Your home or small office (SOHO) router is likely being targeted by cybercriminals, malware, and nation-state actors alike. This targeting often has nothing to do with wanting to spy on you: a compromised SOHO router is a valuable resource for threat actors who want to conceal the origin of their malicious traffic and activity.
Unfortunately, the targeting of SOHO routers is growing, largely because of a multifaceted problem that includes vendors selling routers with poor security and many users not understanding the importance of updating their devices.
Malware, cybercriminals, and state-backed threat actors all target SOHO routers, and they have done so increasingly over the last few years.
To backtrack a little, it’s important to understand that many threat actors target routers (which can include modems and gateways) alongside internet-of-things (IoT) devices. Here I will use “routers” as a general term, since it covers gateways (router/modem combinations, which are extremely popular with home and small office users).
For simplicity’s sake, I’ll also focus on malware, cybercriminals, and state-backed threat actors. (Yes, state-backed APTs have targeted, and continue to target, SOHO routers in pursuit of their own goals.)
To be fair, malware, botnets and cybercriminals often go together: cybercriminals use botnets to carry out their goals, whether that is overloading servers to keep a service offline (DDoS) or launching distributed credential stuffing attacks. However, botnets are regularly built with self-propagating malware such as Mirai variants, which scan for vulnerable devices, infect them and recruit them into the botnet “automatically,” with little operator involvement, so it felt important enough to make the distinction.
Before diving into why threat actors find “regular” consumer routers interesting enough to bother “hacking” them, it’s important to understand the security landscape of the SOHO router market. Admittedly, this topic could be an entire post (or website; check out routersecurity.org), but put simply: it’s not good.
Without even considering the technical ability of the end user, SOHO routers are routinely plagued with issues, and security vulnerabilities top the list. It is not reasonable or feasible to expect firmware and software to be completely free of security issues, but some classes of bug shouldn’t be as prevalent as they are in the modern age (for example, failing to sanitize input, or security controls that are simply broken). There are many reasons security vulnerabilities crop up in SOHO routers, but I am willing to bet many are due to a lack of security-oriented review and/or plain insecure design.
Security vulnerabilities in router firmware are too large a topic to cover in just one section of this post. Fortunately, there are many examples of consumer routers with some pretty nasty vulnerabilities I can point you to:
The problem has not gone unnoticed by US government agencies, or by agencies of some other governments.
In light of the nation-state actor Volt Typhoon exploiting security vulnerabilities in SOHO routers (there’s more information on that later in this post), the US Cybersecurity and Infrastructure Security Agency (CISA) has urged vendors to incorporate “Secure by Design” principles into their firmware and software. The Federal Communications Commission (FCC) has proposed the “US Cyber Trust Mark” for smart devices, which could (and should) include SOHO routers.
This section primarily pertains to end user behavior, which, when combined with router manufacturer blunders, makes for quite the interesting (and compounding) problem.
While misconfigurations can certainly come from insecure default settings, users also misconfigure their routers by enabling or disabling features. For example, some SOHO routers support remote management, and some users enable it despite not truly needing it, without understanding the risk of exposing their router’s administrator login panel to the public internet.
In fact, CISA has described the risks of exposing the administrative interfaces of devices like routers to the public internet. While that guidance is directed at more sophisticated organizations, the basics apply here as well.
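One concrete check a practitioner would want for the exposure described above, written for this post as an added example (it is not code from Avoid The Hack, CISA, or any router vendor): a small Python script that probes your home’s public IP from a host outside your LAN for common management ports and flags anything that answers like an admin login. The port list, the login-page markers and the placeholder address 203.0.113.10 are assumptions, not vendor-specific signatures. The assess() logic is a pure function so it can be exercised without network access; audit() has to be run from outside your network (a phone hotspot or a cheap VPS works).

```python
"""Does my router's management interface answer from the internet?

Added example for this post, not code from the original author or any vendor.
Run it from OUTSIDE your LAN against your home's public IP; the probes need
network access, the classification (assess) does not.
"""
import ipaddress
import socket
import ssl

# Ports commonly used for SOHO router admin panels and remote management.
# Assumption: a reasonable default list, not an exhaustive or vendor-specific one.
MANAGEMENT_PORTS = {
    80: "http", 443: "https", 8080: "http-alt", 8443: "https-alt",
    22: "ssh", 23: "telnet", 7547: "tr-069/cwmp",
}

# Ranges that cannot be reached directly from the internet. If your "public" IP
# is in one of these (CGNAT is the common case), an open port you see from the
# inside is not actually exposed to the world.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_directly_routable(ip: str) -> bool:
    """True if packets from the internet can reach this address directly."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NOT_PUBLIC)


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect to host:port; True if something accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_banner(host: str, port: int, tls: bool, timeout: float = 3.0) -> str:
    """Fetch the first bytes of an HTTP(S) response so we can see what answered."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # we want the banner, not a trust decision;
            ctx.verify_mode = ssl.CERT_NONE  # router UIs almost always use self-signed certs
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(request)
            return sock.recv(2048).decode("latin-1", "replace")
    except OSError:
        return ""


def looks_like_admin_panel(response: str) -> bool:
    """Heuristic: the response demands HTTP auth or serves a login page.

    The markers are assumptions drawn from common router web UIs.
    """
    text = response.lower()
    if "www-authenticate:" in text:
        return True
    return any(marker in text for marker in ("login", "password", "router", "admin"))


def assess(public_ip: str, open_ports: dict) -> list:
    """Turn probe results into findings. open_ports maps port -> HTTP response text
    ('' for non-HTTP services). Pure function, so it is testable offline."""
    findings = []
    if not is_directly_routable(public_ip):
        findings.append(f"{public_ip} is not directly routable; any open ports below "
                        f"belong to ISP equipment (e.g. CGNAT), not to your router")
    for port, response in sorted(open_ports.items()):
        service = MANAGEMENT_PORTS.get(port, "unknown")
        if service == "telnet":
            findings.append(f"port {port}: telnet open; plaintext remote management, disable it")
        elif service.startswith("http") and looks_like_admin_panel(response):
            findings.append(f"port {port}: web admin login exposed ({service}); "
                            f"disable remote management or restrict it to a VPN")
        elif service == "tr-069/cwmp":
            findings.append(f"port {port}: TR-069 listener reachable; ISP-side management, "
                            f"confirm with your provider that it is intended")
        else:
            findings.append(f"port {port}: {service} reachable from the internet; "
                            f"review whether it is really needed")
    return findings


def audit(public_ip: str) -> list:
    """Probe every management port and classify the results (needs network access)."""
    open_ports = {}
    for port, service in MANAGEMENT_PORTS.items():
        if probe(public_ip, port):
            if service.startswith("http"):
                open_ports[port] = http_banner(public_ip, port, tls=service.startswith("https"))
            else:
                open_ports[port] = ""
    return assess(public_ip, open_ports)


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a documentation (TEST-NET-3) placeholder; pass your real public IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    for line in audit(target) or ["no management ports reachable from the outside"]:
        print(line)
```

Usage: `python3 router_exposure.py <your public IP>` from a host that is not behind your router. An empty result means nothing on the common port list answered; it does not prove remote management is off (a vendor can use a non-standard port), so still confirm the setting in the router’s own UI.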
Many people do not know that router firmware should be updated regularly, or that updated firmware often includes fixes for security vulnerabilities. As a result, millions of SOHO routers either do not have the most recent updates installed or install them only after a considerable amount of time has passed; enough time for attackers to exploit the vulnerabilities the update fixes. As I’ve noted in other posts, this matters because the time between vulnerability disclosure and exploitation attempts continues to shorten.
Automatic updates can fix this, but the availability of automatic updates (and whether they are enabled by default) depends on the manufacturer, model, and submodel. Of course, users should realize that updating (automatically or not) carries a slight risk of introducing new bugs or inconveniences, but in most situations it’s certainly better than the alternative: being on the receiving end of n-day vulnerability exploitation.
Just like any other device, router models eventually become “old” or “legacy” after a number of years. Eventually, manufacturer support for some models, including firmware updates, ceases and the model reaches end of life (EOL). Since a device is usually not “broken” or “dead” when it reaches EOL, many people fail to replace it. As a result, vulnerabilities discovered in EOL models often never get a fix, leaving them open to exploitation by attackers:
This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/soho-routers