a Google search based on your model number.