US, UK warn of Russian hackers targeting millions of routers
Russian spies are looking for vulnerabilities in routers for future attacks. Officials are urging people, and device makers, to take security measures.
Russian hackers are targeting millions of routers around the world, including devices in homes and offices, according to US and UK officials.
In a joint announcement Monday from the US Department of Homeland Security, the FBI and the UK's National Cyber Security Center, officials warned that Russian spies have been looking for vulnerabilities on millions of routers as a tool for future attacks.
The targets include routers in homes and offices, as well as firewalls and switches from internet service providers, critical infrastructure and major private companies, said National Security Council cybersecurity coordinator Rob Joyce.
"We have high confidence Russia has carried out a coordinated campaign to gain access to enterprise, small office/home office routers known as SOHO routers, and residential routers, and the switches and connectors worldwide," Joyce said in a conference call.
Video: Russian hackers targeting your router: Here's what to do
In a detailed technical alert published after the call, the joint warning said that Russian hackers took advantage of outdated devices, as well as routers with weak defenses. That included routers with default passwords, as well as devices no longer supported by security patches.
The DHS said it's seen Russian activity with scans for vulnerabilities on routers over the past two years, but it's hard to assess how many have been affected.
"The purpose of these attacks could be espionage, it could be theft of intellectual property, it could be prepositioning for use in times of tension," NCSC Director Ciaran Martin said.
State-sponsored cyberattacks are a national security concern, as hackers look to use vulnerabilities to affect elections, power grids and businesses. The US has taken actions in the last year against alleged hackers from Iran, Russia and North Korea.
"The attribution of this malicious activity sends a clear message to Russia -- we know what you are doing and you will not succeed," said a spokesperson for the UK government.
In router attacks, consumers can protect themselves by keeping the devices updated. But the responsibility also falls on device makers to issue necessary fixes.
"Once you own the router, you own the traffic," Jeanette Manfra, DHS' top cybersecurity official, said on the conference call.
Compromising a router would allow attackers to steal credentials, as well as use it for future attacks, Joyce added.
"It is a tremendous weapon in the hands of an adversary," the FBI cyber division's deputy assistant director Howard Marshall said.
The Russian attackers would scan across the internet for routers with vulnerabilities, according to the technical alert. These scans would give an attacker information on the make and model of open routers, allowing them to identify which ones are vulnerable to future attacks.
From there, an attacker has several ways to break into the router. They could use a brute-force attack, where they would spam it with different usernames and passwords until it unlocked. Most of the time, however, hackers are able to get in thanks to default passwords that were never changed.
As such, the US and UK are warning people to update their internet of things devices and routers, and telling companies to build their connected gadgets with better security.
Attacks on routers can have more potential for damage since they're not maintained with the same level of security that servers or computers are, Manfra said. The DHS and the UK's NCSC hope to change that with Monday's technical alert. Part of the alert calls on people to step up their own security, with Manfra pointing out that the DHS can't "protect every single device."
For router owners, the technical alert advises that you immediately change any default passwords, and use different passwords across multiple devices. The DHS also recommends people "retire and replace legacy devices" that can't be updated.
For manufacturers, officials are asking that they stop supporting outdated and unencrypted devices. It also recommended that future products be designed with security in mind, like requiring customers to change default passwords.
First published, April 16, 10:10 a.m. PT.
Update, 11:30 a.m. PT: Includes details from the joint technical alert.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.
Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.